General Info

File name: NewOrder_TenderSalesContracts309484394543PdfOutput.js
Full analysis: https://app.any.run/tasks/9bd1c254-f1dc-492c-9994-acccb4e06c7f
Verdict: Malicious activity
Analysis date: 4/23/2019, 15:41:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: autoit, rat, nanocore
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: 6f6155da1574ba94fb9337281f2eec4d
SHA1: 0c59fcf26485973f1a8ddc0fc20d67d42cb6a59b
SHA256: a0153ed8db2d705b4fc6af69f8748b4cfe9fdbf0b2b09451a75cd0ea2c63761c
SSDEEP: 24576:C5ztbLtLNtKJmre0Gzi3+LkcR0M2ujOmmBFYTHsf7zXp6TN3riTDoLdox:CRLuIJhtujOf76N+no56

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 60 seconds
Additional time used: none
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

NanoCore was detected
  • RegSvcs.exe (PID: 3572)
Application was dropped or rewritten from another process
  • sOFiDqRMqvqMZvuQ.scr (PID: 2268)
  • RegSvcs.exe (PID: 3572)
  • miu.exe (PID: 4064)
  • miu.exe (PID: 3712)
Changes the autorun value in the registry
  • RegSvcs.exe (PID: 3572)
  • miu.exe (PID: 3712)
Starts application with an unusual extension
  • WScript.exe (PID: 2924)
Executable content was dropped or overwritten
  • sOFiDqRMqvqMZvuQ.scr (PID: 2268)
  • RegSvcs.exe (PID: 3572)
  • WScript.exe (PID: 2924)
Creates files in the user directory
  • RegSvcs.exe (PID: 3572)
Drop AutoIt3 executable file
  • sOFiDqRMqvqMZvuQ.scr (PID: 2268)
Dropped object may contain Bitcoin addresses
  • miu.exe (PID: 4064)
  • sOFiDqRMqvqMZvuQ.scr (PID: 2268)

Processes

Total processes: 35
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph

[Behavior graph image: wscript.exe drops and starts sofidqrmqvqmzvuq.scr, which drops and starts miu.exe (no specs); miu.exe starts a second miu.exe, which starts regsvcs.exe (#NANOCORE)]

Process information

PID: 2924
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\NewOrder_TenderSalesContracts309484394543PdfOutput.js"
Path: C:\Windows\System32\WScript.exe
Indicators:
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
Company: Microsoft Corporation
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385
Modules:
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\sofidqrmqvqmzvuq.scr

PID: 2268
CMD: "C:\Users\admin\AppData\Local\Temp\sOFiDqRMqvqMZvuQ.scr" /S
Path: C:\Users\admin\AppData\Local\Temp\sOFiDqRMqvqMZvuQ.scr
Indicators:
Parent process: WScript.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
Company:
Description:
Version:
Modules:
c:\users\admin\appdata\local\temp\sofidqrmqvqmzvuq.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\09699021\miu.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID: 4064
CMD: "C:\Users\admin\AppData\Local\Temp\09699021\miu.exe" kks=jbg
Path: C:\Users\admin\AppData\Local\Temp\09699021\miu.exe
Indicators: No indicators
Parent process: sOFiDqRMqvqMZvuQ.scr
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
Company: AutoIt Team
Description: AutoIt v3 Script
Version: 3, 3, 14, 5
Modules:
c:\users\admin\appdata\local\temp\09699021\miu.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID: 3712
CMD: C:\Users\admin\AppData\Local\Temp\09699021\miu.exe C:\Users\admin\AppData\Local\Temp\09699021\IZSZO
Path: C:\Users\admin\AppData\Local\Temp\09699021\miu.exe
Indicators:
Parent process: miu.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
Company: AutoIt Team
Description: AutoIt v3 Script
Version: 3, 3, 14, 5
Modules:
c:\users\admin\appdata\local\temp\09699021\miu.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID: 3572
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators:
Parent process: miu.exe
User: admin
Integrity Level: MEDIUM
Version:
Company: Microsoft Corporation
Description: Microsoft .NET Services Installation Utility
Version: 4.6.1055.0 built by: NETFXREL2
Modules:
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

