General Info

File name

PO.29477399274_pdf.iso

Full analysis
https://app.any.run/tasks/22ba649c-7532-42c7-99c2-93c207e37e0f
Verdict
Malicious activity
Analysis date
7/18/2019, 09:26:01
OS:
Windows 10 Professional (build: 16299, 64 bit)
Indicators:

MIME:
application/x-iso9660-image
File info:
ISO 9660 CD-ROM filesystem data 'PO.29477399274_pdf'
MD5

eec17bbaf8bb72fe3aa03aab524b7779

SHA1

f672a5c2ed7138ce829faf458f92aebe084faa3c

SHA256

b459b6246cc86a109676be895c40d83f794449f6274fafede4ab658c0485a8d3

SSDEEP

12288:18eA4ccTaFNjiHPp5pLmyZZGEuZVPZfVhDbcLKh7pQx:9rVa3Ox5oynuZ5hVJbcg7pQx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
660 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
on
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.431.16299.0 KB4103768
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • CCleaner (5.35)
  • FileZilla Client 3.31.0 (3.31.0)
  • Google Chrome (73.0.3683.86)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft Office Professional 2019 - en-us (16.0.11328.20158)
  • Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Mozilla Firefox 65.0.2 (x64 en-US) (65.0.2)
  • Notepad++ (64-bit x64) (7.5.1)
  • Office 16 Click-to-Run Extensibility Component (16.0.11328.20158)
  • Office 16 Click-to-Run Licensing Component (16.0.11328.20158)
  • Office 16 Click-to-Run Localization Component (16.0.11328.20158)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Windows 10 for x64-based Systems (KB4023057) (2.19.0.0)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)
  • Windows 10 Upgrade Assistant (1.4.9200.22175)

Hotfixes

  • Client LanguagePack Package
  • Foundation Package
  • InternetExplorer Optional Package
  • KB4054022
  • KB4055237
  • KB4055994
  • KB4058043
  • KB4078408
  • KB4093110
  • KB4094276
  • KB4103729
  • KB4131372
  • KB4134661
  • LanguageFeatures Basic en us Package
  • LanguageFeatures Handwriting en us Package
  • LanguageFeatures OCR en us Package
  • LanguageFeatures Speech en us Package
  • LanguageFeatures TextToSpeech en us Package
  • MediaPlayer Package
  • Microsoft OneCore ApplicationModel Sync Desktop FOD Package
  • NetFx3 OnDemand Package
  • ProfessionalEdition
  • QuickAssist Package
  • RollupFix

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • PO.29477399274_pdf.exe (PID: 1284)
  • PO.29477399274_pdf.exe (PID: 5860)
  • PO.29477399274_pdf.exe (PID: 2916)
  • PO.29477399274_pdf.exe (PID: 556)
Changes the autorun value in the registry
  • iexplore.exe (PID: 2760)
UAC/LUA settings modification
  • PO.29477399274_pdf.exe (PID: 1284)
Application launched itself
  • PO.29477399274_pdf.exe (PID: 5860)
  • PO.29477399274_pdf.exe (PID: 556)
Executable content was dropped or overwritten
  • iexplore.exe (PID: 2760)
Creates files in the user directory
  • iexplore.exe (PID: 2760)
Manual execution by user
  • PO.29477399274_pdf.exe (PID: 556)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.iso
|   ISO 9660 CD image (27.6%)
.atn
|   Photoshop Action (27.1%)
.gmc
|   Game Music Creator Music (6.1%)
EXIF
ISO
System:
Win32
VolumeName:
PO.29477399274_pdf
VolumeBlockCount:
396
VolumeBlockSize:
2048
RootDirectoryCreateDate:
2019:07:04 16:26:10-07:00
Software:
PowerISO
VolumeCreateDate:
2019:07:04 16:26:10.00-07:00
VolumeModifyDate:
2019:07:04 16:26:10.00-07:00
Composite
VolumeSize:
792 kB

Video and screenshots

Processes

Total processes
95
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

+
start winrar.exe no specs po.29477399274_pdf.exe no specs po.29477399274_pdf.exe no specs po.29477399274_pdf.exe no specs iexplore.exe po.29477399274_pdf.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
1092
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PO.29477399274_pdf.iso"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.16299.431_none_46b2c6d3edf81841\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cldapi.dll
c:\windows\system32\aepic.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\riched20.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\textinputframework.dll
c:\windows\system32\coreuicomponents.dll
c:\windows\system32\coremessaging.dll
c:\windows\system32\wintypes.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\onecoreuapcommonproxystub.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\dlnashext.dll
c:\windows\system32\playtodevice.dll
c:\windows\system32\devdispitemprovider.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\policymanager.dll
c:\windows\system32\msvcp110_win.dll

