General Info

File name

tnq092.exe

Full analysis
https://app.any.run/tasks/aaef408d-cbbd-4ac6-828c-7a87b5b9f848
Verdict
Malicious activity
Threats:

TrickBot is an advanced banking Trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage.

Analysis date
2/27/2019, 06:03:52
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:

evasion

trickbot

trojan

stealer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

476cc8ab088196733c2752cb26db2350

SHA1

42994ab8b8cbe1e40d559f98d8032fc875edf487

SHA256

868a571010696e5a8cd5d1a0330f84708e402c879e726b4b76e42170d3de5897

SSDEEP

12288:tYwlwh1xRt5oRAfPaseDJqMsZemK3iV5HeIBv7p0/c:tYth5t5oRp5JlsZ7KyVdeIBTa/c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
720 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Who has a link
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • 7-Zip 18.01 (x64) (18.01)
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (61.0.3163.91)
  • Google Update Helper (1.3.33.5)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (14.12.25810.0)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 x64 Additional Runtime - 14.12.25810 (14.12.25810)
  • Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.12.25810 (14.12.25810)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Mozilla Firefox 56.0 (x64 en-US) (56.0)
  • Mozilla Maintenance Service (55.0.3)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • VLC media player (2.2.6)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

Known privilege escalation attack
  • DllHost.exe (PID: 2872)
Uses SVCHOST.EXE for hidden code execution
  • tor092.exe (PID: 2508)
  • tor092.exe (PID: 2080)
  • svchost.exe (PID: 2396)
Connects to CnC server
  • svchost.exe (PID: 3000)
  • svchost.exe (PID: 2396)
Loads the Task Scheduler COM API
  • svchost.exe (PID: 3068)
  • mmc.exe (PID: 2996)
  • svchost.exe (PID: 2396)
Stealing of credential data
  • svchost.exe (PID: 3000)
Stops/Deletes Windows Defender service
  • cmd.exe (PID: 2432)
  • cmd.exe (PID: 2316)
  • cmd.exe (PID: 1772)
  • cmd.exe (PID: 2328)
Trickbot detected
  • svchost.exe (PID: 2396)
TRICKBOT was detected
  • svchost.exe (PID: 3000)
Checks for external IP
  • svchost.exe (PID: 2396)
Executable content was dropped or overwritten
  • tnq092.exe (PID: 1708)
Starts CMD.EXE for commands execution
  • tnq092.exe (PID: 1708)
  • tor092.exe (PID: 2508)
Creates files in the user directory
  • powershell.exe (PID: 1716)
  • powershell.exe (PID: 1724)
  • svchost.exe (PID: 2396)
  • tnq092.exe (PID: 1708)
Connects to unusual port
  • svchost.exe (PID: 2396)
  • svchost.exe (PID: 3000)
Executes PowerShell scripts
  • cmd.exe (PID: 864)
  • cmd.exe (PID: 1816)
Creates files in the Windows directory
  • svchost.exe (PID: 2396)
Reads the machine GUID from the registry
  • explorer.exe (PID: 3048)
  • mmc.exe (PID: 2996)
  • svchost.exe (PID: 3000)
  • svchost.exe (PID: 2396)
Removes files from Windows directory
  • svchost.exe (PID: 2396)
Application launched itself
  • svchost.exe (PID: 2396)
Loads DLL from Mozilla Firefox
  • svchost.exe (PID: 3000)
Reads settings of System Certificates
  • svchost.exe (PID: 2396)


