File name:

Invoice_K857412496.mht

Full analysis: https://app.any.run/tasks/e5c3c980-2f0e-465c-a6d2-5bf11240e142
Verdict: Malicious activity
Threats:

Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.

Malware Trends Tracker     >>>
Analysis date: February 18, 2019, 14:43:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
adwind
Indicators:
MIME: text/plain
File info: MIME entity, ASCII text, with CRLF line terminators
MD5:

CA5C2CB3AA44B62B7E2D22D2EACCEFC7

SHA1:

A69512C5259C233820DE9D9BCC6BF64646ADF7C9

SHA256:

D48A0760C1CB8E9140789260A394090D254D616A9F4E7169290B64E737E6EE11

SSDEEP:

6:3XmMQ8a0NNEXW0YVIUOAQ0kJgon3emJCQ9MfUKCK3XViATqb4g+:3XmMQYf1IRAQ0Atn3ec9eUKuAWb4g+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 3792)
      • reg.exe (PID: 2588)

    • ADWIND was detected

      • javaw.exe (PID: 2228)

    • Connects to CnC server

      • javaw.exe (PID: 2228)

  • SUSPICIOUS

    • Executes JAVA applets

      • iexplore.exe (PID: 3256)
      • javaw.exe (PID: 3024)

    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 3024)
      • javaw.exe (PID: 2228)

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3024)
      • javaw.exe (PID: 2228)

    • Creates files in the user directory

      • javaw.exe (PID: 3024)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • javaw.exe (PID: 3024)

    • Application launched itself

      • javaw.exe (PID: 3024)

    • Connects to unusual port

      • javaw.exe (PID: 2228)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3576)

    • Application launched itself

      • iexplore.exe (PID: 3256)

    • Changes internet zones settings

      • iexplore.exe (PID: 3256)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3576)
      • iexplore.exe (PID: 3256)
      • iexplore.exe (PID: 3628)

    • Reads Microsoft Office registry keys

      • iexplore.exe (PID: 3256)

    • Creates files in the user directory

      • iexplore.exe (PID: 3628)
      • iexplore.exe (PID: 3256)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
12
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe no specs iexplore.exe javaw.exe no specs reg.exe no specs reg.exe attrib.exe no specs attrib.exe no specs #ADWIND javaw.exe reg.exe no specs reg.exe attrib.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1012attrib +s +h +r "C:\Users\admin\AppData\Roaming\UpdatesJava"C:\Windows\system32\attrib.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
2228"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\UpdatesJava\UpdatesJava.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2588reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v UpdatesJava /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\AppData\Roaming\UpdatesJava\UpdatesJava.jar\"" /fC:\Windows\system32\reg.exe
javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3004reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v UpdatesJava /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\AppData\Roaming\UpdatesJava\UpdatesJava.jar\"" /fC:\Windows\system32\reg.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3016reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v UpdatesJava /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\AppData\Roaming\UpdatesJava\UpdatesJava.jar\"" /fC:\Windows\system32\reg.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3024"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Invoice_K98574124623[1].jar" C:\Program Files\Java\jre1.8.0_92\bin\javaw.exeiexplore.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3256"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Invoice_K857412496.mhtC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3328attrib +H C:\Users\admin\.Plugins3C:\Windows\system32\attrib.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3576"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3256 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3628"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3256 CREDAT:137473C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
867
Read events
770
Write events
94
Delete events
3

Modification events

(PID) Process:(3256) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3256) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3256) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3256) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(3256) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3256) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3256) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{8B949BD9-338B-11E9-91D7-5254004A04AF}
Value:
0
(PID) Process:(3256) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(3256) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(3256) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E3070200010012000E002B001A00DE00
Executable files
2
Suspicious files
1
Text files
11
Unknown types
3

Dropped files

PID
Process
Filename
Type
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3628iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@uclaut[1].txt
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF1DCA731FE29A2DB3.TMP
MD5:
SHA256:
3576iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\wbk5BED.tmptext
MD5:
SHA256:
3628iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@myqbd[1].txttext
MD5:
SHA256:
3256iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{8B949BDB-338B-11E9-91D7-5254004A04AF}.datbinary
MD5:
SHA256:
3628iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@uclaut[2].txttext
MD5:
SHA256:
3576iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\wbk5D75.tmptext
MD5:
SHA256:
3628iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Invoice_K98574124623[1].jarjava
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
6
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3628
iexplore.exe
GET
301
104.24.4.46:80
http://j.gs/CKyy
US
malicious
3628
iexplore.exe
GET
302
104.18.55.84:80
http://uclaut.net/-12YGPJ/CKyy?rndad=3110648295-1550501010
US
malicious
3256
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3256
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3628
iexplore.exe
192.185.175.157:443
lifeskillsmagicschool.com
CyrusOne LLC
US
suspicious
3628
iexplore.exe
104.28.27.34:443
www.myqbd.com
Cloudflare Inc
US
shared
3628
iexplore.exe
104.24.4.46:80
j.gs
Cloudflare Inc
US
shared
3628
iexplore.exe
104.18.55.84:80
uclaut.net
Cloudflare Inc
US
shared
2228
javaw.exe
54.37.240.234:3040
dxyasser0.linkpc.net
OVH SAS
FR
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
lifeskillsmagicschool.com
  • 192.185.175.157
suspicious
www.myqbd.com
  • 104.28.27.34
  • 104.28.26.34
unknown
j.gs
  • 104.24.4.46
  • 104.24.5.46
malicious
uclaut.net
  • 104.18.55.84
  • 104.18.54.84
malicious
dxyasser0.linkpc.net
  • 54.37.240.234
malicious

Threats

PID
Process
Class
Message
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Possible JavaRAT(Qarallax/QRat) 4byte TCP serialization java stream
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Backdoor.Java.QRat.gen
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adwind.RAT v.3.0 Check-in
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adwind.RAT v.3.0 Check-in
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adwind.RAT v.3.0 Check-in
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adwind.RAT v.3.0 Check-in
2228
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adwind.RAT v.3.0 Check-in
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Invoice_K857412496.mht