General Info

File name

ye.exe

Full analysis
https://app.any.run/tasks/a5ac975f-5171-48ff-9d84-240c0525e94c
Verdict
Malicious activity
Analysis date
7/17/2019, 19:09:38
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

  • autoit
  • trojan
  • rat
  • stealer
  • avemaria

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

7338b5bfedca98ec4fc567bf10726d0f

SHA1

d9fa5309de66b6c6a9ed340080ccfbaa357a95e0

SHA256

e67fdccb5410647c06ae3f33ae976285b51e119ec904cae768ed6392f5a5fbd6

SSDEEP

24576:bNA3R5drXTLPdKVjGe6PaxaQ1lrcltwA/tw+ww8FHDbeisNIfTKPWBcH:G5PlewPa3itwsn8x6IOPWBy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • dism.exe (PID: 3796)
Application was dropped or rewritten from another process
  • frq.exe (PID: 1600)
  • frq.exe (PID: 2984)
Runs app for hidden code execution
  • RegSvcs.exe (PID: 2076)
Changes the autorun value in the registry
  • frq.exe (PID: 1600)
AVEMARIA was detected
  • RegSvcs.exe (PID: 2076)
Executable content was dropped or overwritten
  • cmd.exe (PID: 1552)
  • DllHost.exe (PID: 2116)
  • ye.exe (PID: 3524)
Executes scripts
  • ye.exe (PID: 3524)
Application launched itself
  • frq.exe (PID: 2984)
Drop AutoIt3 executable file
  • ye.exe (PID: 3524)
Executed via COM
  • DllHost.exe (PID: 2116)
Starts CMD.EXE for commands execution
  • RegSvcs.exe (PID: 2076)

No info indicators.

Static information

TRiD

  • .exe | Win64 Executable (generic) (64.6%)
  • .dll | Win32 Dynamic Link Library (generic) (15.4%)
  • .exe | Win32 Executable (generic) (10.5%)
  • .exe | Generic Win/DOS Executable (4.6%)
  • .exe | DOS Executable Generic (4.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:04:27 22:03:27+02:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
190976
InitializedDataSize:
138240
UninitializedDataSize:
null
EntryPoint:
0x1d759
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
27-Apr-2019 20:03:27
Detected languages
English - United States
Process Default Language
Debug artifacts
D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000110
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
27-Apr-2019 20:03:27
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                                  Entropy
.text   0x00001000       0x0002E854    0x0002EA00  IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ                      6.69231
.rdata  0x00030000       0x00009A9C    0x00009C00  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ                                5.13286
.data   0x0003A000       0x000213D0    0x00000C00  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE            3.25381
.gfids  0x0005C000       0x000000E8    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ                                2.11154
.rsrc   0x0005D000       0x0001516C    0x00015200  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ                                6.79068
.reloc  0x00073000       0x00001FCC    0x00002000  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ      6.64554
Resources

  • 1
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 100
  • 101
  • 102
  • ASKNEXTVOL
  • GETPASSWORD1
  • LICENSEDLG
  • RENAMEDLG
  • REPLACEFILEDLG
  • STARTDLG

Imports
    KERNEL32.dll

    gdiplus.dll

    USER32.dll (delay-loaded)

Exports

    No exports.

Processes

Total processes
48
Monitored processes
11
Malicious processes
5
Suspicious processes
0

Behavior graph

  • start
  • ye.exe
  • wscript.exe (no specs)
  • frq.exe (no specs)
  • frq.exe
  • regsvcs.exe (#AVEMARIA)
  • cmd.exe
  • Copy/Move/Rename/Delete/Link Object
  • pkgmgr.exe (no specs)
  • pkgmgr.exe
  • dism.exe (no specs)
  • regsvcs.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3524
CMD
"C:\Users\admin\AppData\Local\Temp\ye.exe"
Path
C:\Users\admin\AppData\Local\Temp\ye.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\ye.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wscript.exe
c:\windows\system32\sfc.dll

