General Info

File name

jnn.bin

Full analysis
https://app.any.run/tasks/e7bb5db8-7735-4998-8433-2ed82d7d33a9
Verdict
Malicious activity
Analysis date
3/14/2019, 12:30:49
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

rat

nanocore

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5

22cf84a2fd381a3e383e65c933553fe1

SHA1

b17a2dcd93d21f2f83b02c6e29cd0794c33aec47

SHA256

f62a182a1b4bd3f05ad0a639b3c5333990a6721dae6715ca6863e5e97d03a6e8

SSDEEP

24576:f2O/GltplwJ6XsdSK44oEbAs+VwmxhKbH3rUO46Gk:SlmkKcVwmxUT3is

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

NanoCore was detected
  • RegSvcs.exe (PID: 2180)
Changes the autorun value in the registry
  • mdo.exe (PID: 3060)
Application was dropped or rewritten from another process
  • mdo.exe (PID: 3380)
  • mdo.exe (PID: 3060)
Creates files in the user directory
  • RegSvcs.exe (PID: 2180)
Connects to unusual port
  • RegSvcs.exe (PID: 2180)
Executable content was dropped or overwritten
  • jnn.bin.exe (PID: 3468)
Application launched itself
  • mdo.exe (PID: 3380)
Drop AutoIt3 executable file
  • jnn.bin.exe (PID: 3468)
Dropped object may contain Bitcoin addresses
  • jnn.bin.exe (PID: 3468)
  • mdo.exe (PID: 3380)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
  • .exe | Win32 Executable MS Visual C++ (generic) (35.8%)
  • .exe | Win64 Executable (generic) (31.7%)
  • .scr | Windows screen saver (15%)
  • .dll | Win32 Dynamic Link Library (generic) (7.5%)
  • .exe | Win32 Executable (generic) (5.1%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2012:06:09 15:19:49+02:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
74752
InitializedDataSize:
58880
UninitializedDataSize:
null
EntryPoint:
0xac87
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
09-Jun-2012 13:19:49
Detected languages
English - United States
Process Default Language
Debug artifacts
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
09-Jun-2012 13:19:49
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0001231E 0x00012400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.55555
.rdata 0x00014000 0x00001D15 0x00001E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.99401
.data 0x00016000 0x00017724 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.54914
.CRT 0x0002E000 0x00000020 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.394141
.rsrc 0x0002F000 0x0000C2C0 0x0000C400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.80062
Resources
  • 1
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 100
  • 101
  • ASKNEXTVOL
  • GETPASSWORD1
  • LICENSEDLG
  • RENAMEDLG
  • REPLACEFILEDLG
  • STARTDLG

Imports
  • COMCTL32.dll
  • SHLWAPI.dll
  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • COMDLG32.dll
  • ADVAPI32.dll
  • SHELL32.dll
  • ole32.dll
  • OLEAUT32.dll

Exports
No exports.

Processes

Total processes
32
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

jnn.bin.exe --(drop and start)--> mdo.exe (no specs) --(start)--> mdo.exe --> regsvcs.exe (#NANOCORE)

Process information

PID
3468
CMD
"C:\Users\admin\AppData\Local\Temp\jnn.bin.exe"
Path
C:\Users\admin\AppData\Local\Temp\jnn.bin.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\jnn.bin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\88127361\mdo.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
3380
CMD
"C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe" seg=muu
Path
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
Indicators
No indicators
Parent process
jnn.bin.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\88127361\mdo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3060
CMD
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe C:\Users\admin\AppData\Local\Temp\88127361\VTRAN
Path
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
Indicators
Parent process
mdo.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\88127361\mdo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
2180
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
mdo.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events
375
Read events
369
Write events
6
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
3468 | jnn.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3468 | jnn.bin.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3060 | mdo.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WindowsUpdatejnn | C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe C:\Users\admin\AppData\Local\Temp\88127361\SEG_MU~1

