General Info

File name

server.exe

Full analysis
https://app.any.run/tasks/f92fdaf1-25ee-4e5d-b350-6f8fb984b9a9
Verdict
Malicious activity
Analysis date
12/2/2019, 20:43:20
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

d3dc24d9c47a01a3d4e913874bacc1e9

SHA1

2318a366fb027d9af549c1393d936f0622bd5ccb

SHA256

0d0e767bde1b924aa888a40a4cfeb3f3135eb8688c6d872619bb54040e48ba67

SSDEEP

6144:8mcD66RRjV5JGmrpQsK3RD2u270jupCJsCxCu:NcD663wZ2zkPaCx3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes the autorun value in the registry
  • server.exe (PID: 2132)
Application was injected by another process
  • taskeng.exe (PID: 2032)
  • windanr.exe (PID: 3716)
  • explorer.exe (PID: 352)
  • dwm.exe (PID: 280)
  • ctfmon.exe (PID: 708)
Runs injected code in another process
  • server.exe (PID: 2132)
  • iexplore.exe (PID: 2388)
Creates executable files which already exist in Windows
  • server.exe (PID: 2132)
Executable content was dropped or overwritten
  • server.exe (PID: 2132)
Starts Internet Explorer
  • server.exe (PID: 2132)
Loads DLL from Mozilla Firefox
  • iexplore.exe (PID: 592)
Creates files in the user directory
  • iexplore.exe (PID: 2388)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
  • .exe | Win32 Executable (generic) (42.6%)
  • .exe | Win16/32 Executable Delphi generic (19.5%)
  • .exe | Generic Win/DOS Executable (18.9%)
  • .exe | DOS Executable Generic (18.9%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
1992:06:20 00:22:17+02:00
PEType:
PE32
LinkerVersion:
2.25
CodeSize:
45568
InitializedDataSize:
261632
UninitializedDataSize:
null
EntryPoint:
0xbbf4
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
19-Jun-1992 22:22:17
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0050
Pages in file:
0x0002
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x000F
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x001A
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000100
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
8
Time date stamp:
19-Jun-1992 22:22:17
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
CODE 0x00001000 0x0000B1C8 0x0000B200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.41418
DATA 0x0000D000 0x00000220 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 2.76426
BSS 0x0000E000 0x000011F1 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.idata 0x00010000 0x00000BE4 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.77096
.tls 0x00011000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rdata 0x00012000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED 0.205446
.reloc 0x00013000 0x00000A60 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED 6.2459
.rsrc 0x00014000 0x0003DF64 0x0003E000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED 7.90399
Resources
  • 1
  • 50
  • 51
  • DVCLAL
  • PACKAGEINFO
  • XX-XX-XX-XX
  • ICON_STANDARD
  • MAINICON
Imports
  • kernel32.dll
  • user32.dll
  • oleaut32.dll
  • advapi32.dll
  • ole32.dll
  • pstorec.dll
  • rasapi32.dll
  • shell32.dll
  • crypt32.dll

Exports

No exports.

Processes

Total processes
35
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Graph nodes (rendered interactively in the full report): server.exe, explorer.exe, iexplore.exe, taskeng.exe, dwm.exe, ctfmon.exe, windanr.exe, iexplore.exe (no specs); edges labelled "start" and "inject".
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
2032
CMD
taskeng.exe {532150F8-214C-4D30-9483-0A3BC3E44D0E}
Path
C:\Windows\System32\taskeng.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Task Scheduler Engine
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskeng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\tschannel.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\apphelp.dll

PID
280
CMD
"C:\Windows\system32\Dwm.exe"
Path
C:\Windows\System32\dwm.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Desktop Window Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmredir.dll
c:\windows\system32\dwmcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll

PID
352
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\msutb.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\gameux.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\qagent.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\searchfolder.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\onfilter.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\users\admin\appdata\local\temp\server.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\wsock32.dll

PID
708
CMD
C:\Windows\System32\ctfmon.exe
Path
C:\Windows\System32\ctfmon.exe
Indicators
Parent process
taskeng.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
CTF Loader
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msutb.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msimg32.dll

PID
3716
CMD
"windanr.exe"
Path
C:\Windows\system32\windanr.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\windanr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winanr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsanr.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\oleaut32.dll

PID
2132
CMD
"C:\Users\admin\AppData\Local\Temp\server.exe"
Path
C:\Users\admin\AppData\Local\Temp\server.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\server.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\apphelp.dll

PID
2388
CMD
"C:\Program Files\Internet Explorer\iexplore.exe"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
server.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\profapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shdocvw.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\linkinfo.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\wer.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\sspicli.dll
c:\microsoft explorer\iexplore.exe
c:\windows\system32\netutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

PID
592
CMD
"C:\Microsoft Explorer\iexplore.exe"
Path
C:\Microsoft Explorer\iexplore.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\microsoft explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll

Registry activity

Total events
557
Read events
472
Write events
85
Delete events
0

Modification events

PID Process Operation Key Name Value
352 explorer.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E LanguageList en-US
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors APPSTARTING %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors ARROW %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors CROSS %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors HAND %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors HELP %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors IBEAM %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors NO %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors SIZEALL %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors SIZENESW %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors SIZENS %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors SIZENWSE %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors SIZEWE %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors UPARROW %SystemRoot%\cursors\clearcur.cur
3716 windanr.exe write HKEY_CURRENT_USER\Control Panel\Cursors WAIT %SystemRoot%\cursors\clearcur.cur
2132 server.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Explorer C:\Microsoft Explorer\iexplore.exe
2132 server.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Explorer C:\Microsoft Explorer\iexplore.exe
2132 server.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BW7R262B-43E8-7WLY-2DIS-SV1O3GABB12X} StubPath C:\Microsoft Explorer\iexplore.exe Restart
2388 iexplore.exe write HKEY_CURRENT_USER\Software\vítima FirstExecution 02/12/2019 -- 19:43
2388 iexplore.exe write HKEY_CURRENT_USER\Software\vítima NewIdentification vítima
2388 iexplore.exe write HKEY_CURRENT_USER\Software\Microsoft PIDprocess 2388
2388 iexplore.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E LanguageList en-US
2388 iexplore.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
2388 iexplore.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1

Files activity

Executable files
1
Suspicious files
1
Text files
660
Unknown types
0

Dropped files

PID Process Filename Type MD5 SHA256
2132 server.exe C:\Microsoft Explorer\iexplore.exe executable MD5: d3dc24d9c47a01a3d4e913874bacc1e9 SHA256: 0d0e767bde1b924aa888a40a4cfeb3f3135eb8688c6d872619bb54040e48ba67
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\UuU.uUu text MD5: d5f60e9c466485c4750333ac103ddbf3 SHA256: 7272227dd795d554861005aa28ee5614912ed58199c9781b87ca9e98f4398c7a
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx –– MD5: –– SHA256: ––
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 50b1b2c0bce998911ed279ebdd9b35ce SHA256: 58fbb67115235a3ed49a7959081c446ba14420420a6b38412e336bff9ce7d402
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 3a3aad73d2237a13ab4999da4fdc1af2 SHA256: ac8c7f66ba48d9455f29c8ba85d6bb2b0d124e3081194a2e660dd80488b758fe
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 04d040aa87433836c0c56d58bcce368e SHA256: 06b489e1d087774ce8c44a40aad6fadaf79399f80a4b29ef41653da202f78e96
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 42e4595961d61d90b29ff07443a8b579 SHA256: 16329ca739c90779ffed58d804dabe665d4da0d49a813c60280335ece5eabf36
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 7797fb1a717f81e5b5ef52b963b91b54 SHA256: cf76cd015d309955daca057d9ee9c4335b8f7bf41b71ecb5a91722716f229b91
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 34f916f97037254b84a55d98dd2afa5b SHA256: a8cf5bf2cc4805ee99714846467bf8c583a6d26b471bf02450e53351e797dbc9
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 67ba4fbcd11e721316d9bfd8480af230 SHA256: 791086aecf80c2b66c6cb93d4ed492543f07341c5293c71b2a1cf1ab06abbcd5
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 8b689485dcb508ffeacbf5c7a80d538d SHA256: e72737ed0e6f57fa6eb4ffc0704473fe61d6835f2118fb9189780581a5f1640e
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: b849ec985f56660b2d090c00739455b6 SHA256: 8166e6791e9f879b45a03eeb773a9c424feb95d1646dfad9c364c954119c7826
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: ab2b648c7cb3f13f58094d0ba756c9c2 SHA256: d2added2f1a427a344c4997a0f6c208513afbd586fc56594d7f9a1ef370834c9
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 3d81dcc4abb28dbe1664767b34a4650f SHA256: 0a9702809a73aa5a952ce6548a0c88ecd4e0654eac4bb9e6c445ae07081ec9da
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 169d25c5f96f6e7b65e1a281b74c8cd5 SHA256: 4c4dfc1c65c1a64641cc74d3bf1a434896cc5d1fcb820b086e8b4805f8a1259b
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 0e321a3609e32a10b71dfca7a88606dd SHA256: 6f686a6ce1456e9b6fd433bc454577eaa9a7fc30c79c22caa6d5f7e5afaca6c7
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 8d89b28cff4735000f2c6b7b33932fdb SHA256: 0188c5117978ac14994dddd0d3196950734e0b6473247f3111f4af1a23d2b0ca
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: bf33bb67fbd8475a3699262544b983c1 SHA256: 9d77995566d17c8b100bbd521246398590ef4144bddfee49b969eb0e61069975
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: c4f87bf457307cc793f492e953e03189 SHA256: a1591f8266ada44250e21d08b588ac49ab54ba597e88c2284923e756cce6f4ea
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: ca9bf54ee280f74ab912c56fcaa0ab2d SHA256: b2052bd22aebe9fdf7c4eb696348be8e4ed7a15e1540f39dae12777655b16f06
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 92b12a66791265fd53a5349e29f33d20 SHA256: 81ffa2c0ba983a51f5324026bcca2e91f6647a089a1cb8b657ccad7d6ea7124f
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: ae39cd2421a9f58437360a8bd8a222f6 SHA256: ee6e3b37c8136715d82d29875e8e97f2f73c212bc6c9b5dcf611e8227496c01c
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: b75a478ddce622f984e0cc1aa93235d2 SHA256: 7068f96395117f1d52cf5b248400bd8c33977234e626801187edc089e85874fc
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: fdbf2df8c58abe574d3c62e5718b0116 SHA256: 3f543b70852fe9c6f7d245ad7b304dc52c0b53fb67d94ef9c9b3484cb6df45ad
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: cd61b505ba55798141acc33028f0b018 SHA256: af193601f8d1bd8b5e8dc2d8d8720e484e5450dfc989253d94c37cef131e9a63
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 3773948fef38c7f2f2dbdec31f184863 SHA256: 129e516b1cf78ddbeb1e83ea18b648240ac0a87f7b52010f68ec1be34d20a823
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: d94ad7768012d0ccbaed211be2aa55ff SHA256: 5efe04e4801ec7d1236895c49c7cd4bb7e9f005b5c5c879edf0019cd313b6058
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 67109efae6a6ce3b39a8d3599b4b6901 SHA256: 23d16346b0f0a397f81b1aa68c3f089df5b01633d58a7f6bd9fddecd24eab55d
