General Info

URL: http://141.136.44.78/jnn/jnn.exe
Full analysis: https://app.any.run/tasks/be34fe63-3521-4575-adde-a3944e455a41
Verdict: Malicious activity
Analysis date: 3/14/2019, 13:28:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, loader, autoit, rat, nanocore
Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 300 seconds
Additional time used: 240 seconds
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • mdo.exe (PID: 3264)
  • jnn[1].exe (PID: 3140)
  • mdo.exe (PID: 2440)
Downloads executable files from the Internet
  • iexplore.exe (PID: 3752)
Changes the autorun value in the registry
  • mdo.exe (PID: 3264)
Downloads executable files from IP
  • iexplore.exe (PID: 3752)
NanoCore was detected
  • RegSvcs.exe (PID: 2292)
Application launched itself
  • mdo.exe (PID: 2440)
Executable content was dropped or overwritten
  • iexplore.exe (PID: 3468)
  • jnn[1].exe (PID: 3140)
  • iexplore.exe (PID: 3752)
Drop AutoIt3 executable file
  • jnn[1].exe (PID: 3140)
Creates files in the user directory
  • RegSvcs.exe (PID: 2292)
Connects to unusual port
  • RegSvcs.exe (PID: 2292)
Reads Internet Cache Settings
  • iexplore.exe (PID: 3752)
  • iexplore.exe (PID: 3468)
Dropped object may contain Bitcoin addresses
  • mdo.exe (PID: 2440)
  • jnn[1].exe (PID: 3140)
Changes internet zones settings
  • iexplore.exe (PID: 3468)
Application launched itself
  • iexplore.exe (PID: 3468)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Processes

Total processes: 35
Monitored processes: 6
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process chain (graph rendered on the original page; edges labelled "drop and start", "start", "drop and start"): iexplore.exe → iexplore.exe → jnn[1].exe → mdo.exe (no specs) → mdo.exe → regsvcs.exe (#NANOCORE)

Process information

PID: 3468
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators:
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 1
Version info:
  Company: Microsoft Corporation
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (image):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\0uu90r59\jnn[1].exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll
c:\windows\system32\mlang.dll

PID: 3752
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3468 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators:
Parent process: iexplore.exe
User: admin
Integrity Level: LOW
Exit code: 0
Version info:
  Company: Microsoft Corporation
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (image):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\wpc.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll

PID: 3140
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\jnn[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\jnn[1].exe
Indicators:
Parent process: iexplore.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version info:
  Company:
  Description:
  Version:
Modules (image):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\0uu90r59\jnn[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\88127361\mdo.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID: 2440
CMD: "C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe" seg=muu
Path: C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
Indicators: No indicators
Parent process: jnn[1].exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version info:
  Company: AutoIt Team
  Description: AutoIt v3 Script
  Version: 3, 3, 14, 5
Modules (image):
c:\users\admin\appdata\local\temp\88127361\mdo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID: 3264
CMD: C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe C:\Users\admin\AppData\Local\Temp\88127361\WNOFR
Path: C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
Indicators:
Parent process: mdo.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version info:
  Company: AutoIt Team
  Description: AutoIt v3 Script
  Version: 3, 3, 14, 5
Modules (image):
c:\users\admin\appdata\local\temp\88127361\mdo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID: 2292
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators:
Parent process: mdo.exe
User: admin
Integrity Level: MEDIUM
Version info:
  Company: Microsoft Corporation
  Description: Microsoft .NET Services Installation Utility
  Version: 4.6.1055.0 built by: NETFXREL2
Modules (image):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events: 1007
Read events: 950
Write events: 54
Delete events: 3

Modification events

PID | Process | Operation | Key | Name | Value
3468 | iexplore.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903 | |
3468 | iexplore.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018090920180910 | |
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value omitted)
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {B751A371-4654-11E9-BEEC-5254004A04AF} | 0
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 3
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E307030004000E000C001C0031005801
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Type | 4
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Count | 3
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Time | E307030004000E000C001C0031005801
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | FullScreen | no
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | Window_Placement | 2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links | Order | (value omitted)
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Type | 3
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Count | 3
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Time | E307030004000E000C001C003100F401
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | LoadTime | 11
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Type | 3
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Count | 3
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Time | E307030004000E000C001C0031000402
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | LoadTime | 37
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Type | 3
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Count | 3
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Time | E307030004000E000C001C0031006202
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | LoadTime | 37
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum | Implementing | 1C00000001000000E307030004000E000C001C0038005E0000000000
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | NotifyDownloadComplete | yes
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315 | CachePath | %USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315 | CachePrefix | :2019031420190315:
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315 | CacheLimit | 8192
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315 | CacheOptions | 11
3468 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315 | CacheRepair | 0
3752 | iexplore.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829 | |
3752 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019031420190315 | CachePath | %USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019031420190315
3752 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019031420190315 | CachePrefix | :2019031420190315:
3752 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019031420190315 | CacheLimit | 8192
3752 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019031420190315 | CacheOptions | 11
3752 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019031420190315 | CacheRepair | 0
3140 | jnn[1].exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3140 | jnn[1].exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3264 | mdo.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdatejnn | C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe C:\Users\admin\AppData\Local\Temp\88127361\SEG_MU~1