Registry activity

Total events: 752
Read events: 741
Write events: 11
Delete events: 0

Modification events

PID Process Operation Key Name Value
2924 WScript.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
2924 WScript.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1
2268 sOFiDqRMqvqMZvuQ.scr write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
2268 sOFiDqRMqvqMZvuQ.scr write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1
3712 miu.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\admin\AppData\Local\Temp\09699021\miu.exe C:\Users\admin\AppData\Local\Temp\09699021\KKS_JB~1
3572 RegSvcs.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run TCP Monitor C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe

Files activity

Executable files: 3
Suspicious files: 0
Text files: 46
Unknown types: 0

Dropped files

PID
Process
Filename
Type
3572
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
executable
MD5: be5073ae05e68612ba0fc1a3d339e64c
SHA256: 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
2924
WScript.exe
C:\Users\admin\AppData\Local\Temp\sOFiDqRMqvqMZvuQ.scr
executable
MD5: 1819cabcf9c00f7d2263c12e613a842e
SHA256: 68e291a97642ade40d5b8001145cd3ed1b2d58583085c9ec5b44c123be6d4813
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\miu.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\ndb.mp4
text
MD5: 39789f7c58e988dc35b7291f21ea4f18
SHA256: ded1aa47cae49e5bd534aa67d864edc282ccdad45b3e73c476c7f12ddf66b7a2
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\fcx.icm
text
MD5: 217d0d2d98b23b8328f670c96a110656
SHA256: 81652610652e5de3a9488bf38d5058f5a91d7a2fdd6a0cfc1e0be50145c90b4a
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\ako.mp3
text
MD5: ab5e674ca2aceaed8ad6fc182df0ee85
SHA256: 043852d29193be4ddea49e229cbb3b429af6e9627fd99591629412420d2ee4bb
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\vrv.icm
text
MD5: 6a6ab4cb2cfca20afcbe679b6f1341d6
SHA256: 59398b7c24715248d9cdc46a9e15795b01edf66663b88a9177c3f1f5433f0804
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\drj.icm
text
MD5: d10772009ce29fc29147bb9ac7fc6bdc
SHA256: 3af35f1d3380767b5485d0b8382c52b1faf78ac64a0a6954beda57f5726bc712
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\gea.txt
text
MD5: c9a9501922874322d28bc355734723e0
SHA256: b49501af8fe710a73418e6851774f8a3890cfc2a6de239f6568c526dafd038e9
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\trt.mp4
text
MD5: 463434643aa0bf7a304a141376f4f613
SHA256: f5d6a43057100038977fc0c9ffc7bfa215f1612f2edc9a160009cfa739a672eb
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\qjf.docx
text
MD5: 30046ff49197d40f66a857f4857d7474
SHA256: b7feb4d6778919749f2d7ee9f721fcd8f1dbf352bfeef2226c83a5aadfe2b1c3
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\peg.docx
text
MD5: 605ed1ca6c5f2353fbb93682ba8fb8f8
SHA256: e6f5b0844bcd5868ef8b6a5a5a428f3e8712f5ec9270ee756d6df56cd4ccfdb2
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\vso.ppt
text
MD5: a797fdbef5d3fb5ad6ea3483261fb422
SHA256: 3691f16586892b157c1313c9e93921ec2b87e3e88a224dbe3db9b74f660a4ced
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\kno.dat
text
MD5: 4e3a4492c4aaf9c51d10a4e5f14740dc
SHA256: 963d698b108f76b0d8e12925b66048b3116a251a4e5172812ef5937bc267e192
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\mha.ico
text
MD5: 795c5044d4a6f8b0f1379cfd77491065
SHA256: 2e0565df0180ff5a8fd2ee9969a7a5d840261ebf1d05c5c33532ebf7a94965ee
