General Info

File name

283b19b27b290d8cf4e119e317badf76

Full analysis
https://app.any.run/tasks/ef4fd9e2-9a50-4e84-a0a2-9e531ca28125
Verdict
Malicious activity
Analysis date
4/15/2019, 08:53:07
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

283b19b27b290d8cf4e119e317badf76

SHA1

e3f3d5bed0348f52702fc94a21626a6e1712355a

SHA256

81c61bb115f31892c01845e6baf599d746410d1c11f7ba65ee6c0a83f4debc71

SSDEEP

12288:00GZxajc/iiyPMJrVnFbNECyyQxSsycp7SSm/X:20cRqc9Fb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Changes the autorun value in the registry
  • explorer.exe (PID: 2464)
  • explorer.exe (PID: 2556)
  • explorer.exe (PID: 3400)
  • explorer.exe (PID: 1524)
Application was injected by another process
  • explorer.exe (PID: 2036)
Runs injected code in another process
  • explorer.exe (PID: 2464)
Writes to a start menu file
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2664)
Starts itself from another location
  • explorer.exe (PID: 2464)
  • winlogon.exe (PID: 3824)
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2664)
  • winlogon.exe (PID: 2864)
  • explorer.exe (PID: 1040)
Executable content was dropped or overwritten
  • explorer.exe (PID: 2464)
  • explorer.exe (PID: 2556)
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2664)
Loads DLL from Mozilla Firefox
  • explorer.exe (PID: 3220)
Creates files in the user directory
  • explorer.exe (PID: 1040)
  • explorer.exe (PID: 2556)
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2664)
  • explorer.exe (PID: 2464)
Application launched itself
  • explorer.exe (PID: 3400)
  • explorer.exe (PID: 2556)
  • explorer.exe (PID: 2464)
Creates executable files which already exist in Windows
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2664)
Dropped object may contain Bitcoin addresses
  • explorer.exe (PID: 2464)
  • 283b19b27b290d8cf4e119e317badf76.exe (PID: 2664)
  • explorer.exe (PID: 2556)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.dll
|   Win32 Dynamic Link Library (generic) (38.3%)
.exe
|   Win32 Executable (generic) (26.2%)
.exe
|   Win16/32 Executable Delphi generic (12%)
.exe
|   Generic Win/DOS Executable (11.6%)
.exe
|   DOS Executable Generic (11.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:04:15 05:19:30+02:00
PEType:
PE32
LinkerVersion:
8
CodeSize:
127488
InitializedDataSize:
305152
UninitializedDataSize:
null
EntryPoint:
0x7000a
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
0.0.0.0
ProductVersionNumber:
0.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
FileDescription:
FileVersion:
0.0.0.0
InternalName:
4e5skquk.exe
LegalCopyright:
OriginalFileName:
4e5skquk.exe
ProductVersion:
0.0.0.0
AssemblyVersion:
0.0.0.0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
15-Apr-2019 03:19:30
FileDescription:
null
FileVersion:
0.0.0.0
InternalName:
4e5skquk.exe
LegalCopyright:
null
OriginalFilename:
4e5skquk.exe
ProductVersion:
0.0.0.0
Assembly Version:
0.0.0.0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
15-Apr-2019 03:19:30
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
k+H7q\x0fTP\xdc\x98\x04 0x00002000 0x000498DC 0x00049A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.99941
.text 0x0004C000 0x0001EF48 0x0001F000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 5.23026
.rsrc 0x0006C000 0x00000BF0 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 3.40171
.reloc 0x0006E000 0x0000000C 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 0.0776332
0x00070000 0x00000010 0x00000200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 0.11837
Resources
1

2

32512

Imports
    mscoree.dll

Exports

    No exports.

