General Info

File name

283b19b27b290d8cf4e119e317badf76

Full analysis
https://app.any.run/tasks/048715c5-9e5b-4bd5-b52f-ddcbe0537b06
Verdict
Malicious activity
Analysis date
4/15/2019, 08:51:08
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

283b19b27b290d8cf4e119e317badf76

SHA1

e3f3d5bed0348f52702fc94a21626a6e1712355a

SHA256

81c61bb115f31892c01845e6baf599d746410d1c11f7ba65ee6c0a83f4debc71

SSDEEP

12288:00GZxajc/iiyPMJrVnFbNECyyQxSsycp7SSm/X:20cRqc9Fb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes the autorun value in the registry
  • explorer.exe (PID: 580)
  • explorer.exe (PID: 3660)
  • explorer.exe (PID: 772)
  • explorer.exe (PID: 1152)
Writes to a start menu file
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2552)
Application was injected by another process
  • explorer.exe (PID: 2044)
Runs injected code in another process
  • explorer.exe (PID: 580)
Loads DLL from Mozilla Firefox
  • explorer.exe (PID: 1864)
Executable content was dropped or overwritten
  • explorer.exe (PID: 580)
  • explorer.exe (PID: 1152)
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2552)
Creates files in the user directory
  • explorer.exe (PID: 1152)
  • explorer.exe (PID: 580)
  • explorer.exe (PID: 3456)
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2552)
Application launched itself
  • explorer.exe (PID: 580)
  • explorer.exe (PID: 3660)
  • explorer.exe (PID: 772)
Starts itself from another location
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2552)
  • winlogon.exe (PID: 3036)
  • explorer.exe (PID: 580)
  • winlogon.exe (PID: 1048)
  • explorer.exe (PID: 3456)
Creates executable files which already exist in Windows
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2552)
Dropped object may contain Bitcoin addresses
  • explorer.exe (PID: 580)
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2552)
  • explorer.exe (PID: 1152)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.dll | Win32 Dynamic Link Library (generic) (38.3%)
.exe | Win32 Executable (generic) (26.2%)
.exe | Win16/32 Executable Delphi generic (12%)
.exe | Generic Win/DOS Executable (11.6%)
.exe | DOS Executable Generic (11.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:04:15 05:19:30+02:00
PEType:
PE32
LinkerVersion:
8
CodeSize:
127488
InitializedDataSize:
305152
UninitializedDataSize:
null
EntryPoint:
0x7000a
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
0.0.0.0
ProductVersionNumber:
0.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
FileDescription:
FileVersion:
0.0.0.0
InternalName:
4e5skquk.exe
LegalCopyright:
OriginalFileName:
4e5skquk.exe
ProductVersion:
0.0.0.0
AssemblyVersion:
0.0.0.0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
15-Apr-2019 03:19:30
FileDescription:
null
FileVersion:
0.0.0.0
InternalName:
4e5skquk.exe
LegalCopyright:
null
OriginalFilename:
4e5skquk.exe
ProductVersion:
0.0.0.0
Assembly Version:
0.0.0.0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
15-Apr-2019 03:19:30
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
k+H7q\x0fTP\xdc\x98\x04 0x00002000 0x000498DC 0x00049A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.99941
.text 0x0004C000 0x0001EF48 0x0001F000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 5.23026
.rsrc 0x0006C000 0x00000BF0 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 3.40171
.reloc 0x0006E000 0x0000000C 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 0.0776332
0x00070000 0x00000010 0x00000200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 0.11837
Resources
  • 1
  • 2
  • 32512

Imports
    mscoree.dll

Exports

    No exports.

Processes

Total processes
40
Monitored processes
11
Malicious processes
4
Suspicious processes
5

Behavior graph

[Interactive behavior graph not reproduced. Nodes: 283b19b27b290d8cf4e119e317badf76.exe, explorer.exe (several instances), winlogon.exe (two instances, no specs). Edge labels present in the graph: "drop and start", "start", "inject".]