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\kpt.dat
text
MD5: bfc78b9a119c198a3caecf3523e59b8b
SHA256: d8f53075c84c8f61c5e7040311af7279eba075c9edb8f1215b13112f60930380
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\som.dat
text
MD5: b0e09b83f041cfc3caba43c6e6f13db7
SHA256: c5c967967c94af59a2d756a146a36480a28b8eddf4d6d47b9e4d082b0a20d0d7
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\wwh.ppt
text
MD5: 50b8d8d5d0bb74f940b400a56d6bebd2
SHA256: 898e77f9a972bc55a7fd690a0fa48f4df2d1e1732f258b7f226f4f9a86ea97d9
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\prm.icm
text
MD5: 99a47df61c14852b984ce24bb1d3ea6c
SHA256: 0affc8883cef8605e787b7c2e85a9a72fa8c0e091be29da91aa9af728599531b
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\ivw.icm
text
MD5: 8e4a4e0e19580c8c794e0540b1f9e09f
SHA256: 9cb43b6f5ac7907ac9f6f41a91623517237a96cb91c60608196aab0554cf3e31
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\ljk.mp3
text
MD5: e27a1f5031f09a7906a84ba164307233
SHA256: 0dd4aaa1dca8709729d0eca8c949203579b385f7b9894d8e53f92b21e769972f
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\gfe.ico
text
MD5: ed859e3dfd4dd1a4359161a21a296b9f
SHA256: 6b9ea9c4d61a256f641203d05800f21cd1dfee1d44e309e2cbf469580914faf6
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\vrf.pdf
text
MD5: c7fc9f6e57f2dafd0b5ea0fa88e1e43b
SHA256: 904716d0fe273328902d0e52591e65f3c046af02e9790b197b5976a8bd8ae1c6
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\wgo.icm
text
MD5: 319c6365134a57836956fda1b7730c50
SHA256: 47ca39f9c3779a005928f590b9a284a92a600094358ae1a3665b8b772ba043cc
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\ruq.docx
text
MD5: 4fe1dcefb05802a1d77c96eb3d17c3ff
SHA256: 3db690d1bba93b327627a13e6dd131fcc7701c134ac2c34dc10d394d36fb0886
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\qnw.bmp
text
MD5: f07244d532bba728ba828b3c598636d0
SHA256: 6b465a48e98db6142392cf10319c3d70f4789ba884b1587ffc1c7a3db4c5ac38
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\gil.mp3
text
MD5: 26e0a16312a40ca2e3f3ff25ff5534c2
SHA256: eeef19e21f7cc17583ba5b0e040a3e3e2ee1fa7b3d12c0533f9ba576d1c38770
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\nfu.mp3
text
MD5: f93b8a0bfe5e7e612e46f153965aa005
SHA256: a65ae74ba43221915e179dcca0d2640d9229a64f6d4e9bf36fd76364e291c8c7
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\gcu.icm
text
MD5: 8424827a13f75382e65921f947923c7d
SHA256: 296580524161eb770f006ca129adb27ba1d880b64539b79b784e86538169b0ad
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\lfk.mp3
text
MD5: b90a15e9512c2562e08602b75dbb060c
SHA256: 1b4927e929be939773134cd8384ea109daa1485a416527d172508a6f41ed0c8d
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\tof.xl
text
MD5: a1026d7dc39ae015fe907db31f839c18
SHA256: 6b511019a7f5a08b31cf9a5e3a8bfbbc7ee55cb61130ac2efe40889405a6d474
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\vos.icm
text
MD5: bce047dc6938f5da3138a3b59377cfee
SHA256: f9da252268c85c0475bee068f93f4f8b9423d4e7b5c5a51fd1ceecb5dcce9476
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\jeq.icm
text
MD5: cec6539fb8e6cfa8983c4f2eb6c5d7ce
SHA256: 2491ca0b143e65d486ce8f1575b35e0d7657560cc864a43f10b2c6a8f4449ebd
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\pqd.docx
text
MD5: 72bc5119b9ae1e74049e49585208b4d2
SHA256: fda8c26c0421ea02e13bbb67ad324dd2b8d0800329353869c5a681f4e8baa546
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\cxc.bmp
text
