| File name: | bill notice 05.2019.rar |
| Full analysis: | https://app.any.run/tasks/8edd4ef1-32f7-47ff-bfda-8ee1eeb65ed0 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | May 20, 2019, 14:18:01 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 0569CA387F8B950E00B99E9ACB612BE9 |
| SHA1: | 33D0CDACED6249AA93B4B1B54D2005A907EE563F |
| SHA256: | BF5E00FA491B76FCCEEA0B8DE133F5C28E20C556FACCE6652E6BCA60FA946746 |
| SSDEEP: | 1536:Tr99BZ4Hi14xpjaCvCl7fnrZ0L/gCwKzDQV+o5p5t/1MxxJZ/dd6mEpjKCqvDawE:d9BZ4Hddsl50LpwKzcV+CqxrZWFsawE |
MALICIOUS
Executable content was dropped or overwritten
- EXCEL.EXE (PID: 2876)
Unusual execution from Microsoft Office
- EXCEL.EXE (PID: 2876)
Loads the Task Scheduler COM API
- OSPPSVC.EXE (PID: 3304)
Application was dropped or rewritten from another process
- exit.exe (PID: 3040)
- rtegre.exe (PID: 3084)
- wprgxyeqd79.exe (PID: 3296)
- uninstall.exe (PID: 3288)
- veter1605_MAPS_10cr0.exe (PID: 3004)
- exit.exe (PID: 764)
- winserv.exe (PID: 2796)
Loads dropped or rewritten executable
- cmd.exe (PID: 1360)
- taskkill.exe (PID: 2884)
- taskkill.exe (PID: 4068)
- DllHost.exe (PID: 1276)
- taskkill.exe (PID: 2688)
- taskkill.exe (PID: 756)
- OSPPSVC.EXE (PID: 3304)
- taskkill.exe (PID: 1652)
- PING.EXE (PID: 2280)
- taskkill.exe (PID: 3888)
- taskkill.exe (PID: 3236)
- rtegre.exe (PID: 3084)
- wprgxyeqd79.exe (PID: 3296)
- taskkill.exe (PID: 2052)
- taskkill.exe (PID: 2336)
- taskkill.exe (PID: 1092)
- taskkill.exe (PID: 3812)
- taskkill.exe (PID: 2540)
- taskkill.exe (PID: 1344)
- reg.exe (PID: 2224)
- taskkill.exe (PID: 300)
- taskkill.exe (PID: 3872)
- taskkill.exe (PID: 2864)
- taskkill.exe (PID: 2608)
- taskkill.exe (PID: 312)
- veter1605_MAPS_10cr0.exe (PID: 3004)
- WinRAR.exe (PID: 3188)
- exit.exe (PID: 3040)
- conhost.exe (PID: 3416)
- wmiprvse.exe (PID: 2800)
- PING.EXE (PID: 3280)
- taskkill.exe (PID: 4008)
- svchost.exe (PID: 3848)
- taskkill.exe (PID: 3256)
- conhost.exe (PID: 4088)
- uninstall.exe (PID: 3288)
- cmd.exe (PID: 964)
- taskkill.exe (PID: 1156)
- EXCEL.EXE (PID: 2876)
- taskkill.exe (PID: 3496)
- taskkill.exe (PID: 2296)
- taskkill.exe (PID: 2524)
- taskkill.exe (PID: 3068)
- winserv.exe (PID: 2796)
- taskkill.exe (PID: 2960)
- taskkill.exe (PID: 3092)
- taskkill.exe (PID: 3960)
- exit.exe (PID: 764)
- taskkill.exe (PID: 3044)
- taskkill.exe (PID: 3428)
- taskkill.exe (PID: 3144)
- taskkill.exe (PID: 584)
- taskkill.exe (PID: 2356)
- taskkill.exe (PID: 3232)
- taskkill.exe (PID: 1892)
- taskkill.exe (PID: 120)
- taskkill.exe (PID: 3240)
- taskkill.exe (PID: 3472)
- taskkill.exe (PID: 2412)
- taskkill.exe (PID: 1092)
- taskkill.exe (PID: 3736)
- taskkill.exe (PID: 2668)
- taskkill.exe (PID: 1080)
- taskkill.exe (PID: 2404)
- taskkill.exe (PID: 3692)
- taskkill.exe (PID: 3788)
- taskkill.exe (PID: 3748)
- taskkill.exe (PID: 3952)
- taskkill.exe (PID: 608)
- taskkill.exe (PID: 3732)
- taskkill.exe (PID: 2980)
- taskkill.exe (PID: 3264)
- taskkill.exe (PID: 3648)
- taskkill.exe (PID: 2408)
- taskkill.exe (PID: 3644)
- taskkill.exe (PID: 280)
- taskkill.exe (PID: 2912)
- taskkill.exe (PID: 300)
- taskkill.exe (PID: 3292)
- taskkill.exe (PID: 2708)
