General Info

File name: NEW_INVOICE_CONFIRMATION9298398392832928PDFOutput.js
Full analysis: https://app.any.run/tasks/271ed1a8-05de-4a8a-ac09-f25091587a29
Verdict: Malicious activity
Analysis date: 4/15/2019, 12:27:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: autoit, rat, nanocore
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: 27588926e91441e9246b033fd70fe567
SHA1: 536c0ef8e841f69b1fb52bd74adc6b9cc2de116b
SHA256: e362cbdb02a7505408fb865c67d693663d67ab73dd32955366db831b584c6fd3
SSDEEP: 24576:DLbKw7vQZAmGHMTD7Sk86SxGVWuYUYJ/FP9UvmutzizFOvTXdOZCGD6owZsxrKQG:DIUf/U1+cLQzYYgP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 60 seconds
Additional time used: none
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • RegSvcs.exe (PID: 4060)
  • bgq.exe (PID: 2088)
  • bgq.exe (PID: 3512)
  • INVOICE_CONFIRMATION9298398392832928.scr (PID: 2128)
Changes the autorun value in the registry
  • RegSvcs.exe (PID: 4060)
  • bgq.exe (PID: 2088)
NanoCore was detected
  • RegSvcs.exe (PID: 4060)
Executable content was dropped or overwritten
  • RegSvcs.exe (PID: 4060)
  • INVOICE_CONFIRMATION9298398392832928.scr (PID: 2128)
  • WinRAR.exe (PID: 2452)
Creates files in the user directory
  • RegSvcs.exe (PID: 4060)
Application launched itself
  • bgq.exe (PID: 3512)
Drop AutoIt3 executable file
  • INVOICE_CONFIRMATION9298398392832928.scr (PID: 2128)
Starts application with an unusual extension
  • WinRAR.exe (PID: 2452)
Dropped object may contain Bitcoin addresses
  • INVOICE_CONFIRMATION9298398392832928.scr (PID: 2128)
  • bgq.exe (PID: 3512)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report

Processes

Total processes: 36
Monitored processes: 6
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Process chain (reconstructed from the graph's node labels): wscript.exe (no specs) -> winrar.exe -> invoice_confirmation9298398392832928.scr -> bgq.exe (no specs) -> bgq.exe -> regsvcs.exe (#NANOCORE). Edge labels present in the graph: start, drop and start, drop and start.

Process information

PID: 2760
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\NEW_INVOICE_CONFIRMATION9298398392832928PDFOutput.js"
Path: C:\Windows\System32\WScript.exe
Indicators: No indicators
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version info:
Company: Microsoft Corporation
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385
Modules (image):
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\program files\winrar\winrar.exe

PID: 2452
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\AapHtEYA.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators:
Parent process: WScript.exe
User: admin
Integrity Level: MEDIUM
Version info:
Company: Alexander Roshal
Description: WinRAR archiver
Version: 5.60.0
Modules (image):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$dia2452.4962\invoice_confirmation9298398392832928.scr

PID: 2128
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa2452.4962\INVOICE_CONFIRMATION9298398392832928.scr" /S
Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa2452.4962\INVOICE_CONFIRMATION9298398392832928.scr
Indicators:
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version info:
Company:
Description:
Version:
Modules (image):
c:\users\admin\appdata\local\temp\rar$dia2452.4962\invoice_confirmation9298398392832928.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\70231609\bgq.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID: 3512
CMD: "C:\Users\admin\AppData\Local\Temp\70231609\bgq.exe" dbc=flb
Path: C:\Users\admin\AppData\Local\Temp\70231609\bgq.exe
Indicators: No indicators
Parent process: INVOICE_CONFIRMATION9298398392832928.scr
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version info:
Company: AutoIt Team
Description: AutoIt v3 Script
Version: 3, 3, 14, 5
Modules (image):
c:\users\admin\appdata\local\temp\70231609\bgq.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID: 2088
CMD: C:\Users\admin\AppData\Local\Temp\70231609\bgq.exe C:\Users\admin\AppData\Local\Temp\70231609\XLNAK
Path: C:\Users\admin\AppData\Local\Temp\70231609\bgq.exe
Indicators:
Parent process: bgq.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version info:
Company: AutoIt Team
Description: AutoIt v3 Script
Version: 3, 3, 14, 5
Modules (image):
c:\users\admin\appdata\local\temp\70231609\bgq.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID: 4060
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators:
Parent process: bgq.exe
User: admin
Integrity Level: MEDIUM
Version info:
Company: Microsoft Corporation
Description: Microsoft .NET Services Installation Utility
Version: 4.6.1055.0 built by: NETFXREL2
Modules (image):
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

