General Info

File name: REVISED TELEX RELEASE 0509896_igs50595.exe
Full analysis: https://app.any.run/tasks/0aa22354-50b1-4d53-84da-8510b9dc41aa
Verdict: Malicious activity
Analysis date: 1/10/2019, 22:29:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: autoit, trojan, nanocore, rat
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5: a40714376c43c893afb72e96bba3e130
SHA1: ce9cae74b9d2f4f8d96e6d0a48205e77facb8b95
SHA256: b147ad75d27db7ad9c23fe86fcadc4097a10d7004285f214787fa0d56a9b3d8e
SSDEEP: 24576:D2O/Gl1iD7c+k1Uf1/3ZJz9R6wmxhKbH3rUO46GcV:r/Xk2N9cwmxUT3i0V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 60 seconds
Additional time used: none
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • hqc.exe (PID: 2980)
  • hqc.exe (PID: 2216)
NanoCore was detected
  • RegSvcs.exe (PID: 3408)
Changes the autorun value in the registry
  • hqc.exe (PID: 2216)
Connects to CnC server
  • RegSvcs.exe (PID: 3408)
Drop AutoIt3 executable file
  • REVISED TELEX RELEASE 0509896_igs50595.exe (PID: 3120)
Application launched itself
  • hqc.exe (PID: 2980)
Connects to unusual port
  • RegSvcs.exe (PID: 3408)
Creates files in the user directory
  • RegSvcs.exe (PID: 3408)
Executable content was dropped or overwritten
  • REVISED TELEX RELEASE 0509896_igs50595.exe (PID: 3120)
Dropped object may contain Bitcoin addresses
  • hqc.exe (PID: 2980)
  • REVISED TELEX RELEASE 0509896_igs50595.exe (PID: 3120)


Static information

TRiD
  • .exe | Win32 Executable MS Visual C++ (generic) (35.8%)
  • .exe | Win64 Executable (generic) (31.7%)
  • .scr | Windows screen saver (15%)
  • .dll | Win32 Dynamic Link Library (generic) (7.5%)
  • .exe | Win32 Executable (generic) (5.1%)
EXIF (EXE)
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:09 15:19:49+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 74752
InitializedDataSize: 59392
UninitializedDataSize: null
EntryPoint: 0xac87
OSVersion: 5
ImageVersion: null
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: null
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: null
OriginalFileName: null
CompanyName: null
FileVersion: null
LegalCopyright: null
ProductName: null
ProductVersion: 1,0,0,0
Summary
Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-Jun-2012 13:19:49
Detected languages:
  • English - United Kingdom
  • English - United States
  • Process Default Language
Debug artifacts: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
FileDescription: null
OriginalFilename: null
CompanyName: null
FileVersion: null
LegalCopyright: null
ProductName: null
ProductVersion: 1,0,0,0
DOS Header
Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0
PE Headers
Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 09-Jun-2012 13:19:49
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections
Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                        Entropy
.text   0x00001000       0x0001231E    0x00012400  IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ            6.55555
.rdata  0x00014000       0x00001D15    0x00001E00  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ                      4.99401
.data   0x00016000       0x00017724    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE  3.54914
.CRT    0x0002E000       0x00000020    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ                      0.394141
.rsrc   0x0002F000       0x0000C504    0x0000C600  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ                      6.43964
Resources: 1, 7, 8, 9, 10, 11, 12, 100, 101, ASKNEXTVOL, GETPASSWORD1, LICENSEDLG, RENAMEDLG, REPLACEFILEDLG, STARTDLG

Imports
  • COMCTL32.dll
  • SHLWAPI.dll
  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • COMDLG32.dll
  • ADVAPI32.dll
  • SHELL32.dll
  • ole32.dll
  • OLEAUT32.dll

Exports
No exports.

Processes

Total processes: 33
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

[Behavior graph: REVISED TELEX RELEASE 0509896_igs50595.exe --(drop and start)--> hqc.exe (no specs) --(start)--> hqc.exe --> RegSvcs.exe (#NANOCORE)]

Process information


PID: 3120
CMD: "C:\Users\admin\AppData\Local\Temp\REVISED TELEX RELEASE 0509896_igs50595.exe"
Path: C:\Users\admin\AppData\Local\Temp\REVISED TELEX RELEASE 0509896_igs50595.exe
Parent process: (none)
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version info: Company, Description and Version fields are empty
Modules:
c:\users\admin\appdata\local\temp\revised telex release 0509896_igs50595.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\30954511\hqc.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID: 2980
CMD: "C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe" klc=jts
Path: C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe
Indicators: No indicators
Parent process: REVISED TELEX RELEASE 0509896_igs50595.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Company: AutoIt Team
Description: AutoIt v3 Script
Version: 3, 3, 14, 5
Modules:
c:\users\admin\appdata\local\temp\30954511\hqc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID: 2216
CMD: C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe C:\Users\admin\AppData\Local\Temp\30954511\JTQNE
Path: C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe
Parent process: hqc.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Company: AutoIt Team
Description: AutoIt v3 Script
Version: 3, 3, 14, 5
Modules:
c:\users\admin\appdata\local\temp\30954511\hqc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID: 3408
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: hqc.exe
User: admin
Integrity Level: MEDIUM
Exit code: (still running at end of task)
Company: Microsoft Corporation
Description: Microsoft .NET Services Installation Utility
Version: 4.6.1055.0 built by: NETFXREL2
Modules:
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\devenum.dll
c:\windows\system32\winmm.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll

Registry activity

Total events: 393
Read events: 387
Write events: 6
Delete events: 0

Modification events

PID 3120, REVISED TELEX RELEASE 0509896_igs50595.exe, write
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Name: UNCAsIntranet
  Value: 0

PID 3120, REVISED TELEX RELEASE 0509896_igs50595.exe, write
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Name: AutoDetect
  Value: 1

PID 2216, hqc.exe, write
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Name: WindowsUpdate
  Value: C:\Users\admin\AppData\Local\Temp\30954511\hqc.exe C:\Users\admin\AppData\Local\Temp\30954511\KLC_JT~1

Files activity

Executable files: 1
Suspicious files: 0
Text files: 52
Unknown types: 0

Dropped files



Network activity

HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 35

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3408 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
3408 RegSvcs.exe 185.62.189.194:1336 Dotsi, Unipessoal Lda. NL suspicious

DNS requests

Domain             IP              Reputation
moneymen.ddns.net  185.62.189.194  malicious

Threats

PID Process Class Message
3408 RegSvcs.exe A Network Trojan was detected SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain
3408 RegSvcs.exe A Network Trojan was detected SC BAD_UNKNOWN Generic dynamic DNS detection
3408 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
3408 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3408 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3408 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3408 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3408 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
3408 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3408 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
3408 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3408 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3408 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
3408 RegSvcs.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3408 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
3408 RegSvcs.exe A Network Trojan was detected SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain
3408 RegSvcs.exe A Network Trojan was detected SC BAD_UNKNOWN Generic dynamic DNS detection
3408 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3408 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
3408 RegSvcs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B

15 ETPRO signatures available at the full report

Debug output strings

No debug info.