Files activity

Executable files
1
Suspicious files
0
Text files
48
Unknown types
0

Dropped files

PID
Process
Filename
Type
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\seg=muu
text
MD5: 451111d03bca3331e4d1f2631f56c494
SHA256: 98ec9a9a42575a0626ebffaf344487e26118ebca0d837d218cfc4dc446f37102
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\otp.ico
text
MD5: b84743ee3bd9c88c1bf27279e3e1e8cc
SHA256: ca56196b6f06c185cf87311e6e49eb71393a2d3967fb6ce1213a50f122295491
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\swq.xl
text
MD5: bc716dec0a405bd457fdb8aae6f880d4
SHA256: 521008524e25091b703c03e9c2b77388e24f0a1d89bf9c92d6ae453f8409c5b6
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\iwc.txt
text
MD5: c7329353c0cdcdfbfbc625a5121fa4c0
SHA256: 0f6005a715a87630f15de43e21f0e88c1da01b0f7a95b4a9be92fb8c5acc94d8
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\lph.xl
text
MD5: 602face6e7db59f16cdcf5c62a90fdf4
SHA256: bf42e5064bb8056a92711535f5c332500f7eb8351a6a7b076992e8d416445b83
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\crc.bmp
text
MD5: c68768cbca85c691387a6dd545162283
SHA256: a2426d1643153e335aab55a4c8078e5dc42416142d9890ce9256e38b3ed63106
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\iwd.docx
text
MD5: 52b5dd8a14c0e8b0c1348f1445c9605f
SHA256: 6dc83bc1f8f7e95296c7b70b68caa85056513f9e079137a843ef0fece00cd294
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\wlx.mp3
text
MD5: 3ef0a39f10a6a648a1776e7a5fd356d1
SHA256: 3c5db10a768ddb3694a65cdd7f662411759a1f1b3f6d33b30030ef2e1826cb29
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\ema.mp4
text
MD5: 19e2227a516dd3c03af3f429ad3cb801
SHA256: 6d7024ebd9a1ed69679795de3fd9cd93d8dc6cb00826822eed818b950ac1a403
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\vur.mp4
text
MD5: 20458011d0d339b9d638cd696b112533
SHA256: 771530df8d287e3b3f6c1ef14cfc8d2104cd158a7cf73c3cf12b6ac18565d515
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\dnq.mp3
text
MD5: 1770257b1d796e2c229417b1dd44171e
SHA256: 7dc9ca12a862d2f7ec48117148bdb82c53e001db155628de552bb84c033ec40e
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\uvh.dat
text
MD5: f7d948d24ab00d59fda153ff1c40dad7
SHA256: 4f127ae7c1d45a796718fe442bf3eea86c3ed464a744fe20d2bcd244a843ee80
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\hrp.jpg
text
MD5: 520be58348f83651a6a77d7180c18f1e
SHA256: 81061cb012d827dc6805d6f38e46069478d5ef4062809609ecc64abf8d410a73
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\ucu.icm
text
MD5: d9b3eb6f6cbab2b8565265147411a2dd
SHA256: 16d9831ec31cc0696835b56cc4d7ff59cdd7f9380b0c12bc09fd8752d4b81223
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\bkr.dat
text
MD5: 220534e4734ceeaae6bb055b4f0ce3cf
SHA256: 715de9c63dc88fd8f8e8540f067685ed620eff0178e16ae45853c454146287da
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\bqc.pdf
text
MD5: dcc558713f18bb6f9f1986614670d633
SHA256: bd17ebfdfbbe72298118e4878256d0c306134dae72e24165ac9a9b96c5d7add3
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\ras.mp3
text
MD5: f6002c65bf5773dbb147aa34813138f3
SHA256: f5fbdc98a578ca4fa9c0c0b9838ebc188ee55efcd5812b2adec14c8bea1281b1
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\nkd.docx
text
MD5: 2a1f8daf674e9855126c8a9fe1f52f08
SHA256: a5ead5b669f54af308cd26009949e93dddf82721ecee453e7430639bb357f2e9
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\bos.dat
text
MD5: af76971543c4ce9db8caf2e571875f4f
SHA256: fdb64db0910f2ec413da1e4c18c505c2cce72231b1e5ef007605f78a6e5dd1d6
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\kgo.bmp
text
MD5: 4ef0cd3566b0cd7df92dd53b2615190b
SHA256: 86aa28bd8be550be1a2632f5ef119b78bf05efb98cf2316e777be81597c13c04
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\gbd.ppt
text
MD5: 8ca027526de874041007ebbf4749597b
SHA256: d8e049827a9f7eb38557f48c134bf30893bb798af61878c5a2d9b512fb69022c
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\tlr.txt
text
MD5: 19edfee859fce71ce355d9d7d9f2fae3
SHA256: f719a2229c9929c53a9b10b59a2d1ac20b86758c0d360233e01942fa31e29409
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\wqh.ppt
text
MD5: 9c47a245493b6fdb09ebf389cbc97aa9
SHA256: b12245e281dbeb82ea9bd1574634a000ff06e26b14b377f82c820bd9f3af771a
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\jrx.docx
text
MD5: 5744c7f84cdad1fb1027e90e02e33530
SHA256: da8e37eb2f0c1ba7d298a184c8e263ff81d84f5ff5cb4e52541edff939a7ccbe
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\qaa.xl
text
MD5: f4712ebb85e9532888e8479a3d71448e
SHA256: 7ceea16b3c8eb2a38ed9e2bbb3462232f84c15dc66d4ab594ca1ff7c4d78954c
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\hlk.mp3
text
MD5: 6b00ad93325c0a65afbb84f495edd1a8