Registry activity

Total events: 1186
Read events: 1165
Write events: 21
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
2128 | INVOICE_CONFIRMATION9298398392832928.scr | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2128 | INVOICE_CONFIRMATION9298398392832928.scr | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2452 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
2452 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
2452 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2452 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\AapHtEYA.zip
2452 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2452 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2452 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2452 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2452 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @shell32,-10162 | Screen saver
2452 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2452 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2088 | bgq.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdate | C:\Users\admin\AppData\Local\Temp\70231609\bgq.exe C:\Users\admin\AppData\Local\Temp\70231609\DBC_FL~1
4060 | RegSvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TCP Monitor | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe

Files activity

Executable files: 3
Suspicious files: 1
Text files: 54
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4060 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | be5073ae05e68612ba0fc1a3d339e64c | 1735ba356794975169a93ee2babd33862229a1842c6e2c6a0b67366f5856894e
2452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2452.4962\INVOICE_CONFIRMATION9298398392832928.scr | executable | 62f0b31d39196b1409eb4207c9f17141 | 3aab04e6bc14052c7d67a2fd05be695476da241e9c756235a2cb6cd5bcea694c
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\bgq.exe | executable | c56b5f0201a3b3de53e561fe76912bfd | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\aqp.docx | text | ee2ed93ee11a0c368a3ec502bcd257cd | d0d8307a59c6f2c6181468cf496f04bf71dfa85103017f0b52882a7ca6f44c05
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\cxe.pdf | text | b0e152a8f9a8f93c74c312486ddd0638 | 4a40bfbe7c16219f9a45c1d9f10c032d9fc126e706a26f13453ea855ca61418f
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\urk.pdf | text | 0adc96cc85874d85f5b6a8b8b1bf12c6 | 45d0c4a8f7a1f821a5233a8bbee3005691abd38bfd391dfc5a19d60f3124f69e
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\wfm.txt | text | 966651cf4b8ae55c8608b92b7f7edc3e | a0c5ba88aa5dddcc78bfb5e47ac9eaff9a69c585363305fcedc5bdc07c139ab3
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\ixw.docx | text | ec5e714902d09c34cac64e159c3af716 | 14555d7e8b10bca8d5eb8895e35ab656fb171d61b54584c6d41c69399ad74c34
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\ldk.docx | text | ca2c70bcf42f4a1cd3f55baadf7052d7 | df5ae652a8fb86134b235fe6d5b0d5c0a47fad7a3b47ff69ec631670efd5aba2
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\lxs.icm | text | 65b998dc3a989516751b96b37c927927 | 8aac47e32ac9b4b13d9daf1367abcaf0bc65a3ffd54c570bd2a8044b68a93ab8
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\nxs.xl | text | 7e98ef2540430aaa013572378e3b9d35 | f12b9907ba3b838fcd8f9c409687c54d41c45950c0b113031b9fe18666cde566
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\snw.jpg | text | e76a7d795a6c89396e9fa2957812264c | 3df87a7f39adac0d1eb4d46b92e1bae25f3aebf2ae6a83b2a1169810d90ce5de
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\qlt.ico | text | 92eee5f7fae7b03ebdab41f70e3deee7 | 31b2bfd9acc144d0cb05e62155d63c3872820a8fd300f95a979f6b3d413c4793
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\gtr.txt | text | 6fedfb0ca41b3328afa3d48e6ba30b08 | 3235bde54f535960dc9cda84a66cd82c9a6764ead6aa293b82208fb133739ac2
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\xfo.icm | text | 8b228e6ef26e723e0ed5f994aa2bc267 | 90afb6a6f0ed6bb473916740b6b09691185dd6aec33aff060f1a509c281003e8