PID
1476
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\43555320\wdg.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
ye.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\linkinfo.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\wer.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\43555320\frq.exe

PID
2984
CMD
"C:\Users\admin\AppData\Local\Temp\43555320\frq.exe" mca=vqw
Path
C:\Users\admin\AppData\Local\Temp\43555320\frq.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 4
Modules
Image
c:\users\admin\appdata\local\temp\43555320\frq.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll

PID
1600
CMD
C:\Users\admin\AppData\Local\Temp\43555320\frq.exe C:\Users\admin\AppData\Local\Temp\43555320\IBWTI
Path
C:\Users\admin\AppData\Local\Temp\43555320\frq.exe
Indicators
Parent process
frq.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 4
Modules
Image
c:\users\admin\appdata\local\temp\43555320\frq.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
2076
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
frq.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.7.3062.0 built by: NET472REL1
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\devenum.dll
c:\windows\system32\winmm.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\version.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
1552
CMD
"C:\Windows\System32\cmd.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
Parent process
RegSvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\atl.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\dui70.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\duser.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\pkgmgr.exe
c:\windows\system32\mpr.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
2116
CMD
C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Path
C:\Windows\system32\DllHost.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\actxprxy.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mssprxy.dll

PID
3212
CMD
"C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml
Path
C:\Windows\system32\pkgmgr.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Windows Package Manager
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\pkgmgr.exe
c:\systemroot\system32\ntdll.dll

PID
3552
CMD
"C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xml
Path
C:\Windows\system32\pkgmgr.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Package Manager
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\pkgmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\dism.exe
c:\windows\system32\apphelp.dll

PID
3796
CMD
"C:\Windows\system32\dism.exe" /online /norestart /apply-unattend:"C:\Users\admin\AppData\Local\Temp\ellocnak.xml"
Path
C:\Windows\system32\dism.exe
Indicators
No indicators
Parent process
pkgmgr.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Dism Image Servicing Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dism.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dismcore.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
1868
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
No indicators
Parent process
dism.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.7.3062.0 built by: NET472REL1
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.ente96d83b35#\6682e8964200a1336f1dbe49392f7797\system.enterpriseservices.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.enterpriseservices\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.enterpriseservices.wrapper.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.ente96d83b35#\6682e8964200a1336f1dbe49392f7797\system.enterpriseservices.wrapper.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll

Registry activity

Total events
1291
Read events
1216
Write events
75
Delete events
0

Modification events

PID  | Process     | Operation | Key                                                                                  | Name                      | Value
3524 | ye.exe      | write     | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet             | 0
3524 | ye.exe      | write     | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect                | 1
1476 | WScript.exe | write     | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E                                 | LanguageList              | en-US
1476 | WScript.exe | write     | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet             | 0
1476 | WScript.exe | write     | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect                | 1
1600 | frq.exe     | write     | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run                       | qwertyujhgfdf.exe         | C:\Users\admin\AppData\Local\Temp\43555320\frq.exe C:\Users\admin\AppData\Local\Temp\43555320\MCA_VQ~1
2076 | RegSvcs.exe | write     | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings         | MaxConnectionsPer1_0Server | 10
2076 | RegSvcs.exe | write     | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings         | MaxConnectionsPerServer   | 10
2076 | RegSvcs.exe | write     | HKEY_CURRENT_USER\Software\_rptls                                                     | Install                   | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
1552 | cmd.exe     | write     | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet             | 0
1552 | cmd.exe     | write     | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect                | 1