Files activity

Executable files: 3
Suspicious files: 1
Text files: 52
Unknown types: 2

Dropped files

PID | Process | Filename | Type (MD5 and SHA256 on the following lines)
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe | executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3752 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\jnn[1].exe | executable
MD5: 22cf84a2fd381a3e383e65c933553fe1
SHA256: f62a182a1b4bd3f05ad0a639b3c5333990a6721dae6715ca6863e5e97d03a6e8
3468 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\jnn[1].exe | executable
MD5: 22cf84a2fd381a3e383e65c933553fe1
SHA256: f62a182a1b4bd3f05ad0a639b3c5333990a6721dae6715ca6863e5e97d03a6e8
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\tlr.txt | text
MD5: 19edfee859fce71ce355d9d7d9f2fae3
SHA256: f719a2229c9929c53a9b10b59a2d1ac20b86758c0d360233e01942fa31e29409
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\swq.xl | text
MD5: bc716dec0a405bd457fdb8aae6f880d4
SHA256: 521008524e25091b703c03e9c2b77388e24f0a1d89bf9c92d6ae453f8409c5b6
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\ema.mp4 | text
MD5: 19e2227a516dd3c03af3f429ad3cb801
SHA256: 6d7024ebd9a1ed69679795de3fd9cd93d8dc6cb00826822eed818b950ac1a403
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\lph.xl | text
MD5: 602face6e7db59f16cdcf5c62a90fdf4
SHA256: bf42e5064bb8056a92711535f5c332500f7eb8351a6a7b076992e8d416445b83
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\dnq.mp3 | text
MD5: 1770257b1d796e2c229417b1dd44171e
SHA256: 7dc9ca12a862d2f7ec48117148bdb82c53e001db155628de552bb84c033ec40e
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\wlx.mp3 | text
MD5: 3ef0a39f10a6a648a1776e7a5fd356d1
SHA256: 3c5db10a768ddb3694a65cdd7f662411759a1f1b3f6d33b30030ef2e1826cb29
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\iwc.txt | text
MD5: c7329353c0cdcdfbfbc625a5121fa4c0
SHA256: 0f6005a715a87630f15de43e21f0e88c1da01b0f7a95b4a9be92fb8c5acc94d8
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\crc.bmp | text
MD5: c68768cbca85c691387a6dd545162283
SHA256: a2426d1643153e335aab55a4c8078e5dc42416142d9890ce9256e38b3ed63106
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\iwd.docx | text
MD5: 52b5dd8a14c0e8b0c1348f1445c9605f
SHA256: 6dc83bc1f8f7e95296c7b70b68caa85056513f9e079137a843ef0fece00cd294
3140 | jnn[1].exe | C:\Users\admin\AppData\Local\Temp\88127361\agf.mp3 | text
MD5: 6b683766e31bf4c09e9606b132a0dcbb
SHA256: e73aef70c5db9d851d906b775e5aabe18888062af3faf53c0ec8cbca5b55e535
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\otp.ico
text
MD5: b84743ee3bd9c88c1bf27279e3e1e8cc
SHA256: ca56196b6f06c185cf87311e6e49eb71393a2d3967fb6ce1213a50f122295491
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\vur.mp4
text
MD5: 20458011d0d339b9d638cd696b112533
SHA256: 771530df8d287e3b3f6c1ef14cfc8d2104cd158a7cf73c3cf12b6ac18565d515
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\uvh.dat
text
MD5: f7d948d24ab00d59fda153ff1c40dad7
SHA256: 4f127ae7c1d45a796718fe442bf3eea86c3ed464a744fe20d2bcd244a843ee80
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\gbd.ppt
text
MD5: 8ca027526de874041007ebbf4749597b
SHA256: d8e049827a9f7eb38557f48c134bf30893bb798af61878c5a2d9b512fb69022c
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\ras.mp3
text
MD5: f6002c65bf5773dbb147aa34813138f3
SHA256: f5fbdc98a578ca4fa9c0c0b9838ebc188ee55efcd5812b2adec14c8bea1281b1
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\bkr.dat
text
MD5: 220534e4734ceeaae6bb055b4f0ce3cf
SHA256: 715de9c63dc88fd8f8e8540f067685ed620eff0178e16ae45853c454146287da
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\hlk.mp3
text
MD5: 6b00ad93325c0a65afbb84f495edd1a8
SHA256: b079e22683fcd46b416a695a4550b6e06db15bba197179d6120904f90ddadb88
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\ucu.icm
text
MD5: d9b3eb6f6cbab2b8565265147411a2dd
SHA256: 16d9831ec31cc0696835b56cc4d7ff59cdd7f9380b0c12bc09fd8752d4b81223
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\bos.dat
text
MD5: af76971543c4ce9db8caf2e571875f4f
SHA256: fdb64db0910f2ec413da1e4c18c505c2cce72231b1e5ef007605f78a6e5dd1d6