- taskkill.exe (PID: 3524)
- taskkill.exe (PID: 3692)
- taskkill.exe (PID: 2268)
- taskkill.exe (PID: 1244)
- taskkill.exe (PID: 1916)
- taskkill.exe (PID: 3700)
- taskkill.exe (PID: 1248)
- taskkill.exe (PID: 3524)
- taskkill.exe (PID: 3904)
- taskkill.exe (PID: 2632)
- taskkill.exe (PID: 3732)
- taskkill.exe (PID: 3552)
- taskkill.exe (PID: 1880)
- taskkill.exe (PID: 2700)
- taskkill.exe (PID: 588)
- taskkill.exe (PID: 2952)
- taskkill.exe (PID: 2508)
- taskkill.exe (PID: 3420)
- taskkill.exe (PID: 2996)
- taskkill.exe (PID: 3412)
- taskkill.exe (PID: 2940)
- taskkill.exe (PID: 3952)
- taskkill.exe (PID: 3788)
- taskkill.exe (PID: 3528)
- taskkill.exe (PID: 3460)
- taskkill.exe (PID: 3360)
- taskkill.exe (PID: 756)
- taskkill.exe (PID: 2936)
- taskkill.exe (PID: 2708)
- taskkill.exe (PID: 3144)
- taskkill.exe (PID: 2884)
- taskkill.exe (PID: 2596)
- taskkill.exe (PID: 2196)
- taskkill.exe (PID: 3984)
- taskkill.exe (PID: 2304)
- taskkill.exe (PID: 3404)
- taskkill.exe (PID: 1324)
- taskkill.exe (PID: 1888)
- taskkill.exe (PID: 3484)
- taskkill.exe (PID: 2436)
- taskkill.exe (PID: 2500)
- taskkill.exe (PID: 628)
- taskkill.exe (PID: 3260)
- taskkill.exe (PID: 2532)
- taskkill.exe (PID: 3220)
- taskkill.exe (PID: 3724)
- taskkill.exe (PID: 3872)
- taskkill.exe (PID: 3644)
- taskkill.exe (PID: 2856)
- taskkill.exe (PID: 2420)
- taskkill.exe (PID: 3108)
- taskkill.exe (PID: 3964)
- taskkill.exe (PID: 760)
- taskkill.exe (PID: 2700)
- taskkill.exe (PID: 2648)
- taskkill.exe (PID: 3020)
- taskkill.exe (PID: 2552)
- taskkill.exe (PID: 2576)
- taskkill.exe (PID: 3404)
- taskkill.exe (PID: 3160)
- taskkill.exe (PID: 2080)
- taskkill.exe (PID: 3896)
- taskkill.exe (PID: 2136)
- taskkill.exe (PID: 2424)
- taskkill.exe (PID: 2656)
- taskkill.exe (PID: 2472)
- taskkill.exe (PID: 2548)
- taskkill.exe (PID: 2188)
- taskkill.exe (PID: 1888)
- taskkill.exe (PID: 2460)
- taskkill.exe (PID: 2568)
- taskkill.exe (PID: 1352)
- taskkill.exe (PID: 3700)
- taskkill.exe (PID: 2384)
- taskkill.exe (PID: 312)
- taskkill.exe (PID: 2268)
- taskkill.exe (PID: 3312)
- taskkill.exe (PID: 2300)
- taskkill.exe (PID: 832)
- taskkill.exe (PID: 3500)
- taskkill.exe (PID: 2576)
- taskkill.exe (PID: 2524)
- taskkill.exe (PID: 2504)
- taskkill.exe (PID: 3236)
- taskkill.exe (PID: 1156)
- taskkill.exe (PID: 3428)
- taskkill.exe (PID: 2692)
- taskkill.exe (PID: 2304)
- taskkill.exe (PID: 3840)
- taskkill.exe (PID: 352)
- taskkill.exe (PID: 3912)
- taskkill.exe (PID: 3260)
- taskkill.exe (PID: 3836)
- taskkill.exe (PID: 3768)
- taskkill.exe (PID: 896)
- taskkill.exe (PID: 3560)
- taskkill.exe (PID: 1480)
- taskkill.exe (PID: 2248)
- taskkill.exe (PID: 2484)
- taskkill.exe (PID: 2364)
- taskkill.exe (PID: 1864)
- taskkill.exe (PID: 2724)
- taskkill.exe (PID: 1532)
- taskkill.exe (PID: 3492)
- taskkill.exe (PID: 2720)
- taskkill.exe (PID: 2532)
- taskkill.exe (PID: 3012)
- taskkill.exe (PID: 1880)
- taskkill.exe (PID: 476)
- taskkill.exe (PID: 3076)
- taskkill.exe (PID: 1500)
- taskkill.exe (PID: 2144)
- taskkill.exe (PID: 3400)
- taskkill.exe (PID: 3968)
- taskkill.exe (PID: 1352)
- taskkill.exe (PID: 1308)
- taskkill.exe (PID: 280)