MD5: d72fb21fe6a512c9ec7c926d0962e298
SHA256: 19056f8a102a6804fd64d6ca4b2410392636e9a6ae5123a66bb3f085b811ad5f
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\oaf.bmp
text
MD5: 628a1a4ae0d85935215d660c6fab07d8
SHA256: 77be11e8d0c38aa95ea0f28ae8a65b7b17ac23c336a0bea90d42258ba50a3911
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\ckf.icm
text
MD5: bf2aafde775a240036e26e555f2e5d65
SHA256: 40056e40a5b6258aa7907ee89e9e42869fe1c7841c1483e5e83b2ae8bbf6df92
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\rpf.ppt
text
MD5: 8dd58be1052f32bbcd818e14a3b255ed
SHA256: e0cfd464a2a7e078a51fced0b7576e3c43841e37612d4109a5070d0326629b83
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\wjj.icm
text
MD5: bd505834cfe7a3c2095034475da97a5a
SHA256: 88db62a65267be2c4c65be7e190d7d839492914b904f30aa33c0548cfb0aa7e8
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\exs.jpg
text
MD5: 3f401611d21e0a325f2670682bc6044b
SHA256: c9df4dc624e2690e0d106dda7c410ce2c058a99324d26d7443d77e44ee56b81b
4064
miu.exe
C:\Users\admin\AppData\Local\Temp\09699021\IZSZO
text
MD5: edc905489af8443c5da2782f8a20c4de
SHA256: c79d6179619aef152bbda33410bd08af282b75d4d7daf20838445f81fe4e4106
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\oxv.icm
text
MD5: ff67d7114e1cd97a832220439f3188a2
SHA256: bf687e0a592d9e5733fcd58b35beb19c387f4f251a7464dd925174253fe73998
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\gsq.ppt
text
MD5: e90e195aa1f87056172d769ad4c2346b
SHA256: b942a50fd994c36ee6ab74970eada5dacc969fa6a5b37c524bbd35c40ae26cec
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\wxp.mp3
text
MD5: 2bd01c8d5405dce5d5aa257a62513081
SHA256: 5456adc804f428a023f34e6670ca56aa520d86402c6e57a06c6c6701ce3bb9b8
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\ToolTipConstants.icm
text
MD5: edb9eb2d02629af02a0128c0ce7dea02
SHA256: 1f95d111d0e6c452172f54ee84b439ccf134cde7f58dd29785d91c936157c8a3
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\ColorConstants.mp3
text
MD5: 7cfaeccc521c4cb1e844c3431e79bc0f
SHA256: 3be299b2a7db31289b44ad4e5284b954482f713043494de0a5db3ad530f6b797
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\bms.txt
text
MD5: 633ec0aba8f049634f401975a122aa6c
SHA256: 9ca262e905db93bfda2f7f3803fd9f5942bf6a0ff775a88248e0d6f62a88d691
2268
sOFiDqRMqvqMZvuQ.scr
C:\Users\admin\AppData\Local\Temp\09699021\kks=jbg
text
MD5: 5b319a723b5334416aa0d3791d903daf
SHA256: b623fc3e5bc5a43dbe0c11f76441756d122244c48083f2b5bf053037f089dffe
3572
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: 441cc26b7b13366407cc8fb33728dd5e
SHA256: 19a3d61e633a2ce99f17220d0fb64632853f7a7785479d15f784a8700faa35f7

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 17
DNS requests: 6
Threats: 6

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3572 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
3572 RegSvcs.exe 91.192.100.18:64599 SOFTplus Entwicklungen GmbH CH malicious
3572 RegSvcs.exe 79.134.225.23:64599 Andreas Fink trading as Fink Telecom Services CH malicious

DNS requests

Domain IP Reputation
stannanoserve.duckdns.org 91.192.100.18 malicious

Threats

PID Process Class Message
3572 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3572 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3572 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3572 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3572 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3572 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.