Screenshots

Processes

Total processes
40
Monitored processes
11
Malicious processes
4
Suspicious processes
5

Behavior graph

+
drop and start start drop and start inject drop and start drop and start 283b19b27b290d8cf4e119e317badf76.exe explorer.exe explorer.exe explorer.exe explorer.exe winlogon.exe no specs winlogon.exe no specs explorer.exe explorer.exe no specs explorer.exe explorer.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2036
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\users\admin\appdata\local\temp\283b19b27b290d8cf4e119e317badf76.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\wsock32.dll

PID
2664
CMD
"C:\Users\admin\AppData\Local\Temp\283b19b27b290d8cf4e119e317badf76.exe"
Path
C:\Users\admin\AppData\Local\Temp\283b19b27b290d8cf4e119e317badf76.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\283b19b27b290d8cf4e119e317badf76.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
2556
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
Parent process
283b19b27b290d8cf4e119e317badf76.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\apphelp.dll

PID
2464
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\roaming\security\winlogon.exe

PID
1040
CMD
explorer.exe
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\windows\system32\mscoree.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wer.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\linkinfo.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\devrtl.dll
c:\users\admin\appdata\roaming\security\winlogon.exe
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

PID
3824
CMD
"C:\Users\admin\AppData\Roaming\security\winlogon.exe"
Path
C:\Users\admin\AppData\Roaming\security\winlogon.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\security\winlogon.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
2864
CMD
"C:\Users\admin\AppData\Roaming\security\winlogon.exe"
Path
C:\Users\admin\AppData\Roaming\security\winlogon.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\security\winlogon.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
3400
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
Parent process
winlogon.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\apphelp.dll

PID
3220
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll

PID
1524
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
Parent process
winlogon.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\apphelp.dll

PID
3700
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll

Registry activity

Total events
2776
Read events
2673
Write events
103
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2036
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Fgneghc\rkcybere.rkr
00000000000000000000000098060000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
2036
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000400000003000000718C00000200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F02
2036
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Fgneghc\rkcybere.rkr
00000000000000000100000098060000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
2036
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000400000004000000718C00000200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F02
2036
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Fgneghc\rkcybere.rkr
000000000000000001000000260C0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
2036
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000400000004000000FF9100000200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F02
2036
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Fgneghc\rkcybere.rkr
000000000000000002000000260C0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
2036
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000400000005000000FF9100000200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F02
2036
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Fgneghc\rkcybere.rkr
0000000000000000020000007D150000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
2036
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000400000005000000569B00000200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F020200000002000000724300004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000120200000000CC0B120200000000CC0B12020400050005001F02280C12020800050005001F026CE71F020100000154001F0200000100B8139D75444812020C0003000300000000000500280C12020000000005000000CC0B120201000000C8E91F02C0E91F0200000000C8FDDE02C0FCDE0244E71F023DA9457600000000FBFFFF7F68E71F02987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000035EE190651EE190635EE1906000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B00000014000000140050000000070000000200060026030200A5863C750800000064021400E72F1B77B5863C753F030000CC04140000001400A86D150011000000B8451700B045170005000000F8F3DD0270E80000F28635BB20E81F028291457670E81F0224E81F022795457600000000ECD2DD024CE81F02CD944576ECD2DD02F8E81F0260CEDD02E19445760000000060CEDD02F8E81F0254E81F02
2664
283b19b27b290d8cf4e119e317badf76.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2664
283b19b27b290d8cf4e119e317badf76.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2556
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
2556
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
2464
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM
C:\Users\admin\AppData\Roaming\security\winlogon.exe
2464
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKCU
C:\Users\admin\AppData\Roaming\security\winlogon.exe
2464
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{T173U17B-R086-28U3-DDP2-8332T7CUC038}
StubPath
C:\Users\admin\AppData\Roaming\security\winlogon.exe Restart
2464
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2464
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1040
explorer.exe
write
HKEY_CURRENT_USER\Software\remote
FirstExecution
15/04/2019 -- 07:53
1040
explorer.exe
write
HKEY_CURRENT_USER\Software\remote
NewIdentification
remote
1040
explorer.exe
write
HKEY_CURRENT_USER\Software\remote
NewGroup
1040
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
1040
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\system32\ntshrui.dll,-103
S&hare with
1040
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1040
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3824
winlogon.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3824
winlogon.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2864
winlogon.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2864
winlogon.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3400
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
3400
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
1524
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
1524
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
18.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe

Files activity

Executable files
3
Suspicious files
1
Text files
761
Unknown types
0

Dropped files

PID
Process
Filename
Type
2664
283b19b27b290d8cf4e119e317badf76.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
executable
MD5: 283b19b27b290d8cf4e119e317badf76
SHA256: 81c61bb115f31892c01845e6baf599d746410d1c11f7ba65ee6c0a83f4debc71
2556
explorer.exe
C:\Users\admin\AppData\RoamingMicrosoft\System\Services\18.exe
executable
MD5: 283b19b27b290d8cf4e119e317badf76
SHA256: 81c61bb115f31892c01845e6baf599d746410d1c11f7ba65ee6c0a83f4debc71
2464
explorer.exe
C:\Users\admin\AppData\Roaming\security\winlogon.exe
executable
MD5: 283b19b27b290d8cf4e119e317badf76
SHA256: 81c61bb115f31892c01845e6baf599d746410d1c11f7ba65ee6c0a83f4debc71
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: a9a6eb14c09ca0f9fefbe211cb73c2da
SHA256: 977f0d62ca61b236b14d6b998489e2aa46988484779105e2663fca2c6739e0ae
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: f2339bcd255d19b96b111538577809c2
SHA256: 47faba998cad441767ab894dd5d6df5e49f18055fe1e78b3162ea58e9abd75eb
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: b1bf37b1281ed8dad1d0cb188e25c310
SHA256: dd0277931c51d0b6d363e1c7723254ebd6910c701d8af04f2f2ed3f97de69c3e
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 94aa1e0c793c2d3b3b2063249d81e741
SHA256: 994a3c76e3c691909a92e8945454b7274104263fc8e150bae4eee5f106f8b62c
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: cde306d5b02f2c9a461a5ae68a16c801
SHA256: 7d976aa59cd4a94c25c70144005586d189b9049b1a72670e920df361cd042788
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: db494fe77270262120620c460b9f72eb
SHA256: 31d814fcd250a6654d401e78e84f06036928450cb30837513be17de6fd624e84
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: ea635a8c838b91c25cab47a482008a3d
SHA256: c9e3fa42863fafdadc50d079432e9bccbd5ac8ab3ba7207bd6023c427a67b86f
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: 284be89193b98b32a4c1f26ddddf42ba
SHA256: 5664f093f1a64c35ef10a0278768c57bf0e1ac694e845bf68e6070580b784e47
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 284be89193b98b32a4c1f26ddddf42ba
SHA256: 5664f093f1a64c35ef10a0278768c57bf0e1ac694e845bf68e6070580b784e47
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 30332167bdf4c8daa98a7223106dd67e
SHA256: 97ea12e78c46bc9cbace3d52a64e6e13778d0d016bc272b5c6fe2fa711b24ba2
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
––
MD5:  ––
SHA256:  ––
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 9419e0b6e3e697b8e62d3bfa9932be3d
SHA256: 8f3d56d236b18a57f8b46e4cc277c6144e0bd2863b84e09feb30073aff0a5fea
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 4a203c8dbd35d1c85cfe600d4b62aef2
SHA256: f2bb9a437e76eff91d30fc24dea37def4f2df3cb10358c9ad75d2b1500b89da4
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: d71d55b496327cfa7813e6a7e8937422
SHA256: b0d9e17660d13b57cf40b0fbf193e38f5c947fd170babad18ebbdbd8cefdac98
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 47d8c977502fca4c3ad85e103ef25aa2
SHA256: 0c8832a3dc899dca634f198c8f2e810006bbe7a4990fa9265f3d787d444e6300
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: a0501f63f16292a4b9f3de041ae7609d
SHA256: bcd9929eccf38688b68071d1733a52ca8520b6f760be3af00052c519b400bd25
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 79496cd99a2954252ad4e7fad153bcef
SHA256: 657d429d4f5268831394e46a05a6c2966feda4ceba8ef8946544bba77dd4a5c8
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: 6eb58e29b2d7355f32286003e0e07e11
