General Info

File name

123.exe

Full analysis
https://app.any.run/tasks/93ff1707-df2a-43b1-a850-9e18ea1e298f
Verdict
Malicious activity
Analysis date
7/11/2019, 17:49:35
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

cb1c660658312dd77c68a8ce9102b8a0

SHA1

7e4fbbad202835954d10f113ed6774757d8c0398

SHA256

cb0b411cc1f6704c16f3a50aadc6384275ba5b2e17be0a69c632883d83d9cd35

SSDEEP

1536:J4ctAMwflmsolaTIrRuw+mqbz9j1MWLQsgZdO:dqM+lmsolAIrRuw+mqv9j1MWLQFZd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes settings of System certificates
  • 123.exe (PID: 2896)
Renames files like Ransomware
  • 123.exe (PID: 2896)
Creates files like Ransomware instruction
  • 123.exe (PID: 2896)
Executable content was dropped or overwritten
  • 123.exe (PID: 2896)
Creates files in the user directory
  • opera.exe (PID: 3516)
Manual execution by user
  • NOTEPAD.EXE (PID: 2704)
  • opera.exe (PID: 3516)
  • rundll32.exe (PID: 2428)

Static information

TRiD
.exe
|   Generic CIL Executable (.NET, Mono, etc.) (63.1%)
.exe
|   Win64 Executable (generic) (23.8%)
.dll
|   Win32 Dynamic Link Library (generic) (5.6%)
.exe
|   Win32 Executable (generic) (3.8%)
.exe
|   Generic Win/DOS Executable (1.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:07:11 17:06:47+02:00
PEType:
PE32
LinkerVersion:
48
CodeSize:
114176
InitializedDataSize:
5632
UninitializedDataSize:
null
EntryPoint:
0x1dc6a
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
6
Subsystem:
Windows GUI
FileVersionNumber:
1.0.0.0
ProductVersionNumber:
1.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
Comments:
null
CompanyName:
windows
FileDescription:
Bulba
FileVersion:
1.0.0.0
InternalName:
Bulba.exe
LegalCopyright:
Copyright © 2019
LegalTrademarks:
null
OriginalFileName:
Bulba.exe
ProductName:
Bulba
ProductVersion:
1.0.0.0
AssemblyVersion:
1.0.0.0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
11-Jul-2019 15:06:47
Comments:
null
CompanyName:
windows
FileDescription:
Bulba
FileVersion:
1.0.0.0
InternalName:
Bulba.exe
LegalCopyright:
Copyright © 2019
LegalTrademarks:
null
OriginalFilename:
Bulba.exe
ProductName:
Bulba
ProductVersion:
1.0.0.0
Assembly Version:
1.0.0.0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
11-Jul-2019 15:06:47
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00002000 0x0001BC78 0x0001BE00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 4.67063
.rsrc 0x0001E000 0x0000120C 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.80835
.reloc 0x00020000 0x0000000C 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 0.10191
Resources
1

Imports
    mscoree.dll

Exports

    No exports.

Processes

Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes shown in the graph: 123.exe, rundll32.exe (no specs), notepad.exe (no specs), opera.exe
Process information

PID
2896
CMD
"C:\Users\admin\AppData\Local\Temp\123.exe"
Path
C:\Users\admin\AppData\Local\Temp\123.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
windows
Description
Bulba
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\123.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\psapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\propsys.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscorlib.dll
c:\windows\microsoft.net\assembly\gac_msil\system\v4.0_4.0.0.0__b77a5c561934e089\system.dll
c:\windows\microsoft.net\assembly\gac_msil\system.drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.drawing.dll
c:\windows\microsoft.net\assembly\gac_msil\system.configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.configuration.dll
c:\windows\microsoft.net\assembly\gac_msil\system.core\v4.0_4.0.0.0__b77a5c561934e089\system.core.dll
c:\windows\microsoft.net\assembly\gac_msil\system.xml\v4.0_4.0.0.0__b77a5c561934e089\system.xml.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll

PID
2428
CMD
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\displaydemand.jpg.Pox
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll

PID
2704
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\HOW TO DECRYPT FILES.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll

PID
3516
CMD
"C:\Program Files\Opera\opera.exe"
Path
C:\Program Files\Opera\opera.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Opera Software
Description
Opera Internet Browser
Version
1748
Modules
Image
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\opera\opera.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\devenum.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\quartz.dll
c:\program files\adobe\acrobat reader dc\reader\browser\nppdf32.dll
c:\windows\system32\macromed\flash\npswf32_26_0_0_131.dll
c:\program files\java\jre1.8.0_92\bin\dtplugin\npdeployjava1.dll
c:\program files\java\jre1.8.0_92\bin\plugin2\npjp2.dll
c:\progra~1\micros~1\office14\npauthz.dll
c:\progra~1\micros~1\office14\npspwrap.dll
c:\program files\google\update\1.3.34.11\npgoogleupdate3.dll
c:\program files\videolan\vlc\npvlc.dll
c:\program files\adobe\acrobat reader dc\reader\air\nppdf32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\userenv.dll

Registry activity

Total events
277
Read events
191
Write events
86
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
EnableFileTracing
0
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
EnableConsoleTracing
0
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
FileTracingMask
4294901760
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
ConsoleTracingMask
4294901760
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
MaxFileSize
1048576
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASAPI32
FileDirectory
%windir%\tracing
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
EnableFileTracing
0
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
EnableConsoleTracing
0
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
FileTracingMask
4294901760
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
ConsoleTracingMask
4294901760
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
MaxFileSize
1048576
2896
123.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\123_RASMANCS
FileDirectory
%windir%\tracing
2896
123.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
2896
123.exe
write
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\339CDD57CFD5B141169B615FF31428782D1DA639
Blob
––
2896
123.exe
write
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0
Blob
030000000100000014000000F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0140000000100000014000000BBAF7E023DFAA6F13C848EADEE3898ECD93232D40400000001000000100000001EDAF9AE99CE2920667D0E9A8B3F8C9C0F00000001000000300000007CE102D63C57CB48F80A65D1A5E9B350A7A618482AA5A36775323CA933DDFCB00DEF83796A6340DEC5EBF7596CFD8E5D19000000010000001000000082218FFB91733E64136BE5719F57C3A118000000010000001000000045ED9BBC5E43D3B9ECD63C060DB78E5C200000000100000078050000308205743082045CA00302010202102766EE56EB49F38EABD770A2FC84DE22300D06092A864886F70D01010C0500306F310B300906035504061302534531143012060355040A130B416464547275737420414231263024060355040B131D41646454727573742045787465726E616C20545450204E6574776F726B312230200603550403131941646454727573742045787465726E616C20434120526F6F74301E170D3030303533303130343833385A170D3230303533303130343833385A308185310B3009060355040613024742311B30190603550408131247726561746572204D616E636865737465723110300E0603550407130753616C666F7264311A3018060355040A1311434F4D4F444F204341204C696D69746564312B302906035504031322434F4D4F444F205253412043657274696669636174696F6E20417574686F7269747930820222300D06092A864886F70D01010105000382020F003082020A028202010091E85492D20A56B1AC0D24DDC5CF446774992B37A37D23700071BC53DFC4FA2A128F4B7F1056BD9F7072B7617FC94B0F17A73DE3B00461EEFF1197C7F4863E0AFA3E5CF993E6347AD9146BE79CB385A0827A76AF7190D7ECFD0DFA9C6CFADFB082F4147EF9BEC4A62F4F7F997FB5FC674372BD0C00D689EB6B2CD3ED8F981C14AB7EE5E36EFCD8A8E49224DA436B62B855FDEAC1BC6CB68BF30E8D9AE49B6C6999F878483045D5ADE10D3C4560FC32965127BC67C3CA2EB66BEA46C7C720A0B11F65DE4808BAA44EA9F283463784EBE8CC814843674E722A9B5CBD4C1B288A5C227BB4AB98D9EEE05183C309464E6D3E99FA9517DA7C3357413C8D51ED0BB65CAF2C631ADF57C83FBCE95DC49BAF4599E2A35A24B4BAA9563DCF6FAAFF4958BEF0A8FFF4B8ADE937FBBAB8F40B3AF9E843421E89D884CB13F1D9BBE18960B88C2856AC141D9C0AE771EBCF0EDD3DA996A148BD3CF7AFB50D224CC01181EC563BF6D3A2E25BB7B204225295809369E88E4C65F191032D707402EA8B671529695202BBD7DF506A5546BFA0A328617F70D0C3A2AA2C21AA47CE289C064576BF821827B4D5AEB4CB50E66BF44C867130E9A6DF1686E0D8FF40DDFBD042887FA3333A2E5C1E41118163CE18716B2BECA68AB7315C3A6A47E0C37959D6201AAFF26A98AA72BC574AD24B9DBB10FCB04C41E5ED1D3D5E289D9CCCBFB351DAA747E584530203010001A381F43081F1301F0603551D23041830168014ADBD987A34B426F7FAC42654EF03BDE024CB541A301D0603551D0E04160414BBAF7E023DFAA6F13C848EADEE3898ECD93232D4300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF30110603551D20040A300830060604551D200030440603551D1F043D303B3039A037A0358633687474703A2F2F63726C2E7573657274727573742E636F6D2F416464547275737445787465726E616C4341526F6F742E63726C303506082B0601050507010104293027302506082B060105050730018619687474703A2F2F6F6373702E7573657274727573742E636F6D300D06092A864886F70D01010C0500038201010064BF83F15F9A85D0CDB8A129570DE85AF7D1E93EF276046EF15270BB1E3CFF4D0D746ACC818225D3C3A02A5D4CF5BA8BA16DC4540975C7E3270E5D847937401377F5B4AC1CD03BAB1712D6EF34187E2BE979D3AB57450CAF28FAD0DBE5509588BBDF8557697D92D852CA7381BF1CF3E6B86E661105B31E942D7F91959259F14CCEA391714C7C470C3B0B19F6A1B16C863E5CAAC42E82CBF90796BA484D90F294C8A973A2EB067B239DDEA2F34D559F7A6145981868C75E406B23F5797AEF8CB56B8BB76F46F47BF13D4B04D89380595AE041241DB28F15605847DBEF6E46FD15F5D95F9AB3DBD8B8E440B3CD9739AE85BB1D8EBCDC879BD1A6EFF13B6F10386F
2704
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosX
121
2704
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosY
64
2704
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDX
960
2704
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDY
501
3516
opera.exe
write
HKEY_CURRENT_USER\Software\Opera Software
Last CommandLine v2
C:\Program Files\Opera\opera.exe
3516
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US