Process information

PID
2044
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\msxml3.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\systemcpl.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\sppc.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\winsatapi.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\hcproviders.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\users\admin\appdata\local\temp\283b19b27b290d8cf4e119e317badf76.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\wsock32.dll

PID
2552
CMD
"C:\Users\admin\AppData\Local\Temp\283b19b27b290d8cf4e119e317badf76.exe"
Path
C:\Users\admin\AppData\Local\Temp\283b19b27b290d8cf4e119e317badf76.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\283b19b27b290d8cf4e119e317badf76.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
1152
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
Parent process
283b19b27b290d8cf4e119e317badf76.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\apphelp.dll

PID
580
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\roaming\security\winlogon.exe

PID
3456
CMD
explorer.exe
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wer.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\linkinfo.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\devrtl.dll
c:\users\admin\appdata\roaming\security\winlogon.exe
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

PID
3036
CMD
"C:\Users\admin\AppData\Roaming\security\winlogon.exe"
Path
C:\Users\admin\AppData\Roaming\security\winlogon.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\security\winlogon.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
1048
CMD
"C:\Users\admin\AppData\Roaming\security\winlogon.exe"
Path
C:\Users\admin\AppData\Roaming\security\winlogon.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\security\winlogon.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
772
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
Parent process
winlogon.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\apphelp.dll

PID
3660
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
Parent process
winlogon.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\apphelp.dll

PID
1864
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\program files\mozilla firefox\softokn3.dll

PID
2200
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll

Registry activity

Total events
2747
Read events
2652
Write events
95
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2044
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Fgneghc\rkcybere.rkr
00000000000000000000000078060000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
2044
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
2552
283b19b27b290d8cf4e119e317badf76.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2552
283b19b27b290d8cf4e119e317badf76.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1152
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
1152
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
580
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM
C:\Users\admin\AppData\Roaming\security\winlogon.exe
580
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKCU
C:\Users\admin\AppData\Roaming\security\winlogon.exe
580
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{T173U17B-R086-28U3-DDP2-8332T7CUC038}
StubPath
C:\Users\admin\AppData\Roaming\security\winlogon.exe Restart
580
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
580
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3456
explorer.exe
write
HKEY_CURRENT_USER\Software\remote
FirstExecution
15/04/2019 -- 07:51
3456
explorer.exe
write
HKEY_CURRENT_USER\Software\remote
NewIdentification
remote
3456
explorer.exe
write
HKEY_CURRENT_USER\Software\remote
NewGroup
3456
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3456
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\system32\ntshrui.dll,-103
S&hare with
3456
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3456
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3036
winlogon.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3036
winlogon.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1048
winlogon.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1048
winlogon.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
772
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
772
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
3660
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
3660
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe

Files activity

Executable files
3
Suspicious files
1
Text files
721
Unknown types
0

Dropped files

PID
Process
Filename
Type
2552
283b19b27b290d8cf4e119e317badf76.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
executable
MD5: 283b19b27b290d8cf4e119e317badf76
SHA256: 81c61bb115f31892c01845e6baf599d746410d1c11f7ba65ee6c0a83f4debc71
1152
explorer.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
executable
MD5: 283b19b27b290d8cf4e119e317badf76
SHA256: 81c61bb115f31892c01845e6baf599d746410d1c11f7ba65ee6c0a83f4debc71
580
explorer.exe
C:\Users\admin\AppData\Roaming\security\winlogon.exe
executable
MD5: 283b19b27b290d8cf4e119e317badf76
SHA256: 81c61bb115f31892c01845e6baf599d746410d1c11f7ba65ee6c0a83f4debc71
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: 7ee05348abf3e6ed4cc2b37f91ab5593
SHA256: a429ff26c8385b07723848b2e8fd0ebdbd06b946f27c0e9e9d17618ded5818af
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 7ee05348abf3e6ed4cc2b37f91ab5593
SHA256: a429ff26c8385b07723848b2e8fd0ebdbd06b946f27c0e9e9d17618ded5818af
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: dd5ac9f680b941a88af6fa1189c63842
SHA256: edce759f27cbf8a462e1de8c014b36a474ce0f860a66fc886d571ece4424bf82
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: b5630f56ff00cd7d882c7b156f854c30
SHA256: 25560f58cebd5aecf2d8b29868740ef5c8cdeef4154b14293e3e702a83124376
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 1ac5dc51cd8f8a889b881ec9657efe8c
SHA256: 591233b09ec10a85f769287a179dd263526d854f625c44b4ca5bfed57099c52a
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: dd91753d70d660bf4548ba729d3b34da
SHA256: 3628d9604ce212e4aeeab7354f616874883cf19c250e9fac35797777121ffc0c
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 86b66621b02a9f65b0a7ed51c96dfc8f
SHA256: 335c966c8cd9bdaf776b0a6c342897cf2eefc022dd2cbc767d66a552f17146e2
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 4e9e905dfd135049e73b4f8333cb01fb
SHA256: 28a5dffeca4b84931f3172d00b8ed6645de3abdaf558d02641bcd3cefa725e26
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: a36cc59f4d64d49e676248353afcbed2
SHA256: abcb21db093cf306186f642d2d905da65d9ddf31171fc6b772a75c663bf4d626
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: a36cc59f4d64d49e676248353afcbed2
SHA256: abcb21db093cf306186f642d2d905da65d9ddf31171fc6b772a75c663bf4d626
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 1987317337abb6043ab0441ac78eccd8
SHA256: 63722b38b0a5f4c2500e18a90a3a2aec0b281174ef2ed80010b9063f0906a53b
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 5a35693c844c09d151c7dd2e06eb4541
SHA256: ddb9dc6a244d3cde31d3fef7d2645da166ddb7e73b8c55b4fc7f3656c6266a30
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 387a5c4a728acfdf9c3892ee93dbce87
SHA256: a8e0368bde17c4a1f4f04083ef19d2ef6e072f0e260d0d1d9972b3c8c1f3e180
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 3cbdc70ca5035655a0c9dd901b4bca48
SHA256: d874fdadb25b63cd475cdf9d717f14fbc829930da16e02c191e61836e7491ba7
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 3cb97c38709ced99662ea03b14496ebb
SHA256: cac0dd9b2627726626ab816b1f90cad3519062ffff8397731c90b41b662582e9
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 2ce903062940d08b0ef6b96f5f94aec9
SHA256: d31cbf63806e49aa07860f356195248b244fb6e3c291608cf84ff49202a8af36
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: fbba005e4ff3a33a98970e679528b59a
SHA256: 210f08d6b7a8f2226504e870741c0e6828eab8b79e876711391a1435f35403ff
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: ffb14079dd2c7a035a94d25309a96682
SHA256: 38da1d4b645046b65ec1e7b69bae67c7384632446277a73ec296cbadf54bbd94
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: ffb14079dd2c7a035a94d25309a96682
SHA256: 38da1d4b645046b65ec1e7b69bae67c7384632446277a73ec296cbadf54bbd94
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 46e9eb020725dc023233ca3eb22f9363
SHA256: 626a58e26e9ac97304e58cfacf6a05c574f4d285a2926624e9c6cf69268570e9
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: fbf554f89b2dadddbefb3f7f14fcfa10
SHA256: bdb688fd75af2d68cf234062d5a7faa372cd52218c4bdab149c5d21ed4097b16
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: d106dcda7924a9f6dd901265513d6e0b
SHA256: 75dd9fdaf94508ac660c15e7fd477df44fe096ec99b0112aa1be84c3aff22870
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 16c0c092156d11d88beaed0d01705d25
SHA256: 39d22e29338455587f42f177dc4e65a1946d63302f8ed9ae3003077c65cc51be
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: a2b69710d8aae6aa833d47011788fcfe
SHA256: 203f8a0fa9ab9fe06ddff1fe7a7f4df927695bdd2a0cbf7627b2e96c826569a6
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 247a36f2999f64d32c05644637ad6a0c
SHA256: aeda72039020911d817d3cd6cab20c06779e735f5d32199845ec0f94be4242bf
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 5bb5169eeeaf07a452743999b0516db3
SHA256: 089c8e57ae86c23d8fc7b70f054e1ccd6a9564bf0f3224ec308cceaf6295ed5a
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: 5bb5169eeeaf07a452743999b0516db3
SHA256: 089c8e57ae86c23d8fc7b70f054e1ccd6a9564bf0f3224ec308cceaf6295ed5a
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: a313f2d1b6d1953751b6ed08419b63a3
SHA256: 05dc962e756f7e914175b4e8a0e28c3e07b57f69df04834390297861ca9c9a4a
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 927e8c8f34dd0013c95348269fa4f86a
SHA256: 40be339be9f415d0e924c46a8efb24604e704f96e4bfe8ae7cb95ed938a57937
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 56d6e3b7ba7e3a54b9d4ab0b50ffdde5
SHA256: e36176babe047acf4da19a884bad53d9d572e6a265d0fc00842851c687d2cbab
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 71f8e4e4ba6a92948869654bc761c0f4
SHA256: 1db00d05fda3f24e953271ce9aae13df3fffa7cfb8a621b4ede8043d74937000
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: a67101fd91839dec21e6d958eaa1c382
SHA256: ecad4d28432a79671aa2fcfdbed04579dcb8d3ef3eced50295e655549a80e21e
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 91f4ebf9c7bb5196ac16c93ebb6026fa
SHA256: dba27f2fdb473153143769cd40c8dedf4c1e725f4109f8d83111b23679abfe83
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 495224b1636ae2c8f7abe96db0e55975
SHA256: 658866eeeabbc7550964b70b7fc5896b5d5e20ff39fadf63465f35a154d85ac3
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: cfae8a5fab3705ba5f8b95e68c9f3a0d
SHA256: f5d36ae017535a80a51dbaf02fc084f85134ad5bf835de6780a4c642bbfb2123
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: cfae8a5fab3705ba5f8b95e68c9f3a0d
SHA256: f5d36ae017535a80a51dbaf02fc084f85134ad5bf835de6780a4c642bbfb2123
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 0abb855496ed3332ee8271dba63cc6b2
SHA256: 8c22f524ebd3668629054a05a3d9a498a86ed1c991701b83af753b4ff5347b82
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: f3677158104b70a5c3c41871867cfd01
SHA256: 0922d0bb150a6f4044506a3146e0333a7e3067fe441b587ad45ebb67a28a47c0
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: e96ddd09d81e7e2bfc62240238c4dec8
SHA256: 40e78970de7e6b27231da271f08e4dee0f4a249aabf32aefa80b14dba9113b81
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 3e9c2367d5051188127815a18cc487bb
SHA256: cf5db6265d3344f22e6bf61de49b8748e16d790c7b103955ed10cd26cad30e0a
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 779355bfab8dc1619a0a9979842343a3
SHA256: 61106b95c93f2d81adf9ac7941f3ab9828255d7f1c949789b152fe48bf9bb5a3
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: ee4df73e05af4d1d2ed7387e39909c01
SHA256: baf66a8ead948a455eac7c4720bc7aabba41c62417b968296df4234b0979382a
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: cbd76bd6c35cddffa344687887f6aff9
SHA256: e37c6a30b91b9c6678a9a547134cc2a9344e49c19091ad7998e568f78d4daf43
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: cbd76bd6c35cddffa344687887f6aff9
SHA256: e37c6a30b91b9c6678a9a547134cc2a9344e49c19091ad7998e568f78d4daf43
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: df690bfc30cc89aeb5944b66602355de
SHA256: 62642b812ba49fc05f0404e0be224532718f1371556dca98f85c3232491ee9ba
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 64b23b0ca8c58a876c1f99ce5360caed
SHA256: e17e31b99c1e600627fc264c8714697ba74aa2025bf3f81652449b0ff1cd52e3
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: de0bce5f59f8f07febf9f7ce76d2869b
SHA256: 643715454e4b1f425389f280ef71dbd8fb54b7e7c3c88c03a06406c754c0e257
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: e4b5454e70a5afd14a49003897ab8cf6
SHA256: 630f5d12f5eeacd65cdaccce8434eb54372b6d74e8b2e327188d81b18445e61a
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 18d9515079b83a606cd9142598de8751
SHA256: 19913470dfda1e9abfdce753fccfcaa6d65c321eb4ee83c9d9ee22b9e585df53
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: 695fffed779d56b6c79204168d4b43bd
SHA256: 06b91eb93b1dabddcd06e15a5b7a7b88ca5874066b243feb3f20a0ed97f21e35
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: 5348871458ec4536eeeb2bd168394154
SHA256: b6b5dce90ae07b6c8352005978863b527ab769ab890c6cf10148b5b83daca0d2
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 5348871458ec4536eeeb2bd168394154
SHA256: b6b5dce90ae07b6c8352005978863b527ab769ab890c6cf10148b5b83daca0d2
3456
explorer.exe
C:\Users\admin\AppData\Roaming\adminlog.dat
text
MD5: bf3dba41023802cf6d3f8c5fd683a0c7
SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 4bb79ac48473cc4eb6da285f57d53d7f
SHA256: 4c9560f000630fee3048c30fb1bfd3e7a5e8e60f90d58fa77ceb03806f60018e
580
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin2.txt
binary
MD5: 138cc118844c5109c7bbeba75bc55dfb
SHA256: 48a14dd3bb35bd2f150c2c6c5def24efe67ad8746651ab91ef9e7a20203829f7
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 10073d2e19c7bd50d99a076844611123
SHA256: d7a1c874fdd54128a1aabde0889c1b997b32933dfa13b61a08ab1fd9be3616f3
3456
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
––
MD5:  ––
SHA256:  ––


Network activity

HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
1
Threats
0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3456 explorer.exe 79.151.109.87:4000 Telefonica De Espana ES unknown

DNS requests

Domain IP Reputation
satellite-5g.ddns.net 79.151.109.87 malicious

Threats

No threats detected.

Debug output strings

No debug info.