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\obs.mp3 | text | 0c360242830aced470fb504f21b94a65 | ee0b8e8aa226b5ec5733c0a82cd89c52bacf0b7174cff7fbc27712ddb19a94c1
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\vsx.xl | text | 020f512923881b9188ad66231124f0d1 | a34e9c99b1de11dad6abffa17067020f78cbc9ca57f1dcdffb4d0037774ba000
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\vlp.icm | text | a90dee3aaea2330ef30ce481ab58f4d1 | 242f23a06061c1ae0468fff9bf6146ded40d15bc17c29ee5705353f63e0454f5
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\qdw.pdf | text | 3a56183a52dae560652de43282603bce | 18d8ffb0724cfa8536aeb21b60a90ecaf1b1413c332a78ce0741b8af71924012
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\llo.icm | text | 27641bc4449285a1dd8cd92b9387d2e2 | 80c00bbe360da12500c450bc5bc5daaa894cf1ac6f648d2566970a078dd1f03e
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\wqw.pdf | text | bccfcebf08b3d03ae7a9ec4abf7fc832 | d70650e57e328edc60297978c71c22bba05116bca7137c9adf7dd27968df3103
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\rlw.pdf | text | 051c3091f913380e0eaf5518306e495c | 84b72c24217f482e1e95cfe0f6755087c7a3e28a23710d11d31a22ae182750e2
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\btb.txt | text | 5c6285b167cc027e651cde2e14ac6a75 | ef8e5f1415c191c54f3b0bd6231649be15a64ed716ee672b81e323b6d6adad57
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\qpm.txt | text | 7559d60ed030450d1459be910c873d80 | 00ee3ca14c2c1cf3d2b1eb1ad194420565aa4e0cb32d4ddbffcb4f1b28576293
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\ohj.ppt | text | d704e761bf84e70be163c7bdea1203f1 | 38a79a20cec86919e41cef780fd918f4e7a9b1d3d84f7f00547d10beed0ca5b3
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\udt.icm | text | 2a9aaee04bc71a25ae87d0b14ba1aa22 | 0bd62b74cb1ff988bf337cbd99173e6b60f9012df1683bd0c7573bb2f1f843ca
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\ccr.txt | text | 9efe37c5134030bae3515c58431147be | c7e5646b44ced01c7ed203ffa4de3824e6c60f670e3fb766aef63b94b4567741
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\eag.ico | text | b8ffe1b0751acc0eefb7bae0b9cd378a | 2c0c0ccc5114005c12ddc0aeced0e40ed417e25d7c8a7452a54259e56fde6f05
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\ksr.ico | text | 5a24f891f4fed79d602fa62e6315cc29 | d6bde4fabe289e33587f217119144d5b186f609cab76aa7fa5838acf8169bfb7
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\aon.txt | text | 217ff75e65fb0f2978e53f9342566f91 | 0d7a9199bef7727acdd9d0810492aafc9d48088c7698a064f21d8ee2507f5d4f
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\igf.dat | text | ce9fb33931cb6136e7b6529f8c5b5aca | 60c62d7ebb837672305bb7d2cc0f7a769fcd4dbcbd09b297be04f7c617518a46
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\ifd.txt | text | 6a3970de5ca96ac4ad76c9bed7325909 | 46a5368691206ac5d0e34a450c64b08eb4bc2efafd212de69bad3f967e20110d
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\npl.docx | text | d059eb74417c370c2672b71454a885e8 | 85e17618055da18880d548e3224164c096fae3908bb55e5de6c4f65adb127fdf
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\ubb.mp4 | text | faaee4cafddbbdd0db7f1b4f2025a9ae | cd23e63a4da349bad625e6df44accca3b0ed3984ebb4c81a9d1d4d599601e45f
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\rnj.ico | text | d951c08b71941a96d93b63e3748c64f7 | 4c9d88921a11b62131af8cab4308aa9deb2ded2d129d4f4fc8bf0d575e59cfd7
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\qvj.txt | text | eb32fdd3106814855378b4645b392686 | 08682c8a6ed655c8b98720bcc2063e391d02eea33d92e6db35f7ef9a8f896e02
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\shs.ppt | text | 0318d2f8aa30225cf06442f35e27945b | daaf47365f78d573eb8970e3ed651e1cfd6332f7cda16b205fa9b47598efeeb6
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\gls.mp3 | text | 411bbcd12edc3bf8dd561a19cd0554dc | 4386619aa3e05a1749e37c98bf40e62b44a1580c4694d1679282b6c68b3e520a
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\kmn.ico | text | 0c259be176a9f389c9cc77e7e5dbce60 | 91a65eb4245fb40e4a5a333fe86ff3dfd3f52e293508199d3a4c578398a926a3