Files activity

Executable files
1
Suspicious files
49
Text files
4
Unknown types
2

Dropped files

PID
Process
Filename
Type
2896
123.exe
C:\admin\Systems\local.exe
executable
MD5: cb1c660658312dd77c68a8ce9102b8a0
SHA256: cb0b411cc1f6704c16f3a50aadc6384275ba5b2e17be0a69c632883d83d9cd35
2896
123.exe
C:\Users\admin\Downloads\enoughseveral.jpg
––
MD5:  ––
SHA256:  ––
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
––
MD5:  ––
SHA256:  ––
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: 8ebf690f473fef979668963513c93ac7
SHA256: 734681f81322ccf9d327a928ede7b5e219e596d279f8b79a563a8ce4caa2ea5a
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: 59761e989f564f76a3a4b778db7abcf1
SHA256: af879942d234d85c0ce75921dbdda50e2f6d135bd961f259106131751359052b
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat
binary
MD5: 82f1a2b1176a5ecc457d32301e2ad833
SHA256: a783052804dd4c232be2ed3dc00c430cb67a20370890e235562ed2b27b5a602e
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: 9a8247a7db85d3f8c0238e74759d1b17
SHA256: 7a2fef8fbf55cb5ec3d448746cc33aa6341a7a7c1d7a19b3607c22e9dd1af395
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
3516
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms
binary
MD5: 8d2af1b32332cbc3eb43e52363bc928d
SHA256: a8a64be8eab84cf198494b0773676df0fb6cab57e8dc1329ebcfdcd849ebdfe0
3516
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF1603ec.TMP
binary
MD5: 8d2af1b32332cbc3eb43e52363bc928d
SHA256: a8a64be8eab84cf198494b0773676df0fb6cab57e8dc1329ebcfdcd849ebdfe0
3516
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\86U2FRLKXM75QRWDF207.temp
––
MD5:  ––
SHA256:  ––
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml
xml
MD5: 303be429d1f3eb7544c54578edf0ad14
SHA256: 022020d8e819619fee68791c2065a259d538b866f80e41978435309ac011db80
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprF901.tmp
––
MD5:  ––
SHA256:  ––
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini
text
MD5: 8a773ec1e56acdfe7a52190e59cfc7c0
SHA256: a7f448a0cf050ae5707f56268ef810df5ff42e70ee02854c75947c19df5f2aa5
3516
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprF8B1.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928
der
MD5: 1edaf9ae99ce2920667d0e9a8b3f8c9c
SHA256: 4f32d5dc00f715250abcc486511e37f501a899deb3bf7ea8adbbd3aef1c412da
2896
123.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928
binary
MD5: 2b2e8e4692224f08580030522f573e1b
SHA256: 34e3c3c578f5cbdb86a07a907eef1361a9faa3cce3a8687ed75699871bfd9c5c
2896
123.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34DA60AA966CD9270C5362E6AEF824CF
der
MD5: 83e10465b722ef33ff0b6f535e8d996b
SHA256: 02ab57e4e67a0cb48dd2ff34830e8ac40f4476fb08ca6be3f5cd846f646840f0
2896
123.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34DA60AA966CD9270C5362E6AEF824CF
binary
MD5: 0caecac76c16dee9d34961699b8c9fdc
SHA256: 1218e66ef0bd20f277d3340fd4e991c000c4ec400a2a0c2bd7ed01898ba0a89f
3516
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\CACHEDIR.TAG
text
MD5: e717f92fa29ae97dbe4f6f5c04b7a3d9
SHA256: 5bbd5dcbf87fd8cd7544c522badf22a2951cf010ad9f25c40f9726f09ea2b552
2896
123.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: bf9f7b888ef30b2c18357c2cfbbf4b2a