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\hrp.jpg
text
MD5: 520be58348f83651a6a77d7180c18f1e
SHA256: 81061cb012d827dc6805d6f38e46069478d5ef4062809609ecc64abf8d410a73
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\bqc.pdf
text
MD5: dcc558713f18bb6f9f1986614670d633
SHA256: bd17ebfdfbbe72298118e4878256d0c306134dae72e24165ac9a9b96c5d7add3
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\nkd.docx
text
MD5: 2a1f8daf674e9855126c8a9fe1f52f08
SHA256: a5ead5b669f54af308cd26009949e93dddf82721ecee453e7430639bb357f2e9
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\jrx.docx
text
MD5: 5744c7f84cdad1fb1027e90e02e33530
SHA256: da8e37eb2f0c1ba7d298a184c8e263ff81d84f5ff5cb4e52541edff939a7ccbe
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\kgo.bmp
text
MD5: 4ef0cd3566b0cd7df92dd53b2615190b
SHA256: 86aa28bd8be550be1a2632f5ef119b78bf05efb98cf2316e777be81597c13c04
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\jkm.mp3
text
MD5: d764faade38682911bebbe4386b1ced4
SHA256: 27fa4da115127f99de35b1b6d2d241fd2e420ef7b14539bdaba45e33e5e0fdc4
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\wmg.mp4
text
MD5: 930e1630892a35d1cbd8a595e972eb0b
SHA256: 958e318f9c7d99abc90e5a98aee4f8af8205dcf542e28ebca2ed8ca6835f7577
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\nek.mp3
text
MD5: 6d9b924a1abf1d14608bcb066ddfe976
SHA256: fb433941510461f34c27bc1625e9d1a249e59a58132eb7a79ae0acf2bd0bcae7
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\tgo.ppt
text
MD5: da7da040fa0aac5f0434873dd878fd9c
SHA256: 57f6780fd5738439d4aa03b8f3aad8ceffaf99a2fb3e20b0e3916298ce09962a
3468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\lti.docx
text
MD5: 2571c4827b75254f512f67d569d4969e
SHA256: 72e1bf13d71df21ae55d248b6be66933e371cfc5bc7b0c33f4526f59e8f3f510
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\wqh.ppt
text
MD5: 9c47a245493b6fdb09ebf389cbc97aa9
SHA256: b12245e281dbeb82ea9bd1574634a000ff06e26b14b377f82c820bd9f3af771a
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\wnm.txt
text
MD5: 9d871b45be406860726b7127c3a443cf
SHA256: eb6bd3df86e186d00fdea3207eb712de268e2d8fcef9af8a9e8b73899f89957f
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\sqj.dat
text
MD5: 42c1de8aafab368ba22a4c3504a35c19
SHA256: fca18198a5e5ce7a7438d9a0d5eabf81314f1b13eec4e7ab6b962cdcc60f3bf9
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\qtl.docx
text
MD5: eb59a1fe851e768f7bd175cc24217aac
SHA256: 7e30c168edd43afe3e0fb0d21485cf025d5f226d948cb4e56b9f722ba2281365
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\qaa.xl
text
MD5: f4712ebb85e9532888e8479a3d71448e
SHA256: 7ceea16b3c8eb2a38ed9e2bbb3462232f84c15dc66d4ab594ca1ff7c4d78954c
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\nok.pdf
text
MD5: 1db14f74f3914de40c93043a5e0fd2b2
SHA256: 65ddd15ca974d5116f734ad62735fa5d25a298f46653433134ab9b509b3f37ea
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\ois.xl
text
MD5: 153b3b542f9cd17247811f7af364a980
SHA256: 7357786d348f08ab1e564efb68cc740e416828252c732721b44bf5f8b9f78303
2440
mdo.exe
C:\Users\admin\AppData\Local\Temp\88127361\WNOFR
text
MD5: 4d184c13b95c0c8d7cf644b9599bfed4
SHA256: 11ab9c4ce531bf94d9ffb7d242a41fae41ccb95e5fc9845c37d315e345b1e2ee
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\jvk.mp3
text
MD5: d9b7cc3f58da6d96c3dbfb4008b26eb9
SHA256: 29f324a7980e633b0052b5bdb634833cd094e5a631380fe6049fc6f6daa7a48c
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\cll.ppt
text
MD5: c3038bb5d678596a20440872bb278380
SHA256: 70dcfc1d30a96aa81ca89c308a379a7458534b6c9cd469c8641e71842c188370
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\urr.docx
text
MD5: 1d37dace5d0be9a4c90b71036ffb43b0
SHA256: 040ed3cba92ec70663baecd5e7f4859776669f4405be70f6db3066bf984d16f4
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\pou.icm
text
MD5: 53ce9c11f69ede839689a93ea34b9201
SHA256: 3d08042dbb0a693dd4f838236e5d7f5e40f5667ba6b33adcd605f26610817627
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\nbb.icm
text
MD5: 9b65c9d1111c7e0640ce5900f01dbf05