- taskkill.exe (PID: 3728)
- taskkill.exe (PID: 2760)
- taskkill.exe (PID: 1696)
- taskkill.exe (PID: 2116)
- taskkill.exe (PID: 120)
- taskkill.exe (PID: 3608)
- taskkill.exe (PID: 1652)
- taskkill.exe (PID: 3040)
- taskkill.exe (PID: 676)
- taskkill.exe (PID: 3448)
- taskkill.exe (PID: 1740)
- taskkill.exe (PID: 800)
- taskkill.exe (PID: 3648)
- taskkill.exe (PID: 3812)
- taskkill.exe (PID: 1532)
- taskkill.exe (PID: 1260)
- taskkill.exe (PID: 2756)
- taskkill.exe (PID: 1020)
- taskkill.exe (PID: 2952)
- taskkill.exe (PID: 2188)
- taskkill.exe (PID: 1332)
- taskkill.exe (PID: 3536)
- taskkill.exe (PID: 2924)
- taskkill.exe (PID: 2200)
- taskkill.exe (PID: 3440)
- taskkill.exe (PID: 3008)
- taskkill.exe (PID: 2000)
- taskkill.exe (PID: 352)
- taskkill.exe (PID: 3212)
- taskkill.exe (PID: 3024)
- taskkill.exe (PID: 3556)
- taskkill.exe (PID: 456)
- taskkill.exe (PID: 2664)
- taskkill.exe (PID: 3220)
- taskkill.exe (PID: 3712)
- taskkill.exe (PID: 3320)
- taskkill.exe (PID: 3916)
- taskkill.exe (PID: 3512)
- taskkill.exe (PID: 2384)
- taskkill.exe (PID: 3256)
- taskkill.exe (PID: 3628)
- taskkill.exe (PID: 2176)
- taskkill.exe (PID: 3396)
- taskkill.exe (PID: 828)
- taskkill.exe (PID: 3092)
- taskkill.exe (PID: 3908)
- taskkill.exe (PID: 2368)
- taskkill.exe (PID: 2632)
- taskkill.exe (PID: 1824)
- taskkill.exe (PID: 1568)
- taskkill.exe (PID: 3244)
- taskkill.exe (PID: 3244)
- taskkill.exe (PID: 608)
- taskkill.exe (PID: 3716)
- taskkill.exe (PID: 476)
- taskkill.exe (PID: 2976)
- taskkill.exe (PID: 2980)
- taskkill.exe (PID: 2200)
- taskkill.exe (PID: 3024)
- taskkill.exe (PID: 3916)
- taskkill.exe (PID: 2912)
- taskkill.exe (PID: 2336)
- taskkill.exe (PID: 1096)
- taskkill.exe (PID: 2992)
- taskkill.exe (PID: 3628)
- taskkill.exe (PID: 3396)
- taskkill.exe (PID: 2820)
- taskkill.exe (PID: 1920)
- taskkill.exe (PID: 2552)
- taskkill.exe (PID: 3860)
- taskkill.exe (PID: 920)
- taskkill.exe (PID: 3312)
- taskkill.exe (PID: 3448)
- taskkill.exe (PID: 3708)
- taskkill.exe (PID: 3584)
- taskkill.exe (PID: 2116)
- taskkill.exe (PID: 2968)
- taskkill.exe (PID: 3552)
- taskkill.exe (PID: 1664)
- taskkill.exe (PID: 3776)
- taskkill.exe (PID: 2388)
- taskkill.exe (PID: 2636)
- taskkill.exe (PID: 1076)
- taskkill.exe (PID: 3420)
- taskkill.exe (PID: 3108)
- taskkill.exe (PID: 2216)
- taskkill.exe (PID: 3392)
- taskkill.exe (PID: 3380)
- taskkill.exe (PID: 3616)
- taskkill.exe (PID: 1924)
- taskkill.exe (PID: 2316)
- taskkill.exe (PID: 2536)
- taskkill.exe (PID: 3320)
- taskkill.exe (PID: 3656)
- taskkill.exe (PID: 2916)
- taskkill.exe (PID: 2152)
- taskkill.exe (PID: 2272)
- taskkill.exe (PID: 3344)
- taskkill.exe (PID: 1084)
- taskkill.exe (PID: 1548)
- taskkill.exe (PID: 3316)
- taskkill.exe (PID: 3192)
- taskkill.exe (PID: 3712)
- taskkill.exe (PID: 296)
- taskkill.exe (PID: 672)
- taskkill.exe (PID: 2080)
- taskkill.exe (PID: 1728)
- taskkill.exe (PID: 3652)
- taskkill.exe (PID: 3616)
- taskkill.exe (PID: 2320)
- taskkill.exe (PID: 2536)
- taskkill.exe (PID: 1548)
- taskkill.exe (PID: 3224)
- taskkill.exe (PID: 2124)
- taskkill.exe (PID: 592)
- taskkill.exe (PID: 3516)
- taskkill.exe (PID: 2968)