SHA256: 644af7c04969522d40bb1438347dde1e95177ce48457becab3d72a8eac37983b
2896
123.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
compressed
MD5: ea8f42f93bee43a6632dbaddc84bf19a
SHA256: 7cea505e8377dfcce4155bfcc08c8bac011bd181c681c5c5545fca619b4b8f3b
2896
123.exe
C:\Users\admin\AppData\Local\Temp\TarBA2F.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\CabBA2E.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\TarB9DF.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\CabB9DE.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\TarB98F.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\CabB98E.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\TarB844.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\CabB843.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\CabB7E4.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\TarB7E5.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\Cab7CDC.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\Tar7CDD.tmp
––
MD5:  ––
SHA256:  ––
2896
123.exe
C:\Users\admin\AppData\Local\Temp\Tar7CCC.tmp –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\AppData\Local\Temp\Cab7CCB.tmp –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\HOW TO DECRYPT FILES.txt text MD5: b817661349dba849215313d132b8a8f1 SHA256: 826ef587c1c2448f6526f06eefb564ffd9e698734e5e7247a18f5a680170a0e6
2896 123.exe C:\Users\admin\Pictures\publicwrite.png.Pox binary MD5: 988b8c22dcbc1754660d42fe6125dd80 SHA256: 0b551c8456a379ea5f489cfa5122f7caf2abc4eba1a2edac4e78638b45f78586
2896 123.exe C:\Users\admin\Pictures\publicwrite.png –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Pictures\musicaldiscussion.png.Pox binary MD5: 6d21b6908a6ae79e283ab2e843a679e9 SHA256: 4b5bf4ffeeb2a156c061310cc6ee608f3b2679c43ca97b59c4d7220b4f9d820f
2896 123.exe C:\Users\admin\Pictures\musicaldiscussion.png –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Pictures\languageten.jpg.Pox binary MD5: 7e61655b65d09a970c1ab6e2f3c277f2 SHA256: 1a7165492b9f4b9dbdabe5db75bf32c615994aa0a41e8ced35a1a7b09f077383
2896 123.exe C:\Users\admin\Pictures\languageten.jpg –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Pictures\homedifficult.jpg.Pox binary MD5: b965c5e0ab7db4a08d1253b7333428d9 SHA256: fcd15ddc792717c49a54b81eafbb78a6c462b4a2e29c96804dd364299f1d966a
2896 123.exe C:\Users\admin\Pictures\homedifficult.jpg –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Pictures\diseasesure.png.Pox binary MD5: 3168565850ce5c011ff8fb4ead1efdbe SHA256: ab06b9e71ebf31ab6d6b12774560613d287af09711437be67aa52480783ca6dd
2896 123.exe C:\Users\admin\Pictures\diseasesure.png –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Downloads\periodpanel.png.Pox binary MD5: 050b21357a292e6e729b6367bcd8df0c SHA256: 966a31d0cf8fdb080fa70bb5098fdfdee7a550dfa15516ba3220f6871d76c909
2896 123.exe C:\Users\admin\Downloads\periodpanel.png –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Downloads\enoughseveral.jpg.Pox binary MD5: 1bce695666f250ea5f81d989b7720a15 SHA256: 24a68a7d0119394ac7eb0cd0356e483c9aaa04dc4c886fdbb6116eee6585ce5d
3516 opera.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat binary MD5: 7f5dcbf9f067f258078d5071195d5c51 SHA256: fec0be3946fe4780375cee50eb647bea4fb130af228e473fe442b39ff19d0492