PID
556
CMD
"D:\PO.29477399274_pdf.exe"
Path
D:\PO.29477399274_pdf.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
d:\po.29477399274_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\gdi32full.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\winspool.drv
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.16299.431_none_d026bbf95f37292c\comctl32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\kernel.appcore.dll
c:\windows\syswow64\powrprof.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\dwmapi.dll

PID
1284
CMD
"D:\PO.29477399274_pdf.exe"
Path
D:\PO.29477399274_pdf.exe
Indicators
No indicators
Parent process
PO.29477399274_pdf.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
d:\po.29477399274_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\gdi32full.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\kernel.appcore.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\coml2.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_5d750ac5a7e1c779\comctl32.dll
c:\windows\syswow64\psapi.dll

PID
5860
CMD
"D:\PO.29477399274_pdf.exe" 2 1284 1751187
Path
D:\PO.29477399274_pdf.exe
Indicators
No indicators
Parent process
PO.29477399274_pdf.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
d:\po.29477399274_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\gdi32full.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.16299.431_none_d026bbf95f37292c\comctl32.dll
c:\windows\syswow64\winspool.drv
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\kernel.appcore.dll
c:\windows\syswow64\powrprof.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\dwmapi.dll

PID
2760
CMD
D:\PO.29477399274_pdf.exe
Path
C:\Program Files (x86)\Internet Explorer\iexplore.exe
Indicators
Parent process
PO.29477399274_pdf.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\gdi32full.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\msvbvm60.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\kernel.appcore.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\powrprof.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\shacct.dll
c:\windows\syswow64\samlib.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\scrrun.dll
c:\windows\syswow64\napinsp.dll
c:\windows\syswow64\pnrpnsp.dll
c:\windows\syswow64\nlaapi.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winrnr.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\rasadhlp.dll

PID
2916
CMD
"D:\PO.29477399274_pdf.exe"
Path
D:\PO.29477399274_pdf.exe
Indicators
No indicators
Parent process
PO.29477399274_pdf.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
d:\po.29477399274_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\gdi32full.dll
c:\windows\syswow64\msvcp_win.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.16299.431_none_d026bbf95f37292c\comctl32.dll
c:\windows\syswow64\winspool.drv
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\kernel.appcore.dll
c:\windows\syswow64\powrprof.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\dwmapi.dll

Registry activity

Total events
675
Read events
648
Write events
27
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
1092
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\22\52C64B7E
LanguageList
en-US
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\Desktop\PO.29477399274_pdf.iso
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF68000000680000002804000051020000
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\Desktop
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_0
4C000000730100000402000000000000F0F0F00000000000000000000000000000000000000000008402080000000000000000003B000000B402000000000000000000000000000001000000
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_1
4C000000730100000500000000000000F0F0F00000000000000000000000000000000000000000004E0015000000000000000000180000002A00000000000000000000000000000002000000
1092
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band76_2
4C000000730100000400000000000000F0F0F00000000000000000000000000000000000000000001E020E000000000000000000180000006400000000000000000000000000000003000000
1284
PO.29477399274_pdf.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
UACDisableNotify
0
1284
PO.29477399274_pdf.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA
0
2760
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4
C:\Users\admin\AppData\Roaming\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe
2760
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4
C:\Users\admin\AppData\Roaming\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe

Files activity

Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2760
iexplore.exe
C:\Users\admin\AppData\Roaming\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe
executable
MD5: 22f8e759c431dfdd5c62f9a584329bdf
SHA256: 5d37edcb9700df18346541c40aaaffa93bc450d00f75b89bd0a9f54526c50fa2
1284
PO.29477399274_pdf.exe
C:\Users\admin\AppData\Local\Temp\~DF301D40E65DBAB007.TMP
––
MD5:  ––
SHA256:  ––
2760
iexplore.exe
C:\Users\admin\AppData\Roaming\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4\ut
image
MD5: 9a0951d6e69265802a0154a5c6521c72
SHA256: 28c19c4cc0594141c2752fa2e3cdb93ae2bbe128db13734c5dbb9c5c7555f567
2760
iexplore.exe
C:\Users\admin\AppData\Local\Temp\admin.bmp
image
MD5: dc2c42110b7d84f144c6d905a3dda74e
SHA256: 4e07a1a6fbb5f29252a7c7ad7c3c80b32b4cc8baeb832dbe40c38bbf85d984e7

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
3
Threats
2

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
2760 iexplore.exe 185.244.31.145:1989 –– malicious

DNS requests

Domain IP Reputation
csimich.duckdns.org 185.244.31.145
malicious
nexusrules.officeapps.live.com 52.109.8.20
whitelisted

Threats

PID Process Class Message
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.