Files activity

Executable files
3
Suspicious files
0
Text files
53
Unknown types
0

Dropped files

PID
Process
Filename
Type
1552
cmd.exe
C:\Users\admin\AppData\Local\Temp\dismcore.dll
executable
MD5: 6b906764a35508a7fd266cdd512e46b1
SHA256: fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\frq.exe
executable
MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
2116
DllHost.exe
C:\Windows\System32\dismcore.dll
executable
MD5: 6b906764a35508a7fd266cdd512e46b1
SHA256: fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\vvh.ico
text
MD5: b2f8b00d24d96ecf869ddddeff8c1a28
SHA256: 3d978bb366e5c750a0780380cebd52419bf143d19883476f92d3e3da44f5b456
2984
frq.exe
C:\Users\admin\AppData\Local\Temp\43555320\IBWTI
text
MD5: b79c9ed1d94b13dc6af7c8cce14ea2b7
SHA256: 58f96fc1cd01791bc5b54ab62399d306f582e383deb9c509dd1dfd194b50ee56
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\ibh.ppt
text
MD5: 7759e32734fe10c640b7829eefa01056
SHA256: 2e1d04d6e6ca4cdbf5fb13657f7cf50f8b579a50f6287248163e421791923de8
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\vib.txt
text
MD5: 2a3895a699e40d6bdaa3681ff91b0e75
SHA256: bb8c439a01b8a966f60dad85287ba336b01a8a29c7118a50b20e4fa3c3c51654
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\gfr.mp3
text
MD5: 6406fb5c652cf4f118ea939613d9ec38
SHA256: 5a784946d7b5dc596e4241372597221e20cbd444f0adb2e4d2ccdba95dc4299a
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\uhe.ico
text
MD5: d37776a871be1c90c8242686d10ca9bd
SHA256: 7bc6a8fd769b0b8875098cb1a09c35a537b941dce658ecdc7573674b500b7090
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\cla.pdf
text
MD5: 83dbd87b1bfe2abe5e5b2dbc2d6e8064
SHA256: 33a624a4c704a1c3884125de5cc1808d586818180188166220b81e8f37d7880b
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\cov.bmp
text
MD5: 56b6d0ccf774511bccb54a40c0aece16
SHA256: 04472f9981ac19cafc3eb7a79d42666bfc3fe1969c86263056cb89984c7f5eae
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\xqq.pdf
text
MD5: b22bc2d2e04d33f94a4112e9df98e59c
SHA256: 613cc8c810fc8f9eeedd7c1dc36f3de274bbb43435b7ad9d73fa556754c06cc0
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\moi.mp4
text
MD5: 3a52d72f1fa758c4c16cb15cec17c568
SHA256: f44d4914355553b7f15d8c830ea14643817162486450268d0a52857fac796849
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\sou.icm
text
MD5: 924a760716030c16d6da730c6f55242f
SHA256: 1b502c4173589b52660407c17a07ae99c98a42323f819b69ebd8f6919ef6b050
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\dcu.icm
text
MD5: 51a8286b377a4c46f17720cf7d52305d
SHA256: d9135fdbee4e98b82c8e228da12a2741492e8046c28ecf57d7d838556b209cff
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\lhq.icm
text
MD5: 24f84a56453d21c75ce5f0def3855f60
SHA256: 222e69f262f63114a0002e94c9d657234d5c98aeedc74a72c54e8c3de254a4e4
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\ken.jpg
text
MD5: 7272693b03062d24263c9853e4c97014
SHA256: dec797b3d5045e98aca6bbe2334eab6efb9d49c10156ea137e0a670ec7e2bedf
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\xvc.bmp
text
MD5: 346c7b4ec6d786cee28676ed76b0ebb7
SHA256: 77e5fa446cff3d1354b9760a86f11288b08d7cf116c17adab1048b577e0cff7b
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\pdg.icm
text
MD5: 058c24e811d39c734d14e41c1adc41e4
SHA256: 075fd0a5a0d33c2b11fe937f96200d09c431bb9c60b073b269c1afa71e2ea4c4
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\jsa.xl
text