2896 123.exe C:\Users\admin\Downloads\describedinstitute.jpg.Pox binary MD5: 9299ec1dd273d902fc1aa4a2a5e12a2b SHA256: d0c50265071783c86a18b194b2f45b578fe2b2fccb384b1bdf18f2b50ea55003
2896 123.exe C:\Users\admin\Downloads\describedinstitute.jpg –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Downloads\collectionjersey.jpg.Pox binary MD5: 69741bcfb183af8a146902e54b3827df SHA256: c7b8e9246c842c838d68473002cb4c59807ed320b0e1dd17fb568594d8cb9855
2896 123.exe C:\Users\admin\Downloads\collectionjersey.jpg –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Downloads\clientsagencies.jpg.Pox binary MD5: 8573ae1f7ca18f569a9a655fc30558c3 SHA256: 7a6b0fe19a4c41ea199f87a88e7c87b0fb10b5a18cfdb31e0f2ec309139bc286
2896 123.exe C:\Users\admin\Downloads\clientsagencies.jpg –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Downloads\chrissouthern.jpg.Pox binary MD5: 577096bb759efaa93a050ad303cbcb9a SHA256: ae195260e288c3bbc952801f6200453a2473e1c4be167a54ff4284354d2dbe01
2896 123.exe C:\Users\admin\Downloads\chrissouthern.jpg –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Downloads\awardlisten.jpg.Pox binary MD5: 62c99905a1bb5231c436cb6b7639e558 SHA256: 406e3e4a626827bf6712f38d64c207f1e2b9c0c69302692af8fa83d75814224d
2896 123.exe C:\Users\admin\Downloads\awardlisten.jpg –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Documents\yetcorporation.rtf.Pox binary MD5: 13f407ba8929e7e3068998d6fdf3e70e SHA256: fc79d3efa30c0a0bae2c97b41935c236d2ad95ad82e6946a38d4cd41bf2fb279
2896 123.exe C:\Users\admin\Documents\yetcorporation.rtf –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Documents\sellhousing.rtf.Pox binary MD5: cbebdda2bbe5d34ddad6e76a9d774b9c SHA256: f2120ad06b5faa685bacc97d10240ba542112125bf8993342016605cf778ff7d
2896 123.exe C:\Users\admin\Documents\sellhousing.rtf –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Documents\politicalit.rtf.Pox binary MD5: 42710557a9d81d43abde4160f99a27bf SHA256: def1e4fb6b39aa54b489d765b1ff370fdaa9dc18590abdde9589b8003c50c565
2896 123.exe C:\Users\admin\Documents\politicalit.rtf –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Documents\monitoringformat.rtf.Pox binary MD5: 0f03c0957233616b723ca3b28dc01561 SHA256: 0d7ccefda0639596c32a53580a44a3f31a03ae0eb87c2431f766a6b77d209bd9
2896 123.exe C:\Users\admin\Documents\monitoringformat.rtf –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Documents\computersmain.rtf.Pox binary MD5: 36586804884a33f5e200254d5f4ddec9 SHA256: acec680d15a91aff11d568e624cc62640e04ee08c9e9951c8274d32cc4625eb2
2896 123.exe C:\Users\admin\Documents\computersmain.rtf –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Contacts\admin.contact.Pox binary MD5: d5148a5e0a570e9d3129d5485f3adff4 SHA256: 179772a0e136e2b6f8289b034cd52c508e905833dd0c397f4f03a978d115b2d4
2896 123.exe C:\Users\admin\Contacts\admin.contact –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Links\RecentPlaces.lnk.Pox binary MD5: 509222fab7e2bcf5a3e57fc31d66cb7f SHA256: ea735c8b7905485d5a897e897cc72e2485dca1f1e6bc934bfe77d5e9e6f96dff
2896 123.exe C:\Users\admin\Links\RecentPlaces.lnk –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Links\Downloads.lnk.Pox binary MD5: ce3902c794e900da2ed4a1672f0dc7b4 SHA256: a9f4a1a9158694665a9e7d63df10c5787db13299ee547543eaf73c55c4d5371f
