General Info

File name

LCM.rar

Full analysis
https://app.any.run/tasks/f18cdd3a-86c0-43e2-aea7-ffc274580a25
Verdict
Malicious activity
Analysis date
9/11/2019, 09:06:13
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

keylogger

rat

nanocore

trojan

remcos

Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

63f958df81a489d497ad2aa53911e888

SHA1

a9a019c0c89675ded0169caeabfab56024654cd9

SHA256

dcfb8b09bc3c452c697115f77ea646387a9553aed083f747127cbab70bbf0929

SSDEEP

12288:qcO9kmU9rgoC71t9CvfKpCsKEGVI0Wf6rpVNA8xJWLeobcth3bu4UmyQmkJIDR:qiS6vSwsKZQfwz68xJWiRNEmLp+V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads the Task Scheduler COM API
  • schtasks.exe (PID: 1348)
  • schtasks.exe (PID: 2376)
Application was dropped or rewritten from another process
  • win-server.exe (PID: 2520)
  • sek.exe (PID: 2836)
  • sek.exe (PID: 2952)
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 2420)
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 3276)
Uses Task Scheduler to run other applications
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 3276)
Changes the autorun value in the registry
  • win-server.exe (PID: 2520)
  • sek.exe (PID: 2836)
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 3276)
  • iexplore.exe (PID: 3184)
Uses SVCHOST.EXE for hidden code execution
  • iexplore.exe (PID: 3184)
REMCOS was detected
  • iexplore.exe (PID: 3184)
Detected logs from REMCOS RAT
  • iexplore.exe (PID: 3184)
Known privilege escalation attack
  • sek.exe (PID: 2836)
  • sek.exe (PID: 2952)
Connects to CnC server
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 3276)
  • iexplore.exe (PID: 3184)
NANOCORE was detected
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 3276)
Starts Internet Explorer
  • win-server.exe (PID: 2520)
Uses TASKKILL.EXE to kill process
  • cmd.exe (PID: 2224)
Starts CMD.EXE for self-deleting
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 3276)
Starts CMD.EXE for commands execution
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 3276)
  • WScript.exe (PID: 936)
Writes files like Keylogger logs
  • iexplore.exe (PID: 3184)
  • sek.exe (PID: 2836)
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 3276)
Creates files in the user directory
  • sek.exe (PID: 2836)
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 3276)
Executes scripts
  • sek.exe (PID: 2836)
Modifies the open verb of a shell class
  • sek.exe (PID: 2836)
  • sek.exe (PID: 2952)
Executable content was dropped or overwritten
  • sek.exe (PID: 2836)
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 3276)
  • WinRAR.exe (PID: 3020)
Creates files in the user directory
  • iexplore.exe (PID: 3184)
Manual execution by user
  • REVISED FINAL CARGO MANIFEST COPY_pdf.exe (PID: 2420)


Static information

TRiD
.rar | RAR compressed archive (v5.0) (61.5%)
.rar | RAR compressed archive (gen) (38.4%)

Processes

Total processes
59
Monitored processes
17
Malicious processes
9
Suspicious processes
0

Behavior graph

start drop and start winrar.exe revised final cargo manifest copy_pdf.exe no specs #NANOCORE revised final cargo manifest copy_pdf.exe sek.exe no specs eventvwr.exe no specs eventvwr.exe sek.exe wscript.exe no specs cmd.exe no specs win-server.exe #REMCOS iexplore.exe svchost.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs taskkill.exe no specs ping.exe no specs
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3020
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\LCM.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2420
CMD
"C:\Users\admin\Desktop\REVISED FINAL CARGO MANIFEST COPY_pdf.exe"
Path
C:\Users\admin\Desktop\REVISED FINAL CARGO MANIFEST COPY_pdf.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
sMArT
Description
atwain
Version
1.03.0002
Modules
Image
c:\users\admin\desktop\revised final cargo manifest copy_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\version.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll

PID
3276
CMD
"C:\Users\admin\Desktop\REVISED FINAL CARGO MANIFEST COPY_pdf.exe"
Path
C:\Users\admin\Desktop\REVISED FINAL CARGO MANIFEST COPY_pdf.exe
Indicators
Parent process
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
sMArT
Description
atwain
Version
1.03.0002
Modules
Image
c:\users\admin\desktop\revised final cargo manifest copy_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\version.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\sek.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shfolder.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\psapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\devenum.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll

PID
2952
CMD
"C:\Users\admin\sek.exe"
Path
C:\Users\admin\sek.exe
Indicators
No indicators
Parent process
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\sek.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\eventvwr.exe
c:\windows\system32\mpr.dll

PID
2292
CMD
"C:\Windows\System32\eventvwr.exe"
Path
C:\Windows\System32\eventvwr.exe
Indicators
No indicators
Parent process
sek.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Event Viewer Snapin Launcher
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\eventvwr.exe
c:\systemroot\system32\ntdll.dll

PID
3948
CMD
"C:\Windows\System32\eventvwr.exe"
Path
C:\Windows\System32\eventvwr.exe
Indicators
Parent process
sek.exe
User
admin
Integrity Level
HIGH
Exit code
3221225547
Version:
Company
Microsoft Corporation
Description
Event Viewer Snapin Launcher
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\eventvwr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\sek.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll

PID
2836
CMD
"C:\Users\admin\sek.exe"
Path
C:\Users\admin\sek.exe
Indicators
Parent process
eventvwr.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\sek.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wscript.exe

PID
936
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
sek.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\mlang.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll

PID
3732
CMD
"C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\System\win-server.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\system\win-server.exe

PID
2520
CMD
C:\Users\admin\AppData\Roaming\System\win-server.exe
Path
C:\Users\admin\AppData\Roaming\System\win-server.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\system\win-server.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\apphelp.dll

PID
3184
CMD
"C:\Program Files\Internet Explorer\iexplore.exe"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
win-server.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

PID
4024
CMD
C:\Windows\system32\svchost.exe
Path
C:\Windows\system32\svchost.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
1348
CMD
"schtasks.exe" /delete /f /tn "TCP Monitor"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
2376
CMD
"schtasks.exe" /delete /f /tn "TCP Monitor Task"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
2224
CMD
"cmd.exe" /C taskkill /f /im "REVISED FINAL CARGO MANIFEST COPY_pdf.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\Users\admin\Desktop\REVISED FINAL CARGO MANIFEST COPY_pdf.exe" & del /f /q "C:\Users\admin\Desktop\REVISED FINAL CARGO MANIFEST COPY_pdf.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
304
CMD
taskkill /f /im "REVISED FINAL CARGO MANIFEST COPY_pdf.exe"
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2732
CMD
ping -n 1 -w 3000 1.1.1.1
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

Registry activity

Total events
1336
Read events
1128
Write events
208
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3020
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3020
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3020
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3020
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\LCM.rar
3020
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3020
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3020
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3020
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3020
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\Desktop
3276
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3276
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3276
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
TCP Monitor
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
2952
sek.exe
write
HKEY_CURRENT_USER\Software\SystemServer-VT0N9U
origmsc
E2B895A9C13D10443426125E13C2737BF053D8F49E0A8E30AD0C517CBCF944CF1E5060E5ECB4
2952
sek.exe
write
HKEY_CLASSES_ROOT\mscfile\shell\open\command
(Default)
C:\Users\admin\sek.exe
2952
sek.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2952
sek.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3948
eventvwr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3948
eventvwr.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2836
sek.exe
write
HKEY_CLASSES_ROOT\mscfile\shell\open\command
(Default)
%SystemRoot%\system32\mmc.exe "%1" %*
2836
sek.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SystemServer
"C:\Users\admin\AppData\Roaming\System\win-server.exe"
2836
sek.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2836
sek.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
936
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
936
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2520
win-server.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SystemServer
"C:\Users\admin\AppData\Roaming\System\win-server.exe"
2520
win-server.exe
write
HKEY_CURRENT_USER\Software\SystemServer-VT0N9U
exepath
84EBD6DAE95828162849037B3DB17908D836D4C7C8568E5DA7225A0485D927EA5F7230C082B4E989F258E37217ABB1A56896E13B2A16F06AD037526CE1186194A08DD870C1C6C0E41A99674F7A9B6D9F71603A938B3A40A644DC7540B04DD34D6328951BB997F9EF0C36
2520
win-server.exe
write
HKEY_CURRENT_USER\Software\SystemServer-VT0N9U
licence
98716DD66F691F6FB65C51B7285094FC
2520
win-server.exe
write
HKEY_CURRENT_USER\Software\SystemServer-VT0N9U
Inj
1
3184
iexplore.exe
write
HKEY_CURRENT_USER\Software\SystemServer-VT0N9U
WD
3184
3184
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SystemServer
"C:\Users\admin\AppData\Roaming\System\win-server.exe"
3184
iexplore.exe
write
HKEY_CURRENT_USER\Software\SystemServer-VT0N9U
exepath
84EBD6DAE95828162849037B3DB17908D836D4C7C8568E5DA7225A0485D927EA5F7230C082B4E989F258E37217ABB1A56896E13B2A16F06AD037526CE1186194A08DD870C1C6C0E41A99674F7A9B6D9F71603A938B3A40A644DC7540B04DD34D6328951BB997F9EF0C36
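
The registry rows above carry the two behaviours worth alerting on in this run: Run-key persistence into the user profile (the "TCP Monitor" and "SystemServer" values) and the rewrite of the HKEY_CLASSES_ROOT\mscfile\shell\open\command handler to C:\Users\admin\sek.exe, followed by an eventvwr.exe launch and a restore to mmc.exe, which is consistent with the known mscfile/eventvwr.exe UAC-bypass technique (whether it actually elevated is not shown in these rows). The process list earlier also shows the taskkill / ping / type nul / del chain cmd.exe used to erase the dropper from the Desktop. The script below is an added triage example, not ANY.RUN code or the malware's: its event records are constructed from the report's own rows (long values abridged), the regexes and the third, non-matching cleanup command line are assumptions for illustration, and it flags all three behaviours.

```python
"""Triage helpers for the registry and process records in the report above.

Added example (not ANY.RUN code): flags Run-key persistence into the user profile,
the HKCR\\mscfile\\shell\\open\\command hijack/restore pair, and the taskkill / ping /
del self-deletion chain.  Sample events are constructed from the report's own rows.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegWrite:
    pid: int
    process: str
    key: str
    name: str      # "" means the key's (Default) value
    value: str


# Constructed from the "Modification events" table above.
REG_EVENTS = [
    RegWrite(3020, "WinRAR.exe",
             r"HKEY_CURRENT_USER\Software\WinRAR\ArcHistory", "0",
             r"C:\Users\admin\AppData\Local\Temp\LCM.rar"),
    RegWrite(3276, "REVISED FINAL CARGO MANIFEST COPY_pdf.exe",
             r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "TCP Monitor",
             r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe"),
    RegWrite(2952, "sek.exe",
             r"HKEY_CLASSES_ROOT\mscfile\shell\open\command", "",
             r"C:\Users\admin\sek.exe"),
    RegWrite(2836, "sek.exe",
             r"HKEY_CLASSES_ROOT\mscfile\shell\open\command", "",
             r'%SystemRoot%\system32\mmc.exe "%1" %*'),
    RegWrite(2836, "sek.exe",
             r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "SystemServer",
             r'"C:\Users\admin\AppData\Roaming\System\win-server.exe"'),
]

# Constructed: the cmd.exe line from the process list, one benign line, and one
# assumed cleanup line that kills one file but deletes another (must not match).
CMDLINES = [
    r'"cmd.exe" /C taskkill /f /im "REVISED FINAL CARGO MANIFEST COPY_pdf.exe" & ping -n 1 -w 3000 1.1.1.1 '
    r'& type nul > "C:\Users\admin\Desktop\REVISED FINAL CARGO MANIFEST COPY_pdf.exe" '
    r'& del /f /q "C:\Users\admin\Desktop\REVISED FINAL CARGO MANIFEST COPY_pdf.exe"',
    r'"cmd.exe" /C dir C:\Users\admin',
    r'cmd.exe /C taskkill /f /im setup.exe & ping -n 2 127.0.0.1 & del /q C:\Temp\setup.log',
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
MSCFILE_RE = re.compile(r"\\mscfile\\shell\\open\\command$", re.I)
USER_PROFILE_RE = re.compile(r'^"?[A-Z]:\\Users\\[^\\]+\\', re.I)
MMC_DEFAULT = r'%SystemRoot%\system32\mmc.exe "%1" %*'   # stock handler for .msc files


def classify_reg_write(ev: RegWrite) -> list[str]:
    """Return zero or more findings for one registry write."""
    findings = []
    if RUN_KEY_RE.search(ev.key) and USER_PROFILE_RE.match(ev.value):
        # A Run entry pointing into the user's own profile is how both payloads
        # here (tcpmon.exe, win-server.exe) survive a reboot.
        findings.append(f"run-key persistence: {ev.name!r} -> {ev.value} [{ev.process} pid {ev.pid}]")
    if MSCFILE_RE.search(ev.key):
        if ev.value.strip().lower() == MMC_DEFAULT.lower():
            findings.append(f"mscfile handler restored to mmc.exe (post-bypass cleanup) [{ev.process} pid {ev.pid}]")
        else:
            # Non-default .msc handler: eventvwr.exe runs it when it opens its own
            # console file, the fileless UAC-bypass primitive seen in this trace.
            findings.append(f"mscfile handler hijacked -> {ev.value} [{ev.process} pid {ev.pid}]")
    return findings


KILL_RE = re.compile(r'taskkill\s+(?:/\w+\s+)*/im\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
DELAY_RE = re.compile(r"\b(?:ping|timeout)\b", re.I)
DEL_RE = re.compile(r'\bdel\s+(?:/\w+\s+)*"?([^"&]+?)"?\s*$', re.I)


def detect_self_delete(cmdline: str):
    """Return (image, path) when cmdline kills an image, waits, then deletes that
    same image from disk; otherwise None."""
    kill, delay, dele = KILL_RE.search(cmdline), DELAY_RE.search(cmdline), DEL_RE.search(cmdline)
    if not (kill and delay and dele):
        return None
    image, path = kill.group(1), dele.group(1)
    if path.rsplit("\\", 1)[-1].lower() != image.lower():
        return None    # killing one thing and deleting another is ordinary cleanup
    return image, path


def triage(reg_events=REG_EVENTS, cmdlines=CMDLINES) -> list[str]:
    """Run both detectors over the sample records and return the findings in order."""
    out = []
    for ev in reg_events:
        out.extend(classify_reg_write(ev))
    for cl in cmdlines:
        hit = detect_self_delete(cl)
        if hit:
            out.append(f"self-deletion chain: {hit[0]} removed from {hit[1]}")
    return out


if __name__ == "__main__":
    for line in triage():
        print(line)
```

The hijack and the restore are reported separately on purpose: a handler write that is later put back to mmc.exe by the same image (sek.exe, pid 2952 then 2836) is the cleanup half of the technique, and on a host feed it is the pairing, not either write alone, that distinguishes the bypass from a stray association change. The self-delete detector insists that the killed image and the deleted file share a basename, so routine installer cleanup that removes a log after killing a setup process does not fire.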

Files activity

Executable files
4
Suspicious files
3
Text files
6
Unknown types
1

Dropped files

PID
Process
Filename
Type
3020
WinRAR.exe
C:\Users\admin\Desktop\REVISED FINAL CARGO MANIFEST COPY_pdf.exe
executable
MD5: 027b8fcf82710d8f2552c63ecebc0810
SHA256: 868525fb62c82c417d0afd84b47ad0becff423349702c1bcafffd4c446ab5624
3276
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
executable
MD5: 027b8fcf82710d8f2552c63ecebc0810
SHA256: 868525fb62c82c417d0afd84b47ad0becff423349702c1bcafffd4c446ab5624
2836
sek.exe
C:\Users\admin\AppData\Roaming\System\win-server.exe
executable
MD5: dea5fb09bd2ff353de5681e3c672cd75
SHA256: 723afa2fbd250d4985062091d10952f7e2a5cb8a2826bf32d9a7fcafcd811bde
3276
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
C:\Users\admin\sek.exe
executable
MD5: dea5fb09bd2ff353de5681e3c672cd75
SHA256: 723afa2fbd250d4985062091d10952f7e2a5cb8a2826bf32d9a7fcafcd811bde
3184
iexplore.exe
C:\Users\admin\AppData\Roaming\remcos\logs.dat
text
MD5: 5486497beb8cd670f0402483333a201a
SHA256: e7f850d2c1e52a7667980be45e6297bb4bf8baf0dfcd943e7dbba14de9f9dd1a
2836
sek.exe
C:\Users\admin\AppData\Local\Temp\install.vbs
binary
MD5: 4e1cdf73cb95b9df95353ab21c1cfef6
SHA256: 27b901c33c0300cf4c0f52706a329113ccccdf1d7cd3875dcc85417b479f8545
3184
iexplore.exe
C:\Users\admin\AppData\Roaming\remcos\logs.dat
text
MD5: a3010d20226fd36e9f3e5a6aead695b5
SHA256: a1ae8c76758577e7016cfe3156ba31c4c9b4a46b916c52831c8d6b089326b17f
3276
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat
bs
MD5: 716c1b07d8e40bf9b01d221c339f882c
SHA256: 56f8f38e572e1bafa449511f23d2f4c4aa0eb1e896739ef0ab19abcec406bf23
3276
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: 5360813e487d5025b0cff91fcc1a7c48
SHA256: 9ed097250b1d909686b20c3a0c775714089b82109999f65dc178b7887895a3fa
3276
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat
binary
MD5: 52c4ea50312f1e087781d1a4ae9c018d
SHA256: b83c0880fb814ba0380fe21746e8cd056f0f70915c58585f62b7d8ec698d09a8
3276
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
2420
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
C:\Users\admin\AppData\Local\VirtualStore\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
3276
REVISED FINAL CARGO MANIFEST COPY_pdf.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin
binary
MD5: 4e5e92e2369688041cc82ef9650eded2
SHA256: f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
4
Threats
106

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe 10.153.35.10:30089 –– unknown
3184 iexplore.exe 185.165.153.92:3434 NL malicious
–– –– 8.8.8.8:53 Google Inc. US whitelisted
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe 185.165.153.35:30089 NL malicious
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe 8.8.8.8:53 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
madss.hopto.org 185.165.153.35 malicious

Threats

PID Process Class Message
3184 iexplore.exe A Network Trojan was detected MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3184 iexplore.exe A Network Trojan was detected MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3184 iexplore.exe A Network Trojan was detected MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 64B
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT
3276 REVISED FINAL CARGO MANIFEST COPY_pdf.exe A Network Trojan was detected MALWARE [PTsecurity] NanoCore.RAT

67 ETPRO signatures available in the full report

Debug output strings

No debug info.