- taskkill.exe (PID: 1904)
- taskkill.exe (PID: 2368)
- taskkill.exe (PID: 1664)
- taskkill.exe (PID: 3956)
- taskkill.exe (PID: 3612)
- taskkill.exe (PID: 3544)
- taskkill.exe (PID: 1396)
- taskkill.exe (PID: 2656)
- taskkill.exe (PID: 2516)
- taskkill.exe (PID: 2128)
- taskkill.exe (PID: 1336)
- taskkill.exe (PID: 3672)
- taskkill.exe (PID: 3984)
- taskkill.exe (PID: 1244)
- taskkill.exe (PID: 1864)
- taskkill.exe (PID: 1040)
- taskkill.exe (PID: 2000)
- taskkill.exe (PID: 3560)
- taskkill.exe (PID: 3452)
- taskkill.exe (PID: 3204)
- taskkill.exe (PID: 3504)
- taskkill.exe (PID: 3156)
- taskkill.exe (PID: 2848)
- taskkill.exe (PID: 1012)
- taskkill.exe (PID: 2728)
- taskkill.exe (PID: 3992)
- taskkill.exe (PID: 3224)
- taskkill.exe (PID: 3152)
- taskkill.exe (PID: 1208)
- taskkill.exe (PID: 3440)
- taskkill.exe (PID: 1420)
- taskkill.exe (PID: 3768)
- taskkill.exe (PID: 2984)
- taskkill.exe (PID: 2944)
- taskkill.exe (PID: 2540)
- taskkill.exe (PID: 3028)
- taskkill.exe (PID: 3624)
- taskkill.exe (PID: 1836)
- taskkill.exe (PID: 3076)
- taskkill.exe (PID: 2428)
- taskkill.exe (PID: 2144)
- taskkill.exe (PID: 3860)
- taskkill.exe (PID: 3080)
- taskkill.exe (PID: 3192)
- taskkill.exe (PID: 3624)
- taskkill.exe (PID: 2456)
- taskkill.exe (PID: 3796)
- taskkill.exe (PID: 2244)
- taskkill.exe (PID: 1260)
- taskkill.exe (PID: 3620)
- taskkill.exe (PID: 2456)
- taskkill.exe (PID: 2924)
- taskkill.exe (PID: 3072)
- taskkill.exe (PID: 3464)
- taskkill.exe (PID: 1344)
- taskkill.exe (PID: 1708)
- taskkill.exe (PID: 2804)
- taskkill.exe (PID: 1472)
- taskkill.exe (PID: 2092)
- taskkill.exe (PID: 2224)
- taskkill.exe (PID: 304)
- taskkill.exe (PID: 2604)
- taskkill.exe (PID: 4000)
- taskkill.exe (PID: 3672)
- taskkill.exe (PID: 2168)
- taskkill.exe (PID: 3584)
- taskkill.exe (PID: 4092)
- taskkill.exe (PID: 3748)
- taskkill.exe (PID: 3740)
- taskkill.exe (PID: 2920)
- taskkill.exe (PID: 3964)
- taskkill.exe (PID: 2856)
- taskkill.exe (PID: 3752)
- taskkill.exe (PID: 968)
- taskkill.exe (PID: 404)
- taskkill.exe (PID: 2648)
- taskkill.exe (PID: 1524)
- taskkill.exe (PID: 3096)
- taskkill.exe (PID: 3096)
- taskkill.exe (PID: 904)
- taskkill.exe (PID: 3292)
- taskkill.exe (PID: 3212)
- taskkill.exe (PID: 3604)
- taskkill.exe (PID: 1020)
- taskkill.exe (PID: 2668)
- taskkill.exe (PID: 2404)
- taskkill.exe (PID: 2760)
- taskkill.exe (PID: 3992)
- taskkill.exe (PID: 2672)
- taskkill.exe (PID: 3528)
- taskkill.exe (PID: 1660)
- taskkill.exe (PID: 3720)
- taskkill.exe (PID: 1480)
- taskkill.exe (PID: 3764)
- taskkill.exe (PID: 3480)
- taskkill.exe (PID: 2332)
- taskkill.exe (PID: 3720)
- taskkill.exe (PID: 3856)
- taskkill.exe (PID: 3432)
- taskkill.exe (PID: 2180)
- taskkill.exe (PID: 3540)
- taskkill.exe (PID: 1904)
- taskkill.exe (PID: 2904)
- taskkill.exe (PID: 2740)
- taskkill.exe (PID: 2596)
- taskkill.exe (PID: 2768)
- taskkill.exe (PID: 640)
- taskkill.exe (PID: 2728)
- taskkill.exe (PID: 1740)
- taskkill.exe (PID: 3196)
- taskkill.exe (PID: 4084)
- taskkill.exe (PID: 1440)
- taskkill.exe (PID: 2808)
- taskkill.exe (PID: 776)
- taskkill.exe (PID: 2720)
- taskkill.exe (PID: 1152)