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\dlm.txt | text | b3f9447a56ad772c0ca7b16529b8ae29 | 0a41dbbf05713af7222d5750f00e6b2586d130d954df8b799f6b21e1a5d762c1
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\uwl.ppt | text | 8429096b8814949139de5d64bff2b324 | 159cd639e3d081ec046b094e01a1fe206660201a46a2ae55f296a228daf2d3b4
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\efd.bmp | text | 1c76eef9f1faa0beefd81cb5b316c263 | c740b117bae619055c500761d6c1afd8b6900d5fdfaeec5cfde94dc69e4c443b
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\gop.ppt | text | d951315d53823d70201b7e2cc0095f35 | e39aefe97bac905637c9f732b62cb9acba37cd5a2f6ee5848f4b708fdefb2a7c
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\iqj.docx | text | c61927cfb1f92ee4aaf2a68c4020246f | 084caec40d140b15078411329f255e156c3db9ed514ed83e1e3576dd6f810260
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\teq.bmp | text | 3b7b0fffb4893cd109f57d2034e6dbe3 | ce1770c081fdadc08a4e8993c1fdfe7c42ade44932e49e4bb57b9c400c508638
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\tmv.xl | text | 44a25dcd820515591a44749a1915cb32 | 2cab6e248ad02f09e95bf83c0dc7079b71076b5c869c194566b7b48e062a092e
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\gvn.bmp | text | 4de1b511f33353fbbebccb2bb3e30212 | 6ea9c1b721472a1acf8a5808ccca10eb311a55b81bc7a126974d17915fff7d5d
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\fcr.mp4 | text | 01ed43e829726fd16a249295cc20d6d6 | 460029038d418e169510b7875c3bb62b9d97b6b7ba245dec6a0170727d6d2fa5
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\gbw.dat | text | cb5abba1602e66ed9d5b462302f61a2e | ec445ada080bde9006757325bbf62941a42765f2f3e674112b34a01fa4134cf2
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\jhq.xl | text | 66e10352164f87e62a5aff766c39032b | d52f7f6f298ab77843f45f5a295d1fec38565500ff22b0e336b55ccf3535701a
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\muq.docx | text | 3ecbb510408f501a701e1b8c31905c78 | 35967d89c094f189eb1aae4b2e4b8168de12da7ef568248a26be7f7ec36e4cfc
2760 | WScript.exe | C:\Users\admin\AppData\Local\Temp\AapHtEYA.zip | compressed | e000dcb89265c092cd0c7bfcb1dc9ca0 | 5f10badc6400d9da397016a2d18f028b12d53c0b8c9233451319f2030d03e4f4
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\ButtonConstants.dat | text | c6e41c374808b0217ebaf9b0e4f5a4b6 | 8a225999fcea536421b41049b2fc8955bdab6403699d6fb4f9e38b220ac4fc7a
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\gpa.dat | text | e94eaa08b06dffc2c69d97678b6c59c6 | 9c1b1d79b04bea08837b7e429caa7a908b1d995b8e3e7e9128bfecbdbcfb6dcc
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\ToolTipConstants.docx | text | 2062684eab1048b65b17087619810fb3 | 42180b49238ab13c874bf956e3869090d6d18972502fe7b3e8c59c6b6a6723c3
2128 | INVOICE_CONFIRMATION9298398392832928.scr | C:\Users\admin\AppData\Local\Temp\70231609\dbc=flb | text | 9a556be696b5343b57812e98dba079ad | f5a38e90148c6813642294891540bcbf36ac5e5a4fa22f85cae4fa513d2d8567
3512 | bgq.exe | C:\Users\admin\AppData\Local\Temp\70231609\XLNAK | text | 800770b4e0ee61a8150363424951a00d | 07efb454c91149bb4243cbd3eb2b7afa5bed60d6e99668e7bc2a1a49d7c6264c
4060 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | 39893d1b3517ae03ac32615b4f15f384 | 535b147db35bdea8c842d9f066d8e73cc888c427bc22ae13a14cf1760efbb989

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 13
DNS requests: 5
Threats: 5

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
4060 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
4060 RegSvcs.exe 91.192.100.18:64599 SOFTplus Entwicklungen GmbH CH malicious
4060 RegSvcs.exe 79.134.225.23:64599 Andreas Fink trading as Fink Telecom Services CH malicious

DNS requests

Domain IP Reputation
stannanoserve.duckdns.org 91.192.100.18 malicious

Threats

PID Process Class Message
4060 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
4060 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
4060 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
4060 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
4060 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.