General Info

File name

f5d95a88f78ec551e648a68f084faecc98d94b22.exe

Full analysis
https://app.any.run/tasks/79a0a4d7-aa42-4f75-a471-5fff1b92cf3e
Verdict
Malicious activity
Analysis date
1/10/2019, 20:49:34
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5

b34a49301f280a04d59ab288630855ee

SHA1

f5d95a88f78ec551e648a68f084faecc98d94b22

SHA256

e59515a8baa2988627ba68c97928f77d11fd11f93527c7359c2d7897fd5fd464

SSDEEP

24576:f2O/Gl8O9ZwSPLY1C71LwR71+wmxhKbH3rUO46Gm:E8C71L48wmxUT3ie

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • lwh.exe (PID: 3012)
  • lwh.exe (PID: 4080)
Changes the autorun value in the registry
  • lwh.exe (PID: 4080)
Executable content was dropped or overwritten
  • f5d95a88f78ec551e648a68f084faecc98d94b22.exe (PID: 3132)
Drop AutoIt3 executable file
  • f5d95a88f78ec551e648a68f084faecc98d94b22.exe (PID: 3132)
Connects to unusual port
  • RegSvcs.exe (PID: 3248)
Application launched itself
  • lwh.exe (PID: 3012)
Dropped object may contain Bitcoin addresses
  • f5d95a88f78ec551e648a68f084faecc98d94b22.exe (PID: 3132)
  • lwh.exe (PID: 3012)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (35.8%)
.exe | Win64 Executable (generic) (31.7%)
.scr | Windows screen saver (15%)
.dll | Win32 Dynamic Link Library (generic) (7.5%)
.exe | Win32 Executable (generic) (5.1%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2012:06:09 15:19:49+02:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
74752
InitializedDataSize:
58880
UninitializedDataSize:
null
EntryPoint:
0xac87
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
09-Jun-2012 13:19:49
Detected languages
English - United States
Process Default Language
Debug artifacts
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
09-Jun-2012 13:19:49
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0001231E 0x00012400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.55555
.rdata 0x00014000 0x00001D15 0x00001E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.99401
.data 0x00016000 0x00017724 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.54914
.CRT 0x0002E000 0x00000020 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.394141
.rsrc 0x0002F000 0x0000C2C0 0x0000C400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 6.48584
Resources
1
7
8
9
10
11
12
100
101
ASKNEXTVOL
GETPASSWORD1
LICENSEDLG
RENAMEDLG
REPLACEFILEDLG
STARTDLG
Imports
COMCTL32.dll
SHLWAPI.dll
KERNEL32.dll
USER32.dll
GDI32.dll
COMDLG32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
Exports
No exports.

Processes

Total processes
34
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

f5d95a88f78ec551e648a68f084faecc98d94b22.exe (PID 3132)
  drop and start → lwh.exe (PID 3012, no specs)
    start → lwh.exe (PID 4080)
      → RegSvcs.exe (PID 3248)

Process information

PID
3132
CMD
"C:\Users\admin\AppData\Local\Temp\f5d95a88f78ec551e648a68f084faecc98d94b22.exe"
Path
C:\Users\admin\AppData\Local\Temp\f5d95a88f78ec551e648a68f084faecc98d94b22.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\f5d95a88f78ec551e648a68f084faecc98d94b22.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\88465914\lwh.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
3012
CMD
"C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe" fld=ktl
Path
C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe
Indicators
No indicators
Parent process
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\88465914\lwh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
4080
CMD
C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe C:\Users\admin\AppData\Local\Temp\88465914\HAWRN
Path
C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe
Indicators
Parent process
lwh.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\88465914\lwh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
3248
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
lwh.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events
391
Read events
385
Write events
6
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4080
lwh.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
qwertyhfdsd.exe
C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe C:\Users\admin\AppData\Local\Temp\88465914\FLD_KT~1