- taskkill.exe (PID: 2284)
- taskkill.exe (PID: 3324)
- taskkill.exe (PID: 3620)
- taskkill.exe (PID: 2388)
- taskkill.exe (PID: 3716)
- taskkill.exe (PID: 2476)
- taskkill.exe (PID: 2504)
- taskkill.exe (PID: 2152)
- taskkill.exe (PID: 3836)
- taskkill.exe (PID: 3452)
- taskkill.exe (PID: 828)
- taskkill.exe (PID: 3856)
- taskkill.exe (PID: 304)
- taskkill.exe (PID: 3240)
- taskkill.exe (PID: 1524)
- taskkill.exe (PID: 2996)
- taskkill.exe (PID: 3264)
- taskkill.exe (PID: 2928)
- taskkill.exe (PID: 3324)
- taskkill.exe (PID: 852)
- taskkill.exe (PID: 1184)
- taskkill.exe (PID: 1780)
- taskkill.exe (PID: 2464)
- taskkill.exe (PID: 3180)
- taskkill.exe (PID: 2832)
- taskkill.exe (PID: 3660)
- taskkill.exe (PID: 3852)
- taskkill.exe (PID: 3088)
- taskkill.exe (PID: 1796)
- taskkill.exe (PID: 920)
- taskkill.exe (PID: 3184)
- taskkill.exe (PID: 2852)
- taskkill.exe (PID: 2112)
- taskkill.exe (PID: 3376)
- taskkill.exe (PID: 3652)
- taskkill.exe (PID: 3052)
- taskkill.exe (PID: 2660)
- taskkill.exe (PID: 1084)
- taskkill.exe (PID: 3900)
- taskkill.exe (PID: 3400)
- taskkill.exe (PID: 3792)
- taskkill.exe (PID: 2520)
- taskkill.exe (PID: 1784)
- taskkill.exe (PID: 4036)
- taskkill.exe (PID: 2492)
- taskkill.exe (PID: 1924)
- taskkill.exe (PID: 3824)
- taskkill.exe (PID: 3908)
- taskkill.exe (PID: 2508)
- taskkill.exe (PID: 1920)
- taskkill.exe (PID: 2324)
- taskkill.exe (PID: 1380)
- taskkill.exe (PID: 3740)
- taskkill.exe (PID: 3112)
- taskkill.exe (PID: 3392)
- taskkill.exe (PID: 1396)
- taskkill.exe (PID: 628)
- taskkill.exe (PID: 2400)
- taskkill.exe (PID: 3356)
- taskkill.exe (PID: 2592)
- taskkill.exe (PID: 2892)
- taskkill.exe (PID: 2516)
- taskkill.exe (PID: 2168)
- taskkill.exe (PID: 3968)
- taskkill.exe (PID: 2096)
- taskkill.exe (PID: 3072)
Changes the autorun value in the registry
- reg.exe (PID: 2224)
RMS RAT was detected
- winserv.exe (PID: 2796)
SUSPICIOUS
Starts CMD.EXE for commands execution
- exit.exe (PID: 3040)
- exit.exe (PID: 764)
Executable content was dropped or overwritten
- wprgxyeqd79.exe (PID: 3296)
- cmd.exe (PID: 1360)
- uninstall.exe (PID: 3288)
- veter1605_MAPS_10cr0.exe (PID: 3004)
Creates files in the program directory
- uninstall.exe (PID: 3288)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 964)
Reads Windows Product ID
- winserv.exe (PID: 2796)
Reads Environment values
- winserv.exe (PID: 2796)
Reads the machine GUID from the registry
- winserv.exe (PID: 2796)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 964)
Creates files in the user directory
- winserv.exe (PID: 2796)
INFO
Manual execution by user
- EXCEL.EXE (PID: 2876)
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 2876)
Creates files in the user directory
- EXCEL.EXE (PID: 2876)
Dropped object may contain Bitcoin addresses
- wprgxyeqd79.exe (PID: 3296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
533
Monitored processes
502
Malicious processes
8
Suspicious processes
40