SHA256: b079e22683fcd46b416a695a4550b6e06db15bba197179d6120904f90ddadb88
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\nek.mp3
text
MD5: 6d9b924a1abf1d14608bcb066ddfe976
SHA256: fb433941510461f34c27bc1625e9d1a249e59a58132eb7a79ae0acf2bd0bcae7
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\qtl.docx
text
MD5: eb59a1fe851e768f7bd175cc24217aac
SHA256: 7e30c168edd43afe3e0fb0d21485cf025d5f226d948cb4e56b9f722ba2281365
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\sqj.dat
text
MD5: 42c1de8aafab368ba22a4c3504a35c19
SHA256: fca18198a5e5ce7a7438d9a0d5eabf81314f1b13eec4e7ab6b962cdcc60f3bf9
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\nok.pdf
text
MD5: 1db14f74f3914de40c93043a5e0fd2b2
SHA256: 65ddd15ca974d5116f734ad62735fa5d25a298f46653433134ab9b509b3f37ea
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\wnm.txt
text
MD5: 9d871b45be406860726b7127c3a443cf
SHA256: eb6bd3df86e186d00fdea3207eb712de268e2d8fcef9af8a9e8b73899f89957f
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\lti.docx
text
MD5: 2571c4827b75254f512f67d569d4969e
SHA256: 72e1bf13d71df21ae55d248b6be66933e371cfc5bc7b0c33f4526f59e8f3f510
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\tgo.ppt
text
MD5: da7da040fa0aac5f0434873dd878fd9c
SHA256: 57f6780fd5738439d4aa03b8f3aad8ceffaf99a2fb3e20b0e3916298ce09962a
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\jkm.mp3
text
MD5: d764faade38682911bebbe4386b1ced4
SHA256: 27fa4da115127f99de35b1b6d2d241fd2e420ef7b14539bdaba45e33e5e0fdc4
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\cll.ppt
text
MD5: c3038bb5d678596a20440872bb278380
SHA256: 70dcfc1d30a96aa81ca89c308a379a7458534b6c9cd469c8641e71842c188370
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\wmg.mp4
text
MD5: 930e1630892a35d1cbd8a595e972eb0b
SHA256: 958e318f9c7d99abc90e5a98aee4f8af8205dcf542e28ebca2ed8ca6835f7577
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\pou.icm
text
MD5: 53ce9c11f69ede839689a93ea34b9201
SHA256: 3d08042dbb0a693dd4f838236e5d7f5e40f5667ba6b33adcd605f26610817627
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\ois.xl
text
MD5: 153b3b542f9cd17247811f7af364a980
SHA256: 7357786d348f08ab1e564efb68cc740e416828252c732721b44bf5f8b9f78303
3380
mdo.exe
C:\Users\admin\AppData\Local\Temp\88127361\VTRAN
text
MD5: 4d184c13b95c0c8d7cf644b9599bfed4
SHA256: 11ab9c4ce531bf94d9ffb7d242a41fae41ccb95e5fc9845c37d315e345b1e2ee
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\bum.pdf
text
MD5: feaeea7208f7a411e4cdc0e3286a11db
SHA256: 1df03709f122f14e2606e94bccb74b47c6c48a483c68a45ed446c06c0ca01965
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\dss.dat
text
MD5: c488c0eeaa4a77679f10a662945e5e4e
SHA256: db289b5f6cad00bf4b05ed3ba50825ac178119ea0d5f9f58f7a22f1ff670addf
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\urr.docx
text
MD5: 1d37dace5d0be9a4c90b71036ffb43b0
SHA256: 040ed3cba92ec70663baecd5e7f4859776669f4405be70f6db3066bf984d16f4
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\nbb.icm
text
MD5: 9b65c9d1111c7e0640ce5900f01dbf05
SHA256: f4b0ae209225a3321acd8b5303b09d8ba245aa4250620d1407356faf82e6f800
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\jvk.mp3
text
MD5: d9b7cc3f58da6d96c3dbfb4008b26eb9
SHA256: 29f324a7980e633b0052b5bdb634833cd094e5a631380fe6049fc6f6daa7a48c
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\bje.ppt
text
MD5: f77626bd4356a4ae7252eccf68ee9f35
SHA256: 0e385f3f3122f4a5bfa9ddfe1214ef92ead6eea3c834540a88d19f5f23085958
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\nkq.docx
text
MD5: 51c9b23e003e3e14f4659bc60d4be131
SHA256: 3adc7f290017eb28aa34e8cec227e781e25d180c3eb77e03b01211369980e0b6
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\lpr.mp4
text
MD5: 3576b5978b68394d98e25affd7225b83
SHA256: e182a17f5a6b486ff9410ecccbf9685bc5c54cf2ec314ae255040dabce04e895
3468
jnn.bin.exe
C:\Users\admin\AppData\Local\Temp\88127361\agf.mp3
text
MD5: 6b683766e31bf4c09e9606b132a0dcbb
SHA256: e73aef70c5db9d851d906b775e5aabe18888062af3faf53c0ec8cbca5b55e535

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
12
DNS requests
10
Threats
3

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
2180 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
2180 RegSvcs.exe 8.8.4.4:53 Google Inc. US whitelisted
2180 RegSvcs.exe 185.163.45.48:58887 MivoCloud SRL MD suspicious

DNS requests

Domain IP Reputation
kgentle777.hopto.org No response unknown
kgentle77.duckdns.org 185.163.45.48 malicious

Threats

PID Process Class Message
2180 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2180 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2180 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.