General Info

File name

PAYMENT COPY_53673672882.tbz.z

Full analysis
https://app.any.run/tasks/ec51a803-a59a-4e78-a10d-b502fc5c59f9
Verdict
Malicious activity
Analysis date
4/15/2019, 11:29:45
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

  • autoit
  • rat
  • nanocore

Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

9dcf4e3203376ee7781922516dea7aa2

SHA1

1220078c0f096d839accc49e3ffe5154fb5b6615

SHA256

c4e9379666dded57b4c71a8531999ade04c21789eee6c61accc25b7e9b8f9f8b

SSDEEP

24576:LMhwXOnEy9znr3/y/F21bXb13SwcRZITV:EwXKR9zragbX5iVR2Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • RegSvcs.exe (PID: 876)
  • kgj.exe (PID: 2712)
  • PAYMENT COPY_53673672882.scr (PID: 2488)
  • kgj.exe (PID: 3552)
NanoCore was detected
  • RegSvcs.exe (PID: 876)
Changes the autorun value in the registry
  • kgj.exe (PID: 2712)
  • RegSvcs.exe (PID: 876)
Executable content was dropped or overwritten
  • kgj.exe (PID: 2712)
  • RegSvcs.exe (PID: 876)
  • PAYMENT COPY_53673672882.scr (PID: 2488)
  • WinRAR.exe (PID: 2076)
Application launched itself
  • kgj.exe (PID: 3552)
Creates files in the user directory
  • RegSvcs.exe (PID: 876)
Starts application with an unusual extension
  • WinRAR.exe (PID: 2076)
Drop AutoIt3 executable file
  • PAYMENT COPY_53673672882.scr (PID: 2488)
Dropped object may contain Bitcoin addresses
  • kgj.exe (PID: 3552)
  • PAYMENT COPY_53673672882.scr (PID: 2488)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.rar | RAR compressed archive (v5.0) (61.5%)
.rar | RAR compressed archive (gen) (38.4%)

Screenshots

Processes

Total processes
36
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph

[Behavior graph: WinRAR.exe → PAYMENT COPY_53673672882.scr → kgj.exe (no specs) → kgj.exe → RegSvcs.exe (#NANOCORE); edges labelled "drop and start" and "start"]

Process information


PID
2076
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PAYMENT COPY_53673672882.tbz.z.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules

PID
2488
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$DIa2076.10996\PAYMENT COPY_53673672882.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\Rar$DIa2076.10996\PAYMENT COPY_53673672882.scr
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules

PID
3552
CMD
"C:\Users\admin\AppData\Local\Temp\60283121\kgj.exe" afo=xpd
Path
C:\Users\admin\AppData\Local\Temp\60283121\kgj.exe
Indicators
No indicators
Parent process
PAYMENT COPY_53673672882.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules

PID
2712
CMD
C:\Users\admin\AppData\Local\Temp\60283121\kgj.exe C:\Users\admin\AppData\Local\Temp\60283121\BKBWW
Path
C:\Users\admin\AppData\Local\Temp\60283121\kgj.exe
Indicators
Parent process
kgj.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules

PID
876
CMD
"C:\Users\admin\AppData\Local\Temp\RegSvcs.exe"
Path
C:\Users\admin\AppData\Local\Temp\RegSvcs.exe
Indicators
Parent process
kgj.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules

Registry activity

Total events
834
Read events
802
Write events
32
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
2076 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\PAYMENT COPY_53673672882.tbz.z.rar
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2076 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @shell32,-10162 | Screen saver
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\Desktop
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | psize | 80
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | type | 120
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_0 | 38000000730100000402000000000000D4D0C800000000000000000000000000300105000000000039000000B40200000000000001000000
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_1 | 38000000730100000500000000000000D4D0C8000000000000000000000000002E01040000000000160000002A0000000000000002000000
2076 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_2 | 38000000730100000400000000000000D4D0C8000000000000000000000000006E0104000000000016000000640000000000000003000000
2488 | PAYMENT COPY_53673672882.scr | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2488 | PAYMENT COPY_53673672882.scr | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2712 | kgj.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdate | C:\Users\admin\AppData\Local\Temp\60283121\kgj.exe C:\Users\admin\AppData\Local\Temp\60283121\AFO_XP~1
876 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TCP Monitor | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe

Files activity

Executable files
5
Suspicious files
1
Text files
55
Unknown types
0

Dropped files


Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
9
DNS requests
0
Threats
0

HTTP requests

No HTTP requests.

Connections

PID | Process | IP | ASN | CN | Reputation
876 | RegSvcs.exe | 95.140.125.22:2643 | Drustvo za telekomunikacije Orion telekom doo Beograd, Gandijeva 76a | RS | unknown
–– | –– | 95.140.125.22:2643 | Drustvo za telekomunikacije Orion telekom doo Beograd, Gandijeva 76a | RS | unknown

DNS requests

No DNS requests.

Threats

No threats detected.

Debug output strings

No debug info.