SHA256: 1a94bd7d46ceed4b63f92ce28ebf6d9fb72bdeaa7f9c78722c4bb2e32d1ee66e
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 6eb58e29b2d7355f32286003e0e07e11
SHA256: 1a94bd7d46ceed4b63f92ce28ebf6d9fb72bdeaa7f9c78722c4bb2e32d1ee66e
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 32c6dd21e938465392f1d5641195a968
SHA256: 992382ecfcb8acaf41c56ff3c9890aad79c2d0f9987ab20aab45198f466c6b59
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: fe7b0ca3813d30ff8cce0dc7cf59e220
SHA256: 0c4383173fc4354a5e035584f63f6fb6646cc2170a8601bad572958c3ecd780b
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 1f3b8017214eb43f9f8155dbd00e16cd
SHA256: cd7f4359320dbcb8e87797a5b3c0d7051754572ddc089bf3667ef7582a2ed999
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: b859f62757aa7a364b26e71504764b4d
SHA256: 1130b27d3130f51c295af2882de05afead303ee11e89f81afb067fa673ac53c6
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 04f07669ac3e9ed5308d85c8e6ed4aa0
SHA256: 5351aadf976fa13f9baf5c5f572bfae60b518814bc492efde5b07270edae0fd7
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 724b4ff21a46a3b37f77f6e1207aea02
SHA256: 1b2a8b76db9b1188ce5ed59fa8535e4da024393d1c56de84ada381af5b988db2
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: cbe067dd31f5801794cabe0010be3de2
SHA256: c98cc0dc83bd35cfd3df8ae1c215ea43ed42cc76252ce9a31ffa10441d9fda84
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: cbe067dd31f5801794cabe0010be3de2
SHA256: c98cc0dc83bd35cfd3df8ae1c215ea43ed42cc76252ce9a31ffa10441d9fda84
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: ae9184b3de4e5fbf4dbecb3fb8378fe2
SHA256: d78b4726546fc224b6f0a711a9da4394975a882f7ab3d128aef4fec52b9b282e
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: df8dad938a9eab4cf4b021665c188c60
SHA256: e8be283fc3daf5bbb3472eb135a0905a18c3236b0f194d789bf733f9cce1ac52
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: e80890f5281eb116b514bc9a8e87587d
SHA256: 686d4ca09226b1d23db392f448446d29304dad4a68d2419ffb98d4b1d9ca0ba4
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 647abe321ef2de0154d3ce0c0fda2bf8
SHA256: 29fe70a041d1eea5c53fa79067c65564e079e4797f1001c463cd2ce5c477504d
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 91decc7145f87808ac543825011d8370
SHA256: 7d39e7686b0f7dead7d6966cf5054204e21c5eb046c7aade6c23e5da807bb128
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 3d40f576bcbc9c21fb34469e55a5733d
SHA256: 56c6e4b5e0bc520e6ce3094be82fa75cfd0d0d4d011c91ac1a33e52bc461ed0f
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 7588e4d068618f445a4ed0618e4d18cf
SHA256: 14ca6c8359d093948d8e1b8273454f94aac01542517dfa605eded7c6d6150661
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: a7131d9b39b77641b7d8b9e470ac201c
SHA256: b5a7ba961d69481c43d5179425a1cad5f61091f7c183489660f939cc8db720ef
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: a7131d9b39b77641b7d8b9e470ac201c
SHA256: b5a7ba961d69481c43d5179425a1cad5f61091f7c183489660f939cc8db720ef
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: df3f27a1ba7b59e23bfb268d6a949a1c
SHA256: 7f9012d49b9b6a2db6e0db85d5af35019ba2d517bf6562d0d80016b1cb6c1573
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 1bf017d1708ff0916b0a482559633c39
SHA256: e5133edf0e7de430549216dc0acdcaab94110d8857af09d95492b6362c187abc
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: ce2d2194e25388acd299250b68255b09
SHA256: 5dd6d08081fc0b034a6d934eaaf44a0a253bb197c91e4e362d5179426351aa86
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: d8a52e61ead4bc371c03139a224e04fb
SHA256: d466fbece2187c271636c0aad168fa729b5ec0a2914e767fc4fc32640ca4a4e9
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 16038941c95c5b9a32d10427304b87e6
SHA256: bac15fe21e3dcc230fd2ed8744d45d731de53a28aca2eedfbafbb6c0d115811d
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 160439147445a1046ad6d22a25f325a1
SHA256: a38ddc445a4325b45b05f7ece6da545afb7bebd16bb43f3aeaa7d0c30c7f4cc2
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: f59bfa2374f87f755b0978730aea1ef7
SHA256: 0b7bdbe40ceea192d9f41bc2b0aaf9f7da7d526322207d2285150c29e93516f8
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: 128f1a928046244bd63fe5dff95fd626
SHA256: 87d6b021fb377cb733db4a65a2f77bbf97beff1162a1c32e5b1bbc8f5ad67bc1
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 128f1a928046244bd63fe5dff95fd626
SHA256: 87d6b021fb377cb733db4a65a2f77bbf97beff1162a1c32e5b1bbc8f5ad67bc1
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: a23175839a53ffb142b8dfd103c3b495
SHA256: 286c9ce76a959ede8009c18a7d2a0006d1837d1c712fe4312507753b6ed7406d
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 3e58532ff78b2a9dac8b41121d9d1388
SHA256: 41ab5d8fed57b0e725ab13b898b35a70a55812379153c3ebf7d6d4624fe6a230
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 87625bee0e51ca7e56d8b98e749d1d09
SHA256: e1dd1fb9832193c37aad267b6107a5dc92bf193f1073f995b5e0bda61c2f51d0
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 67024140d7606f44c7d5b47112675cbd
SHA256: d5229d9a156ea1957938297c10c2e8491ccaff051600873c7aefd45ff4c082ea
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 6a6534f31187428212b36d39a9ee80b1
SHA256: 66b1c1a36c814bb5b4f69ee7b254e019f96a81d380f0a257af1f5803ae23dfc3
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: 4b8569f6af8aa102aa06c64254863da6
SHA256: 694172d5ac367552e30e37748b8ee8301bfe7b7f31ef95f77ae682c265a3a90c
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: 609de95f3652be4ef1b43326db3e6f77
SHA256: b80a4177cf9a416ca23c2dae3f96b9318a5044870f1d6fe9d1045fd1cd7baeb8
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: 609de95f3652be4ef1b43326db3e6f77
SHA256: b80a4177cf9a416ca23c2dae3f96b9318a5044870f1d6fe9d1045fd1cd7baeb8
1040
explorer.exe
C:\Users\admin\AppData\Roaming\adminlog.dat
text
MD5: bf3dba41023802cf6d3f8c5fd683a0c7
SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: eede824779215f47e8d16feac6caef04
SHA256: 0264419fd036a6c719c298960adbcb25d718e47ed0bc1fadc299958d1d372783
2464
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin2.txt
binary
MD5: 138cc118844c5109c7bbeba75bc55dfb
SHA256: 48a14dd3bb35bd2f150c2c6c5def24efe67ad8746651ab91ef9e7a20203829f7
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin8
text
MD5: cb05e461f050d3e084ca72fd85925e8a
SHA256: 090994ee147f88156863121bb587785b64d9e7b7e27cdbf1673a7595c8345110
1040
explorer.exe
C:\Users\admin\AppData\Local\Temp\admin7
text
MD5: cb05e461f050d3e084ca72fd85925e8a
SHA256: 090994ee147f88156863121bb587785b64d9e7b7e27cdbf1673a7595c8345110

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
2
Threats
0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
1040 explorer.exe 79.151.109.87:4000 Telefonica De Espana ES unknown

DNS requests

Domain IP Reputation
satellite-5g.ddns.net 79.151.109.87
malicious

Threats

No threats detected.

Debug output strings

No debug info.