2896 123.exe C:\Users\admin\Links\Downloads.lnk –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Links\Desktop.lnk.Pox binary MD5: 99aa579727a79f194015dcf90c2680fd SHA256: 1dcae5dda271dffe6864dffe502119852f76f28cd56cd3c4952e18b9c0bae0cd
2896 123.exe C:\Users\admin\Links\Desktop.lnk –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\togethervideo.jpg.Pox binary MD5: d96677a620b0170bc317fb685a0e9cd1 SHA256: b7db8674d2f8cdb155e1c75ddcc17bde780d8288a1918e92d8016331589832a5
2896 123.exe C:\Users\admin\Desktop\togethervideo.jpg –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\testingcum.rtf.Pox binary MD5: 0a2f29da9e602dbc868766ffd0600b5f SHA256: 794d671506a937d6e993c35b037d7b0cb8c79bfc5eb4ebd399ecc5870c9f4493
2896 123.exe C:\Users\admin\Desktop\testingcum.rtf –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\supplyschedule.rtf.Pox binary MD5: 68d06a031d33eb34356a162885fa4f26 SHA256: 92945c0db9391706cadc42d7c02c1e35e8341e411cd174d8bf2e4068ca6d6eb9
2896 123.exe C:\Users\admin\Desktop\supplyschedule.rtf –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\rightsdatabase.jpg.Pox binary MD5: e6bac30a39a172e1ab114fcfdae89724 SHA256: b4332128e2ea4fb7df55a5db86392014563161a2861402ae626822e127b556d5
2896 123.exe C:\Users\admin\Desktop\rightsdatabase.jpg –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\nowcharacter.png.Pox binary MD5: 2bb8697cfc2efb87487fc930faf7b2bf SHA256: f49cf27124f3635b18fb1d18ae8379de295e6b797a5ac8867db7908ec177f75c
2896 123.exe C:\Users\admin\Desktop\nowcharacter.png –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\nakedanimals.png.Pox binary MD5: 91b2c2e0a43012f32c5aa79190caaba1 SHA256: 90b0c27819a858181f62324c6555f0f0d3c3163d6d71ddeeda991cccce7ee7db
2896 123.exe C:\Users\admin\Desktop\nakedanimals.png –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\lightrisk.rtf.Pox binary MD5: 98f2336a641ce8344f3a26bb6e37eb27 SHA256: 0bc66e56949de54b812c28b2fd3aec8ec3d3099a1f83b5fa98da0fb3c827bf1d
2896 123.exe C:\Users\admin\Desktop\lightrisk.rtf –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\infomaterials.png.Pox binary MD5: 2462732eebc3853949bca88fb7949673 SHA256: 41fb333268ff897539daa7cb1d6c8163c08c20a346ca398ebbba9663178c18f2
2896 123.exe C:\Users\admin\Desktop\infomaterials.png –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\displaydemand.jpg.Pox binary MD5: aff457340b4bc0cf0641c54c4de1dccc SHA256: 14c156084a694606ac39876aaa31b67001c3b00bae5c3d3322aa53fe308c0754
2896 123.exe C:\Users\admin\Desktop\displaydemand.jpg –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\communitiesk.png.Pox binary MD5: 99c100f5f9b89509554e72d82f3b4e77 SHA256: 5d6de68d9fa8eb8315fdaffad10043a0c583cd836d6366d5eb59c332f3ed83e8
2896 123.exe C:\Users\admin\Desktop\communitiesk.png –– MD5: –– SHA256: ––
2896 123.exe C:\Users\admin\Desktop\administrationpayment.rtf.Pox binary MD5: 5db72986900ebb65b28d7a3d5c0a74b9 SHA256: 87d414ac4ec0cfd86f8d0221ba65fecbd501edf00c51a0cc3d3515ab25dab3d9
2896 123.exe C:\Users\admin\Desktop\administrationpayment.rtf –– MD5: –– SHA256: ––
3516 opera.exe C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp –– MD5: –– SHA256: ––

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
7
TCP/UDP connections
17
DNS requests
10
Threats
7

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2896 123.exe GET 200 205.185.216.10:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab US compressed –– whitelisted
2896 123.exe GET 200 91.199.212.52:80 http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt GB der –– whitelisted
2896 123.exe GET 200 91.199.212.52:80 http://crt.comodoca.com/COMODORSAAddTrustCA.crt GB der –– whitelisted
2896 123.exe GET 404 81.177.141.81:80 http://kingswagy.ru/Decrypter.exe RU html –– malicious
2896 123.exe GET 404 81.177.141.81:80 http://kingswagy.ru/Decrypter.exe RU html –– malicious
2896 123.exe GET 404 81.177.141.81:80 http://kingswagy.ru/ransom.jpg RU html –– malicious
3516 opera.exe GET 200 93.184.220.29:80 http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl US der –– whitelisted

Download the PCAP, analyze network streams, HTTP content and a lot more in the full report

Connections

PID Process IP ASN CN Reputation
2896 123.exe 88.99.66.31:443 Hetzner Online GmbH DE suspicious
2896 123.exe 91.199.212.52:80 Comodo CA Ltd GB unknown
2896 123.exe 205.185.216.42:80 Highwinds Network Group, Inc. US whitelisted
–– –– 205.185.216.10:80 Highwinds Network Group, Inc. US whitelisted
3516 opera.exe 185.26.182.94:443 Opera Software AS –– malicious
3516 opera.exe 185.26.182.93:443 Opera Software AS –– unknown
2896 123.exe 81.177.141.81:80 JSC RTComm.RU RU malicious
3516 opera.exe 93.184.220.29:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted

DNS requests

Domain IP Reputation
maper.info 88.99.66.31 malicious
crt.comodoca.com 91.199.212.52 whitelisted
www.download.windowsupdate.com 205.185.216.42, 205.185.216.10 whitelisted
kingswagy.ru 81.177.141.81 unknown
certs.opera.com 185.26.182.94, 185.26.182.93 whitelisted
crl4.digicert.com 93.184.220.29 whitelisted

Threats

PID Process Class Message
2896 123.exe Potential Corporate Privacy Violation ET POLICY IP Logger Redirect Domain in SNI
2896 123.exe Potential Corporate Privacy Violation ET POLICY IP Logger Redirect Domain in SNI
2896 123.exe Potential Corporate Privacy Violation ET POLICY IP Logger Redirect Domain in SNI
2896 123.exe Potential Corporate Privacy Violation ET POLICY IP Logger Redirect Domain in SNI
2896 123.exe Potential Corporate Privacy Violation ET POLICY IP Logger Redirect Domain in SNI
2896 123.exe Potential Corporate Privacy Violation ET POLICY IP Logger Redirect Domain in SNI
2896 123.exe Potential Corporate Privacy Violation ET POLICY IP Logger Redirect Domain in SNI

Debug output strings

No debug info.