Static information

TRiD
.exe
|   Win64 Executable (generic) (56.1%)
.scr
|   Windows screen saver (26.6%)
.exe
|   Win32 Executable (generic) (9.1%)
.exe
|   Generic Win/DOS Executable (4%)
.exe
|   DOS Executable Generic (4%)
EXIF
EXE
SpecialBuild:
Converter
ProductVersion:
1, 0, 0, 1
ProductName:
EliteConv Application
PrivateBuild:
EliteDecoder
OriginalFileName:
EliteConv.EXE
LegalTrademarks:
hAx Studios Ltd., Root-hack, fritz
LegalCopyright:
Copyright (C) 2004
InternalName:
EliteConverter
FileVersion:
1, 0, 0, 1
FileDescription:
Elite Converter | hex, dec, bin, oct and ascii
CompanyName:
hAx Studios Ltd.
Comments:
Elite Character Conversion by: http://hax-studios.net && http://root-hack.org || fritzy
CharacterSet:
Unicode
LanguageCode:
English (U.S.)
FileSubtype:
null
ObjectFileType:
Executable application
FileOS:
Win32
FileFlags:
Private build, Special build
FileFlagsMask:
0x003f
ProductVersionNumber:
1.0.0.1
FileVersionNumber:
1.0.0.1
Subsystem:
Windows GUI
SubsystemVersion:
5
ImageVersion:
null
OSVersion:
5
EntryPoint:
0x2069f
UninitializedDataSize:
null
InitializedDataSize:
320000
CodeSize:
207872
LinkerVersion:
9
PEType:
PE32
TimeStamp:
2019:02:26 18:06:54+01:00
MachineType:
Intel 386 or later, and compatibles
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
26-Feb-2019 17:06:54
Detected languages
English - United States
Comments:
Elite Character Conversion by: http://hax-studios.net && http://root-hack.org || fritzy
CompanyName:
hAx Studios Ltd.
FileDescription:
Elite Converter | hex, dec, bin, oct and ascii
FileVersion:
1, 0, 0, 1
InternalName:
EliteConverter
LegalCopyright:
Copyright (C) 2004
LegalTrademarks:
hAx Studios Ltd., Root-hack, fritz
OriginalFilename:
EliteConv.EXE
PrivateBuild:
EliteDecoder
ProductName:
EliteConv Application
ProductVersion:
1, 0, 0, 1
SpecialBuild:
Converter
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000100
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
4
Time date stamp:
26-Feb-2019 17:06:54
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00032B0E 0x00032C00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.56678
.rdata 0x00034000 0x0000C8FC 0x0000CA00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.04583
.data 0x00041000 0x0002FD5C 0x0002C200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.94181
.rsrc 0x00071000 0x00015494 0x00015600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 6.60822
Resources
1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

100

102

128

130

132

3841

3842

3843

3857

3858

3859

3860

3865

3866

3867

3868

3869

3887

30721

30734

30977

30994

30996

30998

30999

31000

31001

31002

31003

31004

31005

31006

31007

31008

31009

31010

31011

IDR_CHIMES

Imports
    KERNEL32.dll

    USER32.dll

    GDI32.dll

    COMDLG32.dll

    WINSPOOL.DRV

    ADVAPI32.dll

    SHELL32.dll

    SHLWAPI.dll

    oledlg.dll

    ole32.dll

    OLEAUT32.dll

    WINMM.dll

    OLEACC.dll (delay-loaded)

Exports

    No exports.

Processes

Total processes
72
Monitored processes
24
Malicious processes
6
Suspicious processes
4

Behavior graph

  • start
  • tnq092.exe
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • sc.exe (no specs)
  • sc.exe (no specs)
  • powershell.exe (no specs)
  • CMSTPLUA (no specs)
  • tor092.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • svchost.exe (no specs)
  • sc.exe (no specs)
  • sc.exe (no specs)
  • powershell.exe (no specs)
  • explorer.exe (no specs)
  • mmc.exe (no specs)
  • mmc.exe
  • tor092.exe (no specs)
  • #TRICKBOT svchost.exe
  • svchost.exe (no specs)
  • svchost.exe (no specs)
  • #TRICKBOT svchost.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
1708
CMD
"C:\Users\admin\Desktop\tnq092.exe"
Path
C:\Users\admin\Desktop\tnq092.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
hAx Studios Ltd.
Description
Elite Converter | hex, dec, bin, oct and ascii
Version
1, 0, 0, 1
Modules
Image
c:\systemroot\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\syswow64\winspool.drv
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\cmd.exe
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\cmlua.dll
c:\windows\syswow64\cmutil.dll
c:\windows\syswow64\version.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\comdlg32.dll
c:\users\admin\desktop\tnq092.exe
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\comsvcs.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\oledlg.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll

PID
1772
CMD
/c sc stop WinDefend
Path
C:\Windows\SysWOW64\cmd.exe
Indicators
No indicators
Parent process
tnq092.exe
User
admin
Integrity Level
MEDIUM
Exit code
5
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\cmd.exe
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\sc.exe
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\winbrand.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\rpcrt4.dll

PID
2432
CMD
/c sc delete WinDefend
Path
C:\Windows\SysWOW64\cmd.exe
Indicators
No indicators
Parent process
tnq092.exe
User
admin
Integrity Level
MEDIUM
Exit code
5
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\syswow64\cmd.exe
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\sc.exe
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\winbrand.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\systemroot\syswow64\ntdll.dll
c:\systemroot\system32\ntdll.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll

PID
864
CMD
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Path
C:\Windows\SysWOW64\cmd.exe
Indicators
No indicators
Parent process
tnq092.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\syswow64\cmd.exe
c:\systemroot\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\winbrand.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\system32\wow64.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\gdi32.dll

PID
2300
CMD
sc stop WinDefend
Path
C:\Windows\SysWOW64\sc.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
5
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\sc.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll

PID
1420
CMD
sc delete WinDefend
Path
C:\Windows\SysWOW64\sc.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
5
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\sc.exe
c:\windows\syswow64\cryptbase.dll
c:\windows\system32\wow64cpu.dll

PID
1724
CMD
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Path
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\shdocvw.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\ad92dab7f418877d6a1e0358ce35658a\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\18bfcf1ce2ee2590fab9e652aa2fb0f0\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\038e2b6a0fca5134cc94bdba268aa678\system.management.automation.ni.dll
c:\windows\syswow64\psapi.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\wow64.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\linkinfo.dll
c:\windows\syswow64\ntshrui.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\cscapi.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\syswow64\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\bd9ff1a4363781a57e8f7392f230a203\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\5899ed26db2d3dcca2a333abb64e3fd5\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\d6acc39f6c1ea42d8b3150db6184a969\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\dfeba9654bbb5cb83fd6b223bce5aa1a\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\fec007ea17ac8956cc5d6d4074dada6a\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\50e48d6dfa9faf86ed7827f4ea0cc52a\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\5f426e1d87e7c57b1650b2cd31ed90c5\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\2e8571d116616c901756ee2259985925\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\77c1dc46ea139bf5e1eaa9b87ef03c7a\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\00c2b464e52d4e82c04d61592a12a89d\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\237ed1739105c1bebe48d41905fdb3ee\system.directoryservices.ni.dll
c:\windows\syswow64\shfolder.dll
c:\windows\syswow64\secur32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\511c39d1efa06d262a6b2f47e2726c73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\syswow64\netutils.dll

PID
2872
CMD
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path
C:\Windows\SysWOW64\DllHost.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\syswow64\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\cmstplua.dll
c:\windows\syswow64\cmutil.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\cmlua.dll
c:\windows\syswow64\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shdocvw.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\users\admin\appdata\roaming\appnet\tor092.exe
c:\windows\syswow64\sfc.dll
c:\windows\syswow64\sfc_os.dll
c:\windows\syswow64\devrtl.dll
c:\windows\syswow64\mpr.dll

PID
2508
CMD
"C:\Users\admin\AppData\Roaming\appnet\tor092.exe"
Path
C:\Users\admin\AppData\Roaming\appnet\tor092.exe
Indicators
No indicators
Parent process
DllHost.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
hAx Studios Ltd.
Description
Elite Converter | hex, dec, bin, oct and ascii
Version
1, 0, 0, 1
Modules
Image
c:\users\admin\appdata\roaming\appnet\tor092.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\winspool.drv
c:\windows\syswow64\oledlg.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\cmd.exe
c:\windows\system32\kernelbase.dll

PID
2328
CMD
/c sc stop WinDefend
Path
C:\Windows\SysWOW64\cmd.exe
Indicators
No indicators
Parent process
tor092.exe
User
admin
Integrity Level
HIGH
Exit code
1062
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\winbrand.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\syswow64\cmd.exe

PID: 2316
CMD: /c sc delete WinDefend
Path: C:\Windows\SysWOW64\cmd.exe
Indicators: No indicators
Parent process: tor092.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Image):
c:\windows\syswow64\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\winbrand.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sc.exe

