General Info

File name

fusioninventory-agent_windows-x86_2.4.3.exe

Full analysis
https://app.any.run/tasks/8647b1e8-1baf-4618-876a-663fd7ab4fb0
Verdict
Malicious activity
Analysis date
5/14/2019, 23:04:03
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5

7a3197375fb29177d4c002959002d2dd

SHA1

a0e3418c973eae3eda2a8246d8f5d1b060e7aa57

SHA256

731c0185164bdb8863c433398f498ba575afda318db448310d4d7e79e187852b

SSDEEP

196608:79OIN4fnOQ756YuZrY3lHMTAxDxqhNl7htG8S1Wz6sLP4:795cOQYYuZ81HMAD8h3lUI6QA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Uses Task Scheduler to run other applications
  • cmd.exe (PID: 1332)
Application was dropped or rewritten from another process
  • ns26F3.tmp (PID: 2436)
  • ns2443.tmp (PID: 4064)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 1740)
Loads dropped or rewritten executable
  • fusioninventory-agent_windows-x86_2.4.3.exe (PID: 3240)
Starts CMD.EXE for commands execution
  • ns26F3.tmp (PID: 2436)
Executable content was dropped or overwritten
  • fusioninventory-agent_windows-x86_2.4.3.exe (PID: 3240)
Uses NETSH.EXE for network configuration
  • ns2443.tmp (PID: 4064)
Starts application with an unusual extension
  • fusioninventory-agent_windows-x86_2.4.3.exe (PID: 3240)
Creates files in the program directory
  • fusioninventory-agent_windows-x86_2.4.3.exe (PID: 3240)

No info indicators.

Static information

TRiD
  • .exe  Win32 Executable MS Visual C++ (generic) (67.4%)
  • .dll  Win32 Dynamic Link Library (generic) (14.2%)
  • .exe  Win32 Executable (generic) (9.7%)
  • .exe  Generic Win/DOS Executable (4.3%)
  • .exe  DOS Executable Generic (4.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:01:30 04:57:38+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
25088
InitializedDataSize:
118784
UninitializedDataSize:
1024
EntryPoint:
0x3328
OSVersion:
4
ImageVersion:
6
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
2.4.3.23
ProductVersionNumber:
2.4.3.23
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Windows, Latin1
Comments:
Setup FusionInventory Agent for Microsoft Windows
CompanyName:
FusionInventory Team (http://www.fusioninventory.org)
FileDescription:
FusionInventory Agent for Microsoft Windows
FileVersion:
2.4.3.23
InternalName:
FusionInventory-Agent
LegalCopyright:
FusionInventory Team
LegalTrademarks:
FusionInventory Agent is distributed under GNU GPL License
ProductName:
FusionInventory Agent
ProductVersion:
2.4.3
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
30-Jan-2018 03:57:38
Detected languages
English - United States
French - France
Spanish - Spain (Traditional sort)
Comments:
Setup FusionInventory Agent for Microsoft Windows
CompanyName:
FusionInventory Team (http://www.fusioninventory.org)
FileDescription:
FusionInventory Agent for Microsoft Windows
FileVersion:
2.4.3.23
InternalName:
FusionInventory-Agent
LegalCopyright:
FusionInventory Team
LegalTrademarks:
FusionInventory Agent is distributed under GNU GPL License
ProductName:
FusionInventory Agent
ProductVersion:
2.4.3
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
30-Jan-2018 03:57:38
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00006077 0x00006200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.40397
.rdata 0x00008000 0x00001248 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.04426
.data 0x0000A000 0x0001A838 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.22445
.ndata 0x00025000 0x00031000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x00056000 0x00006E60 0x00007000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.03692
Resources
1, 2, 103, 104, 105, 106, 107, 109, 110, 111

Imports
  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • SHELL32.dll
  • ADVAPI32.dll
  • COMCTL32.dll
  • ole32.dll

Exports

    No exports.

Processes

Total processes
44
Monitored processes
8
Malicious processes
1
Suspicious processes
2

Behavior graph

Behavior graph (rendered as text): nodes fusioninventory-agent_windows-x86_2.4.3.exe (no specs), fusioninventory-agent_windows-x86_2.4.3.exe, ns2443.tmp (no specs), netsh.exe (no specs), ns26f3.tmp (no specs), cmd.exe (no specs), schtasks.exe (no specs), find.exe (no specs); edge labels: drop and start, drop and start, start. Parent/child relations are listed per process under Process information below.

