General Info

File name

Un_A.zip

Full analysis
https://app.any.run/tasks/aa95e49b-99f8-4fc4-ab12-2981f20c214c
Verdict
Malicious activity
Analysis date
8/13/2019, 15:42:56
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

2794a5457da5eff41dafe6a0f82c22ae

SHA1

7c5e5966b28717ac9c03a32d4225a49f3636f7cc

SHA256

21f94b7d4ed622bb16950925ad12ef002a592137ddc4e70505adb9e9b8718ec7

SSDEEP

6144:+JskEKb9HMeQ2iJIL0O6x/qUMABetNln/3F:+auJ0O6xFmV9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Registers / Runs the DLL via REGSVR32.EXE
  • ns6D68.tmp (PID: 3172)
  • ns6E54.tmp (PID: 2968)
  • nsF3BA.tmp (PID: 3472)
  • nsF2CE.tmp (PID: 2944)
Application was dropped or rewritten from another process
  • ns6C3E.tmp (PID: 2764)
  • Un_A.exe (PID: 332)
  • ns6D68.tmp (PID: 3172)
  • Un_A.exe (PID: 3312)
  • ns6E54.tmp (PID: 2968)
  • Un_B.exe (PID: 1328)
  • Un_A.exe (PID: 1440)
  • nsF3BA.tmp (PID: 3472)
  • nsF1B4.tmp (PID: 384)
  • Un_A.exe (PID: 3728)
  • nsF2CE.tmp (PID: 2944)
Loads dropped or rewritten executable
  • Un_B.exe (PID: 1328)
  • Un_A.exe (PID: 3728)
Executable content was dropped or overwritten
  • Un_B.exe (PID: 1328)
  • Un_A.exe (PID: 332)
  • WinRAR.exe (PID: 1912)
  • Un_A.exe (PID: 3728)
  • Un_A.exe (PID: 1440)
Starts application with an unusual extension
  • Un_B.exe (PID: 1328)
  • Un_A.exe (PID: 3728)
Starts itself from another location
  • Un_A.exe (PID: 332)
Starts Internet Explorer
  • Un_A.exe (PID: 3728)
Reads internet explorer settings
  • iexplore.exe (PID: 4088)
Manual execution by user
  • explorer.exe (PID: 3368)
  • explorer.exe (PID: 944)
  • Un_A.exe (PID: 1440)
  • Un_A.exe (PID: 332)
Reads settings of System Certificates
  • iexplore.exe (PID: 4088)
Reads Internet Cache Settings
  • iexplore.exe (PID: 4088)
Creates files in the user directory
  • iexplore.exe (PID: 4088)
Changes internet zones settings
  • iexplore.exe (PID: 1716)

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2019:07:03 04:27:21
ZipCRC:
0xbf24f5e2
ZipCompressedSize:
255390
ZipUncompressedSize:
890392
ZipFileName:
Un_A.exe

Processes

Total processes
70
Monitored processes
20
Malicious processes
4
Suspicious processes
4

Behavior graph

Processes shown in the graph, in the order they appear (the graph image itself is not captured; its edge labels were "start" and "drop and start", and "no specs" marks a process with no indicators):

  • winrar.exe
  • explorer.exe (no specs)
  • un_a.exe
  • un_a.exe
  • nsf1b4.tmp (no specs)
  • nsf2ce.tmp (no specs)
  • regsvr32.exe (no specs)
  • nsf3ba.tmp (no specs)
  • regsvr32.exe (no specs)
  • iexplore.exe
  • iexplore.exe
  • explorer.exe (no specs)
  • un_a.exe
  • un_a.exe (no specs)
  • un_b.exe
  • ns6c3e.tmp (no specs)
  • ns6d68.tmp (no specs)
  • regsvr32.exe (no specs)
  • ns6e54.tmp (no specs)
  • regsvr32.exe (no specs)
Specs description

  • Program did not start
  • Integrity level elevation
  • Task contains an error or was rebooted
  • Process has crashed
  • Task contains several apps running
  • Executable file was dropped
  • Debug information is available
  • Process was injected
  • Network attacks were detected
  • Application downloaded the executable file
  • Actions similar to stealing personal data
  • Behavior similar to exploiting the vulnerability
  • Inspected object has suspicious PE structure
  • File is detected by antivirus software
  • CPU overrun
  • RAM overrun
  • Process starts the services
  • Process was added to the startup
  • Behavior similar to spam
  • Low-level access to the HDD
  • Probably Tor was used
  • System was rebooted
  • Connects to the network
  • Known threat

Process information

PID
1912
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Un_A.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
944
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll

PID
1440
CMD
"C:\Users\admin\AppData\Local\Temp\Un_A.exe"
Path
C:\Users\admin\AppData\Local\Temp\Un_A.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
TeamViewer
Description
TeamViewer Remote Control Application Installer
Version
Modules
Image
c:\users\admin\appdata\local\temp\un_a.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\~nsua.tmp\un_a.exe

PID
3728
CMD
"C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\admin\AppData\Local\Temp\
Path
C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
Indicators
Parent process
Un_A.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
TeamViewer
Description
TeamViewer Remote Control Application Installer
Version
Modules
Image
c:\users\admin\appdata\local\temp\~nsua.tmp\un_a.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nsub97d.tmp\installoptions.dll
c:\windows\system32\comdlg32.dll
c:\users\admin\appdata\local\temp\nsub97d.tmp\tvgetversion.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winspool.drv
c:\users\admin\appdata\local\temp\nsub97d.tmp\userinfo.dll
c:\users\admin\appdata\local\temp\nsub97d.tmp\uac.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\nsub97d.tmp\system.dll
c:\windows\system32\riched20.dll
c:\users\admin\appdata\local\temp\nsub97d.tmp\findprocdll.dll
c:\users\admin\appdata\local\temp\nsub97d.tmp\nsexec.dll
c:\users\admin\appdata\local\temp\nsub97d.tmp\nsf1b4.tmp
c:\users\admin\appdata\local\temp\nsub97d.tmp\nsarray.dll
c:\users\admin\appdata\local\temp\nsub97d.tmp\nsf2ce.tmp
c:\users\admin\appdata\local\temp\nsub97d.tmp\nsf3ba.tmp
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\firewallapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
384
CMD
"C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF1B4.tmp" "C:\Users\admin\AppData\Local\Temp\TeamViewer_Service.exe" -uninstall
Path
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF1B4.tmp
Indicators
No indicators
Parent process
Un_A.exe
User
admin
Integrity Level
HIGH
Exit code
3221225501
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsub97d.tmp\nsf1b4.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2944
CMD
"C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF2CE.tmp" "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim.dll"
Path
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF2CE.tmp
Indicators
No indicators
Parent process
Un_A.exe
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsub97d.tmp\nsf2ce.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\regsvr32.exe

PID
2620
CMD
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim.dll"
Path
C:\Windows\system32\regsvr32.exe
Indicators
No indicators
Parent process
nsF2CE.tmp
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3472
CMD
"C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF3BA.tmp" "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim64.dll"
Path
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF3BA.tmp
Indicators
No indicators
Parent process
Un_A.exe
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsub97d.tmp\nsf3ba.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\regsvr32.exe

PID
1640
CMD
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim64.dll"
Path
C:\Windows\system32\regsvr32.exe
Indicators
No indicators
Parent process
nsF3BA.tmp
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
1716
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
Un_A.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mlang.dll
c:\windows\system32\mssprxy.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll

PID
4088
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1716 CREDAT:79873
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
HIGH
Exit code
3221225547
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\dxtrans.dll
c:\windows\system32\atl.dll
c:\windows\system32\ddrawex.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\credssp.dll
c:\windows\system32\dxtmsft.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\macromed\flash\flash32_26_0_0_131.ocx
c:\windows\system32\winmm.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\mscms.dll
c:\windows\system32\dinput8.dll

PID
3368
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll

PID
332
CMD
"C:\Users\admin\AppData\Local\Temp\Un_A.exe"
Path
C:\Users\admin\AppData\Local\Temp\Un_A.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
TeamViewer
Description
TeamViewer Remote Control Application Installer
Version
Modules
Image
c:\users\admin\appdata\local\temp\un_a.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\~nsua.tmp\un_a.exe
c:\users\admin\appdata\local\temp\~nsua.tmp\un_b.exe

PID
3312
CMD
"C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\admin\AppData\Local\Temp\
Path
C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
Indicators
No indicators
Parent process
Un_A.exe
User
admin
Integrity Level
HIGH
Exit code
3221225758
Version:
Company
TeamViewer
Description
TeamViewer Remote Control Application Installer
Version
Modules
Image
c:\users\admin\appdata\local\temp\~nsua.tmp\un_a.exe
c:\systemroot\system32\ntdll.dll

PID
1328
CMD
"C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe" _?=C:\Users\admin\AppData\Local\Temp\
Path
C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe
Indicators
Parent process
Un_A.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
TeamViewer
Description
TeamViewer Remote Control Application Installer
Version
Modules
Image
c:\users\admin\appdata\local\temp\~nsua.tmp\un_b.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nsg6141.tmp\installoptions.dll
c:\windows\system32\comdlg32.dll
c:\users\admin\appdata\local\temp\nsg6141.tmp\tvgetversion.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winspool.drv
c:\users\admin\appdata\local\temp\nsg6141.tmp\userinfo.dll
c:\users\admin\appdata\local\temp\nsg6141.tmp\uac.dll
c:\users\admin\appdata\local\temp\nsg6141.tmp\system.dll
c:\windows\system32\riched20.dll
c:\users\admin\appdata\local\temp\nsg6141.tmp\findprocdll.dll
c:\users\admin\appdata\local\temp\nsg6141.tmp\nsexec.dll
c:\users\admin\appdata\local\temp\nsg6141.tmp\ns6c3e.tmp
c:\users\admin\appdata\local\temp\nsg6141.tmp\invokeshellverb.dll
c:\users\admin\appdata\local\temp\nsg6141.tmp\nsarray.dll
c:\users\admin\appdata\local\temp\nsg6141.tmp\ns6d68.tmp
c:\users\admin\appdata\local\temp\nsg6141.tmp\ns6e54.tmp
c:\windows\system32\firewallapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\iertutil.dll

PID
2764
CMD
"C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6C3E.tmp" "C:\Users\admin\AppData\Local\Temp\TeamViewer_Service.exe" -uninstall
Path
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6C3E.tmp
Indicators
No indicators
Parent process
Un_B.exe
User
admin
Integrity Level
HIGH
Exit code
3221225501
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsg6141.tmp\ns6c3e.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3172
CMD
"C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6D68.tmp" "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim.dll"
Path
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6D68.tmp
Indicators
No indicators
Parent process
Un_B.exe
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsg6141.tmp\ns6d68.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\regsvr32.exe

PID
2864
CMD
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim.dll"
Path
C:\Windows\system32\regsvr32.exe
Indicators
No indicators
Parent process
ns6D68.tmp
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
2968
CMD
"C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6E54.tmp" "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim64.dll"
Path
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6E54.tmp
Indicators
No indicators
Parent process
Un_B.exe
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsg6141.tmp\ns6e54.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\regsvr32.exe

PID
944
CMD
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim64.dll"
Path
C:\Windows\system32\regsvr32.exe
Indicators
No indicators
Parent process
ns6E54.tmp
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sspicli.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dui70.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\explorer.exe
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll

Registry activity

Total events
2299
Read events
2198
Write events
100
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
4088
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
2
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307080002000D000D002C002A00EE01
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
9
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
2
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307080002000D000D002C002A000D02
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
45
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
2
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307080002000D000D002C002A005B02
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
26
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
––
4088
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
Name
iexplore.exe
4088
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
ID
1290246418
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePrefix
:2019081320190814:
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheLimit
8192
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheOptions
11
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheRepair
0
4088
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Type
1
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
1
4088
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307080002000D000D002C002B00D500
1440
Un_A.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
\??\C:\Program Files\Mozilla Firefox\tobedeleted\mozfbe5d5f7-8112-4126-966a-cd1572113b1d
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
––
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive
{8014A9D7-BDD0-11E9-9885-5254004A04AF}
0
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
2
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307080002000D000D002C002A006101
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
2
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307080002000D000D002C002A006101
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
––
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
7AB40043DD51D501
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
1716
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
1912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
1912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
1912
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
1912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Un_A.zip
1912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
1912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
1912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
1912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
1912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\AppData\Local\Temp
1912
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
1
332
Un_A.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
\??\C:\Program Files\Mozilla Firefox\tobedeleted\mozfbe5d5f7-8112-4126-966a-cd1572113b1d

Files activity

Executable files
24
Suspicious files
2
Text files
46
Unknown types
2

Dropped files

PID
Process
Filename
Type
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6E54.tmp
executable
MD5: 483a9b183523e7e2015ddec730e59f7b
SHA256: aef58b24cc84a798101f9603c986161b93d8bc3c84de4d48050e10f50ff3fb27
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\UAC.dll
executable
MD5: 113c5f02686d865bc9e8332350274fd1
SHA256: 0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\InstallOptions.dll
executable
MD5: 033ee34c40e8fa85bf2739bcb2f3e186
SHA256: c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\UserInfo.dll
executable
MD5: 9b0db6a6056e8e51ac35e602aeab769f
SHA256: 925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
1440
Un_A.exe
C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
executable
MD5: 256ee46d53e632e36664e2938eda8dbb
SHA256: ab8ef17a29f005964ba84bb7795ebb2f0195eb32e5e24b6a3723e12181b8b9f9
332
Un_A.exe
C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
executable
MD5: 256ee46d53e632e36664e2938eda8dbb
SHA256: ab8ef17a29f005964ba84bb7795ebb2f0195eb32e5e24b6a3723e12181b8b9f9
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\FindProcDLL.dll
executable
MD5: 6f73b00aef6c49eac62128ef3eca677e
SHA256: 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsExec.dll
executable
MD5: 01e76fe9d2033606a48d4816bd9c2d9d
SHA256: ee052fd5141bf769b841846170aabf0d7c2bb922c74c623c3f109344534f7a70
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\nsExec.dll
executable
MD5: 01e76fe9d2033606a48d4816bd9c2d9d
SHA256: ee052fd5141bf769b841846170aabf0d7c2bb922c74c623c3f109344534f7a70
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF1B4.tmp
executable
MD5: 483a9b183523e7e2015ddec730e59f7b
SHA256: aef58b24cc84a798101f9603c986161b93d8bc3c84de4d48050e10f50ff3fb27
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\InvokeShellVerb.dll
executable
MD5: 1a6e1ea7e90e50d9a18e034e7cde41a6
SHA256: 2fddc8b8ab4bf4838ea374d25e4cb9e83362c3f1cb24f380137d14c814d56169
332
Un_A.exe
C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe
executable
MD5: 256ee46d53e632e36664e2938eda8dbb
SHA256: ab8ef17a29f005964ba84bb7795ebb2f0195eb32e5e24b6a3723e12181b8b9f9
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsArray.dll
executable
MD5: 82d49c227928741f6f09c5cea3bde9f1
SHA256: 8bc5e75bbfa5a8f10526aec2af441153b2883d6d288726ed8f7c9af12a1ee02b
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\System.dll
executable
MD5: 0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA256: 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\nsArray.dll
executable
MD5: 82d49c227928741f6f09c5cea3bde9f1
SHA256: 8bc5e75bbfa5a8f10526aec2af441153b2883d6d288726ed8f7c9af12a1ee02b
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\InstallOptions.dll
executable
MD5: 033ee34c40e8fa85bf2739bcb2f3e186
SHA256: c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF3BA.tmp
executable
MD5: 483a9b183523e7e2015ddec730e59f7b
SHA256: aef58b24cc84a798101f9603c986161b93d8bc3c84de4d48050e10f50ff3fb27
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\TvGetVersion.dll
executable
MD5: 05f51bc8ffb2c8f5a2825bf5680301cf
SHA256: c67cbd5e35e1ce0c7ba17c55d8e2bc33afd5e0a68774554a1fe7216d330c709e
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\TvGetVersion.dll
executable
MD5: 05f51bc8ffb2c8f5a2825bf5680301cf
SHA256: c67cbd5e35e1ce0c7ba17c55d8e2bc33afd5e0a68774554a1fe7216d330c709e
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\UserInfo.dll
executable
MD5: 9b0db6a6056e8e51ac35e602aeab769f
SHA256: 925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c
1912
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Un_A.exe
executable
MD5: 256ee46d53e632e36664e2938eda8dbb
SHA256: ab8ef17a29f005964ba84bb7795ebb2f0195eb32e5e24b6a3723e12181b8b9f9
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\System.dll
executable
MD5: 0ff2d70cfdc8095ea99ca2dabbec3cd7
SHA256: 982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\UAC.dll
executable
MD5: 113c5f02686d865bc9e8332350274fd1
SHA256: 0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\FindProcDLL.dll
executable
MD5: 6f73b00aef6c49eac62128ef3eca677e
SHA256: 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
1716
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
1716
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF818A0FE894FECFEC.TMP
––
MD5:  ––
SHA256:  ––
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\js[1]
text
MD5: ce240c1aba9e7ddb05bc81b709555cb2
SHA256: c57d09cc81f1071233da72895e1f6f4b4243db64561b3a464e65dfd1962c4dfd
4088
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: f95f3df087d1961e049d0df6a2e938dd
SHA256: 4f3b5299c89592225307b922d6007a2bb255f1041ff3da7adacd3a69c1dc6440
4088
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
image
MD5: 0d9b4730a23126f880da8b5e96f8d668
SHA256: 53e365e739d853f4ba161312ad00c57953921450e4eb3c28795bac49c64b8c12
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\gtm[1].js
text
MD5: f1f175fa6e68ac177f216294ce69ef58
SHA256: 0ef3d18416884e714b926dbbd0f23181f180938a5db63db2041a31a550f30944
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\analytics[1].js
text
MD5: a477b40dcc869e74d6414e8e42e36844
SHA256: cec3748d0c3da4700300d5424aaea375b03550b0ee8b3dd38e242c4022261446
4088
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
dat
MD5: 370128b041afe0bfca704482d250bd62
SHA256: fc284f0257560babeedea1494f9a646c1065ca1b028cf51f79044b519881a011
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: 602c75299ba2ce5a97a171a888622632
SHA256: e967ac566c3c9a014f66efc92f48df31c0659fe080a9ae999924252d1167211d
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\facebook[1].png
image
MD5: 394d8ecd0068c2fe9322327d2ab64b92
SHA256: c9b8ab6775db1c4fc298d73a009514f1c02aaed88fa8233f656ab5e7e046459c
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\rss[1].gif
image
MD5: ac1fcc1e069bef5d2cda420329acf5af
SHA256: 487fcfa804547b7506ef0be3ad97952016d0161d3209f5397db99d0883c61a8f
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\blue-background[1].jpg
image
MD5: 50666eec9d38a7dcc7236e0d84ddf4e4
SHA256: 4523b35261819a528b2d2b1002da0f84c50bab99b00a52cf29d0d59563537f61
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\twitter_mini-b[1].png
image
MD5: 9425a382040b9a67892a4469143b10a3
SHA256: 8fd28e495d95c6a0e6ba663bcc88cfd92a30dd886c5fd46b6bede673b99cb09e
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\blue-gradient[1].jpg
image
MD5: 6ec1a879c2a93d07df04ac2a5633bd29
SHA256: 9405f2fd2e470115454d5629d7d9549461cc1e839c75e93e49fbf13646004163
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\teamviewer-logo[1].png
image
MD5: 6bf20983ec12ea348331ac5eca35d217
SHA256: 1fbbcc007ab553bfc232191ecd4c7b8956907e652831f4900903e2b72875d488
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\index[1].aspx
––
MD5:  ––
SHA256:  ––
4088
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\index[1].htm
html
MD5: cf5b1bfde00da656472ee11e03529b33
SHA256: dd9c3a6ee6c52840084014fe332c073aca3327b65cadcc27c3c736a12aa70cf6
1716
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF8E27DEADB7EC6459.TMP
––
MD5:  ––
SHA256:  ––
1716
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
1716
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
––
MD5:  ––
SHA256:  ––
1716
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{86298967-BDD0-11E9-9885-5254004A04AF}.dat
binary
MD5: 3aa0c8fd0ba2d88ae37dbe9ed11010c1
SHA256: bb11aedd12b1e9ccf970a954262f0d307ee41dc02c814c3225ca059bdd8328b6
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF2CE.tmp
––
MD5:  ––
SHA256:  ––
1716
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{86298966-BDD0-11E9-9885-5254004A04AF}.dat
binary
MD5: e869309bcdfca2bf1c946120ae2998c8
SHA256: 23aef499797fb6e26c161570c9aca0643abbaaacad579eaa97a9f2282b148027
1716
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8014A9D8-BDD0-11E9-9885-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
1716
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF754E62A0A28DD393.TMP
––
MD5:  ––
SHA256:  ––
4088
iexplore.exe
C:\Users\admin\AppData\Local\Temp\JavaDeployReg.log
text
MD5: ae36d29cede45718715c0315f388b4de
SHA256: 53418c68d13b619dae6f01e22cd548e9f32a90f8b9fd788270306f9e00f228c0
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\uninstall_unicode.ini
text
MD5: ed434cb66adad8fbf2f5dc5eca0995b5
SHA256: 214b7754f75d10c89bb24f5daff9e10337d4c2675dc65a79f54be464ac13d706
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\uninstall_unicode.ini
text
MD5: 24cac3979e7f2c79eae35214cb755fc3
SHA256: 3ff506814f0c7c7614413327b9fb94487a795e135950037cc0444d838d6d8c67
1716
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF302CFEF7450CF621.TMP
––
MD5:  ––
SHA256:  ––
1716
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8014A9D7-BDD0-11E9-9885-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\uninstall_unicode.ini
text
MD5: 0b0da30c76029be86031debe8f4737e5
SHA256: 00522830c88db7b887cdf70303092710aa5337fd678e8ca408b6fbb13671bf3d
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\uninstall_unicode.ini
text
MD5: 671708b5c8619a6fbd0d106ff929a96b
SHA256: 432c95ea3f907e18668177cc1e7b0ba28066bcf8191bed224ca7b2d4fb578bbc
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\uninstall_unicode.ini
text
MD5: 71e75ba0cc973a0ce914bc2befc225bd
SHA256: ee56fbb3b1b5cbea08b1ba27cf483b3f4ed4e41c39e581ff925b44e6fce37985
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6C3E.tmp
––
MD5:  ––
SHA256:  ––
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6D68.tmp
––
MD5:  ––
SHA256:  ––
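
Two things in the process and dropped-file records above are worth pulling out when triaging a report like this. First, the same SHA256 is written under several names: aef58b24… appears as ns6E54.tmp, nsF1B4.tmp and nsF3BA.tmp, and ab8ef17a… as Un_A.exe and Un_B.exe in ~nsuA.tmp and as Un_A.exe in Temp. Second, regsvr32.exe is launched with /s /u against DLLs under the user's Temp directory, from a parent that is itself a .tmp file dropped there. The dropped plugin names (nsExec.dll, System.dll, InstallOptions.dll, UAC.dll) and the _?= argument are the shape of an NSIS uninstaller, and the report records no indicators for those regsvr32 processes, but the same checks are what you would run against an unknown sample. The Python below is an added example written for this page, not ANY.RUN's or TeamViewer's code. It parses the one-field-per-line export format of the Dropped files table (the sample is an excerpt copied from the table above), groups records by SHA256, lists executables written under Temp, and applies a rule of my own, not one the report states, that flags regsvr32 invoked silently on a DLL under Temp.

```python
import re
from collections import defaultdict
# Excerpt of the "Dropped files" table above, exactly as exported: four column
# headers, then six lines per record (PID, Process, Filename, Type, MD5, SHA256).
DROPPED_FILES_EXPORT = r"""
PID
Process
Filename
Type
1328
Un_B.exe
C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6E54.tmp
executable
MD5: 483a9b183523e7e2015ddec730e59f7b
SHA256: aef58b24cc84a798101f9603c986161b93d8bc3c84de4d48050e10f50ff3fb27
3728
Un_A.exe
C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF1B4.tmp
executable
MD5: 483a9b183523e7e2015ddec730e59f7b
SHA256: aef58b24cc84a798101f9603c986161b93d8bc3c84de4d48050e10f50ff3fb27
1440
Un_A.exe
C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
executable
MD5: 256ee46d53e632e36664e2938eda8dbb
SHA256: ab8ef17a29f005964ba84bb7795ebb2f0195eb32e5e24b6a3723e12181b8b9f9
332
Un_A.exe
C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe
executable
MD5: 256ee46d53e632e36664e2938eda8dbb
SHA256: ab8ef17a29f005964ba84bb7795ebb2f0195eb32e5e24b6a3723e12181b8b9f9
1912
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Un_A.exe
executable
MD5: 256ee46d53e632e36664e2938eda8dbb
SHA256: ab8ef17a29f005964ba84bb7795ebb2f0195eb32e5e24b6a3723e12181b8b9f9
1716
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF818A0FE894FECFEC.TMP
––
MD5:  ––
SHA256:  ––
"""
# Command lines copied from the process records above.
COMMAND_LINES = [
    r'"C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim.dll"',
    r'"C:\Users\admin\AppData\Local\Temp\nsg6141.tmp\ns6C3E.tmp" "C:\Users\admin\AppData\Local\Temp\TeamViewer_Service.exe" -uninstall',
]

HEX_HASH = re.compile(r"[0-9A-Fa-f]{32,64}")
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
DLL_ARG = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.I)

def _hash_value(field):
    """'MD5: abc...' -> 'abc...'; the export's '––' placeholder -> None."""
    value = field.split(":", 1)[1].strip()
    return value.lower() if HEX_HASH.fullmatch(value) else None

def parse_dropped_files(text):
    """Turn the one-field-per-line export into a list of record dicts."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines[:4] == ["PID", "Process", "Filename", "Type"]:
        lines = lines[4:]  # drop the column headers
    if len(lines) % 6:
        raise ValueError("truncated export: records are six lines each")
    records = []
    for i in range(0, len(lines), 6):
        pid, proc, path, ftype, md5, sha = lines[i:i + 6]
        records.append({"pid": int(pid), "process": proc, "path": path,
                        "type": ftype, "md5": _hash_value(md5),
                        "sha256": _hash_value(sha)})
    return records

def same_hash_many_names(records):
    """SHA256 -> distinct paths, for hashes dropped under more than one name."""
    by_hash = defaultdict(set)
    for r in records:
        if r["sha256"]:
            by_hash[r["sha256"]].add(r["path"].lower())
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}

def executables_in_temp(records):
    """Distinct executable paths written under the user's Temp directory."""
    return sorted({r["path"] for r in records
                   if r["type"] == "executable" and TEMP_DIR.search(r["path"])})

def silent_regsvr32_from_temp(cmd):
    """Assumed rule: regsvr32 invoked with /s on a DLL that lives under Temp."""
    if "regsvr32" not in cmd.lower() or not re.search(r"\s/s(?=\s|$)", cmd, re.I):
        return False
    return any(TEMP_DIR.search(a or b) for a, b in DLL_ARG.findall(cmd))

if __name__ == "__main__":
    recs = parse_dropped_files(DROPPED_FILES_EXPORT)
    print(same_hash_many_names(recs), executables_in_temp(recs),
          [silent_regsvr32_from_temp(c) for c in COMMAND_LINES])
```

Grouping by hash rather than by file name is the point: a sandbox lists each write separately, so a stub that copies itself three times looks like three files until the SHA256 column is folded. The regsvr32 rule deliberately matches the wrapper command line as well as regsvr32.exe itself, since the wrapper is the process a tree view shows as the parent.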


Network activity

HTTP(S) requests
9
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
4088 iexplore.exe GET 200 52.232.106.174:80 http://client.teamviewer.com/uninstall/index.aspx?ID=&Version= NL html –– shared
1716 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US image –– whitelisted
4088 iexplore.exe GET 200 52.232.106.174:80 http://client.teamviewer.com/uninstall/images/teamviewer-logo.png NL image –– shared
4088 iexplore.exe GET 200 52.232.106.174:80 http://client.teamviewer.com/uninstall/images/rss.gif NL image –– shared
4088 iexplore.exe GET 200 52.232.106.174:80 http://client.teamviewer.com/uninstall/images/twitter_mini-b.png NL image –– shared
4088 iexplore.exe GET 200 52.232.106.174:80 http://client.teamviewer.com/uninstall/images/blue-gradient.jpg NL image –– shared
4088 iexplore.exe GET 200 52.232.106.174:80 http://client.teamviewer.com/uninstall/images/facebook.png NL image –– shared
4088 iexplore.exe GET 200 52.232.106.174:80 http://client.teamviewer.com/uninstall/images/blue-background.jpg NL image –– shared
4088 iexplore.exe GET 200 52.232.106.174:80 http://client.teamviewer.com/favicon.ico NL image –– shared


Connections

PID Process IP ASN CN Reputation
4088 iexplore.exe 52.232.106.174:80 Microsoft Corporation NL whitelisted
1716 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
4088 iexplore.exe 172.217.18.110:443 Google Inc. US whitelisted
4088 iexplore.exe 172.217.22.72:443 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
www.bing.com 204.79.197.200, 13.107.21.200 whitelisted
client.teamviewer.com 52.232.106.174 shared
www.google-analytics.com 172.217.18.110 whitelisted
www.googletagmanager.com 172.217.22.72 whitelisted

Threats

No threats detected.

Debug output strings

No debug info.