SHA256: f4b0ae209225a3321acd8b5303b09d8ba245aa4250620d1407356faf82e6f800
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\bum.pdf
text
MD5: feaeea7208f7a411e4cdc0e3286a11db
SHA256: 1df03709f122f14e2606e94bccb74b47c6c48a483c68a45ed446c06c0ca01965
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\dss.dat
text
MD5: c488c0eeaa4a77679f10a662945e5e4e
SHA256: db289b5f6cad00bf4b05ed3ba50825ac178119ea0d5f9f58f7a22f1ff670addf
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\nkq.docx
text
MD5: 51c9b23e003e3e14f4659bc60d4be131
SHA256: 3adc7f290017eb28aa34e8cec227e781e25d180c3eb77e03b01211369980e0b6
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\lpr.mp4
text
MD5: 3576b5978b68394d98e25affd7225b83
SHA256: e182a17f5a6b486ff9410ecccbf9685bc5c54cf2ec314ae255040dabce04e895
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\bje.ppt
text
MD5: f77626bd4356a4ae7252eccf68ee9f35
SHA256: 0e385f3f3122f4a5bfa9ddfe1214ef92ead6eea3c834540a88d19f5f23085958
3140
jnn[1].exe
C:\Users\admin\AppData\Local\Temp\88127361\seg=muu
text
MD5: 451111d03bca3331e4d1f2631f56c494
SHA256: 98ec9a9a42575a0626ebffaf344487e26118ebca0d837d218cfc4dc446f37102
3468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.dat
dat
MD5: 167415d8e9152730b884af8de7c2a481
SHA256: 4403285bd84977e14f1e10c44d7a8b9df22775f9ff404106636d7f23b617441b
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019031420190315\index.dat
dat
MD5: a2b324b6301e8b753c29f85146b33ba9
SHA256: 62442bf5dcca43dcd4e2682becfa5ff486a0e68ad13c4103244ab6e0fa3049e3
3468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\jnn[1].exe:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\jnn[1].exe:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3468
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF2A57A6EB485046C9.TMP
––
MD5:  ––
SHA256:  ––
3752
iexplore.exe
C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log
text
MD5: 67ee575f659ff2c37e0ea39414ecdeed
SHA256: 013c42fe9b9a56930611057f52107f955ea8fa36d20ba472859d267128451160
3468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B751A372-4654-11E9-BEEC-5254004A04AF}.dat
binary
MD5: 85bb838f633a7db2de091fc0df00953f
SHA256: 5c057cbb36aba09a7653064a54bf1733f308ccd707b8381ae30ca0772dec44ce
3468
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF3C97C39B6365FBB5.TMP
––
MD5:  ––
SHA256:  ––
3468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[2].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
3468
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
3468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B751A371-4654-11E9-BEEC-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––

Network activity

HTTP(S) requests
2
TCP/UDP connections
58
DNS requests
51
Threats
22

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3752 iexplore.exe GET 200 141.136.44.78:80 http://141.136.44.78/jnn/jnn.exe LT executable suspicious
3468 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US image whitelisted

Connections

PID Process IP ASN CN Reputation
3752 iexplore.exe 141.136.44.78:80 Vardas.lt, Uab LT suspicious
3468 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
2292 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
2292 RegSvcs.exe 8.8.4.4:53 Google Inc. US whitelisted
2292 RegSvcs.exe 185.163.45.48:58887 MivoCloud SRL MD suspicious

DNS requests

Domain IP Reputation
www.bing.com 204.79.197.200, 13.107.21.200 whitelisted
kgentle777.hopto.org No response unknown
kgentle77.duckdns.org 185.163.45.48 malicious

Threats

PID Process Class Message
3752 iexplore.exe A Network Trojan was detected ET INFO Executable Download from dotted-quad Host
3752 iexplore.exe Potentially Bad Traffic ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3752 iexplore.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3752 iexplore.exe Potentially Bad Traffic ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3752 iexplore.exe Generic Protocol Command Decode SURICATA STREAM excessive retransmissions
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2292 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.