MD5: cb3bf3ff500106e629032a1d153c8cda
SHA256: 6a3c9a681036d716fb327b6c3314d8bd6fb4bb2e8bab26f1eda5e6b055ff4295
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\pkn.ico
text
MD5: e89936769eb835bf0280d0ed48cf0126
SHA256: dbc1d49c77f4b10417c2ea9b9a4107b4051c349e864e054a1553a0c2e350f611
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\ljq.bmp
text
MD5: 41a0a7d0b0f47636b8072b066f297059
SHA256: 1309ad6355c9452c47f67ba86df33785102569e7050e6668c94ed47ba301e0ee
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\esp.bmp
text
MD5: 6c13702aa59aaa2ab88e032c9f28d912
SHA256: 3175765da4ea7a5d4ed58bb7657d1ef85df853be261588a99088552c5aad0a13
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\cdt.jpg
text
MD5: a26c6110c5138f8135679ab7f963cb53
SHA256: 20ce20f40dc5c21789ead0057a32096f7f9e5ee6202a7486fe6dbed84b1ab971
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\dts.txt
text
MD5: 48cb8eaa02022ccab4302870db19c111
SHA256: ab62743e08580cf426dc22c6ddb5ae9038009f9f041f723826c4d5114b91e5dc
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\hld.jpg
text
MD5: 6d5e9eaf0da7bd7fe31c6c93ed5af5ca
SHA256: e1a8599cd4462093c308be063540f8fa3e081894060bb65e0f23083f4200092d
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\jsf.ppt
text
MD5: 5404ebb63ac111adf44393e8a4a88fbc
SHA256: 6847c7afed16f41e5da673d7360fdf96a2a87393cb7c7ccc6130f932785930b2
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\fia.ppt
text
MD5: 10f4a3c92e4309db1876f976149f7a1f
SHA256: 82779b1349fb9b3b73313651c97c0afb0585566b9df418ee5d6d41a72a3219a4
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\cee.jpg
text
MD5: 851b9fdf2a86816b55a28c411a141095
SHA256: 5ada33ba8c6976ef9bbd9b0655a5cc95c441daa8b6d47360150bdd0655392899
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\csp.dat
text
MD5: 2072ce93606de1ccd44d52012d75d445
SHA256: 6ee097f69b925246320e028862f89216c80c0e93f6d002cfda144321804c6ee2
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\fbv.icm
text
MD5: 3318bac37b978691a6f2496abfb0707d
SHA256: 8d43e91b75c4ed3e3b6e9c5b2dbdb7c51535370f7deaa214de456fd08066f1b7
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\lwr.mp4
text
MD5: 636028fd3892f72b1f9ee6d81cec72bc
SHA256: 28657b3efb4e6ac187759f19f146324a3b8d3d9c74857862be57129afbc4b0a5
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\rjf.dat
text
MD5: 68b02a22f15f9696cf450d04b808573e
SHA256: 34887e7d9f4d86686cab982342648801d8328665f55647221bc3ce292a6922eb
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\lgw.pdf
text
MD5: 29c77318642b06a8f0019edc6bded9ee
SHA256: 85cbd44842284c8416f9a0a8ac6c60260623c20529fb31e98ca0635865ab14f3
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\ubl.pdf
text
MD5: fe4081336a3cad200c2257214a81a143
SHA256: 8d314e29b433b587dd9077f8948b871eac34ea7971bc332e61e4852fd483415a
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\scg.bmp
text
MD5: 0602c2f4b254a2376df378d1af74ba3b
SHA256: 27cc615968afbed10eec4b746cb1cbb7484d9c040ed0934b074b73261ed652a4
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\hjq.mp3
text
MD5: 18b153fead8045436442271db0f94ae6
SHA256: ed20d22c7cd98e1987f15586e1e8eb3201205cca22dc79e2b9ae7b1e7c77202c
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\rbu.dat
text
MD5: a83c618cfcec29332ded44cb4a2dbcd7
SHA256: dfbd316ab903886f3410f752f39766f0db8a2cf007df0fbd89087be600961273
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\lsf.ico
text
MD5: 7695d463cad63cd09b02be84d1f6f492