PID: 1816
CMD: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Path: C:\Windows\SysWOW64\cmd.exe
Indicators: No indicators
Parent process: tor092.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Version:
  Company: Microsoft Corporation
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Image):
c:\windows\syswow64\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\winbrand.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe

PID: 3068
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Indicators: No indicators
Parent process: tor092.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Host Process for Windows Services
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID: 2300
CMD: sc stop WinDefend
Path: C:\Windows\SysWOW64\sc.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 1062
Version:
  Company: Microsoft Corporation
  Description: A tool to aid in developing services for WindowsNT
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\syswow64\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\cryptbase.dll

PID: 1400
CMD: sc delete WinDefend
Path: C:\Windows\SysWOW64\sc.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: A tool to aid in developing services for WindowsNT
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\syswow64\sc.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll

PID: 1716
CMD: powershell Set-MpPreference -DisableRealtimeMonitoring $true
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Version:
  Company: Microsoft Corporation
  Description: Windows PowerShell
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shdocvw.dll
c:\windows\syswow64\linkinfo.dll
c:\windows\syswow64\ntshrui.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\cscapi.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\syswow64\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\ad92dab7f418877d6a1e0358ce35658a\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\18bfcf1ce2ee2590fab9e652aa2fb0f0\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\038e2b6a0fca5134cc94bdba268aa678\system.management.automation.ni.dll
c:\windows\syswow64\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\bd9ff1a4363781a57e8f7392f230a203\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\5899ed26db2d3dcca2a333abb64e3fd5\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\d6acc39f6c1ea42d8b3150db6184a969\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\dfeba9654bbb5cb83fd6b223bce5aa1a\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\fec007ea17ac8956cc5d6d4074dada6a\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\50e48d6dfa9faf86ed7827f4ea0cc52a\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\5f426e1d87e7c57b1650b2cd31ed90c5\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\2e8571d116616c901756ee2259985925\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\77c1dc46ea139bf5e1eaa9b87ef03c7a\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\00c2b464e52d4e82c04d61592a12a89d\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\237ed1739105c1bebe48d41905fdb3ee\system.directoryservices.ni.dll
c:\windows\syswow64\shfolder.dll
c:\windows\syswow64\secur32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\511c39d1efa06d262a6b2f47e2726c73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\atl.dll

PID: 3048
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Indicators: No indicators
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 1
Version:
  Company: Microsoft Corporation
  Description: Windows Explorer
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll

PID: 2680
CMD: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path: C:\Windows\system32\mmc.exe
Indicators: No indicators
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version:
  Company: Microsoft Corporation
  Description: Microsoft Management Console
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll

PID: 2996
CMD: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Path: C:\Windows\system32\mmc.exe
Indicators:
Parent process: ––
User: admin
Integrity Level: HIGH
Version:
  Company: Microsoft Corporation
  Description: Microsoft Management Console
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\system32\mmc.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\miguiresource.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\xmllite.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuration\a2571a4e32a586b52463d88a83702aed\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\miguicontrols\3f5dd9d8b94bf201dd20485165cafc9a\miguicontrols.ni.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\taskschd.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\custommarshalers\b78c08ac57ef3ed0fa122669719a89db\custommarshalers.ni.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\sspicli.dll
c:\windows\microsoft.net\framework64\v2.0.50727\diasymreader.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\mmcndmgr.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\duser.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\mmcbase.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\dwmapi.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mmcex\43e41e76df61e51ec5697bffd6305357\mmcex.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.xml\e0542eb82c5f716397d316d5c88f7ae5\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.windows.forms\e339f1036b8eb2c6be74704608908927\system.windows.forms.ni.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\taskscheduler\8e5b3871639503250afc8dc86c878be7\taskscheduler.ni.dll
c:\windows\system32\windowscodecs.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.managemen#\2d61188e8d276b33baa851e130a85120\microsoft.managementconsole.ni.dll
c:\windows\system32\sxs.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\dui70.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\mlang.dll
c:\windows\system32\mscoree.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mmcfxcommon\a69fdb8d83766e888a267e918f352abd\mmcfxcommon.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.drawing\1deaddfc41ab5efdec9a9b9faa759ada\system.drawing.ni.dll
c:\windows\microsoft.net\framework64\v2.0.50727\culture.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\gac_64\custommarshalers\2.0.0.0__b03f5f7f11d50a3a\custommarshalers.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\riched20.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\accessibility\74850dabe2a8ff9a9a6abd549c9fe653\accessibility.ni.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\npmproxy.dll