Process information

PID
2784
CMD
"C:\Users\admin\AppData\Local\Temp\fusioninventory-agent_windows-x86_2.4.3.exe"
Path
C:\Users\admin\AppData\Local\Temp\fusioninventory-agent_windows-x86_2.4.3.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
FusionInventory Team (http://www.fusioninventory.org)
Description
FusionInventory Agent for Microsoft Windows
Version
2.4.3.23
Modules
Image
c:\users\admin\appdata\local\temp\fusioninventory-agent_windows-x86_2.4.3.exe
c:\systemroot\system32\ntdll.dll

PID
3240
CMD
"C:\Users\admin\AppData\Local\Temp\fusioninventory-agent_windows-x86_2.4.3.exe"
Path
C:\Users\admin\AppData\Local\Temp\fusioninventory-agent_windows-x86_2.4.3.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
FusionInventory Team (http://www.fusioninventory.org)
Description
FusionInventory Agent for Microsoft Windows
Version
2.4.3.23
Modules
Image
c:\users\admin\appdata\local\temp\fusioninventory-agent_windows-x86_2.4.3.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nsd51cf.tmp\system.dll
c:\users\admin\appdata\local\temp\nsd51cf.tmp\langdll.dll
c:\users\admin\appdata\local\temp\nsd51cf.tmp\getversion.dll
c:\users\admin\appdata\local\temp\nsd51cf.tmp\registry.dll
c:\users\admin\appdata\local\temp\nsd51cf.tmp\enumini.dll
c:\windows\system32\riched20.dll
c:\users\admin\appdata\local\temp\nsd51cf.tmp\nsdialogs.dll
c:\windows\system32\comdlg32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\users\admin\appdata\local\temp\nsd51cf.tmp\nsexec.dll
c:\users\admin\appdata\local\temp\nsd51cf.tmp\ns2443.tmp
c:\users\admin\appdata\local\temp\nsd51cf.tmp\simplesc.dll
c:\users\admin\appdata\local\temp\nsd51cf.tmp\ns26f3.tmp

PID
4064
CMD
"C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\ns2443.tmp" netsh advfirewall firewall delete rule name="FusionInventory-Agent"
Path
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\ns2443.tmp
Indicators
No indicators
Parent process
fusioninventory-agent_windows-x86_2.4.3.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsd51cf.tmp\ns2443.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3304
CMD
netsh advfirewall firewall delete rule name="FusionInventory-Agent"
Path
C:\Windows\system32\netsh.exe
Indicators
No indicators
Parent process
ns2443.tmp
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\rasmontr.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\nshwfp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\slc.dll
c:\windows\system32\dhcpcmonitor.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpqec.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\wshelper.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\nshhttp.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\fwcfg.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\authfwcfg.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\winipsec.dll
c:\windows\system32\ifmon.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\nci.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\netiohlp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\whhelper.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\hnetmon.dll
c:\windows\system32\netshell.dll
c:\windows\system32\shell32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rpcnsh.dll
c:\windows\system32\dot3cfg.dll
c:\windows\system32\dot3api.dll
c:\windows\system32\atl.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\onex.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\napmontr.dll
c:\windows\system32\certcli.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\nshipsec.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\activeds.dll
c:\windows\system32\adsldpc.dll
c:\windows\system32\polstore.dll
c:\windows\system32\nettrace.dll
c:\windows\system32\ndfapi.dll
c:\windows\system32\wdi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\tdh.dll
c:\windows\system32\wcnnetsh.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\p2pnetsh.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\wlancfg.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\wwancfg.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\peerdistsh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\qagent.dll
c:\windows\system32\napipsec.dll
c:\windows\system32\tsgqec.dll
c:\windows\system32\eapqec.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcryptprimitives.dll

PID
2436
CMD
"C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\ns26F3.tmp" "C:\Windows\system32\cmd.exe" /c schtasks /query /fo csv | find /c "FusionInventory-Agent"
Path
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\ns26F3.tmp
Indicators
No indicators
Parent process
fusioninventory-agent_windows-x86_2.4.3.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsd51cf.tmp\ns26f3.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
1332
CMD
"C:\Windows\system32\cmd.exe" /c schtasks /query /fo csv | find /c "FusionInventory-Agent"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ns26F3.tmp
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\find.exe