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | taskkill /f /im "rundll32.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 120 | taskkill /f /im "rundll32.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 280 | taskkill /f /im "rundll32.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 280 | taskkill /f /im "rundll32.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 296 | taskkill /f /im "rundll32.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 300 | taskkill /f /im "rundll32.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 300 | taskkill /f /im "rundll32.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 304 | taskkill /f /im "rundll32.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 304 | taskkill /f /im "rundll32.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 312 | taskkill /f /im "rundll32.exe" | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
2 687
Read events
2 612
Write events
68
Delete events
7
Modification events
| (PID) Process: | (3188) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3188) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3188) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3188) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\bill notice 05.2019.rar | |||
| (PID) Process: | (3188) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3188) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3188) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3188) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3188) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop | |||
| (PID) Process: | (2876) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
| Operation: | write | Name: | s;= |
Value: 733B3D003C0B0000010000000000000000000000 | |||
Executable files
11
Suspicious files
2
Text files
8
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2876 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR63D3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 3188 | WinRAR.exe | C:\Users\admin\Desktop\bill notice 05.2019.xls | document | |
MD5:— | SHA256:— | |||
| 3296 | wprgxyeqd79.exe | C:\Users\admin\AppData\Local\Temp\kernel.dll | executable | |
MD5:— | SHA256:— | |||
| 2876 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\bill notice 05.2019.xls.LNK | lnk | |
MD5:— | SHA256:— | |||
| 2876 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\pasmmm[1].exe | executable | |
MD5:— | SHA256:— | |||
| 3288 | uninstall.exe | C:\ProgramData\Windows Anytime Upgrade\exit.exe | executable | |
MD5:— | SHA256:— | |||
| 2876 | EXCEL.EXE | C:\Users\Public\wprgxyeqd79.exe | executable | |
MD5:— | SHA256:— | |||
| 3296 | wprgxyeqd79.exe | C:\Users\admin\AppData\Local\Temp\i.cmd | text | |
MD5:— | SHA256:— | |||
| 3288 | uninstall.exe | C:\ProgramData\Windows Anytime Upgrade\i.cmd | text | |
MD5:— | SHA256:— | |||
| 3288 | uninstall.exe | C:\ProgramData\Windows Anytime Upgrade\settings.dat | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
31
DNS requests
4
Threats
63
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3084 | rtegre.exe | GET | — | 193.23.244.244:80 | http://193.23.244.244/tor/status-vote/current/consensus | DE | — | — | malicious |
3084 | rtegre.exe | GET | — | 51.15.187.236:80 | http://51.15.187.236/tor/server/fp/592031cfdba17dd46e1e365e6c60ad1f81655033 | FR | — | — | suspicious |
— | — | GET | — | 137.50.19.11:80 | http://137.50.19.11/tor/server/fp/67cdf7a4d06e98e55aae595bbebf38e64c4ccbf3 | GB | — | — | suspicious |
3084 | rtegre.exe | GET | — | 180.150.226.99:80 | http://180.150.226.99/tor/server/fp/ce3107441b0169882843e77b1bb0bb4a6ca38e0d | KR | — | — | malicious |
3084 | rtegre.exe | GET | — | 51.15.72.159:80 | http://51.15.72.159/tor/server/fp/44df1007b545b4d8057f279025ebb33cf99be227 | FR | — | — | malicious |
3084 | rtegre.exe | GET | — | 98.225.157.78:80 | http://98.225.157.78/tor/server/fp/469305ae56d9f446468e8be8780219eed54eef25 | US | — | — | suspicious |
3084 | rtegre.exe | GET | — | 178.63.172.13:80 | http://178.63.172.13/tor/server/fp/469305ae56d9f446468e8be8780219eed54eef25 | DE | — | — | malicious |
3084 | rtegre.exe | GET | — | 144.76.143.137:80 | http://144.76.143.137/tor/server/fp/c44cc64bed927031a5b3b0a7cdf6a9e28f058b3f | DE | — | — | suspicious |
3084 | rtegre.exe | GET | — | 23.129.64.188:80 | http://23.129.64.188/tor/server/fp/8924b3cce0ebbc6c31d4b085fa72bdfdc64ce0ba | US | — | — | suspicious |
3084 | rtegre.exe | GET | — | 23.129.64.160:80 | http://23.129.64.160/tor/server/fp/bc7acfac04854c77167c7d66b7e471314ed8c410 | US | — | — | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2796 | winserv.exe | 217.12.201.159:5655 | — | ITL Company | NL | suspicious |
2876 | EXCEL.EXE | 47.245.58.124:443 | kentona.su | — | US | suspicious |
3084 | rtegre.exe | 54.243.147.226:443 | api.ipify.org | Amazon.com, Inc. | US | malicious |
3084 | rtegre.exe | 193.23.244.244:80 | — | Chaos Computer Club e.V. | DE | malicious |
3084 | rtegre.exe | 54.37.74.60:443 | — | OVH SAS | FR | suspicious |
3084 | rtegre.exe | 180.150.226.99:80 | — | Korea Telecom | KR | malicious |
3084 | rtegre.exe | 129.6.15.28:13 | time-a.nist.gov | National Bureau of Standards | US | unknown |
— | — | 23.129.64.188:80 | — | — | US | suspicious |
3084 | rtegre.exe | 144.76.143.137:80 | — | Hetzner Online GmbH | DE | suspicious |
— | — | 51.15.187.236:80 | — | Online S.a.s. | FR | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
kentona.su |
| malicious |
www.cloudflare.com |
| whitelisted |
api.ipify.org |
| shared |
time-a.nist.gov |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1048 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
3084 | rtegre.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 279 |
3084 | rtegre.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
3084 | rtegre.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
3084 | rtegre.exe | Misc Attack | ET TOR Known Tor Exit Node Traffic group 24 |
3084 | rtegre.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 24 |
3084 | rtegre.exe | Potential Corporate Privacy Violation | ET P2P Tor Get Server Request |
3084 | rtegre.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 532 |
3084 | rtegre.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 145 |
3084 | rtegre.exe | Potential Corporate Privacy Violation | ET P2P Tor Get Server Request |
4 ETPRO signatures available at the full report
Process | Message |
|---|---|
winserv.exe | Error WTSQueryUserToken #1314 |
winserv.exe | 20-05-2019_15:18:56:626#T:Error #20 @2 |