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: d5f60e9c466485c4750333ac103ddbf3 SHA256: 7272227dd795d554861005aa28ee5614912ed58199c9781b87ca9e98f4398c7a
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: fcb71d42840a13abfba82f6836ca0b88 SHA256: f8a63df8d4ba37c66206cb42e71959049913d751425c7d3da1ed51f482ae2500
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 4c4d07e9e2bd1cbfc375fec0fe2fc863 SHA256: a6babd0e332c962351084694228b253b447d1c3b310255092ecd9cad97f5e38d
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 0c5f9e1dfb7ba636ac3b22b2ff152085 SHA256: 01d0b4a29f93b492b2383ad4e8bd01edc86c5fe1f4ac0ae7420f6de926db2867
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 8efafad0304b0c5d1a8cb6d3e8073421 SHA256: 1562dd9ffb12f3bd861744e5782c0af736417d17f9dd990746f8b84bb10a7175
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 7584b64c56b8a4d3bbf6b28adca74d70 SHA256: 45744762620631b27991263efeda39da2730ea574c6cfa041e7e448789b2950d
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 145d427e16528d1dcda2d772a9d3a012 SHA256: 0d23061903255f30f32981d4e7bcd3ce90ce68a044f4efbeb1f11e13938fac7f
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 42f13b14144d80fb9adee5fc5ccdefd2 SHA256: 03f83a44ac74aa33d463d03fb1720935e6c2cdfb58c374cbbeb7f8af08a9c5a6
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 19812493504509381d5a15872c42c517 SHA256: 620cb103ef275c6b791e835f9863eb690fbe19543dd16e29c8c70fade696f965
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: b86b564f06c4ff906dfd29016e3e1073 SHA256: c6d4663c96bf24fedb8ea4c01357635c9e4e1074146c3e87f52893046c2e87ae
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 64f8b0569d097edc283a8e66c1d3a434 SHA256: 1c9cde8710a2a0cddfe142f3649f2083be3d5ceaedc1aed32368b03d21a52713
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: f5fe42e5c645c0e1cd794dc901098478 SHA256: d7587d0f8063250f7007ea421e6774246f7f40e3531963583fa5d2966d58159b
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 2687d922a64aeccf382b6a98851a6079 SHA256: 9639d7bf626a9e9258b2e1e232f2fe3c6d119b65418e73c158180626f3bab2e4
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: c848c2ecef0db019db074c2f0361f933 SHA256: 107f767d5602635dd2e0b0120592f5f0eecbf5c1b4e9ab5f8ca1f20c117c4736
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: e452e4938b660a6f88be5c54c20dd86f SHA256: d841f8ac5ef7458ab9d933ee4633f925e1a0c8bb2f5c9b49d981c8953e442723
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: e24d0b8320a435850b0a2264910b61ff SHA256: 8311d6e117ec36c9bde8f94178182430b450594c687a70deb1ca2fa7fa7a6ef7
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 100a9521f4c494ab3c3e753f7810619a SHA256: 92ac8ab1a50e629c4bb7aa3dd4ffbcdb997e8f6401ba99e35fd282de67f8af99
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 8efa41c96dea472470b9744da85c63be SHA256: 0577190973c0ea893e8b92a331124590105a57d5efbdc419b9485b75d47b4230
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 8ad7e4ae66be9ef108f22a68e3f6d7bc SHA256: 44b37dbfef9a7d568f04138609f6e7c83c4b1114b8e3b671684e2dbe3eca8880
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 5c0135c559b55da1567dcce1cebe9989 SHA256: 4c587c54f8f64daba6c027476ead33adb0e3304ee76d16ec6bef48b31f858361
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: a624519102e066f3aadb3d836568700e SHA256: 8fb473bd803b731e9e02c294e4d4665cb8ee40dbffa39f28a72448eecf723821
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: 967ee8788a0a5e7da003aa6312e1c27d SHA256: 3582e9b5044ed23321a4f81e97805c6a6df7456625bbefe10090f9d85a99679b
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\UuU.uUu text MD5: 967ee8788a0a5e7da003aa6312e1c27d SHA256: 3582e9b5044ed23321a4f81e97805c6a6df7456625bbefe10090f9d85a99679b
2388 iexplore.exe C:\Users\admin\AppData\Roaming\logs.dat text MD5: e21bd9604efe8ee9b59dc7605b927a2a SHA256: 51a3fe220229aa3fdddc909e20a4b107e7497320a00792a280a03389f2eacb46
2132 server.exe C:\Users\admin\AppData\Local\Temp\XX--XX--XX.txt binary MD5: fc23bde2aa1a51e756194e0d42c7f378 SHA256: e8bd9cef8a765753ae73fc8124f241784195d158aa864ce6dd90c8de8d939158
2388 iexplore.exe C:\Users\admin\AppData\Local\Temp\XxX.xXx text MD5: d53d8e617ba41faa8fdcc3f0d97a592d SHA256: 98eb37ed20db2bdb3788a46ce78cdb8b9614f3bc0045d48eb1b01389aa45c180

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
1

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
2388 iexplore.exe 91.93.205.151:1604 Tellcom Iletisim Hizmetleri A.s. TR malicious
–– –– 91.93.205.151:1604 Tellcom Iletisim Hizmetleri A.s. TR malicious

DNS requests

Domain IP Reputation
kanat26.duckdns.org 91.93.205.151 malicious

Threats

PID Process Class Message
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Debug output strings

No debug info.