PID: 2080
CMD: C:\Users\admin\AppData\Roaming\appnet\tor092.exe
Path: C:\Users\admin\AppData\Roaming\appnet\tor092.exe
Indicators: No indicators
Parent process: ––
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version:
  Company: hAx Studios Ltd.
  Description: Elite Converter | hex, dec, bin, oct and ascii
  Version: 1, 0, 0, 1
Modules (Image):
c:\systemroot\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\shell32.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\winspool.drv
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\winsta.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\apphelp.dll
c:\windows\system32\kernelbase.dll
c:\windows\syswow64\wtsapi32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\oledlg.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\user32.dll
c:\windows\system32\wow64.dll
c:\users\admin\appdata\roaming\appnet\tor092.exe
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\ole32.dll

PID: 2396
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Indicators:
Parent process: tor092.exe
User: SYSTEM
Integrity Level: SYSTEM
Version:
  Company: Microsoft Corporation
  Description: Host Process for Windows Services
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\credssp.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\webio.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\secur32.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\napinsp.dll

PID: 1400
CMD: svchost.exe
Path: C:\Windows\system32\svchost.exe
Indicators: No indicators
Parent process: svchost.exe
User: admin
Integrity Level: MEDIUM
Version:
  Company: Microsoft Corporation
  Description: Host Process for Windows Services
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\system32\oleaut32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\syswow64\sc.exe
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samlib.dll

PID: 996
CMD: svchost.exe
Path: C:\Windows\system32\svchost.exe
Indicators: No indicators
Parent process: svchost.exe
User: SYSTEM
Integrity Level: SYSTEM
Version:
  Company: Microsoft Corporation
  Description: Host Process for Windows Services
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\svchost.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sspicli.dll

PID: 3000
CMD: svchost.exe
Path: C:\Windows\system32\svchost.exe
Indicators:
Parent process: svchost.exe
User: admin
Integrity Level: MEDIUM
Version:
  Company: Microsoft Corporation
  Description: Host Process for Windows Services
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\svchost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\sspicli.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\nssdbm3.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\secur32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\urlmon.dll

Registry activity

Total events: 9404
Read events: 0
Write events: 146
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
1724 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E | LanguageList | en-US
2872 | DllHost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
2872 | DllHost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
2872 | DllHost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
2872 | DllHost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
1716 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E | LanguageList | en-US
2996 | mmc.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E | LanguageList | en-US
2996 | mmc.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E | @C:\Windows\system32\miguiresource.dll,-202 | Schedule computer tasks to run automatically.
2996 | mmc.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E | @C:\Windows\system32\miguiresource.dll,-203 | Microsoft Corporation (c)
2996 | mmc.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E | @C:\Windows\system32\miguiresource.dll,-104 | 1.0
2996 | mmc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4} | HelpTopic | C:\Windows\Help\taskscheduler.chm
2996 | mmc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4} | LinkedHelpTopics | C:\Windows\Help\taskscheduler.chm
2396 | svchost.exe | write | HKEY_USERS\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\64\52C64B7E | LanguageList | en-US
996 | svchost.exe | write | HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | EnableHTTP2 | 0
996 | svchost.exe | write | HKEY_USERS\S-1-5-21-3896776584-4254864009-862391680-1000\Software\Microsoft\Internet Explorer\Main | TabProcGrowth | 0
3000 | svchost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
3000 | svchost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
3000 | svchost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:

Files activity

Executable files: 1
Suspicious files: 15
Text files: 2
Unknown types: 2

Dropped files

PID
Process
Filename
Type
1708
tnq092.exe
C:\Users\admin\AppData\Roaming\appnet\tor092.exe
executable
MD5: 476cc8ab088196733c2752cb26db2350
SHA256: 868a571010696e5a8cd5d1a0330f84708e402c879e726b4b76e42170d3de5897
1708
tnq092.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3896776584-4254864009-862391680-1000\0f5007522459c86e95ffcc62f32308f1_eeeb5d54-7880-42a7-b542-739bbc26cf4b
binary
MD5: 40c6fc72bc1ff6788a80bcaf4a2ba011
SHA256: 6faeb36c84c291c8da1642372ce339091f9de06d13badc93803a6b17dff317fa
2396
svchost.exe
C:\Users\admin\AppData\Roaming\appnet\Data\pwgrab64_configs\dpost
binary
MD5: 951e985669a827f5713c220d10289691
SHA256: 0790e8ffb428e00c01cd499ee4ab16edad974147c07ea1709df23d6ad34ef417
3000
svchost.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak
sqlite
MD5: 7e38586b09ceb8dda44b0e2458a2ef86
SHA256: 95ea2827ad0f595dd383b2c93f913caa4b4f8fd6628b3c76d442c48f7fe6d159
2396 svchost.exe C:\Users\admin\AppData\Roaming\appnet\Data\pwgrab64 binary
MD5: 539e8cf1b832a75e26d5df6524f26bdb
SHA256: c916848957d840eecb17252d6ae8f501027fa711cb48dd21d6603665ea78f1e6
2396 svchost.exe C:\Users\admin\AppData\Roaming\appnet\Data\injectDll64_configs\dpost binary
MD5: 951e985669a827f5713c220d10289691
SHA256: 0790e8ffb428e00c01cd499ee4ab16edad974147c07ea1709df23d6ad34ef417
2396 svchost.exe C:\Users\admin\AppData\Roaming\appnet\Data\injectDll64_configs\sinj binary
MD5: 16f4d6a4ee7f49810414ea156cb33f17
SHA256: 5d79e69c76531c5b8e4def11c41504f0d1fffcd67b78d63b42538edacdfa157d
2396 svchost.exe C:\Users\admin\AppData\Roaming\appnet\Data\injectDll64_configs\dinj binary
MD5: 147c1049e25a408078c0ecb158b437c5
SHA256: 3b033d79998bfb36d3abebd90a4efd34bf9895ca1186bf4c7671d9f62e1f613e
2396 svchost.exe C:\Users\admin\AppData\Roaming\appnet\Data\injectDll64 binary
MD5: c704cfdaac1ee41d43d194cab3340b04
SHA256: 1f389b5260c20b7c2721310e4f0de57b685e2c86e3ac9a9c2528eee008704d5e
2396 svchost.exe C:\Users\admin\AppData\Roaming\appnet\Data\systeminfo64 binary
MD5: 968518519928f5e4d20e8495b38c6665
SHA256: 8e5a3993054d1a72facff1e2d32b8df72f49c4a64a7c8f4d9655688216ba8ece
2396 svchost.exe C:\Windows\TEMP\TarD49B.tmp ––
MD5:  ––
SHA256:  ––
2396 svchost.exe C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 binary
MD5: 49747721216543791ef8b162f6bb56d1
SHA256: 537f1e667613d035a09f824c2d839a431a1eb1434d24dc26c7cd73cfd8ab67dc
2396 svchost.exe C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 compressed
MD5: bb377df27a55c05bb3793cd1e125c869
SHA256: 3c4ec495f17d21cc236bc7238bc02728bd945c07157fbf875cac340269afc207
2396 svchost.exe C:\Windows\TEMP\CabD49A.tmp ––
MD5:  ––
SHA256:  ––
2396 svchost.exe C:\Users\admin\AppData\Roaming\appnet\settings.ini text
MD5: 6bd191cb4462e841f3ebdff282de3505
SHA256: 39301c4d0badb1a2349385a0ce86fd84654449d6da1c90f1d831e95c97a21688
2080 tor092.exe C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_eeeb5d54-7880-42a7-b542-739bbc26cf4b binary
MD5: 24c9645a1861dc190e940ea9b98f1518
SHA256: 2079be4e38e17058efe6abd95ffdc303a22a67156dc13f8bfe2445f0ba3f0f8a
1716 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1497ba.TMP binary
MD5: 68ddcd94095de6b16893fee00dd712c3
SHA256: 7e40a9eaf34708fd6282e34227600c202529627be7df880792cb033b4d0cd835
1716 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms binary
MD5: 68ddcd94095de6b16893fee00dd712c3
SHA256: 7e40a9eaf34708fd6282e34227600c202529627be7df880792cb033b4d0cd835
1716 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2IIZ010PDPECIP20DDRQ.temp ––
MD5:  ––
SHA256:  ––
2508 tor092.exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3896776584-4254864009-862391680-1000\0f5007522459c86e95ffcc62f32308f1_eeeb5d54-7880-42a7-b542-739bbc26cf4b binary
MD5: e75bb15e84288378c1393c21714fb10e
SHA256: 21ed7952772d8990f3f36b7aa3f9cbdd0dbc82b2c9b9c5f3f21ec6ef99a3d1ad
1724 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms binary
MD5: 68ddcd94095de6b16893fee00dd712c3
SHA256: 7e40a9eaf34708fd6282e34227600c202529627be7df880792cb033b4d0cd835
1724 powershell.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4AA6LPA5U1G36T70CUUT.temp ––
MD5:  ––
SHA256:  ––
2396 svchost.exe C:\Users\admin\AppData\Roaming\appnet\settings.ini text
MD5: 7ae66d1f193940b5b8b10b0f18450197
SHA256: d7cf1fb8fee37b9ead2d74ba8ebe43e6dd2de1145faff4878287f0b541e9b992
3000 svchost.exe C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak sqlite
MD5: 0e7718a2a99444dc0b68c7fbc10ece79
SHA256: 9a72f9a714cbdfe2a6719b68e7c0be01bf13e2ad0d48e9c21740dda7b41adb01