PID
1740
CMD
schtasks /query /fo csv
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

PID
3612
CMD
find /c "FusionInventory-Agent"
Path
C:\Windows\system32\find.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Find String (grep) Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\find.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
442
Read events
384
Write events
58
Delete events
0

Modification events

All 17 write events come from PID 3304 (netsh.exe) under the key HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E:

Name | Value
LanguageList | en-US
@%SystemRoot%\system32\dhcpqec.dll,-100 | DHCP Quarantine Enforcement Client
@%SystemRoot%\system32\dhcpqec.dll,-101 | Provides DHCP based enforcement for NAP
@%SystemRoot%\system32\dhcpqec.dll,-103 | 1.0
@%SystemRoot%\system32\dhcpqec.dll,-102 | Microsoft Corporation
@%SystemRoot%\system32\napipsec.dll,-1 | IPsec Relying Party
@%SystemRoot%\system32\napipsec.dll,-2 | Provides IPsec based enforcement for Network Access Protection
@%SystemRoot%\system32\napipsec.dll,-4 | 1.0
@%SystemRoot%\system32\napipsec.dll,-3 | Microsoft Corporation
@%SystemRoot%\system32\tsgqec.dll,-100 | RD Gateway Quarantine Enforcement Client
@%SystemRoot%\system32\tsgqec.dll,-101 | Provides RD Gateway enforcement for NAP
@%SystemRoot%\system32\tsgqec.dll,-102 | 1.0
@%SystemRoot%\system32\tsgqec.dll,-103 | Microsoft Corporation
@%SystemRoot%\system32\eapqec.dll,-100 | EAP Quarantine Enforcement Client
@%SystemRoot%\system32\eapqec.dll,-101 | Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
@%SystemRoot%\system32\eapqec.dll,-102 | 1.0
@%SystemRoot%\system32\eapqec.dll,-103 | Microsoft Corporation

Files activity

Executable files
20
Suspicious files
0
Text files
127
Unknown types
0

Dropped files

PID
Process
Filename
Type
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\System.dll
executable
MD5: b0c77267f13b2f87c084fd86ef51ccfc
SHA256: a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\EnumINI.dll
executable
MD5: 80403ca224c7aa80e92799b4d1eb242d
SHA256: e1852457fe4bbb8ffe90b711fd4eda3f37b5e1bb284673aef0f8aa57a9b0559d
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\registry.dll
executable
MD5: 2b7007ed0262ca02ef69d8990815cbeb
SHA256: 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\GetVersion.dll
executable
MD5: 225f776172f1baccd2721a6e5d512b36
SHA256: ecfcbe30f5b248673f9cbebb734b9981ed14b06380ea787c563d67b30e2d069e
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\nsDialogs.dll
executable
MD5: eac1c3707970fe7c71b2d760c34763fa
SHA256: 062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\bin\zlib1_.dll
executable
MD5: c1faf35617e5a6edb418ff129048fd95
SHA256: 3285a82c1fe6165b92ebd8e15c66c7baaaace1e74ec2ad74c046c4d93a5b1733
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\sed.exe
executable
MD5: 289c007f63e4216757e3c03c38555133
SHA256: 5c2e7c4e79b2af04f09ddec2b01bc68de99761a149e90a37319f515682843116
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\bin\ssleay32_.dll
executable
MD5: 5bc5a4ca6a5147b59840a657710d5e7a
SHA256: db485533433dc10e908f8956776beefe430b99f48f270a8b58d4fba5239ae92b
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\libintl3.dll
executable
MD5: d202baa425176287017ffe1fb5d1b77c
SHA256: f48ce1866602b114e653c876334b771107559acf1c685373d2305034613958f0
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\bin\liblzma-5_.dll
executable
MD5: 4c219f4e078a4d34bac0947cd4f1709f
SHA256: 4d8b2d808929361538fa38a2299fca56659e02aa5e651906ca22b7c144958f09
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\bin\libbz2-1_.dll
executable
MD5: 0103bb5c0d184e25755336d48bc3e27c
SHA256: e0beb300c9c0c0b9c2ccee0e01ea89a2891e26c926a8b29faadb0eb77c284111
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\libiconv2.dll
executable
MD5: e0dc8c6bbc787b972a9a468648dbfd85
SHA256: 6deedad652bfab7b09ebd0e06045810390b6ac6cb5aa9ef41c9daa5616181f22
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\nsExec.dll
executable
MD5: 1f49d8af9be9e915d54b2441c4a79adf
SHA256: b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\Uninstall.exe
executable
MD5: a478209b32f757b655a22cf62197588f
SHA256: 77705464e34e8be65e8c9521998ff72ae0f304f820c249447b8f5410b4330683
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\SimpleSC.dll
executable
MD5: d63975ce28f801f236c4aca5af726961
SHA256: e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\LangDLL.dll
executable
MD5: 77ff758c10c66937de6d86c388aa431c
SHA256: 6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\ns26F3.tmp
executable
MD5: e2347a65b30ccc5b2c4230daaeefb897
SHA256: 79fd3041ab85e378839d2e3cf155fc91a2d541304d209f5d1d57ac7d791190ec
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\ns2443.tmp
executable
MD5: e2347a65b30ccc5b2c4230daaeefb897
SHA256: 79fd3041ab85e378839d2e3cf155fc91a2d541304d209f5d1d57ac7d791190ec
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\regex2.dll
executable
MD5: 547c43567ab8c08eb30f6c6bacb479a3
SHA256: 3a71bf90e8bddfb813b44f9cbcecf431311a7979c1debc976767b3e5e59031af
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\bin\libeay32_.dll
executable
MD5: 9a4799328793a2bea6facdaf2b20da3a
SHA256: a87fb088d811dec163221234461dcfa0865683be256f1ee9cddc18fc60ab3d1b
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\lib\Digest\base.pm
––
MD5:  ––
SHA256:  ––
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\modern-header.bmp
image
MD5: 3b8557ba117a80d868ff767f1f618172
SHA256: 57d82a59be7c46ca546b8a7f3af3398be551c03147436786667a7034fc8e9914
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\bin\libwinpthread-1.dll
––
MD5:  ––
SHA256:  ––
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\Options.ini
text
MD5: e364c301e53fa3952b206268c0e9ae2f
SHA256: bd7834a3158b66ad25c4482524426d0ecdf8f8aa9636872814b65eb91b99e79b
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\bin\libstdc++-6.dll
––
MD5:  ––
SHA256:  ––
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\CommandLineParser.log
text
MD5: b8cc266cbc2c097bffb4f033e09df060
SHA256: d02a13d11ce5b9781022dbdfc7275bf6f38c1efc500799848cc356f9b498ab99
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\lib\Devel\PPPort.pm
––
MD5:  ––
SHA256:  ––
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\modern-wizard.bmp
image
MD5: 3a0f1bdca9bd1895054ee17e351b6b37
SHA256: c53f73f21ee8d4a1a96acedeb5b5c32554c114c31fde8bf9a856371abac2da7f
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\lib\Digest\MD5.pm
––
MD5:  ––
SHA256:  ––
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\lib\Data\Dumper.pm
text
MD5: eeecd67170fe96cd7b9e1158df7d456c
SHA256: 4221f81f6fbe2599e1cf487271d5444aeb0bc54e16f3219e3ebcf49e6f686a91
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\lib\Digest\SHA.pm
––
MD5:  ––
SHA256:  ––
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\bin\libgcc_s_sjlj-1.dll
––
MD5:  ––
SHA256:  ––
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\Options.ini
text
MD5: a592267f04307aabae56ca0db246f7c3
SHA256: 397d90b62e38b52ffa4cceb4d9b4fb476a447e0a4eb8dffe303bc3986e950a26
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Program Files\FusionInventory-Agent\perl\lib\Devel\Peek.pm
––
MD5:  ––
SHA256:  ––
3240
fusioninventory-agent_windows-x86_2.4.3.exe
C:\Users\admin\AppData\Local\Temp\nsd51CF.tmp\Options.ini
text
MD5: 7b128a65d7a347b327a4ec8de97d1311
SHA256: 01faa5fc79618695c185d0589220b211559ddeb43be35791760d81435b2f8969

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.