Files activity

Executable files
1
Suspicious files
0
Text files
50
Unknown types
0

Dropped files

PID
Process
Filename
Type
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\plv.mp4
text
MD5: 61f1aa2f3a4ec269b21904a9501f5f67
SHA256: dbadef1663555f8d0aa056a87cf9e7403926b26d44d45198982973e41836dd95
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\qtj.xl
text
MD5: eb0f3fe4ce0a1084a869d54355d09c4d
SHA256: c04037373979c876eae016a9bd101d603ab8bd53f605aa49cde4c83798de15c8
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\sut.bmp
text
MD5: 12d2ff5f2bd1226155cf398b2611f24c
SHA256: 5dbe01f939754dddc3bdb93f6973e6abc5f9f77d3db23ae408a2eba0bc91f0bc
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\cao.mp3
text
MD5: 043f82458c6773f731b5696043c362da
SHA256: d59b678abd525d18297b899f27899119dc99464b15fe49f7fe56cd69ae7d6e70
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\hwf.jpg
text
MD5: 1fc66383e0f54920395adf32b8f09dd2
SHA256: ae09367185471cbab68f65dbbd944b66d5591f7bc6b95b7684b99285c36dd245
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\gcf.txt
text
MD5: b33c8f0b801470de2fabd49e5b3199cb
SHA256: e29f4464e89acd12cdeca9f02a383df2cddc9de841ab11ef749b56a7c78a95e6
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\tad.ico
text
MD5: 103b96bcb66f2209287408a5cbf39c54
SHA256: 91d3daa3d9736f8162035c883f2f03566f9fae655fffb758dfe1ace25d3c43fc
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\pgk.mp3
text
MD5: e6280f412c6b8205fdc11bc1b40c7227
SHA256: b9937317673bb29304856556083e8147efa0ab3ef4d18bc9c185542098c7b8a3
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\toi.ppt
text
MD5: 5bc1af579a99121ac35ab6e3ff7d470b
SHA256: 1b2006d22c8b4b264339acc62b103785d73c735097a3147308067575c4367735
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\mhp.mp4
text
MD5: 553707dc56652e93ccef5c41b70d98b0
SHA256: 56ea1dbace1467d0f3fae8649811d5c47b2dd837d9d28728147dea6ee0c0383b
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\dum.dat
text
MD5: d431ffef88fddf1d223cdedde385422c
SHA256: 066d8823d1d986cbcfab41c84909b5f3ff1911dc9b7e558ba08efabbf3d7ab30
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\ldr.jpg
text
MD5: 421005e70abcbf87222d73d0d8c9ffbf
SHA256: 0d985b3ae47bceff4f774bc0498d21de91ad48436bebc42714a15d8428ca37f6
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\rcq.ico
text
MD5: 4d1d18662f21e21ef459232deada43f7
SHA256: 86ec0cb5c36dd91acf45577a049c82776328615910cad59c01f72ae907449f22
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\esj.bmp
text
MD5: 94069010e2039643feb6b1a176c32914
SHA256: cedce64510a5d8add40b2dedc4eedfbd8877427c5f136c0a2aff8ce84d417a3b
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\dtb.mp4
text
MD5: 186821a6a76a497ba83f77c2eb694ddf
SHA256: 7057045ecfa6d5b5c645d174489883fb4baac3a51690378bc9fcf8f305e78d41
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\nln.mp4
text
MD5: df9144baf063168d81b37fde1b5eb8c0
SHA256: c41f439b73af6a721e6f9cb8c16491854b0d47dfc1de8139a28060eac780a091
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\xnd.mp3
text
MD5: ce8320241e7e4d8ea08f632e0265a1f7
SHA256: c6cb40094e9771a469d59d5e30fbf5f537228551b5e9653ef1f056ccd7e24c96
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\brv.ppt
text
MD5: 02d041908329e615153fef40a54717ad
SHA256: ffa37afeddd510dc4731f20d0fbc9e4c16e0b4be08cef9d82b7e4ea4de339805
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\ils.icm
text
MD5: cf7c98814107d76fd65a8b1fa5e257f0
SHA256: c2c97e396c58b8586cad19af4d5fb3db14bbefa6df0d244fecc4683678457441
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\tst.mp4
text
MD5: b9a2c5e94ace453ac8bab48dc1fea869
SHA256: d958797f5d75d5803e3eb689b370de289995395c5764ad0298ff51eb91ba30d8
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\rdk.pdf
text
MD5: b4df41efd6c800138a77be1761152e50
SHA256: a0c9b59353c09784c8a22090a444eb50f6a426ab1c1fbdb4b14a66a16007b39f
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\mtw.dat
text
MD5: 128157fad0851e016a9d8c75d03270a6
SHA256: c5f2a7e4e5dcd9f984c60fcc5d508202652c6e7a2d5b83c94041166fea6b6c14
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\hoo.dat
text
MD5: 8f6f9814ba2e29d967309bb8e0a6380b
SHA256: 653c24e9331224c5215108d031334a9cf1131027800ec2caaf15642082145f01
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\lir.dat
text
MD5: 3a2ab15da2ae4b54778b55d0deb759c9
SHA256: 71994270ac757e6aa8ce7a03b9efbb0a7a7a4f0d71af80c9289cfcd1852654fd
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\vsx.xl
text
MD5: 3fe745b71e5034d2298f195b27951796
SHA256: d8fc9b9a9bd3b7a51311be20b11632053c7331369f3bb8cc3e475f990ae224aa
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\hpk.pdf
text
MD5: bf620765985336d62fb99f99ad8cd3ec
SHA256: b0863d4738f7e36575f9bd2b37d68663f61198d6545cfa6547f936f460cdd458
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\hrm.pdf
text
MD5: a8dd35c6c36f2c208d46c2189fa49a3c
SHA256: 66b1fdf9f7e71129a938ba8c8fe5bb4490d51a99b004bab9b5bf462404045156
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\coa.icm
text
MD5: d4a678eddee78c562ef20901cd8c7bbd
SHA256: 605dfa8f9f1dee525c73ca29d8ef30edea733fc8e8a135cd6128460ce28c429e
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\oih.jpg
text
MD5: 263c44e198ae2328042ba3e3377a9cea
SHA256: 58e518fc888f0886748732308e17cf751e3e687c2c605bdd5f25084b61f29486
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\sxr.txt
text
MD5: 72efb2da2feec77570c650a39589f28d
SHA256: cb1f1451cb7290c0391d1ff58578b7bfaf7213901789aeed3920703911fb4035
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\etl.mp3
text
MD5: 6c39e2343bd4bedb8810ae1ca1f6e9c0
SHA256: 7f3050a43efbd6d2e67c43e11002a3c99ce47e06f39a99bf645a1cc1667a0efa
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\bet.bmp
text
MD5: f7359b514d0a679665a288364b8b895a
SHA256: aa46e02d7052ae7af9843b20e2ded80af743b77624fb90aeb25481bdb608c2e4
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\sip.dat
text
MD5: abae0d20c022f7da8fb7cba3b36154d5
SHA256: 92187287285f74f30b457f2a69936d9d120a9445d3f29509f3753652e32becee
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\fri.pdf
text
MD5: 5c350476642a993b84d53a6edf31b482
SHA256: d4dbfc1f4218fdeccd73cc16a29a7a7b3b6f098b2a5274496738eca3bbc14e6b
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\cnk.txt
text
MD5: a6ea2d6bb0ac8834155d4091d4f81fec
SHA256: 7c7018ab6fc90a78f4be45d91dbca9d9b001e383e33866016d08f2b0f524a5b9
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\qrf.xl
text
MD5: e5703142fab8fbbcbf5cd39c9378b32d
SHA256: ab4ffda173db74183f0760d868d8d8accfb975c10067e2b8c45b8c0a272c727d
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\fjd.pdf
text
MD5: ea3e95e581795a8fad88e8f5bc6523bb
SHA256: fce44787111ed976da4eade1d9ff438d1854bc4b3a9a44c71936be4b8bcd53ca
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\qnf.pdf
text
MD5: fcc35763c67bcb2cc84d936278af25b1
SHA256: 0d14529aab80078efb3e893fd28beea72be9d5f4608f6e35dd233be19a76265d
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\olh.mp3
text
MD5: 7b4bc7c28ea0ffb5ba1b2668b5e49dcd
SHA256: 5d3cb61feffab53d0e3a8b651191ae33a309ff163e0d3a807f0b454fb5903bb8
3012
lwh.exe
C:\Users\admin\AppData\Local\Temp\88465914\HAWRN
text
MD5: a2a05c7c5c6e1f0e321ff04d189c807b
SHA256: 8f4cb5c38052838d008e31a32b73489920b31765fe77d0e856d632396aa55c08
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\jxn.txt
text
MD5: 11d8800a15ebdb99487edebc06ef86e8
SHA256: 7e63ef6f2a78b51ad2915d0ca50d0b0d0420600ba8f4a99ee6cdae3ac7868a99
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\dwa.icm
text
MD5: 3a5452c2af12fb5f972f8ff46c91888c
SHA256: cb857b22e73625770e18ec4029da260e7f99f4738e847b16b5eaa56d294f687b
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\mlk.mp4
text
MD5: 240a4e26582b6d589ff0e49c72e1007a
SHA256: 768bb11a1a76f4704fc35ea39e8f8926b998e1a2d1dadf87e7042ae29e3966e2
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\kwp.xl
text
MD5: 60bce68219ac22682488f4b02405694e
SHA256: dd206de951223be9b409fe0884603b17b35ff409ae19253e4b12ec09c77934e1
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\mvk.xl
text
MD5: b94467aef46e19383eb48c5a2471afe3
SHA256: c4c434ae9d22a3249c53af8c683adebd148e658c08f433533a1f067b3219d556
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\emu.mp3
text
MD5: 5709f32a91fe4fd8db720bcabd3546d1
SHA256: c9992eb858b214114aef5f2bdfae725920e4550a4b8e77301144d9363e3f9760
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\idn.docx
text
MD5: b0341df38a4783109002ab4cf33c9d55
SHA256: c2073ffebe269e494a467760438c9f2a34c109584965555e4a5ffe2febeb4858
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\fld=ktl
text
MD5: 2ab49ff2e034d5c9cd371aa68fb4b67b
SHA256: 04a711b91241c5d9b0513f02535b46c3cd9181ace04c6a673dde5da1486373df
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\ibw.mp4
text
MD5: 7cba224e33403861f74573f8464d3d2f
SHA256: ad912169922c0f25f333cf4235429b63c567e349080a4cb6c78f2f49f8279f7e
3132
f5d95a88f78ec551e648a68f084faecc98d94b22.exe
C:\Users\admin\AppData\Local\Temp\88465914\cxq.icm
text
MD5: 23605c61108c31c4842542688d923607
SHA256: 0f3f8bbc33c4670c44f4aa278399390b974032707feb28d0ea6036bf5053cef3

Find more information on the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
7
Threats
5

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3248 RegSvcs.exe 45.249.90.124:1609 Korea Telecom KR malicious

DNS requests

Domain IP Reputation
idea1com2002.duckdns.org 45.249.90.124 malicious
dns.msftncsi.com 131.107.255.255 whitelisted

Threats

PID Process Class Message
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.