SHA256: 22c529cd77b5c4893b4ebe53bd0cdc634fae470784d3989729bec481842e6e68
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\rfe.icm
text
MD5: 0b5209d830bc7b233407043b1c73fb83
SHA256: 87082214b329573af829e12d6caab83f6ad304efb0ec6032883c9a291111c3cd
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\jet.xl
text
MD5: 62a4cd83d0123e82d82c87d545ff0c71
SHA256: 97ed23edfe8a35b33f3de3c9ad40553011e48076b942df9df2b891c81feaa710
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\rne.pdf
text
MD5: 3d4cece5f11bc743788215eba029422d
SHA256: 3c45b665c3bf80622c49805b2ec8ce01c8f73b77ab48cd61705f851bce99d514
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\nqt.xl
text
MD5: 5fa4c6bc54aeed84e8044fdc1f2c5480
SHA256: f56cc5140093ae4a788cad045ee4808208bf362d05dff19be230f0da7365345b
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\hkc.bmp
text
MD5: 6357c7368d80ecadf1e45dfc1b62be2e
SHA256: f8b5b3f37df2feb8a4a7eb506d1e229431b504b301110fdb183777ae6eb8e587
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\lxr.docx
text
MD5: d6df24a3c81f8c0d5963de8152582e1d
SHA256: 409e997216ce8046948de3cbf9f183f1e8ed83f19d6fffcf16e2b7ffabe9ffbc
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\dub.dat
text
MD5: 380ceeb42dcf21978a128938e4a5fad4
SHA256: 860c22aa2244e5d7e882f93957e7381344e6cfd8e24c0840e53b2c34c5113d81
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\bur.jpg
text
MD5: 8fe271259e45c3f6f153649b3eff7bf5
SHA256: f38cf068e2d28b1123c6f6ce095885f2e7ca56061252c13767b3bb9b34014b70
3552
pkgmgr.exe
C:\Windows\Logs\CBS\CBS.log
text
MD5: cb2ee7e164553ec483aa1fa7331a84f1
SHA256: e6ddb436c7624725927db0ebd6b5c6d9276f26b05ec10a380516e4cb4e658b11
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\qfd.pdf
text
MD5: 0503faaec3d91beb320866cc0dc996f2
SHA256: 79e87f0cb97ea1a84b77d49ca62275484ad6224511ba79e54dafe499d8bee7fd
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\xmk.mp3
text
MD5: 894d406801f44dec2db1d5d7f9b09ece
SHA256: 721722682da7b4a8b6980f39b658cf1d45b4c25bdff2917f0b2dd9d1f6676726
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\fpb.bmp
text
MD5: d7cd30e73b7691ae28dd97d96a320baa
SHA256: 9b780d2b801880bb32cf3e134b4f976a6250b1befb2fa0a032845eb3de393cb2
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\gjg.mp4
text
MD5: cf150a922a20c537cc8441babeabe2fb
SHA256: 052d85f1de12c4b778acf41e948fab16c7406320cfcb6b9f0155dcb6ddd53865
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\wdg.vbs
text
MD5: 0be243f6620271e916110c3ce5cf02e2
SHA256: 72105fcf240164c18fd8cfd63e22552dd56d818bf9fe0f43308837b2bb2c1087
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\mca=vqw
text
MD5: 9bc54fd695ce13e0a88b521c693bf427
SHA256: 785543d179802dbbe40dc8d0860e369ea8bcd3ccf4a3919d78b1d80fe79a7d9b
3524
ye.exe
C:\Users\admin\AppData\Local\Temp\43555320\kiv.xl
text
MD5: d1eb7535d996695ae17d24c091dcd872
SHA256: 0f13cbba011db116a74421eb58c3e3b5a6181dfb0b54d8b118ed983c35d28b16
1552
cmd.exe
C:\Users\admin\AppData\Local\Temp\ellocnak.xml
xml
MD5: 427eb7374887305b72f5c552837c9036
SHA256: b3f421780a49cbe680a317259d4df9ce1d0cdaca3020b4df0dc18cc01d68ccbb

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
1

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
2076 RegSvcs.exe 193.176.87.214:4070 –– unknown

DNS requests

Domain IP Reputation
benzkartel.duckdns.org 193.176.87.214 malicious

Threats

PID Process Class Message
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.