Network activity

HTTP(S) requests: 5
TCP/UDP connections: 14
DNS requests: 2
Threats: 18

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2396 svchost.exe GET 200 147.75.89.25:80 http://icanhazip.com/ US text shared
2396 svchost.exe GET 200 8.248.237.254:80 http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?02c541413bd76ae3 US compressed whitelisted
3000 svchost.exe POST –– 190.146.112.216:8082 http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/ CO text –– –– malicious
3000 svchost.exe POST 200 190.146.112.216:8082 http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/ CO text text malicious
3000 svchost.exe POST –– 190.146.112.216:8082 http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/ CO text –– –– malicious


Connections

PID Process IP ASN CN Reputation
2396 svchost.exe 147.75.89.25:80 Packet Host, Inc. US suspicious
2396 svchost.exe 36.89.85.103:449 ID malicious
2396 svchost.exe 8.248.237.254:80 Level 3 Communications, Inc. US unknown
2396 svchost.exe 195.123.246.99:447 UA suspicious
3000 svchost.exe 190.146.112.216:8082 Telmex Colombia S.A. CO malicious
2396 svchost.exe 185.228.234.165:443 –– suspicious

DNS requests

Domain IP Reputation
icanhazip.com 147.75.89.25, 147.75.40.2 shared
ctldl.windowsupdate.com 8.248.237.254, 8.248.241.254, 8.247.206.126, 8.247.202.126, 8.248.245.254 whitelisted

Threats

PID Process Class Message
2396 svchost.exe Attempted Information Leak ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2396 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
2396 svchost.exe A Network Trojan was detected ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
2396 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
3000 svchost.exe A Network Trojan was detected ET TROJAN [PTsecurity] Trickbot Data Exfiltration
3000 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Trickbot Data Exfiltration
3000 svchost.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
3000 svchost.exe A Network Trojan was detected ET TROJAN [PTsecurity] Trickbot Data Exfiltration
3000 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Trickbot Data Exfiltration
3000 svchost.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
3000 svchost.exe A Network Trojan was detected ET TROJAN [PTsecurity] Trickbot Data Exfiltration
3000 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Trickbot Data Exfiltration
3000 svchost.exe Potentially Bad Traffic ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

5 ETPRO signatures available at the full report

Debug output strings

Process Message
mmc.exe Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn