General Info

File name

ZIP-Password-IS-951951______VmProtect.zip

Full analysis
https://app.any.run/tasks/f8d41113-dd73-4d61-b68c-ee94b82967b6
Verdict
Malicious activity
Threats:

Raccoon is an information stealer sold as Malware-as-a-Service: access is bought on subscription for about $200 per month. It has infected over 100,000 devices and was one of the most frequently discussed malware families on underground forums in 2019.

RedLine Stealer is a malicious program that collects users' confidential data from browsers, the operating system and installed software. It can also act as a loader and infect the system with additional malware.

Analysis date
15/01/2022, 02:52:07
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

evasion

trojan

rat

redline

stealer

loader

raccoon

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

efe9e1bfe8405ae27dfada0d189f44ca

SHA1

efd3770edcebc03e5437945b50c0d784576f29e9

SHA256

659fe37447ff0d6a6b470144e321829140d3b4aab03488aac75c6571cad87ced

SSDEEP

98304:35W4nrEUX8K2qry24uzoTG04RPD9KRI0NBmDlWUKa+T4lmG+g8ILBVQaGKyHEsRw:35WW8QrFLJhKO0/0lxA4lm1acaykOwya

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

Application was injected by another process
  • svchost.exe (PID: 924)
Application was dropped or rewritten from another process
  • 149_setupInstaller.exe (PID: 684)
  • 149_setupInstaller.exe (PID: 3628)
  • setup_installer.exe (PID: 760)
  • setup_install.exe (PID: 3324)
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • 61e231ab47792_Sat02fb6439.exe (PID: 1444)
  • 61e231ae18706_Sat028e900d3.exe (PID: 1304)
  • 61e231b686514_Sat020f28d97695.exe (PID: 3412)
  • 61e231b18bfb5_Sat022d459aaa7.exe (PID: 3520)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 3016)
  • 61e231b2a394a_Sat02fc0e52.exe (PID: 3992)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 2368)
  • 61e231c431105_Sat0296c511cdf.exe (PID: 3928)
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 356)
  • 61e231c8a77c0_Sat021d76eef2.exe (PID: 2080)
  • 61e231c2c70ca_Sat02e1a7ed.exe (PID: 3436)
  • 61e231c7536eb_Sat028b7251.exe (PID: 2608)
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 1324)
  • 61e231b2a394a_Sat02fc0e52.exe (PID: 3564)
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • 3ea4339b-068c-41c7-9e2b-9b2faaf10297.exe (PID: 3224)
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe (PID: 2420)
  • 517A.tmp.exe (PID: 3364)
  • 57D4.tmp.exe (PID: 3172)
  • 53027.exe (PID: 4076)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
Drops executable file immediately after starts
  • setup_installer.exe (PID: 760)
  • 61e231b2a394a_Sat02fc0e52.exe (PID: 3992)
  • 61e231b2a394a_Sat02fc0e52.exe (PID: 3564)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
Executes PowerShell scripts
  • cmd.exe (PID: 984)
Loads dropped or rewritten executable
  • setup_install.exe (PID: 3324)
  • 57D4.tmp.exe (PID: 3172)
  • rundll32.exe (PID: 3148)
Connects to CnC server
  • 61e231b686514_Sat020f28d97695.exe (PID: 3412)
  • 61e231c8a77c0_Sat021d76eef2.exe (PID: 2080)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • 57D4.tmp.exe (PID: 3172)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
Changes settings of System certificates
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 1324)
Steals credentials from Web Browsers
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • 57D4.tmp.exe (PID: 3172)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
REDLINE was detected
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
Actions look like stealing of personal data
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • 57D4.tmp.exe (PID: 3172)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
Stealing of credential data
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • 57D4.tmp.exe (PID: 3172)
RACCOON was detected
  • 57D4.tmp.exe (PID: 3172)
Runs injected code in another process
  • rundll32.exe (PID: 3148)
Reads the computer name
  • WinRAR.exe (PID: 2280)
  • setup_installer.exe (PID: 760)
  • 149_setupInstaller.exe (PID: 3628)
  • setup_install.exe (PID: 3324)
  • 61e231ab47792_Sat02fb6439.exe (PID: 1444)
  • powershell.exe (PID: 2736)
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 3016)
  • 61e231b686514_Sat020f28d97695.exe (PID: 3412)
  • 61e231b18bfb5_Sat022d459aaa7.exe (PID: 3520)
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 356)
  • 61e231c8a77c0_Sat021d76eef2.exe (PID: 2080)
  • 61e231c431105_Sat0296c511cdf.exe (PID: 3928)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 2368)
  • 61e231c7536eb_Sat028b7251.exe (PID: 2608)
  • 61e231c2c70ca_Sat02e1a7ed.exe (PID: 3436)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 2972)
  • powershell.exe (PID: 2100)
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 1324)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 3ea4339b-068c-41c7-9e2b-9b2faaf10297.exe (PID: 3224)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe (PID: 2420)
  • 517A.tmp.exe (PID: 3364)
  • 57D4.tmp.exe (PID: 3172)
  • 53027.exe (PID: 4076)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
Checks supported languages
  • WinRAR.exe (PID: 2280)
  • 149_setupInstaller.exe (PID: 3628)
  • setup_installer.exe (PID: 760)
  • setup_install.exe (PID: 3324)
  • cmd.exe (PID: 984)
  • cmd.exe (PID: 3648)
  • 61e231ab47792_Sat02fb6439.exe (PID: 1444)
  • cmd.exe (PID: 4012)
  • powershell.exe (PID: 2736)
  • cmd.exe (PID: 1424)
  • cmd.exe (PID: 3012)
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • cmd.exe (PID: 4004)
  • cmd.exe (PID: 1536)
  • cmd.exe (PID: 2724)
  • cmd.exe (PID: 2236)
  • cmd.exe (PID: 564)
  • cmd.exe (PID: 3176)
  • cmd.exe (PID: 1500)
  • 61e231ae18706_Sat028e900d3.exe (PID: 1304)
  • cmd.exe (PID: 3208)
  • cmd.exe (PID: 2136)
  • 61e231b686514_Sat020f28d97695.exe (PID: 3412)
  • cmd.exe (PID: 3236)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 3016)
  • 61e231b18bfb5_Sat022d459aaa7.exe (PID: 3520)
  • 61e231c431105_Sat0296c511cdf.exe (PID: 3928)
  • 61e231c8a77c0_Sat021d76eef2.exe (PID: 2080)
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 356)
  • 61e231b2a394a_Sat02fc0e52.exe (PID: 3992)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 2368)
  • 61e231c2c70ca_Sat02e1a7ed.exe (PID: 3436)
  • 61e231c7536eb_Sat028b7251.exe (PID: 2608)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 2972)
  • powershell.exe (PID: 2100)
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 1324)
  • 61e231b2a394a_Sat02fc0e52.exe (PID: 3564)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • 3ea4339b-068c-41c7-9e2b-9b2faaf10297.exe (PID: 3224)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe (PID: 2420)
  • 517A.tmp.exe (PID: 3364)
  • 57D4.tmp.exe (PID: 3172)
  • cmd.exe (PID: 532)
  • 53027.exe (PID: 4076)
  • cmd.exe (PID: 3808)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
  • cmd.exe (PID: 2664)
Drops a file with too old compile date
  • setup_installer.exe (PID: 760)
  • 61e231b2a394a_Sat02fc0e52.exe (PID: 3992)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 2972)
  • 61e231b2a394a_Sat02fc0e52.exe (PID: 3564)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
  • 57D4.tmp.exe (PID: 3172)
Drops a file with a compile date too recent
  • setup_installer.exe (PID: 760)
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 2368)
  • 61e231c2c70ca_Sat02e1a7ed.exe (PID: 3436)
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 1324)
  • 57D4.tmp.exe (PID: 3172)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 2280)
  • setup_installer.exe (PID: 760)
  • 149_setupInstaller.exe (PID: 3628)
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • 61e231b2a394a_Sat02fc0e52.exe (PID: 3992)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 2368)
  • 61e231c2c70ca_Sat02e1a7ed.exe (PID: 3436)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 2972)
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 1324)
  • 61e231b2a394a_Sat02fc0e52.exe (PID: 3564)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
  • db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe (PID: 2420)
  • 57D4.tmp.exe (PID: 3172)
Starts CMD.EXE for commands execution
  • setup_install.exe (PID: 3324)
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • 61e231b686514_Sat020f28d97695.exe (PID: 3412)
  • 57D4.tmp.exe (PID: 3172)
Drops a file that was compiled in debug mode
  • setup_installer.exe (PID: 760)
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 2368)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 2972)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
  • db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe (PID: 2420)
  • 57D4.tmp.exe (PID: 3172)
Application launched itself
  • 61e231ab47792_Sat02fb6439.exe (PID: 1444)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 3016)
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 356)
Starts CMD.EXE for self-deleting
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • 57D4.tmp.exe (PID: 3172)
Creates files in the user directory
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • 61e231c8a77c0_Sat021d76eef2.exe (PID: 2080)
  • db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe (PID: 2420)
  • rundll32.exe (PID: 3148)
Reads default file associations for system extensions
  • 61e231c431105_Sat0296c511cdf.exe (PID: 3928)
Executes PowerShell scripts
  • 61e231c208b88_Sat021d6cb0.exe (PID: 2368)
Reads Environment values
  • 61e231c208b88_Sat021d6cb0.exe (PID: 2368)
  • 61e231c2c70ca_Sat02e1a7ed.exe (PID: 3436)
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe (PID: 2420)
  • 517A.tmp.exe (PID: 3364)
  • 57D4.tmp.exe (PID: 3172)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
Starts itself from another location
  • 61e231c208b88_Sat021d6cb0.exe (PID: 2368)
Reads Windows owner or organization settings
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 2972)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
Reads the Windows organization settings
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 2972)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
Adds / modifies Windows certificates
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 1324)
Reads the cookies of Google Chrome
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
Searches for installed software
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 57D4.tmp.exe (PID: 3172)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
Reads the cookies of Mozilla Firefox
  • 61e231b0801f9_Sat02dabcd2901f.exe (PID: 2560)
  • 61e231ab47792_Sat02fb6439.exe (PID: 2584)
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 560)
Uses RUNDLL32.EXE to load library
  • control.exe (PID: 2696)
Creates a directory in Program Files
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
Uses TASKKILL.EXE to kill process
  • cmd.exe (PID: 3808)
Executed via WMI
  • rundll32.exe (PID: 3148)
Reads settings of System Certificates
  • powershell.exe (PID: 2736)
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • 61e231b686514_Sat020f28d97695.exe (PID: 3412)
  • 61e231b18bfb5_Sat022d459aaa7.exe (PID: 3520)
  • 61e231c208b88_Sat021d6cb0.exe (PID: 2368)
  • 61e231c2c70ca_Sat02e1a7ed.exe (PID: 3436)
  • 61e231c7536eb_Sat028b7251.exe (PID: 2608)
  • 61e231afbd0ff_Sat0275ca378161.exe (PID: 1324)
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe (PID: 684)
  • dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe (PID: 2744)
  • 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe (PID: 576)
  • db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe (PID: 2420)
Checks Windows Trust Settings
  • powershell.exe (PID: 2736)
  • 61e231ad0641a_Sat02817ac1e8.exe (PID: 2920)
  • 61e231c7536eb_Sat028b7251.exe (PID: 2608)
  • powershell.exe (PID: 2100)
Application was dropped or rewritten from another process
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 2972)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
Loads dropped or rewritten executable
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 2972)
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
Creates files in the program directory
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
Checks supported languages
  • control.exe (PID: 2696)
  • rundll32.exe (PID: 1148)
  • PING.EXE (PID: 3968)
  • taskkill.exe (PID: 1520)
  • msiexec.exe (PID: 3280)
  • rundll32.exe (PID: 3148)
  • timeout.exe (PID: 2632)
Creates a software uninstall entry
  • 61e231b2a394a_Sat02fc0e52.tmp (PID: 1688)
Reads the computer name
  • control.exe (PID: 2696)
  • PING.EXE (PID: 3968)
  • taskkill.exe (PID: 1520)
  • rundll32.exe (PID: 3148)

Find more information about the signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
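Several of the signatures above (cmd.exe started for self-deletion, TASKKILL via cmd.exe, rundll32.exe executed via WMI, control.exe handing a library to rundll32.exe, executables dropped into Temp and started by other dropped executables) are pure process-tree patterns and can be reproduced from ordinary process-creation telemetry without a sandbox. The rules below are an added example written for this page, not ANY.RUN code: the events are a constructed sample loosely modelled on the process names in the report, and all PIDs, paths, command lines, rule names and the ATT&CK technique IDs attached to them are my own assumptions, not values taken from the task.

```python
"""Added example: replay process-creation events through behaviour rules that mirror
the sandbox signatures above. Constructed sample data; not ANY.RUN code."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmd")

# Paths an unprivileged user can write to; executables started from here are suspect.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Temp|ProgramData|Users\\Public)\\", re.I)

def name_of(p):
    return p.image.rsplit("\\", 1)[-1].lower()

def rule_self_delete(p, parent):
    # "Starts CMD.EXE for self-deleting": cmd /c <ping|timeout> ... & del <image>
    if name_of(p) == "cmd.exe" and re.search(r"\bdel\b", p.cmd, re.I) \
            and re.search(r"\b(ping|timeout)\b", p.cmd, re.I):
        return "cmd.exe self-delete chain (T1070.004)"

def rule_taskkill(p, parent):
    # "Uses TASKKILL.EXE to kill process" issued through a cmd wrapper
    if name_of(p) == "cmd.exe" and "taskkill" in p.cmd.lower():
        return "taskkill via cmd.exe"

def rule_wmi_rundll32(p, parent):
    # "Executed via WMI": rundll32 whose parent is the WMI provider host
    if name_of(p) == "rundll32.exe" and parent and name_of(parent) == "wmiprvse.exe":
        return "rundll32.exe spawned by WmiPrvSE (T1047)"

def rule_cpl_proxy(p, parent):
    # "Uses RUNDLL32.EXE to load library" from control.exe: CPL proxy execution
    if name_of(p) == "rundll32.exe" and parent and name_of(parent) == "control.exe" \
            and "control_rundll" in p.cmd.lower():
        return "CPL proxy execution via control.exe (T1218.002)"

def rule_rundll32_user_dll(p, parent):
    if name_of(p) == "rundll32.exe" and USER_WRITABLE.search(p.cmd):
        return "rundll32.exe loads a DLL from a user-writable path"

def rule_dropped_and_started(p, parent):
    # "Application was dropped or rewritten from another process" and then started
    if USER_WRITABLE.search(p.image) and parent and name_of(parent) != "explorer.exe":
        return "executable in user-writable path started by %s" % name_of(parent)

RULES = [rule_self_delete, rule_taskkill, rule_wmi_rundll32,
         rule_cpl_proxy, rule_rundll32_user_dll, rule_dropped_and_started]

def root_of(procs, pid):
    """Walk ppid links up to the first process whose parent was not observed."""
    seen = set()
    while pid not in seen and procs[pid].ppid in procs:
        seen.add(pid)
        pid = procs[pid].ppid
    return pid

def run_rules(events):
    """Return {root pid: [(pid, image name, [rule hits]), ...]} for processes hitting a rule."""
    procs = {e[0]: Proc(*e) for e in events}
    findings = {}
    for p in procs.values():
        hits = [h for h in (rule(p, procs.get(p.ppid)) for rule in RULES) if h]
        if hits:
            findings.setdefault(root_of(procs, p.pid), []).append((p.pid, name_of(p), hits))
    return findings

# Constructed sample: (pid, ppid, image, command line). PIDs and command lines are hypothetical.
T = r"C:\Users\admin\AppData\Local\Temp"
EVENTS = [
    (500,  4,    r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (600,  500,  r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    (2280, 1000, r"C:\Program Files\WinRAR\WinRAR.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" sample.zip'),
    (3628, 2280, T + r"\Rar$EXa2280\149_setupInstaller.exe", '"' + T + r'\Rar$EXa2280\149_setupInstaller.exe"'),
    (760,  3628, T + r"\7zS1\setup_installer.exe", '"' + T + r'\7zS1\setup_installer.exe"'),
    (3324, 760,  T + r"\7zS1\setup_install.exe", '"' + T + r'\7zS1\setup_install.exe"'),
    (2920, 3324, T + r"\7zS1\61e231ad0641a_Sat02817ac1e8.exe", '"' + T + r'\7zS1\61e231ad0641a_Sat02817ac1e8.exe"'),
    (3208, 2920, r"C:\Windows\System32\cmd.exe", 'cmd /c timeout /t 3 & del "' + T + r'\7zS1\61e231ad0641a_Sat02817ac1e8.exe"'),
    (3172, 3324, T + r"\57D4.tmp.exe", '"' + T + r'\57D4.tmp.exe"'),
    (3808, 3172, r"C:\Windows\System32\cmd.exe", 'cmd /c taskkill /im 57D4.tmp.exe /f & ping 127.0.0.1 -n 3 & del "' + T + r'\57D4.tmp.exe"'),
    (2696, 3324, r"C:\Windows\System32\control.exe", 'control.exe "' + T + r'\7zS1\plugin.cpl"'),
    (1148, 2696, r"C:\Windows\System32\rundll32.exe", 'rundll32.exe shell32.dll,Control_RunDLL "' + T + r'\7zS1\plugin.cpl"'),
    (3148, 600,  r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\Users\admin\AppData\Roaming\update.dll",Entry'),
]

if __name__ == "__main__":
    for root, group in run_rules(EVENTS).items():
        print("root pid", root)
        for pid, name, hits in group:
            print("  %5d %-22s %s" % (pid, name, "; ".join(hits)))
```

Grouping hits by the root of the observed tree is what turns fifty individual signature lines into two incidents: everything under the WinRAR extraction, and the separate rundll32.exe that WmiPrvSE started, which has no parent link to the archive at all and would be missed by a rule that only follows children of the dropper.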

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2022:01:15 04:30:21
ZipCRC:
0x8f8191d0
ZipCompressedSize:
5835653
ZipUncompressedSize:
5847902
ZipFileName:
149_setupInstaller.exe
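The EXIF fields above come straight from the ZIP local file header, and the one that matters for triage is ZipBitFlag 0x0001: bit 0 of the general-purpose flag means the entry is encrypted with traditional PKWARE (ZipCrypto) encryption, which is why the password is carried in the archive's file name and why a mail gateway or on-access scanner sees only ciphertext until the user types it in. The parser below is an added example written for this page (not ANY.RUN or exiftool code) that decodes the same fields from a constructed two-entry archive: one plain deflated text entry whose CRC can be verified, and one entry with the flag bit, CRC, size and name taken from the report, whose CRC cannot be checked without the password. The archive bytes, names and sizes are constructed for the example; DOS timestamps have two-second resolution, so the decoded seconds are always even.

```python
"""Added example: decode ZIP local file headers the way a sandbox 'EXIF' tab does."""
import struct
import zlib

LOCAL_SIG = 0x04034B50
LOCAL_FMT = "<IHHHHHIIIHH"            # PKWARE APPNOTE local file header, fixed 30 bytes
LOCAL_LEN = struct.calcsize(LOCAL_FMT)
COMPRESSION = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".msi", ".ps1", ".vbs", ".js")

def dos_datetime(mdate, mtime):
    """MS-DOS packed date/time -> 'YYYY:MM:DD HH:MM:SS' (seconds carry 2 s resolution)."""
    return "%04d:%02d:%02d %02d:%02d:%02d" % (
        ((mdate >> 9) & 0x7F) + 1980, (mdate >> 5) & 0x0F, mdate & 0x1F,
        (mtime >> 11) & 0x1F, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)

def parse_local_header(buf, offset):
    sig, ver, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen = \
        struct.unpack_from(LOCAL_FMT, buf, offset)
    if sig != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    name = buf[offset + LOCAL_LEN:offset + LOCAL_LEN + nlen].decode("cp437")
    data_off = offset + LOCAL_LEN + nlen + xlen
    return {
        "file_name": name,
        "required_version": ver,              # 20 == "at least v2.0 to extract"
        "bit_flag": flags,
        "encrypted": bool(flags & 0x0001),    # bit 0: traditional PKWARE encryption
        "data_descriptor": bool(flags & 0x0008),
        "compression": COMPRESSION.get(method, "unknown(%d)" % method),
        "modify_date": dos_datetime(mdate, mtime),
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "data_offset": data_off,
        "next_offset": data_off + csize,
    }

def verify_crc(buf, hdr):
    """True/False if the stored CRC matches the inflated data, None if it cannot be checked."""
    if hdr["encrypted"] or hdr["data_descriptor"]:
        return None   # ciphertext, or CRC/sizes live in a trailing data descriptor
    raw = buf[hdr["data_offset"]:hdr["next_offset"]]
    if hdr["compression"] == "Deflated":
        raw = zlib.decompress(raw, -15)      # raw deflate stream, no zlib header
    elif hdr["compression"] != "Stored":
        return None
    return len(raw) == hdr["uncompressed_size"] and zlib.crc32(raw) == hdr["crc32"]

def triage_archive(buf):
    """Walk the local headers in order; attach a crc_ok verdict and triage notes to each."""
    entries, off = [], 0
    while off + LOCAL_LEN <= len(buf) and buf[off:off + 4] == b"PK\x03\x04":
        hdr = parse_local_header(buf, off)
        hdr["crc_ok"] = verify_crc(buf, hdr)
        notes = []
        if hdr["encrypted"]:
            notes.append("password-protected: content is opaque to static AV scanning")
        if hdr["file_name"].lower().endswith(EXECUTABLE_EXT):
            notes.append("executable inside archive")
        hdr["notes"] = notes
        entries.append(hdr)
        off = hdr["next_offset"]
    return entries

# ---- constructed sample archive (not the real ZIP from the report) ----
def _entry(name, payload, flags, method, crc, usize, mdate=0x542F, mtime=0x23CA):
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, method, mtime, mdate,
                      crc, len(payload), usize, len(name), 0)
    return hdr + name + payload

_plain = b"benign text entry\n" * 4
_co = zlib.compressobj(9, zlib.DEFLATED, -15)
_deflated = _co.compress(_plain) + _co.flush()
# Encrypted entry: 12-byte encryption header followed by ciphertext, faked with fixed bytes.
_cipher = bytes(range(12)) + b"\x8f\x81\x91\xd0" * 8
SAMPLE_ZIP = (
    _entry(b"readme.txt", _deflated, 0x0000, 8, zlib.crc32(_plain), len(_plain))
    + _entry(b"149_setupInstaller.exe", _cipher, 0x0001, 8, 0x8F8191D0, 5847902)
)

if __name__ == "__main__":
    for e in triage_archive(SAMPLE_ZIP):
        print(e["file_name"], e["compression"], e["modify_date"],
              "encrypted=%s crc_ok=%s" % (e["encrypted"], e["crc_ok"]), e["notes"])
```

The practical consequence for detection is that the CRC in the header belongs to the plaintext, so nothing about the inner executable can be confirmed or hashed from the archive alone; the 0x0001 flag together with an .exe name is itself the indicator worth alerting on at the gateway.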

Processes

Total processes
108
Monitored processes
61
Malicious processes
23
Suspicious processes
8

Behavior graph

Edge labels in the graph are "drop and start", "start" and "inject". Nodes in rendering order ("no specs" means no behaviour specs were recorded for that process; #REDLINE / #RACCOON mark the family detection on that process):

  • winrar.exe
  • 149_setupinstaller.exe no specs
  • 149_setupinstaller.exe
  • setup_installer.exe
  • setup_install.exe
  • cmd.exe no specs (×3)
  • powershell.exe no specs
  • cmd.exe no specs (×2)
  • 61e231ab47792_sat02fb6439.exe no specs
  • cmd.exe no specs
  • 61e231ad0641a_sat02817ac1e8.exe
  • cmd.exe no specs (×6)
  • 61e231ae18706_sat028e900d3.exe
  • cmd.exe no specs
  • 61e231b686514_sat020f28d97695.exe
  • cmd.exe no specs (×2)
  • 61e231b0801f9_sat02dabcd2901f.exe no specs
  • 61e231b18bfb5_sat022d459aaa7.exe
  • 61e231afbd0ff_sat0275ca378161.exe no specs
  • 61e231b2a394a_sat02fc0e52.exe
  • 61e231c431105_sat0296c511cdf.exe no specs
  • 61e231c8a77c0_sat021d76eef2.exe
  • 61e231c208b88_sat021d6cb0.exe
  • 61e231c2c70ca_sat02e1a7ed.exe
  • 61e231c7536eb_sat028b7251.exe
  • 61e231b2a394a_sat02fc0e52.tmp
  • powershell.exe no specs
  • 61e231afbd0ff_sat0275ca378161.exe
  • 61e231b2a394a_sat02fc0e52.exe
  • #REDLINE 61e231b0801f9_sat02dabcd2901f.exe
  • #REDLINE 61e231ab47792_sat02fb6439.exe
  • 61e231b2a394a_sat02fc0e52.tmp
  • control.exe no specs
  • rundll32.exe no specs
  • c2001101-5d15-47d7-997d-9d9bd627547e.exe
  • 3ea4339b-068c-41c7-9e2b-9b2faaf10297.exe no specs
  • #REDLINE dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe
  • #REDLINE 22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe
  • db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe
  • 517a.tmp.exe no specs
  • #RACCOON 57d4.tmp.exe
  • 53027.exe no specs
  • cmd.exe no specs
  • ping.exe no specs
  • cmd.exe no specs
  • taskkill.exe no specs
  • msiexec.exe no specs
  • rundll32.exe
  • svchost.exe
  • #REDLINE 61e231c208b88_sat021d6cb0.exe
  • cmd.exe no specs
  • timeout.exe no specs
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
924
CMD
C:\Windows\system32\svchost.exe -k netsvcs
Path
C:\Windows\system32\svchost.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\schedsvc.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\iphlpsvc.dll
c:\windows\system32\browser.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\avrt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\resutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\rasman.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sxs.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\credssp.dll
c:\windows\system32\taskcomp.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\nci.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\propsys.dll
c:\windows\system32\mmcss.dll
c:\windows\system32\sysntfy.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ikeext.dll
c:\windows\system32\samlib.dll
c:\windows\system32\tschannel.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\repdrvfs.dll
c:\windows\system32\appinfo.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\profsvc.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shsvcs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ndiscapcfg.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\srvsvc.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\shell32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\authz.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\wbem\esscli.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\imm32.dll
c:\windows\system32\themeservice.dll
c:\windows\system32\sens.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\tbs.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\sscore.dll
c:\windows\system32\wbem\wbemcore.dll
c:\windows\system32\aelupsvc.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\fveapi.dll
c:\windows\system32\wbem\wmiprvsd.dll
c:\windows\system32\wbem\wbemess.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\version.dll
c:\windows\system32\samcli.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\svchost.exe
c:\windows\system32\atl.dll
c:\windows\system32\ubpm.dll
c:\windows\system32\netjoin.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wbem\ncprov.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\devobj.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\fvecerts.dll
c:\windows\system32\wbem\wmisvc.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\spinf.dll
c:\windows\system32\user32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\rascfg.dll
c:\windows\system32\tcpipcfg.dll
c:\users\admin\appdata\local\temp\rar$exb2280.29416\149_setupinstaller.exe
c:\windows\system32\ieframe.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\7zs8f245514\setup_install.exe
c:\users\admin\appdata\local\temp\wn_kezh.cpl
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\mpr.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID
2280
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ZIP-Password-IS-951951______VmProtect.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.91.0
Modules
Image
c:\windows\system32\sechost.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\shlwapi.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imageres.dll
c:\windows\system32\samlib.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winsta.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\msctf.dll
c:\windows\system32\lpk.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dui70.dll
c:\windows\system32\slc.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\cryptbase.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\duser.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\explorerframe.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\drprov.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\users\admin\appdata\local\temp\rar$exb2280.29416\149_setupinstaller.exe
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\iertutil.dll

PID
684
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXb2280.29416\149_setupInstaller.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXb2280.29416\149_setupInstaller.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\rar$exb2280.29416\149_setupinstaller.exe

PID
3628
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXb2280.29416\149_setupInstaller.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXb2280.29416\149_setupInstaller.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll
c:\users\admin\appdata\local\temp\rar$exb2280.29416\149_setupinstaller.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\userenv.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\version.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\propsys.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wininet.dll
c:\users\admin\appdata\local\temp\setup_installer.exe
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll

PID
760
CMD
"C:\Users\admin\AppData\Local\Temp\setup_installer.exe"
Path
C:\Users\admin\AppData\Local\Temp\setup_installer.exe
Indicators
Parent process
149_setupInstaller.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Igor Pavlov
Description
7z Setup SFX
Version
19.00
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msacm32.dll
c:\users\admin\appdata\local\temp\setup_installer.exe
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\samcli.dll
c:\windows\system32\sfc.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\version.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\winhttp.dll
c:\users\admin\appdata\local\temp\7zs8f245514\setup_install.exe
c:\windows\system32\webio.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devrtl.dll

PID
3324
CMD
"C:\Users\admin\AppData\Local\Temp\7zS8F245514\setup_install.exe"
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\setup_install.exe
Indicators
Parent process
setup_installer.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\7zs8f245514\setup_install.exe
c:\windows\system32\gdi32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\winmm.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\profapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\7zs8f245514\libgcc_s_dw2-1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\devobj.dll
c:\users\admin\appdata\local\temp\7zs8f245514\libcurlpp.dll
c:\windows\system32\samcli.dll
c:\users\admin\appdata\local\temp\7zs8f245514\libwinpthread-1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\cmd.exe
c:\windows\system32\lpk.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\users\admin\appdata\local\temp\7zs8f245514\libstdc++-6.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\iphlpapi.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wininet.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\7zs8f245514\libcurl.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll

PID
984
CMD
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cmd.exe
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe

PID
4012
CMD
C:\Windows\system32\cmd.exe /c 61e231ab47792_Sat02fb6439.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\apphelp.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231ab47792_sat02fb6439.exe
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

PID
3012
CMD
C:\Windows\system32\cmd.exe /c 61e231ae18706_Sat028e900d3.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
3221225477
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231ae18706_sat028e900d3.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll

PID
2736
CMD
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\version.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\gdi32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\atl.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msasn1.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\nsi.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msisip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\system32\wshext.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\secur32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll
c:\windows\system32\windowspowershell\v1.0\modules\microsoft.powershell.localaccounts\1.0.0.0\microsoft.powershell.localaccounts.dll
c:\windows\system32\iertutil.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.xmlhelper\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.xmlhelper.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.cmdlets\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.cmdlets.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.policymodel\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policymodel.dll
c:\windows\assembly\gac_msil\microsoft.security.applicationid.policymanagement.policymanager\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policymanager.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\assembly\gac_msil\microsoft.backgroundintelligenttransfer.management\1.0.0.0__31bf3856ad364e35\microsoft.backgroundintelligenttransfer.management.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.m870d558a#\ef9d2180a14c81c0b92daf314e56342a\microsoft.management.infrastructure.native.ni.dll
c:\windows\assembly\gac_32\microsoft.security.applicationid.policymanagement.policyengineapi.interop\6.1.0.0__31bf3856ad364e35\microsoft.security.applicationid.policymanagement.policyengineapi.interop.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pae3498d9#\e8948a2d96b83812948847619fc784bc\microsoft.powershell.commands.management.ni.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\assembly\gac_msil\microsoft.windows.diagnosis.troubleshootingpack\6.1.0.0__31bf3856ad364e35\microsoft.windows.diagnosis.troubleshootingpack.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\assembly\gac_32\microsoft.windows.diagnosis.sdengine\6.1.0.0__31bf3856ad364e35\microsoft.windows.diagnosis.sdengine.dll
c:\windows\system32\gpapi.dll

PID
3648
CMD
C:\Windows\system32\cmd.exe /c 61e231ad0641a_Sat02817ac1e8.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\users\admin\appdata\local\temp\7zs8f245514\61e231ad0641a_sat02817ac1e8.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\usp10.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll

PID
1424
CMD
C:\Windows\system32\cmd.exe /c 61e231af132e7_Sat020ee35cf.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll

PID
1444
CMD
61e231ab47792_Sat02fb6439.exe
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231ab47792_Sat02fb6439.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\windows\system32\uxtheme.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231ab47792_sat02fb6439.exe
c:\windows\system32\dwmapi.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wininet.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\mpr.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iertutil.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptsp.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dynamic\eb179b0220d2d10f67e3a5c64f4a7ff8\system.dynamic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll

PID
4004
CMD
C:\Windows\system32\cmd.exe /c 61e231afbd0ff_Sat0275ca378161.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231afbd0ff_sat0275ca378161.exe
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernelbase.dll

PID
2920
CMD
61e231ad0641a_Sat02817ac1e8.exe
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231ad0641a_Sat02817ac1e8.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231ad0641a_sat02817ac1e8.exe
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\ole32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\lpk.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\shell32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\webio.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winmm.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wshqos.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\propsys.dll
c:\users\admin\appdata\roaming\517a.tmp.exe
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\roaming\57d4.tmp.exe
c:\windows\system32\cmd.exe

PID
1500
CMD
C:\Windows\system32\cmd.exe /c 61e231b0801f9_Sat02dabcd2901f.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b0801f9_sat02dabcd2901f.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\lpk.dll
c:\windows\system32\kernelbase.dll

PID
3208
CMD
C:\Windows\system32\cmd.exe /c 61e231b18bfb5_Sat022d459aaa7.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b18bfb5_sat022d459aaa7.exe
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll

PID
1536
CMD
C:\Windows\system32\cmd.exe /c 61e231b2a394a_Sat02fc0e52.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b2a394a_sat02fc0e52.exe
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\winbrand.dll

PID
2236
CMD
C:\Windows\system32\cmd.exe /c 61e231b686514_Sat020f28d97695.exe /mixtwo
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\usp10.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b686514_sat020f28d97695.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cmd.exe
c:\windows\system32\winbrand.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

PID
2724
CMD
C:\Windows\system32\cmd.exe /c 61e231c208b88_Sat021d6cb0.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c208b88_sat021d6cb0.exe
c:\windows\system32\lpk.dll
c:\windows\system32\kernel32.dll

PID
2136
CMD
C:\Windows\system32\cmd.exe /c 61e231c2c70ca_Sat02e1a7ed.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
4294967295
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\gdi32.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c2c70ca_sat02e1a7ed.exe
c:\windows\system32\imm32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cmd.exe

PID
1304
CMD
61e231ae18706_Sat028e900d3.exe
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231ae18706_Sat028e900d3.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
3221225477
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\sechost.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sfc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231ae18706_sat028e900d3.exe
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\version.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcr100.dll

PID
3176
CMD
C:\Windows\system32\cmd.exe /c 61e231c431105_Sat0296c511cdf.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
1001
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cmd.exe
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c431105_sat0296c511cdf.exe

PID
3412
CMD
61e231b686514_Sat020f28d97695.exe /mixtwo
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b686514_Sat020f28d97695.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\uxtheme.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\version.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b686514_sat020f28d97695.exe
c:\windows\system32\sfc.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wininet.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\samcli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\webio.dll
c:\windows\system32\wship6.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\credssp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\secur32.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\sensapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll

PID
3236
CMD
C:\Windows\system32\cmd.exe /c 61e231c8a77c0_Sat021d76eef2.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\cmd.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winbrand.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c8a77c0_sat021d76eef2.exe
c:\windows\system32\msctf.dll
c:\windows\system32\lpk.dll

PID
564
CMD
C:\Windows\system32\cmd.exe /c 61e231c7536eb_Sat028b7251.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
setup_install.exe
User
admin
Integrity Level
HIGH
Exit code
3
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c7536eb_sat028b7251.exe
c:\windows\system32\lpk.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cmd.exe
c:\windows\system32\usp10.dll
c:\windows\system32\kernel32.dll

PID
3016
CMD
61e231b0801f9_Sat02dabcd2901f.exe
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b0801f9_Sat02dabcd2901f.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\windows\system32\mscoree.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b0801f9_sat02dabcd2901f.exe
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\apppatch\acgenral.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\profapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\user32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\lpk.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\usp10.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\samcli.dll
c:\windows\system32\sfc.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dynamic\eb179b0220d2d10f67e3a5c64f4a7ff8\system.dynamic.ni.dll
c:\windows\system32\psapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll

PID
3520
CMD
61e231b18bfb5_Sat022d459aaa7.exe
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b18bfb5_Sat022d459aaa7.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
React
Description
React Dispatcher
Version
1.11020.9.51
Modules
Image
c:\windows\system32\msacm32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b18bfb5_sat022d459aaa7.exe
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\mpr.dll
c:\windows\system32\samcli.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sfc.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\devobj.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sfc_os.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\credssp.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\bcrypt.dll

PID
356
CMD
61e231afbd0ff_Sat0275ca378161.exe
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231afbd0ff_Sat0275ca378161.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
DCloud
Description
HBuilder X
Version
1.0.0.0
Modules
Image
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\oledlg.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231afbd0ff_sat0275ca378161.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\lpk.dll
c:\windows\system32\winspool.drv
c:\windows\system32\sspicli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\usp10.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\advapi32.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\devobj.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\sfc.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\samcli.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\shdocvw.dll

PID
3992
CMD
61e231b2a394a_Sat02fc0e52.exe
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b2a394a_Sat02fc0e52.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Description
AtomTweaker Setup
Version
Modules
Image
c:\windows\system32\gdi32.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b2a394a_sat02fc0e52.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msctf.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\user32.dll
c:\windows\system32\advapi32.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\samcli.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\sfc.dll
c:\windows\system32\devobj.dll
c:\users\admin\appdata\local\temp\is-p6s15.tmp\61e231b2a394a_sat02fc0e52.tmp
c:\windows\system32\profapi.dll

PID
3928
CMD
61e231c431105_Sat0296c511cdf.exe
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231c431105_Sat0296c511cdf.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
1001
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\ole32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c431105_sat0296c511cdf.exe
c:\windows\system32\rpcrt4.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devobj.dll
c:\windows\system32\sfc.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\riched20.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\control.exe
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\propsys.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll

PID
2080
CMD
61e231c8a77c0_Sat021d76eef2.exe
Path
C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231c8a77c0_Sat021d76eef2.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c8a77c0_sat021d76eef2.exe
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\samcli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\sfc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\wininet.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\webio.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\credssp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wshqos.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll

PID: 2368
CMD: 61e231c208b88_Sat021d6cb0.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231c208b88_Sat021d6cb0.exe
Indicators:
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Installer
  Description: Installer
  Version: 6.3.0.8
Modules
Image
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c208b88_sat021d6cb0.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\normaliz.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\webio.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\sfc_os.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\sechost.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\sfc.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\version.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\ole32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasapi32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rasman.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\credssp.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\local\temp\61e231c208b88_sat021d6cb0.exe

PID: 3436
CMD: 61e231c2c70ca_Sat02e1a7ed.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231c2c70ca_Sat02e1a7ed.exe
Indicators:
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 4294967295
Version:
  Company: hrtgerwer
  Description: hrtgerwer
  Version: 1.0.0.0
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c2c70ca_sat02e1a7ed.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\version.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\devobj.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\wininet.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\samcli.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dwmapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\system32\winmm.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc_os.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\rasapi32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\webio.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\credssp.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\rasman.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\users\admin\appdata\local\temp\c2001101-5d15-47d7-997d-9d9bd627547e.exe
c:\users\admin\appdata\local\temp\3ea4339b-068c-41c7-9e2b-9b2faaf10297.exe
c:\users\admin\appdata\local\temp\dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe
c:\users\admin\appdata\local\temp\22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe
c:\users\admin\appdata\local\temp\db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe

PID: 2608
CMD: 61e231c7536eb_Sat028b7251.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231c7536eb_Sat028b7251.exe
Indicators:
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 3
Version:
  Company:
  Description:
  Version: 1.0.0.1
Modules
Image
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c7536eb_sat028b7251.exe
c:\windows\system32\userenv.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\netutils.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wininet.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\nsi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\webio.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\sfc.dll
c:\windows\system32\imm32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wship6.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\netbios.dll

PID: 2972
CMD: "C:\Users\admin\AppData\Local\Temp\is-P6S15.tmp\61e231b2a394a_Sat02fc0e52.tmp" /SL5="$60150,140765,56832,C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b2a394a_Sat02fc0e52.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-P6S15.tmp\61e231b2a394a_Sat02fc0e52.tmp
Indicators:
Parent process: 61e231b2a394a_Sat02fc0e52.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Version:
  Company:
  Description: Setup/Uninstall
  Version: 51.52.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-p6s15.tmp\61e231b2a394a_sat02fc0e52.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\profapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\user32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msctf.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\winmm.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\normaliz.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wininet.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ncrypt.dll
c:\users\admin\appdata\local\temp\is-0v0r6.tmp\_isetup\_shfoldr.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\propsys.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ntmarta.dll
c:\users\admin\appdata\local\temp\is-0v0r6.tmp\idp.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b2a394a_sat02fc0e52.exe

PID: 2100
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators: No indicators
Parent process: 61e231c208b88_Sat021d6cb0.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Windows PowerShell
  Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\atl.dll
c:\windows\microsoft.net\assembly\gac_msil\system.management.automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.pb378ec07#\f1d8ac3fc151a1b35ead27559bc8a3f2\microsoft.powershell.consolehost.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\windows\system32\msisip.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\profapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\user32.dll
c:\windows\system32\wshext.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.manaa57fc8cc#\f708839fba911a86a06614a9e93dff91\system.management.automation.ni.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\wintrust.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.mf49f6405#\f72ae7289194b13172020e33d50f6f38\microsoft.management.infrastructure.ni.dll
c:\windows\system32\secur32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p6f792626#\d4c6baaee5b33b9a03a9afd841050c89\microsoft.powershell.security.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.transactions\18afe632acb8900be8188ec43a24784d\system.transactions.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\add15017f88a7eccb8676d7239297d1c\system.data.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\microsoft.net\assembly\gac_32\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dired13b18a9#\0d2b4443c599d5abb019993d813d4e89\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\de2a832558f95db343e443c365bd3575\system.numerics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.p521220ea#\8b7fa0532239a80583de711c612815cd\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\979591075e378389170a3e094c90b43b\system.configuration.install.ni.dll

PID: 1324
CMD: "C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231afbd0ff_Sat0275ca378161.exe" -a
Path: C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231afbd0ff_Sat0275ca378161.exe
Indicators:
Parent process: 61e231afbd0ff_Sat0275ca378161.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: DCloud
  Description: HBuilder X
  Version: 1.0.0.0
Modules
Image
c:\windows\apppatch\acgenral.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oledlg.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\user32.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231afbd0ff_sat0275ca378161.exe
c:\windows\system32\mpr.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\wininet.dll
c:\windows\system32\samcli.dll
c:\windows\system32\webio.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\devobj.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\userenv.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\winmm.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sfc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\version.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbemcomn2.dll

PID: 3564
CMD: "C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b2a394a_Sat02fc0e52.exe" /SILENT
Path: C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b2a394a_Sat02fc0e52.exe
Indicators:
Parent process: 61e231b2a394a_Sat02fc0e52.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description: AtomTweaker Setup
  Version:
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b2a394a_sat02fc0e52.exe
c:\windows\system32\msacm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\kernelbase.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\winmm.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\samcli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\lpk.dll
c:\users\admin\appdata\local\temp\is-14q3b.tmp\61e231b2a394a_sat02fc0e52.tmp
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msctf.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 2560
CMD: C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b0801f9_Sat02dabcd2901f.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b0801f9_Sat02dabcd2901f.exe
Indicators:
Parent process: 61e231b0801f9_Sat02dabcd2901f.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description:
  Version: 0.0.0.0
Modules
Image
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231b0801f9_sat02dabcd2901f.exe
c:\windows\system32\msacm32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\sfc_os.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.identitymodel\88b27ec2125720e652224a1fb387ed23\system.identitymodel.ni.dll
c:\windows\system32\samcli.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msctf.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servicemodel\478dc7fd10cabd3376199e7e857d4b5a\system.servicemodel.ni.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\mpr.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\lpk.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\smdiagnostics\72f5d3ff58e143354c4c48149eba08d9\smdiagnostics.ni.dll
c:\windows\system32\userenv.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\ole32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\6184c7705ab9c508cde1318f284afa33\system.runtime.serialization.ni.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servd1dec626#\7203a9da55580016b826a4cade6c5139\system.servicemodel.internals.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web.28b9ef5a#\fc81fc5dfe5470ebfad8cbc93e1f5eb3\system.web.extensions.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\ntdsapi.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\clbcatq.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dynamic\eb179b0220d2d10f67e3a5c64f4a7ff8\system.dynamic.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web\3d247ccfb800c38a29cf91c27a6339da\system.web.ni.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.security\4c1bdc03e699ab178db76a938fce6bc1\system.security.ni.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\windowscodecs.dll
c:\program files\mozilla firefox\firefox.exe
c:\program files\google\chrome\application\chrome.exe
c:\program files\opera\opera.exe
c:\program files\internet explorer\iexplore.exe

PID: 2584
CMD: C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231ab47792_Sat02fb6439.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231ab47792_Sat02fb6439.exe
Indicators:
Parent process: 61e231ab47792_Sat02fb6439.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description:
  Version: 0.0.0.0
Modules (Image):
c:\windows\system32\sechost.dll
c:\windows\system32\devobj.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sfc_os.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231ab47792_sat02fb6439.exe
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\smdiagnostics\72f5d3ff58e143354c4c48149eba08d9\smdiagnostics.ni.dll
c:\windows\system32\nsi.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\samcli.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\6184c7705ab9c508cde1318f284afa33\system.runtime.serialization.ni.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servicemodel\478dc7fd10cabd3376199e7e857d4b5a\system.servicemodel.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.identitymodel\88b27ec2125720e652224a1fb387ed23\system.identitymodel.ni.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\user32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\normaliz.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\cryptsp.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\advapi32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\version.dll
c:\windows\system32\profapi.dll
c:\windows\system32\imm32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servd1dec626#\7203a9da55580016b826a4cade6c5139\system.servicemodel.internals.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\clbcatq.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dynamic\eb179b0220d2d10f67e3a5c64f4a7ff8\system.dynamic.ni.dll
c:\windows\system32\ntdsapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\windowscodecs.dll
c:\program files\mozilla firefox\firefox.exe
c:\program files\google\chrome\application\chrome.exe
c:\program files\opera\opera.exe
c:\program files\internet explorer\iexplore.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.security\4c1bdc03e699ab178db76a938fce6bc1\system.security.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web.28b9ef5a#\fc81fc5dfe5470ebfad8cbc93e1f5eb3\system.web.extensions.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web\3d247ccfb800c38a29cf91c27a6339da\system.web.ni.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll

PID: 1688
CMD: "C:\Users\admin\AppData\Local\Temp\is-14Q3B.tmp\61e231b2a394a_Sat02fc0e52.tmp" /SL5="$70150,140765,56832,C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b2a394a_Sat02fc0e52.exe" /SILENT
Path: C:\Users\admin\AppData\Local\Temp\is-14Q3B.tmp\61e231b2a394a_Sat02fc0e52.tmp
Indicators:
Parent process: 61e231b2a394a_Sat02fc0e52.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description: Setup/Uninstall
  Version: 51.52.0.0
Modules (Image):
c:\windows\system32\webio.dll
c:\windows\system32\lpk.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sfc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\users\admin\appdata\local\temp\is-eniep.tmp\idp.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\is-14q3b.tmp\61e231b2a394a_sat02fc0e52.tmp
c:\windows\system32\bcrypt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\is-eniep.tmp\_isetup\_shfoldr.dll
c:\windows\system32\mswsock.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imageres.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\duser.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\dui70.dll

PID: 2696
CMD: "C:\Windows\System32\control.exe" "C:\Users\admin\AppData\Local\Temp\WN_kEZH.Cpl",
Path: C:\Windows\System32\control.exe
Indicators: No indicators
Parent process: 61e231c431105_Sat0296c511cdf.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Version:
  Company: Microsoft Corporation
  Description: Windows Control Panel
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\system32\wldap32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\user32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\control.exe
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\rundll32.exe

PID: 1148
CMD: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\admin\AppData\Local\Temp\WN_kEZH.Cpl",
Path: C:\Windows\system32\rundll32.exe
Indicators: No indicators
Parent process: control.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Windows host process (Rundll32)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\wn_kezh.cpl
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\mpr.dll

PID: 684
CMD: "C:\Users\admin\AppData\Local\Temp\c2001101-5d15-47d7-997d-9d9bd627547e.exe"
Path: C:\Users\admin\AppData\Local\Temp\c2001101-5d15-47d7-997d-9d9bd627547e.exe
Indicators:
Parent process: 61e231c2c70ca_Sat02e1a7ed.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description: gdffgsdfsd
  Version: 1.0.0.0
Modules (Image):
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\c2001101-5d15-47d7-997d-9d9bd627547e.exe
c:\windows\system32\sechost.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\wininet.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\samcli.dll
c:\windows\system32\mpr.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\winmm.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web.28b9ef5a#\fc81fc5dfe5470ebfad8cbc93e1f5eb3\system.web.extensions.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web\3d247ccfb800c38a29cf91c27a6339da\system.web.ni.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\crypt32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.security\4c1bdc03e699ab178db76a938fce6bc1\system.security.ni.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\48d37adc5c0d8744e13603707480d090\microsoft.visualbasic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\credssp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rasman.dll
c:\windows\system32\wship6.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\gpapi.dll

PID: 3224
CMD: "C:\Users\admin\AppData\Local\Temp\3ea4339b-068c-41c7-9e2b-9b2faaf10297.exe"
Path: C:\Users\admin\AppData\Local\Temp\3ea4339b-068c-41c7-9e2b-9b2faaf10297.exe
Indicators: No indicators
Parent process: 61e231c2c70ca_Sat02e1a7ed.exe
User: admin
Integrity Level: HIGH
Exit code: 2
Version:
  Company:
  Description:
  Version:
Modules (Image):
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\users\admin\appdata\local\temp\7zs8f245514\61e231c2c70ca_sat02e1a7ed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\userenv.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\3ea4339b-068c-41c7-9e2b-9b2faaf10297.exe
c:\windows\system32\sspicli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sfc_os.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\devobj.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\lpk.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msacm32.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sfc.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\mscoree.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\system32\msvcr120_clr0400.dll

PID: 2744
CMD: "C:\Users\admin\AppData\Local\Temp\dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe"
Path: C:\Users\admin\AppData\Local\Temp\dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe
Indicators:
Parent process: 61e231c2c70ca_Sat02e1a7ed.exe
User: admin
Integrity Level: HIGH
Exit code: 2
Version:
  Company:
  Description:
  Version:
Modules (Image):
c:\windows\system32\mscoree.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servicemodel\478dc7fd10cabd3376199e7e857d4b5a\system.servicemodel.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servd1dec626#\7203a9da55580016b826a4cade6c5139\system.servicemodel.internals.ni.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\smdiagnostics\72f5d3ff58e143354c4c48149eba08d9\smdiagnostics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\6184c7705ab9c508cde1318f284afa33\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.identitymodel\88b27ec2125720e652224a1fb387ed23\system.identitymodel.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\advapi32.dll
c:\users\admin\appdata\local\temp\dfa475ad-b6b6-4938-956f-6f01c20d7fb7.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\imm32.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wininet.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
c:\windows\system32\mpr.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\ole32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\samcli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\secur32.dll
c:\windows\system32\webio.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web\3d247ccfb800c38a29cf91c27a6339da\system.web.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web.28b9ef5a#\fc81fc5dfe5470ebfad8cbc93e1f5eb3\system.web.extensions.ni.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.security\4c1bdc03e699ab178db76a938fce6bc1\system.security.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\clbcatq.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dynamic\eb179b0220d2d10f67e3a5c64f4a7ff8\system.dynamic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\wbem\wmiutils.dll
c:\program files\google\chrome\application\chrome.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\mozilla firefox\firefox.exe
c:\program files\opera\opera.exe

PID: 576
CMD: "C:\Users\admin\AppData\Local\Temp\22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe"
Path: C:\Users\admin\AppData\Local\Temp\22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe
Indicators:
Parent process: 61e231c2c70ca_Sat02e1a7ed.exe
User: admin
Integrity Level: HIGH
Version:
  Company:
  Description:
  Version:
Modules (Image):
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\lpk.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\user32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\imm32.dll
c:\users\admin\appdata\local\temp\22b3368b-da1a-4cd8-924a-4d0abaff18f1.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\mpr.dll
c:\windows\system32\winmm.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sfc.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\samcli.dll
c:\windows\system32\version.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ws2_32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\6184c7705ab9c508cde1318f284afa33\system.runtime.serialization.ni.dll
c:\windows\system32\mscoree.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\smdiagnostics\72f5d3ff58e143354c4c48149eba08d9\smdiagnostics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\mswsock.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.identitymodel\88b27ec2125720e652224a1fb387ed23\system.identitymodel.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\e0fea191b75897ec38735bfc31b89fe0\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servd1dec626#\7203a9da55580016b826a4cade6c5139\system.servicemodel.internals.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servicemodel\478dc7fd10cabd3376199e7e857d4b5a\system.servicemodel.ni.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\webio.dll
c:\windows\system32\rasman.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\secur32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dynamic\eb179b0220d2d10f67e3a5c64f4a7ff8\system.dynamic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\1648a6a48cb8705ca13d482d0e9a5a4f\microsoft.csharp.ni.dll
c:\program files\opera\opera.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\google\chrome\application\chrome.exe
c:\program files\mozilla firefox\firefox.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.security\4c1bdc03e699ab178db76a938fce6bc1\system.security.ni.dll
c:\windows\system32\windowscodecs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web\3d247ccfb800c38a29cf91c27a6339da\system.web.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web.28b9ef5a#\fc81fc5dfe5470ebfad8cbc93e1f5eb3\system.web.extensions.ni.dll

PID
2420
CMD
"C:\Users\admin\AppData\Local\Temp\db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe"
Path
C:\Users\admin\AppData\Local\Temp\db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe
Indicators
Parent process
61e231c2c70ca_Sat02e1a7ed.exe
User
admin
Integrity Level
HIGH
Exit code
4294967295
Version:
Company
hdgrgrgdg
Description
hdgrgrgdg
Version
1.0.1.2
Modules
Image
c:\windows\system32\fwpuclnt.dll
c:\users\admin\appdata\local\temp\db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\rasman.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\webio.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sfc.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\samcli.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gpapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\users\admin\appdata\roaming\53027.exe
c:\windows\system32\shdocvw.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll

PID
3364
CMD
"C:\Users\admin\AppData\Roaming\517A.tmp.exe"
Path
C:\Users\admin\AppData\Roaming\517A.tmp.exe
Indicators
No indicators
Parent process
61e231ad0641a_Sat02817ac1e8.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\users\admin\appdata\roaming\517a.tmp.exe
c:\windows\system32\gdi32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msctf.dll
c:\windows\system32\iertutil.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\sfc.dll
c:\windows\system32\mpr.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\version.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\668bc5e53fd656dc16c9f40ea15e872e\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\d1265d6159ea876f9d63ea4c1361b587\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\7ece7799d670cdfc1393b98b0668a046\system.configuration.ni.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\ac38cb30c15eb9e4a54459ee01e9f8e6\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\b75ba99f72f116d8951b0f2bba8c276a\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\945435ba615b8bd1ff688ebfa43fae39\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\ce11900fa489575613dc777c7fbb0d7d\system.drawing.ni.dll

PID
3172
CMD
"C:\Users\admin\AppData\Roaming\57D4.tmp.exe"
Path
C:\Users\admin\AppData\Roaming\57D4.tmp.exe
Indicators
Parent process
61e231ad0641a_Sat02817ac1e8.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\shell32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\gdi32.dll
c:\users\admin\appdata\roaming\57d4.tmp.exe
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\sechost.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\version.dll
c:\windows\system32\profapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\kernelbase.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\sfc.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\credssp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\webio.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll
c:\users\admin\appdata\locallow\sqlite3.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\mlang.dll
c:\windows\system32\propsys.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\users\admin\appdata\locallow\sg8rm8v\nss3.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\users\admin\appdata\locallow\sg8rm8v\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\users\admin\appdata\locallow\sg8rm8v\softokn3.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\users\admin\appdata\locallow\sg8rm8v\freebl3.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cmd.exe

PID
4076
CMD
"C:\Users\admin\AppData\Roaming\53027.exe"
Path
C:\Users\admin\AppData\Roaming\53027.exe
Indicators
No indicators
Parent process
db3b8f82-a67a-4fd1-9805-66fc2ffbd6ae.exe
User
admin
Integrity Level
HIGH
Exit code
2147944514
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\version.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\lpk.dll
c:\windows\system32\setupapi.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\normaliz.dll
c:\users\admin\appdata\roaming\53027.exe
c:\windows\system32\cryptbase.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sfc.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msctf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\devobj.dll
c:\windows\system32\winmm.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webio.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msiexec.exe

PID
532
CMD
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231ad0641a_Sat02817ac1e8.exe" >> NUL
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
61e231ad0641a_Sat02817ac1e8.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ping.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll

PID
3968
CMD
ping 127.0.0.1
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\ping.exe
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll

PID
3808
CMD
"C:\Windows\System32\cmd.exe" /c taskkill /im "61e231b686514_Sat020f28d97695.exe" /f & erase "C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b686514_Sat020f28d97695.exe" & exit
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
61e231b686514_Sat020f28d97695.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
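
The records above carry the two behaviours a triage analyst keys on in this report: the cmd.exe children of the droppers (PIDs 532 and 3808) chain "ping 127.0.0.1 && del" or "taskkill ... & erase" to remove their own parent once it has finished, and PID 3172 loads Mozilla NSS libraries (nss3.dll, mozglue.dll, softokn3.dll, freebl3.dll) and sqlite3.dll from a directory under AppData\LocalLow rather than from an installed browser, alongside vaultcli.dll and pstorec.dll, the client DLLs for Windows Credential Manager and Protected Storage. The script below is an added example, not part of the ANY.RUN report and not code from the malware: it parses the flat "PID / CMD / Path / ... / Modules / Image" layout used on this page and applies those checks. The rule names are this example's own, SAMPLE is constructed from three of the records above trimmed to the fields the rules need, and the path test on the NSS libraries is deliberate: Firefox legitimately loads nss3.dll from Program Files, so the library name alone is not a signal.

```python
"""Triage rules over an ANY.RUN-style process listing (added example, not the
report's or the malware's code). Flags self-deletion chains and credential-theft DLL loads."""
import re

KEYS = {"PID", "CMD", "Path", "Indicators", "Parent process", "User", "Integrity Level",
        "Exit code", "Version:", "Company", "Description", "Version", "Modules", "Image"}

# Constructed sample: three records copied from the report above, trimmed to what the rules use.
SAMPLE = r"""
PID
3172
CMD
"C:\Users\admin\AppData\Roaming\57D4.tmp.exe"
Path
C:\Users\admin\AppData\Roaming\57D4.tmp.exe
Parent process
61e231ad0641a_Sat02817ac1e8.exe
Modules
Image
c:\users\admin\appdata\locallow\sqlite3.dll
c:\windows\system32\vaultcli.dll
c:\users\admin\appdata\locallow\sg8rm8v\nss3.dll

PID
532
CMD
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231ad0641a_Sat02817ac1e8.exe" >> NUL
Path
C:\Windows\system32\cmd.exe
Parent process
61e231ad0641a_Sat02817ac1e8.exe
Modules
Image
c:\windows\system32\cmd.exe

PID
3808
CMD
"C:\Windows\System32\cmd.exe" /c taskkill /im "61e231b686514_Sat020f28d97695.exe" /f & erase "C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b686514_Sat020f28d97695.exe" & exit
Path
C:\Windows\System32\cmd.exe
Parent process
61e231b686514_Sat020f28d97695.exe
Modules
Image
c:\windows\system32\cmd.exe
"""

# "ping 127.0.0.1 && del ..." / "taskkill ... & erase ...": delay or kill, then remove the dropper
SELF_DELETE = re.compile(r"(?:ping\s+127\.0\.0\.1|taskkill\s).*?&{1,2}\s*(?:del|erase)\s", re.I)
DELETE_TARGET = re.compile(r'\b(?:del|erase)\s+"?([^"&>]+?)"?\s*(?:>>|&|$)', re.I)
# Mozilla NSS + sqlite3: legitimate under Program Files (Firefox), suspicious under \Users\
NSS_LIBS = {"nss3.dll", "mozglue.dll", "softokn3.dll", "freebl3.dll", "sqlite3.dll"}
CRED_STORE_LIBS = {"vaultcli.dll", "pstorec.dll"}  # Credential Manager / Protected Storage clients


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_processes(text):
    """One dict per blank-line-separated record; module paths go under 'modules'."""
    procs, cur, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                       # blank line closes the record
            if cur is not None:
                procs.append(cur)
            cur, key = None, None
            continue
        if cur is None:
            cur = {"modules": []}
        if line in KEYS:                   # key line; its value (if any) is the next line
            key = line
        elif key == "Image":               # everything after 'Image' is a loaded module
            cur["modules"].append(line.lower())
        elif key is not None:
            cur[key] = line
            key = None
    if cur is not None:
        procs.append(cur)
    return procs


def analyze(text):
    """Map PID -> list of (rule, detail) findings for every record in text."""
    findings = {}
    for p in parse_processes(text):
        hits, cmd, image = [], p.get("CMD", ""), p.get("Path", "").lower()
        if basename(image) == "cmd.exe" and SELF_DELETE.search(cmd):
            hits.append(("self_delete", cmd))
            m = DELETE_TARGET.search(cmd)
            if m and basename(m.group(1)) == p.get("Parent process", "").lower():
                hits.append(("self_delete_parent", basename(m.group(1))))
        for mod in p["modules"]:
            name = basename(mod)
            if name in NSS_LIBS and "\\users\\" in mod:
                hits.append(("nss_from_user_path", mod))
            elif name in CRED_STORE_LIBS and "\\windows\\" not in image:
                hits.append(("credential_store_dll", mod))
        findings[int(p["PID"])] = hits
    return findings
```

Running analyze(SAMPLE) reports both cmd.exe records as self_delete plus self_delete_parent (the deleted file's name equals the "Parent process" field), and PID 3172 as nss_from_user_path for sqlite3.dll and nss3.dll and credential_store_dll for vaultcli.dll. The parent-name comparison is what separates a dropper cleaning up after itself from an installer's ordinary temp-file removal, and the "\users\" path test is what keeps a real Firefox process out of the NSS rule.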

PID
1520
CMD
taskkill /im "61e231b686514_Sat020f28d97695.exe" /f
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules