General Info

File name

order%23July.tbz2.zip

Full analysis
https://app.any.run/tasks/b6f61f02-f75c-4f89-9f47-0ebb43af042c
Verdict
Malicious activity
Analysis date
7/18/2019, 15:19:47
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

rat

nanocore

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

bb7006504608abc97cb8371ed53e22bf

SHA1

961169db99602f88d391cf24bcc4b2b0240d7223

SHA256

fd7b9e2be56ae3969065654eaae3f36d67349f3660afe808b9693c8181b43e70

SSDEEP

24576:+yEMCWO79/fyDkZYX5EcVM2zbrJpCNMrO+5TDEdT0VCjfHEqw:RCWsVqDkOJ57jCNMa+lDQT0VCjvs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • DYQRJ.exe (PID: 3636)
  • QRPJF.exe (PID: 2884)
  • QRPJF.exe (PID: 3160)
  • P.O#JULY06.scr (PID: 3532)
NanoCore was detected
  • RegSvcs.exe (PID: 3408)
Changes the autorun value in the registry
  • DYQRJ.exe (PID: 3636)
  • QRPJF.exe (PID: 2884)
Creates files in the user directory
  • RegSvcs.exe (PID: 3408)
Executable content was dropped or overwritten
  • QRPJF.exe (PID: 2884)
  • WScript.exe (PID: 3044)
  • WinRAR.exe (PID: 3000)
Drop AutoIt3 executable file
  • WScript.exe (PID: 3044)
Executes scripts
  • P.O#JULY06.scr (PID: 3532)
Starts application with an unusual extension
  • WinRAR.exe (PID: 2968)
Application launched itself
  • WinRAR.exe (PID: 3000)
Dropped object may contain Bitcoin addresses
  • P.O#JULY06.scr (PID: 3532)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:07:08 07:36:00
ZipCRC:
0xa3fe6e85
ZipCompressedSize:
1216337
ZipUncompressedSize:
1408025
ZipFileName:
P.O#JULY06.scr

Processes

Total processes
42
Monitored processes
8
Malicious processes
8
Suspicious processes
0

Behavior graph

Process tree (node labels from the behavior graph, parent to child): winrar.exe -> winrar.exe (no specs) -> p.o#july06.scr (no specs) -> wscript.exe -> qrpjf.exe (no specs) -> qrpjf.exe -> regsvcs.exe (#NANOCORE) and dyqrj.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3000
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6907f6f7-c070-4a12-b7f1-92fc42ea00dd.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

PID
2968
CMD
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3000.2764\P.O#JULY06.scr
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\users\admin\appdata\local\temp\rar$dia3000.2764\p.o#july06.scr
c:\windows\system32\wshext.dll
c:\windows\system32\wscript.exe
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll

PID
3532
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$DIa3000.2764\P.O#JULY06.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\Rar$DIa3000.2764\P.O#JULY06.scr
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Easeware
Description
DriverEasy
Version
5.6.9
Modules
Image
c:\users\admin\appdata\local\temp\rar$dia3000.2764\p.o#july06.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wscript.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
3044
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\LNBQJ\C0hD8z7e.vbe"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
P.O#JULY06.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\lnbqj\qrpjf.exe
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3160
CMD
"C:\Users\admin\AppData\Local\LNBQJ\QRPJF.exe" C:\Users\admin\AppData\Local\LNBQJ\QPTRP
Path
C:\Users\admin\AppData\Local\LNBQJ\QRPJF.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 8, 1
Modules
Image
c:\users\admin\appdata\local\lnbqj\qrpjf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll

PID
2884
CMD
C:\Users\admin\AppData\Local\LNBQJ\QRPJF.exe C:\Users\admin\AppData\Local\LNBQJ\JHCXY
Path
C:\Users\admin\AppData\Local\LNBQJ\QRPJF.exe
Indicators
Parent process
QRPJF.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 8, 1
Modules
Image
c:\users\admin\appdata\local\lnbqj\qrpjf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v2.0.50727\regsvcs.exe
c:\users\admin\appdata\local\temp\dyqrj.exe

PID
3408
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Indicators
Parent process
QRPJF.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
2.0.50727.5420 (Win7SP1.050727-5400)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shfolder.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

PID
3636
CMD
C:\Users\admin\AppData\Local\LNBQJ\JHCXY
Path
C:\Users\admin\AppData\Local\Temp\DYQRJ.exe
Indicators
Parent process
QRPJF.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\dyqrj.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll

Registry activity

Total events
1701
Read events
1652
Write events
49
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2968
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\AppData\Local\Temp\6907f6f7-c070-4a12-b7f1-92fc42ea00dd.zip
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Rar$DIa3000.2764\P.O#JULY06.scr
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2968
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
@C:\Windows\System32\wshext.dll,-4803
VBScript Encoded Script File
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Comment
LeftBorder
476
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2968
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3000
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3000
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3000
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3000
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\6907f6f7-c070-4a12-b7f1-92fc42ea00dd.zip
3000
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3000
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3000
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3000
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3000
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
@shell32,-10162
Screen saver
3000
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3000
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3532
P.O#JULY06.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3532
P.O#JULY06.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3044
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3044
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2884
QRPJF.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
micro
C:\Users\admin\AppData\Local\LNBQJ\C0hD8z7e.vbe
3636
DYQRJ.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
micro
C:\Users\admin\AppData\Local\LNBQJ\C0hD8z7e.vbe

Files activity

Executable files
3
Suspicious files
1
Text files
29
Unknown types
1

Dropped files

PID
Process
Filename
Type
3000
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIa3000.2764\P.O#JULY06.scr
executable
MD5: 4bd9459dba1951e3eb11ddaff1c32a75
SHA256: eb967345db027e172d0a5c00c057edea55e0a3b2d82eb2dace7897b12c61b21c
2884
QRPJF.exe
C:\Users\admin\AppData\Local\Temp\DYQRJ.exe
executable
MD5: 7b6b2d2bf2a15b2fb612324b95ff3134
SHA256: e6839914d5249432107be6c8a7e7d92d674976a270ab3e2ce2e646c27fa899cf
3044
WScript.exe
C:\Users\admin\AppData\Local\LNBQJ\QRPJF.exe
executable
MD5: 71d8f6d5dc35517275bc38ebcc815f9f
SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
3160
QRPJF.exe
C:\Users\admin\AppData\Local\LNBQJ\JHCXY
a3x
MD5: 86efdce5ffaab775c4a039fc685b0eaa
SHA256: 2a266bec1dc705c31a23d7cd236ab54bcc05ad462ffb21d5fe6a1280ace7fa41
3408
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: f2627370a01f00cc088b622f2afddc58
SHA256: e1299cf8b93a4eca9edde351ae871a5e798fcf6f53b9c80ce84cc23ab5765b84
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\VIQRX.T035 text MD5: e1f498c4a1679e93f249cdfdcabf7d27 SHA256: fd1ce47e4902167ef47a33f7890fef33553b9afc2ef4932a276b9a4d41deb576
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\NVAFA.7b65 text MD5: 1d5015e82adace30a95485e908b86c3f SHA256: 5e3bb40f0b96d3522c92d0f3f0c24300e8b561089eef8077d1f1ba62fd317a73
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\JNUNG.Vd27k text MD5: 5366c78ecbef247b9b1e7598dbd13ac8 SHA256: 201cef50144ac51d8cf5f165952acd84b6a628682316dcbb50b86daf6b35261e
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\JMNCP.5zE3W text MD5: 51a855db584aceb583cecdf7646d37dd SHA256: 0a62c89f8e0be984d081454c4aa9cb781dc86c4bba4c4812e5ba78e0e15c1248
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\WJJBP.Z5U3g text MD5: 3c8a49145944fed2bbcaade178a426c4 SHA256: 17df374b296fed0a524ae8cc3765280acd2e168c9bce0e7403064998ffc6d640
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\KCWID.4y8H3 text MD5: 443934cd5ba8879bde961f1be9407327 SHA256: f091942f8c73e02605558655a6fb44616b6b1d31771043a2328443a3130e3ed9
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\BWLBQ.9b3AU text MD5: e02c7bb436c6cc0ed8badd81b77c2a59 SHA256: 584cab152e60cdd01e30c217039a84eb72406188fc2e0495040ff5dbb11d2191
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\KKHBE.Z3z6r text MD5: caf0f491e1a261e233620174acdebcad SHA256: 6ae2ad3e961c74943b105ba3e146d4b7b5a10d02f5d0ec02f1cabff618ef7345
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\YOYTQ.hu29 text MD5: e275f1df176ab24dcec2c40dde1015d5 SHA256: 1ddc4c584a6f9831208d7e46ab49c821b07e59c3bd1be525e409b9d1141956d4
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\XOZXG.1P4b text MD5: e1a59f92f1f56afef56233d6b4dbb898 SHA256: f15becfed7425f16b7bda2e8fc0db6754e697908c804d72bf3ee6f0a6399e597
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\KFVEL.8Q2M text MD5: cea91ee3cd290e61d3c41d481710e563 SHA256: 001cf231eb34fd0fd929890ed12c2ecbafb10694993eed055f2955b46170203d
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\QMAVT.D6Wd text MD5: 25935d3a8175daf7d061b391a683a6c6 SHA256: c86358b4d38673128460c50dd24350563512e1ede289ef881b238237601c7fa2
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\YJNMV.5EtC text MD5: ee3d64dc67fed8a22ca58e5b45994e60 SHA256: dd9926171f7d416fb4ed82191d0df4ecc8b3d5b21393efb3dc40332fbcfd2518
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\OVWIO.5VY35 text MD5: 5f3f1082febab085f2fed90f91b7faf4 SHA256: 7d16108e5947648d7b87845fc857c05c8ccc66e62b2e381b30190dc6d6f1a241
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\QWYTS.07S3 text MD5: 8dd61f846890c42ea39d7379699ab58c SHA256: 394667284e43d32f801c00e63bc0d3d50c6425604da4d134e04cc30f69ded34d
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\HGSVY.424Mn text MD5: f3277d27d1ee4614548bb712e3ed4658 SHA256: c167c1c3fa46d51bd2542d5db4f3de25f57959ebdd331cc5c3b361276c48b0a6
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\SSWOF.1X08 text MD5: 935f6c7a6d905f8c28382c3b8289044a SHA256: f66de737816c6420b9fa708256616bc20abf1909331cd71b06756130590fbd85
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\QJYWM.75ZEn text MD5: b6f6372790aa35a8e9ca4ce18dfaa08f SHA256: f7fea59bef2db369c3cfb0dffab7c681f881f24d41a5298d2f04ec66d0e82216
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\VPECL.1p8j text MD5: fda3ba9725f9599bdbd02f1f39085dda SHA256: 14f2545623161699ec92cec089360f6f215ef9aeb08208c7ce3dfa23213d4e89
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\VDEET.2nKA text MD5: 92fed53e92907543316450b3188c9693 SHA256: dfab67b091aa09e646862fcb00bb395ac9e2b0ee73d3bead7bfc7606fcc6dac0
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\LVVXK.MhPj text MD5: 1c4999ecc70a08729f9d2f3d717ceb5f SHA256: 188c56696472e546c2963562862ffe40d1fa2e1d9698ea2920d439ecd5969aad
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\MFZCI.7709 text MD5: dccd3b50e0025cf6f5b7dfe5f6a0e09e SHA256: f0fd51ee9940ccbe21e6be0e28e542ad9ac8573b7a2bfda5abd317d6f4d894ea
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\TIVLC.4yj4w text MD5: d34cc4b83389f762d4c074f848c15ea5 SHA256: 7f2c522ca2801e33773b09428ee9f6e9c002a30f5ecd69462c39414d488c0473
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\C0hD8z7e.vbe text MD5: 54b3cd60e096f2fec387c003a207e352 SHA256: 01c3b94f3271c54453bd2c2d621bcea64df48aa4ca428778548e40476a34571f
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\YMQGIX text MD5: c6dcedc4ee6e02e33aa706ce771f93bd SHA256: 9140fe74c80f49639cd702d7e5ae10e202d6761322cddf31e9fa74971a85e640
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\QPTRP text MD5: e8e8bd60bc96077e45908781e7c03885 SHA256: e0c392ecb99a1702185721eae0daa4ec2bbe82b99b4099125322c7f7e430db19
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\CNYJI binary MD5: 6a235672751f5f32791f6cafc122b8b5 SHA256: 4717b1535bda0ea0b8bb0c0ebe3595048f9e0e7d6557f1b541c24fd9d93c654c
3532 P.O#JULY06.scr C:\Users\admin\AppData\Local\LNBQJ\QTIWW text MD5: c3e78c5c1154bbb472fbbba46afe5667 SHA256: f08f5a1c562eae5c07cbf5a7daeee9117ecd0c77ac35c63cff4aa3bf48b861b4
2884 QRPJF.exe C:\Users\admin\AppData\Local\LNBQJ\spd text MD5: 098f6bcd4621d373cade4e832627b4f6 SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

Find more information about the static content and download it from the full report.
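The dropped-file list above is what an analyst turns into hash indicators, but two things are worth checking first: which process wrote into which staging folder, and whether any of the hashes belong to trivial content that should not go on a blocklist. The last record (spd, written by QRPJF.exe) has the MD5 and SHA256 of the bare string "test", which is easy to miss when copying hashes by hand. The script below is an added example, not ANY.RUN code and not from the report; it tokenizes four of the records above (constructed sample, same six fields the export uses) into structured rows, flags placeholder content by recomputing the hashes with hashlib, cross-checks MD5 against SHA256 for such files, and counts files per (PID, process, directory). It assumes paths contain no whitespace, which holds for every path in this report.

```python
import hashlib
import re
from collections import Counter

# Constructed sample: four of the dropped-file records from this report, in the
# exported layout (PID, process, path, type, MD5, SHA256, one field per line).
SAMPLE_RECORDS = r"""
3532
P.O#JULY06.scr
C:\Users\admin\AppData\Local\LNBQJ\VIQRX.T035
text
MD5: e1f498c4a1679e93f249cdfdcabf7d27
SHA256: fd1ce47e4902167ef47a33f7890fef33553b9afc2ef4932a276b9a4d41deb576
3532
P.O#JULY06.scr
C:\Users\admin\AppData\Local\LNBQJ\C0hD8z7e.vbe
text
MD5: 54b3cd60e096f2fec387c003a207e352
SHA256: 01c3b94f3271c54453bd2c2d621bcea64df48aa4ca428778548e40476a34571f
3532
P.O#JULY06.scr
C:\Users\admin\AppData\Local\LNBQJ\CNYJI
binary
MD5: 6a235672751f5f32791f6cafc122b8b5
SHA256: 4717b1535bda0ea0b8bb0c0ebe3595048f9e0e7d6557f1b541c24fd9d93c654c
2884
QRPJF.exe
C:\Users\admin\AppData\Local\LNBQJ\spd
text
MD5: 098f6bcd4621d373cade4e832627b4f6
SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""

FIELDS = ("pid", "process", "path", "type", "md5", "sha256")
HEX = re.compile(r"^[0-9a-f]+$")

# File contents an analyst should recognise from their hashes before shipping
# them as indicators: an empty file and the bare string "test".
TRIVIAL_CONTENTS = {"empty": b"", "test": b"test"}


def parse_dropped_files(text):
    """Split the export on whitespace, drop the MD5:/SHA256: labels and group
    the tokens six at a time. Works whether the fields are one per line or
    joined into one row per record; assumes paths contain no whitespace."""
    tokens = [t for t in text.split() if t not in ("MD5:", "SHA256:")]
    if len(tokens) % len(FIELDS):
        raise ValueError("truncated export: %d stray tokens" % (len(tokens) % len(FIELDS)))
    records = []
    for i in range(0, len(tokens), len(FIELDS)):
        rec = dict(zip(FIELDS, tokens[i:i + len(FIELDS)]))
        rec["pid"] = int(rec["pid"])
        rec["md5"], rec["sha256"] = rec["md5"].lower(), rec["sha256"].lower()
        if not (len(rec["md5"]) == 32 and HEX.match(rec["md5"])
                and len(rec["sha256"]) == 64 and HEX.match(rec["sha256"])):
            raise ValueError("malformed hash in record for " + rec["path"])
        records.append(rec)
    return records


def classify(records):
    """Separate usable hash IOCs from placeholder files whose content is
    trivial; for a placeholder, check that its MD5 agrees with its SHA256
    (catches a transcription error in either column)."""
    by_sha256 = {hashlib.sha256(d).hexdigest(): n for n, d in TRIVIAL_CONTENTS.items()}
    iocs, placeholders = [], []
    for rec in records:
        name = by_sha256.get(rec["sha256"])
        if name is None:
            iocs.append(rec)
            continue
        if hashlib.md5(TRIVIAL_CONTENTS[name]).hexdigest() != rec["md5"]:
            raise ValueError("MD5/SHA256 disagree for " + rec["path"])
        placeholders.append((rec["path"], name))
    return iocs, placeholders


def drop_dirs(records):
    """Count dropped files per (PID, process, directory): many files from one
    process into one fresh AppData folder is the staging pattern to hunt for."""
    counts = Counter()
    for rec in records:
        counts[(rec["pid"], rec["process"], rec["path"].rsplit("\\", 1)[0])] += 1
    return counts


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_RECORDS)
    iocs, placeholders = classify(recs)
    for rec in iocs:
        print("%s  %s" % (rec["sha256"], rec["path"]))
    for path, what in placeholders:
        print("skipped %s: content is %r" % (path, what))
    for key, n in drop_dirs(recs).items():
        print(key, n)
```

Feed the full export to parse_dropped_files and the SHA256 column of the iocs list is ready for an EDR hash search; the placeholders list is what to leave out, and drop_dirs gives the (process, folder) pair to pivot on in file-creation telemetry.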

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 1

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3408 RegSvcs.exe 8.8.8.8:53 Google Inc. US whitelisted
3408 RegSvcs.exe 173.254.223.82:1384 QuadraNet, Inc US malicious

DNS requests

Domain IP Reputation
oamentyga.duckdns.org 173.254.223.82 malicious

Threats

PID Process Class Message
3408 RegSvcs.exe Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
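The network section above is the whole chain in three rows: RegSvcs.exe (PID 3408), a signed Microsoft .NET Framework utility that has no reason to touch the Internet on its own, resolves oamentyga.duckdns.org through 8.8.8.8 and then connects to the answer, 173.254.223.82, on port 1384. The ET INFO signature only fires on the dynamic-DNS query, which is low fidelity on its own; the higher-fidelity detection is the correlation of that query with a subsequent outbound connection by the same process to the resolved address. The script below is an added example, not ANY.RUN code and not from the report: it runs that correlation over constructed events mirroring the tables above. The event shape is an assumption (in production the same fields come from Sysmon Event ID 22 for DNS and Event ID 3 for connections), and the lists of dynamic-DNS suffixes beyond duckdns.org and of hollowing-target binaries beyond RegSvcs.exe are illustrative.

```python
from collections import defaultdict

# Constructed sample events mirroring the Connections and DNS tables above
# (PID 3408, RegSvcs.exe). The event shape is an assumption; in production the
# same fields come from Sysmon Event ID 22 (DNS query) and Event ID 3 (network
# connection), joined on process GUID rather than PID.
DNS_EVENTS = [
    {"pid": 3408, "process": "RegSvcs.exe",
     "query": "oamentyga.duckdns.org", "answers": ["173.254.223.82"]},
]
CONN_EVENTS = [
    {"pid": 3408, "process": "RegSvcs.exe", "dst_ip": "8.8.8.8", "dst_port": 53},
    {"pid": 3408, "process": "RegSvcs.exe", "dst_ip": "173.254.223.82", "dst_port": 1384},
]

# Dynamic-DNS suffixes. duckdns.org is the one in this report; the rest are
# illustrative and should come from the team's own intel feed.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Signed .NET Framework utilities that have no business on the Internet and
# are routinely started suspended and hollowed by loaders. Illustrative list.
HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def is_ddns(domain):
    """True for a name under a dynamic-DNS provider (exact or subdomain match,
    so 'duckdns.org.evil.example' does not count)."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def ddns_queries(dns_events):
    """The low-fidelity signal the ET INFO rule above fires on."""
    return [(ev["pid"], ev["process"], ev["query"])
            for ev in dns_events if is_ddns(ev["query"])]


def correlate(dns_events, conn_events):
    """High-fidelity alert: the same process resolved a DDNS name and then
    connected to an IP from that answer. The port is reported, not filtered:
    RATs use arbitrary ports, 1384 here, 443 elsewhere."""
    resolved = defaultdict(dict)  # (pid, process) -> {ip: domain}
    for ev in dns_events:
        if is_ddns(ev["query"]):
            for ip in ev["answers"]:
                resolved[(ev["pid"], ev["process"])][ip] = ev["query"]
    alerts = []
    for ev in conn_events:
        domain = resolved.get((ev["pid"], ev["process"]), {}).get(ev["dst_ip"])
        if domain is None:
            continue  # e.g. the 8.8.8.8:53 resolver traffic itself
        alerts.append({
            "pid": ev["pid"],
            "process": ev["process"],
            "domain": domain,
            "dst": "%s:%d" % (ev["dst_ip"], ev["dst_port"]),
            # A hollowed LOLBin beaconing to DDNS is about as clear as it gets.
            "hollowed_lolbin": ev["process"].lower() in HOLLOW_TARGETS,
        })
    return alerts


if __name__ == "__main__":
    for hit in ddns_queries(DNS_EVENTS):
        print("ddns query:", hit)
    for alert in correlate(DNS_EVENTS, CONN_EVENTS):
        print("C2 candidate:", alert)
```

The resolver connection to 8.8.8.8:53 is deliberately not an alert on its own; it only matters as the step that produced the answer. When porting this to a SIEM, key on the process GUID rather than the PID, since PIDs are reused, and treat hollowed_lolbin as the severity bump: a DDNS beacon from a browser is worth a look, the same beacon from RegSvcs.exe is an incident.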

Debug output strings

No debug info.