General Info

File name

NEW%20%20%20ORDER%20101%20%26SPECIFICATION%20FEB%20%20%202019%20SIGNED%20JDE.PDF.z

Full analysis
https://app.any.run/tasks/950ace92-1fe1-4713-b85c-6116319fc8f1
Verdict
Malicious activity
Analysis date
2/11/2019, 10:37:43
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

  • autoit
  • rat
  • nanocore

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

c1cdd10f921cd99f37e8d18b6ad0ad97

SHA1

e3e23770561418fe15e39df311ea312e4f96f2b6

SHA256

d2ca4afee725fb33e2569005d8c09e595d0224862780dc51beee4590a025d67b

SSDEEP

24576:DWixbooHaAvjCXEH8nYYUemtmbhWbf3rUe4C8ISG:a9A0EMYYUesmb0r3wIr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes the autorun value in the registry
  • RegSvcs.exe (PID: 3952)
  • nxk.exe (PID: 3248)
Application was dropped or rewritten from another process
  • NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe (PID: 1032)
  • nxk.exe (PID: 2800)
  • nxk.exe (PID: 3248)
NanoCore was detected
  • RegSvcs.exe (PID: 3952)
Creates files in the user directory
  • RegSvcs.exe (PID: 3952)
Connects to unusual port
  • RegSvcs.exe (PID: 3952)
Drop AutoIt3 executable file
  • NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe (PID: 1032)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 3004)
  • NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe (PID: 1032)
Application launched itself
  • nxk.exe (PID: 2800)
Dropped object may contain Bitcoin addresses
  • nxk.exe (PID: 2800)
  • NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe (PID: 1032)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.zip: ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:02:10 18:01:27
ZipCRC:
0x838b9c3b
ZipCompressedSize:
871873
ZipUncompressedSize:
933336
ZipFileName:
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe

Processes

Total processes
35
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

[graph image not reproduced] Process chain shown in the graph: WinRAR.exe → NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe → nxk.exe → nxk.exe → RegSvcs.exe (#NANOCORE)

Process information

PID
3004
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ce8c186e-3443-4e5c-b282-d06472615bfc.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
1032
CMD
"C:\Users\admin\Desktop\NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe"
Path
C:\Users\admin\Desktop\NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\new order 101 &specification feb 2019 signed jde.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\87181008\nxk.exe

PID
2800
CMD
"C:\Users\admin\AppData\Local\Temp\87181008\nxk.exe" hrn=olx
Path
C:\Users\admin\AppData\Local\Temp\87181008\nxk.exe
Indicators
No indicators
Parent process
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\87181008\nxk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3248
CMD
C:\Users\admin\AppData\Local\Temp\87181008\nxk.exe C:\Users\admin\AppData\Local\Temp\87181008\ZKHFU
Path
C:\Users\admin\AppData\Local\Temp\87181008\nxk.exe
Indicators
Parent process
nxk.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\87181008\nxk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
3952
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
nxk.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

Registry activity

Total events
816
Read events
788
Write events
28
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
3004 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\ce8c186e-3443-4e5c-b282-d06472615bfc.zip
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFED00000069000000AD0400005E020000
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\AppData\Local\Temp
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | psize | 80
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | type | 120
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_0 | 38000000730100000402000000000000D4D0C800000000000000000000000000860102000000000039000000B40200000000000001000000
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_1 | 38000000730100000500000000000000D4D0C8000000000000000000000000008801030000000000160000002A0000000000000002000000
3004 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_2 | 38000000730100000400000000000000D4D0C800000000000000000000000000980103000000000016000000640000000000000003000000
1032 | NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
1032 | NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3248 | nxk.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdate | C:\Users\admin\AppData\Local\Temp\87181008\nxk.exe C:\Users\admin\AppData\Local\Temp\87181008\HRN_OL~1
3952 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TCP Monitor | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe

Files activity

Executable files
2
Suspicious files
0
Text files
51
Unknown types
0

Dropped files

PID
Process
Filename
Type
3004
WinRAR.exe
C:\Users\admin\Desktop\NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
executable
MD5: c1dd858ce6f7c27300af55a0f376fe09
SHA256: 74061ec39aba6ba864acccecb3506e367d669303a11d43e3bd84b9fb532f5b73
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\nxk.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\qxc.xl
text
MD5: d1d3b2964838ce780953b590361d6686
SHA256: 76b991484c0caa6aebe01fc79efeb01908ed40137699fe557baf64066fe781df
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\paa.icm
text
MD5: 29078faa7f12fd40365a429437685201
SHA256: 1073eef46706f71fca3b32499f96f074a4c2d5509d8c80ec667c8b0ff931ab1a
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\bjg.txt
text
MD5: 918c883512bd6d683a7cbe1cedabcf86
SHA256: 8cfd389383fd93d5571f769ddbd62556d13849c08352a36e784993952d1bb04a
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\kcn.ppt
text
MD5: b9404b159debea4cd8306581e1466003
SHA256: 49bc73dea784a6db901c4689fa1201ae23fedcb7e371ce9fa78b4a27535ed086
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\vie.bmp
text
MD5: 8950cddd8715a12dc96478ccf177ecea
SHA256: a3fb243675b29134365e9c6642ff35c971138c12cf44c99b6ef2f7244830fe40
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\igx.docx
text
MD5: 4d11b45a685f1a31af845f4a65c64d3c
SHA256: 4399a27d8b47b5cd494e7e9d6841495337c392cdc6a66d56828982614c58cabd
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\cjd.ico
text
MD5: 9bf5d00beaa94535ffdc4cd8e7851c78
SHA256: f05421743b3f0fd1b67a83f7aa2961504b5c145777bcdda8f089179a0e22be44
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\sjb.icm
text
MD5: 5f0bebe68b88e3aaa80260c87658714c
SHA256: 41f15c4636242344e9db4657e43564ffc129416257fa109d495a1dddf5d7761f
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\wta.pdf
text
MD5: ef0c34afe0164258685afec9eda46be6
SHA256: 0256c29cdd36632315d8406e5de92606c2ae95aa8f8cc5daf55ca35be138fdea
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\fjf.mp4
text
MD5: c3b7d2d66633c88cd2daa0b954bde546
SHA256: bb8640e344909308f3371a1e590811d67ec02b7f3e5674bbf6d2de6b8e62738a
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\wmk.ico
text
MD5: a8c5c3950ad22fd591aa8ad7b8a7e343
SHA256: 48575074f408df485eeee3458d90230a0ddec8b75af502800c4b841ef2c5fc0d
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\nbo.txt
text
MD5: b369e16f346db469ad5d36fddf25a9b9
SHA256: 0bae3be0fd3a8e75f7c4aa66c4a91ba1bdb61d7fb01025c229ac1963cd21ae98
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\gqo.docx
text
MD5: 7f453251c25ca11c154437ac3b1c56ce
SHA256: c99e27cc6785d5f317d78762c9b38d8ad6569b5bb7cfc6aed422a33a4c44bb3e
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\lpp.txt
text
MD5: a73ac700f9032ad6db9a39d66600028d
SHA256: f576aea0ae6f988d8c2e39e68c343945be4e78b423eda15e2f4f14fd465d356e
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\mcp.dat
text
MD5: 4651f1dceb1536c9627d1a8d7f6fbd55
SHA256: 6a45df3646b7f3efa60100bddb88e93b75d1665d43337029faa405395e55b1d3
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\jio.pdf
text
MD5: d47629193fca7e101b419970956cbd7e
SHA256: e79e91e038f923c47c3099dc507b5fcf9818cc52f7a2cb67924c86402b562937
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\ixm.ico
text
MD5: 056dfb1e93c0cb133169b5099ff6fbbc
SHA256: 0ebb4d2283142c8797c60f1e62263f759825446ce57fa92b224e28a6c1031799
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\rio.xl
text
MD5: de82ba35cd6cd0ef3bc6e301622b92cb
SHA256: 356c3e18659bbf96a436efc2430785419c16232c55d6f49d256191e97f4a3111
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\cek.icm
text
MD5: 76efbaca1e9244516b9269fa17f8f894
SHA256: f5bf7e951a5376bc21b7a226a7897ba0c9d77934aaa435c72fe52ebfb31a332d
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\esn.xl
text
MD5: 12803ac563d183f3b45144f5c85fe0fc
SHA256: 9b3ea9b216da3ce3507b4bb67a2ad11a69cd1bbd4e3cc541618bcc4971e99a8d
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\rbq.ico
text
MD5: 934b1de46840966bb2843a77bfcd38c7
SHA256: 81ecd279d2bd04d5f28e12fd61894cafb932ba293b6c8bf8e6b138b3030a39ab
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\sob.docx
text
MD5: 79f8827f09ddebf13a70986e7c8690bd
SHA256: e7444a73f0f53d3bd73b014e7dcdc9762c383e4c73377b28a2d787c46c48d8f9
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\qqv.docx
text
MD5: 66e78cf9eae015eb31e85a97f1c31f9e
SHA256: 3ca07a6b8306ccac0afbe5d111dafa075d8395d411deb607fb68839618994c2f
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\onx.bmp
text
MD5: 016044548f17e4f3dff780fad9693ad9
SHA256: 3c799fc88c79124162b9c78f12d2b72ff5402a4656fdfdb047a981c159bea723
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\pxu.icm
text
MD5: 0e99c5c2ad254c18cf4b877b2ead3c14
SHA256: 79da09ac1c70da4d0db4213a44a679fc86bd8ff2aecef19e6129bf8e7c338b0f
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\kgp.dat
text
MD5: 2371c1a6c4d4d29a46fe9a875e0f5747
SHA256: 03e3cdf1520e320ddaa5d8e744e85171b561d08bac5767b96a61cc0a071f6f93
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\iec.bmp
text
MD5: 80c1fa63046628e97991d7cab4fe0da0
SHA256: 6e4a6db7e1b996f116c25f9e0b5d45ecda046b2aff41f9fbb47f36b12d77ec8d
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\bpg.bmp
text
MD5: 923604cef822564f9f73c96d0d90f7c9
SHA256: 9b617a79c618f1bab32939e5acba9ed1f7d20f82f6fbcbce2cd624d9237a8eeb
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\vss.xl
text
MD5: 838ffdff7944bcf865e91034adb4a9f9
SHA256: 949485b4e2edb0ad45380d18d70ab6facf93bef9bcc0756269b48d55806f1bfa
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\akf.xl
text
MD5: 1df6b61267374ca8a8297bfb47b1a6a8
SHA256: 57d049f126cea6f1c23458a8a736cb6191651b7682da6dc75a09146a0c4bfae6
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\eed.txt
text
MD5: 0263783580ee0a2acfd143a6eb09b65c
SHA256: 5638e0bfe9327dd3aba19038d1262c1c1ad5982e58541f77586fee40a71fc373
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\wst.ico
text
MD5: d6b8558046976b2aee648c072c015732
SHA256: 74af043d15849de04b9345b10360a86cfc84ef36726cdb9007d41a976dd3a56e
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\aaa.ico
text
MD5: 2b92f7195847215e36eb04e7af736773
SHA256: d2264d454d67b9dfcc98192dc63a271f9434e98a01be60e49f5b643aa7c9e1df
2800
nxk.exe
C:\Users\admin\AppData\Local\Temp\87181008\ZKHFU
text
MD5: 5160db9f230b9b663db41cd41e08fe3b
SHA256: 484ffdca131017ba7fb2b4b10aa83fbd0d3161f7f0eb71fe12a6e6f8a7b31aa3
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\psx.xl
text
MD5: 00110fede97d2e63a6f9db08ecc2d8a1
SHA256: 438d8e06f74a49ccb702fe2b8bcf65854a5f5495225153c06f8ebfcbf44a2d9c
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\jov.icm
text
MD5: 0ce5e1f24b425bf08fb6b40cc1123f4c
SHA256: adc09c7562256704ab60a40cdf67351c4e08ed11d9450c8cd7c9703ba18cfc1f
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\pcs.dat
text
MD5: 70b268a42a6f38264d202406693f5475
SHA256: 7e9dc6a79de0449affd55fec8f093e90479ad69c089db6732423afe14f71bf5f
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\hjt.txt
text
MD5: efeb56798667ceba2e85d43325320499
SHA256: fc73af0bd8eb69c56fe7e89ce2067960dfa6f36182af398b53235b7bae129dc1
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\pxv.ico
text
MD5: f01b86e315a6f4d145e2002877ba064a
SHA256: 4abdcf1e175a37840fda826977f2b991a71c4200f001c34371e9b18671763b98
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\igk.docx
text
MD5: 5d766ea79a7c06a9b6b5e666144a6a91
SHA256: 961eb0d555d6ab553f5688effa35013d5a37a9aa4b7ffec5c2467fa93ab869c1
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\twn.xl
text
MD5: 6b03ea930387be2c602569e91fcec10b
SHA256: 7b83ff22e6637f14a9ddc0157f83d9df4129eae9e5ea787fec6547a59f6546ee
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\oao.icm
text
MD5: eb1b464737f66e8c46751ce642339e58
SHA256: 2690f3328415a071a462077ac115b05a0026707e5979ce7d0fea80cc3508209a
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\jjd.pdf
text
MD5: e0c8f8273f183f2255bfd736905280fd
SHA256: 9e37dcdf84da06a87cb8711422db7d53d0ca14e30f45bbd705a5c20fce9caedf
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\dqu.icm
text
MD5: 79e053cb582b1cfef41b80fdfa129779
SHA256: c3c6d1db602a3f8536b91ccf90345215a8733c0900afd25ce394a187170c0b5e
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\hml.jpg
text
MD5: b8b3c397a69ecb54c4e6730482e043f4
SHA256: ae648108655f06d0158a67da24f7d35be5f0aedb20a0e5c0cfdf851cedea274a
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\mkc.dat
text
MD5: edad0683002c66a575cc0ddea43016f1
SHA256: 6d008f992412b142939a6376a345a4366cd19f0929642c7827d386af6cbc5ad9
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\kve.dat
text
MD5: 60f516d0dc2db256b22417ef7f5d9df5
SHA256: 92774ae5ac4f68398385dc406b88075c4784e9a1bb316ba99c0c6047b45ca677
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\cjd.txt
text
MD5: 7577455a0e9102ebe79b9ec051f99d50
SHA256: f61179d4e663b40ca7e011902c227c8b80c74c7da4f8be625fcd73c76dd5be41
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\fia.pdf
text
MD5: c83924238cb92459941e4844220e5d63
SHA256: 94982e72993a043475cec043b1a466c8f2e5e923fea309432d9c5bf3f6d22089
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\hrn=olx
text
MD5: f53d33154ffed584ae89051eaef1d972
SHA256: 8f448d0d354ad8e2429ca3efd403418c2bb774e61c7dbc7a0ce9e69c6e7f22f3
1032
NEW ORDER 101 &SPECIFICATION FEB 2019 SIGNED JDE.exe
C:\Users\admin\AppData\Local\Temp\87181008\wwt.dat
text
MD5: 1271ecc9c042d9936f92382e1db7e1c3
SHA256: cff0dff925b4a9680ad42ea9fa799985109fc7e52d0e58c76f53d8be6ad6ff71

Find more information on the static content, and download it, in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
61
DNS requests
21
Threats
0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3952 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
3952 RegSvcs.exe 185.244.30.97:3439 –– malicious

DNS requests

Domain IP Reputation
elvis4.ddns.net 185.244.30.97 malicious

Threats

No threats detected.

Debug output strings

No debug info.