General Info

File name

file32.exe

Full analysis
https://app.any.run/tasks/e3e9a158-a08c-4fca-9db1-9f94d4cb713d
Verdict
Malicious activity
Analysis date
9/11/2019, 02:18:31
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

danabot

trojan

stealer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

273d942f836a3b6a30823a967b73f42e

SHA1

65b4d8a117d74796d9d6737b363a6f0e28e426a4

SHA256

8e64e3cf269b87f4e6f0c634e50c1946259b6017d4a7e6fcf36a27cafa0ba821

SSDEEP

24576:rFbsLyjADERKMhp3KY8n+WZgMfGGD1qZ7HilX/T78PTGajiZeaEZB5QfFs41m:rFbskoCpMn5fbJqAl7IPT2BqMu41m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • RUNDLL32.EXE (PID: 2732)
  • explorer.exe (PID: 276)
  • services.exe (PID: 492)
  • RUNDLL32.EXE (PID: 4056)
  • RUNDLL32.EXE (PID: 3896)
  • winlogon.exe (PID: 444)
  • svchost.exe (PID: 2720)
  • RUNDLL32.EXE (PID: 3768)
  • RUNDLL32.EXE (PID: 2348)
  • rundll32.exe (PID: 2676)
  • rundll32.exe (PID: 2980)
  • regsvr32.exe (PID: 3912)
Changes settings of System certificates
  • RUNDLL32.EXE (PID: 4056)
DanaBot detected
  • RUNDLL32.EXE (PID: 2732)
  • services.exe (PID: 492)
  • explorer.exe (PID: 276)
  • RUNDLL32.EXE (PID: 4056)
  • RUNDLL32.EXE (PID: 3896)
  • winlogon.exe (PID: 444)
  • RUNDLL32.EXE (PID: 3768)
  • RUNDLL32.EXE (PID: 2348)
  • svchost.exe (PID: 2720)
  • rundll32.exe (PID: 2980)
Application was injected by another process
  • explorer.exe (PID: 276)
  • services.exe (PID: 492)
  • winlogon.exe (PID: 444)
Stealing of credential data
  • RUNDLL32.EXE (PID: 2348)
Runs injected code in another process
  • svchost.exe (PID: 2720)
DANABOT was detected
  • rundll32.exe (PID: 2676)
Connects to CnC server
  • rundll32.exe (PID: 2676)
Registers / Runs the DLL via REGSVR32.EXE
  • file32.exe (PID: 3208)
Actions looks like stealing of personal data
  • RUNDLL32.EXE (PID: 2348)
Creates files in the program directory
  • RUNDLL32.EXE (PID: 2348)
  • RUNDLL32.EXE (PID: 4056)
  • svchost.exe (PID: 2720)
  • rundll32.exe (PID: 2980)
  • rundll32.exe (PID: 2676)
Loads DLL from Mozilla Firefox
  • RUNDLL32.EXE (PID: 4056)
  • RUNDLL32.EXE (PID: 2732)
  • RUNDLL32.EXE (PID: 2348)
Creates files in the user directory
  • RUNDLL32.EXE (PID: 4056)
Reads Windows Product ID
  • RUNDLL32.EXE (PID: 2348)
Reads the cookies of Mozilla Firefox
  • RUNDLL32.EXE (PID: 2348)
Reads the cookies of Google Chrome
  • RUNDLL32.EXE (PID: 2348)
Uses RUNDLL32.EXE to load library
  • svchost.exe (PID: 2720)
  • rundll32.exe (PID: 2980)
  • regsvr32.exe (PID: 3912)
  • rundll32.exe (PID: 2676)
Creates or modifies windows services
  • RUNDLL32.EXE (PID: 3768)
  • services.exe (PID: 492)
Application launched itself
  • rundll32.exe (PID: 2980)
  • rundll32.exe (PID: 2676)
Executable content was dropped or overwritten
  • rundll32.exe (PID: 2676)
  • file32.exe (PID: 3208)
Searches for installed software
  • RUNDLL32.EXE (PID: 2348)
Application was crashed
  • file32.exe (PID: 3208)


Static information

TRiD
  • .exe  Win32 Executable MS Visual C++ (generic) (42.2%)
  • .exe  Win64 Executable (generic) (37.3%)
  • .dll  Win32 Dynamic Link Library (generic) (8.8%)
  • .exe  Win32 Executable (generic) (6%)
  • .exe  Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2016:04:16 13:22:44+02:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
172032
InitializedDataSize:
134656
UninitializedDataSize:
null
EntryPoint:
0x15a63
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
FileVersionNumber:
1.0.0.1
ProductVersionNumber:
1.0.0.1
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
CompanyName:
Faith LTD
FileDescription:
Faith Versioning System Client
FileVersion:
1, 0, 0, 1
InternalName:
CWebUpdatePrj
LegalCopyright:
Copyright (C) 2013 Faith LTD
OriginalFileName:
faithversion.exe
ProductName:
Faith Versioning System
ProductVersion:
1, 0, 0, 1
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
16-Apr-2016 11:22:44
Detected languages
English - United Kingdom
English - United States
CompanyName:
Faith LTD
FileDescription:
Faith Versioning System Client
FileVersion:
1, 0, 0, 1
InternalName:
CWebUpdatePrj
LegalCopyright:
Copyright (C) 2013 Faith LTD
OriginalFilename:
faithversion.exe
ProductName:
Faith Versioning System
ProductVersion:
1, 0, 0, 1
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
4
Time date stamp:
16-Apr-2016 11:22:44
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00029E5F 0x0002A000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.59724
.data 0x0002B000 0x0001619A 0x00016200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.70428
.rsrc 0x00042000 0x0000AA2C 0x0000AC00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.2696
.lord 0x0004D000 0x0012C01F 0x0012C200 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.98167
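The section table above is the most telling static artefact in this report: `.lord` is a non-standard name, is mapped read/write with no `IMAGE_SCN_CNT_*` content flag, and at 0x12C01F bytes is larger than the other three sections combined, while the version resource claims to be a 2013 "Faith Versioning System Client". The following is an added example, not part of the ANY.RUN report and not ANY.RUN's code: it parses a PE section table straight from the headers and flags sections of that shape. To run offline it constructs a small, non-loadable PE in memory whose section names and characteristics mirror the table above; the sizes, offsets and contents are constructed, so its entropy values are not the sample's (the report gives 5.98 for `.lord`; the random bytes used here will read as high entropy). The entropy threshold and the list of "known" section names are assumptions.

```python
"""PE section-table triage (added example; constructed test image, see lead-in)."""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CNT_ANY = IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_CNT_UNINITIALIZED_DATA

# Names a stock MSVC link emits; anything else deserves a look (assumption, not a spec).
KNOWN_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".edata",
               ".tls", ".bss", ".pdata", ".CRT", ".gfids"}
HIGH_ENTROPY = 7.0          # bits/byte; packed or encrypted blobs usually sit above this (assumption)
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def align_up(n, a):
    return (n + a - 1) // a * a


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table. Header parsing only."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    out = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                    "flags": flags, "entropy": round(shannon_entropy(raw), 3)})
    return out


def flag_section(sec):
    """Reasons a section looks suspicious; empty list means nothing notable."""
    f, reasons = sec["flags"], []
    if sec["name"] not in KNOWN_NAMES:
        reasons.append("non-standard name")
    if not f & CNT_ANY:
        reasons.append("no CNT_* content flag")       # the shape of .lord in the table above
    if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("writable and executable")
    if sec["rawsize"] == 0 and sec["vsize"] > 0:
        reasons.append("no raw data, filled at runtime")
    if sec["entropy"] >= HIGH_ENTROPY:
        reasons.append("high entropy")
    return reasons


def triage(pe: bytes):
    """Section name -> reasons, for every section in the image."""
    return {s["name"]: flag_section(s) for s in parse_sections(pe)}


def build_test_pe(sections):
    """Constructed minimal PE (DOS stub, COFF, zeroed optional header, section table, raw data).
    Not loadable; only good for exercising the parser."""
    e_lfanew, opt_size, align = 0x80, 0xE0, 0x200
    first_raw = align_up(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), align)
    raw_ptr, vaddr, hdrs, body = first_raw, 0x1000, b"", b""
    for name, flags, raw in sections:
        rawsize = align_up(len(raw), align)
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), len(raw), vaddr,
                            rawsize, raw_ptr, 0, 0, 0, 0, flags)
        body += raw.ljust(rawsize, b"\0")
        raw_ptr += rawsize
        vaddr += max(0x1000, align_up(len(raw), 0x1000))
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0103)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest zeroed
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(first_raw, b"\0") + body


_rng = random.Random(0x1EAD)
SAMPLE_PE = build_test_pe([   # constructed; names and flags mirror the report's section table
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x55\x8b\xec\x83\xec\x10" * 200),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     b"Faith Versioning System Client\0" + b"\0" * 400),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"\0" * 8 + b"\x01\0\0\0") ,
    # read/write, no CNT_* flag, non-standard name: the .lord shape; contents are random here
    (".lord", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, bytes(_rng.getrandbits(8) for _ in range(4096))),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name']:<8} va=0x{s['vaddr']:08X} vsize=0x{s['vsize']:08X} "
              f"flags=0x{s['flags']:08X} entropy={s['entropy']:.3f} -> {flag_section(s) or 'ok'}")
```

Pointing `triage()` at `open(path, "rb").read()` of a real file gives the same dictionary for that file; on this sample the `.lord` section would trip the name and content-flag checks regardless of its entropy, which is the point: a large RW section with no content type is where a loader stub keeps its payload.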
Resources (resource IDs as listed)
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
102, 128, 129, 130, 131, 132,
3841, 3842, 3843, 3857, 3858, 3859, 3860, 3865, 3866, 3867, 3868, 3869, 3887,
30721, 30734, 30977, 30994, 30996, 30998, 30999, 31000, 31001, 31002, 31003, 31004, 31005, 31006, 31007, 31008, 31009, 31010, 31011

Imports
    KERNEL32.dll
    USER32.dll
    GDI32.dll
    COMDLG32.dll
    WINSPOOL.DRV
    ADVAPI32.dll
    COMCTL32.dll
    SHLWAPI.dll
    OLEAUT32.dll
    urlmon.dll
    OLEACC.dll

Exports

    No exports.

Processes

Total processes
48
Monitored processes
15
Malicious processes
13
Suspicious processes
0

Behavior graph

Node labels as flattened from the interactive graph, in the order shown ("no specs" means the node carries no indicator badge; "#DANABOT" marks nodes the DanaBot signature fired on; the leading "start" and three "inject" tokens are edge labels, the injections matching the three processes listed under "Application was injected by another process"):
start, inject, inject, inject; file32.exe; regsvr32.exe (no specs); #DANABOT rundll32.exe; #DANABOT rundll32.exe (no specs); #DANABOT rundll32.exe; wusa.exe (no specs); wusa.exe; #DANABOT rundll32.exe; #DANABOT svchost.exe (no specs); #DANABOT rundll32.exe (no specs); #DANABOT winlogon.exe; #DANABOT rundll32.exe (no specs); #DANABOT services.exe; #DANABOT explorer.exe; #DANABOT rundll32.exe (no specs)

Process information

PID
444
CMD
winlogon.exe
Path
C:\Windows\System32\winlogon.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows Logon Application
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winsta.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\uxinit.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netjoin.dll
c:\windows\system32\netutils.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\slc.dll
c:\windows\system32\mpr.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\shell32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\comctl32.dll

PID
492
CMD
C:\Windows\system32\services.exe
Path
C:\Windows\System32\services.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Services and Controller app
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\scext.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\secur32.dll
c:\windows\system32\scesrv.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\credssp.dll
c:\windows\system32\authz.dll
c:\windows\system32\ubpm.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

PID
276
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\msutb.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\users\admin\appdata\local\temp\file32.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\werfault.exe
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msvfw32.dll

PID
3208
CMD
"C:\Users\admin\AppData\Local\Temp\file32.exe"
Path
C:\Users\admin\AppData\Local\Temp\file32.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION: the crash listed under Behavior activities; werfault.exe appears in the explorer.exe module list)
Version:
Company
Faith LTD
Description
Faith Versioning System Client
Version
1, 0, 0, 1
Modules
Image
c:\users\admin\appdata\local\temp\file32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\mspaint.exe
c:\windows\system32\version.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\regsvr32.exe

PID
3912
CMD
C:\Windows\system32\regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\file32.dll f1 C:\Users\admin\AppData\Local\Temp\[email protected]
Path
C:\Windows\system32\regsvr32.exe
Indicators
No indicators
Parent process
file32.exe
User
admin
Integrity Level
MEDIUM
Exit code
3
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\file32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rundll32.exe

PID
2676
CMD
C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\file32.dll,f0
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
regsvr32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\file32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll

PID
2980
CMD
C:\Windows\system32\\rundll32.exe C:\PROGRA~2\CD7092AF\F78E05D4.dll,f1 C:\Users\admin\AppData\Local\Temp\[email protected]
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wusa.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
2348
CMD
C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\CD7092AF\F78E05D4.dll,f2 F7090F619059A3FEB3E71D0ADA462372
Path
C:\Windows\system32\RUNDLL32.EXE
Indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\rtutils.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\mlang.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

PID
3724
CMD
"C:\Windows\System32\wusa.exe" /quiet
Path
C:\Windows\System32\wusa.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
Company
Microsoft Corporation
Description
Windows Update Standalone Installer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll

PID
3216
CMD
"C:\Windows\System32\wusa.exe" /quiet
Path
C:\Windows\System32\wusa.exe
Indicators
Parent process
rundll32.exe
User
admin
Integrity Level
HIGH
Exit code
87 (ERROR_INVALID_PARAMETER)
Version:
Company
Microsoft Corporation
Description
Windows Update Standalone Installer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dpx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
3768
CMD
C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\CD7092AF\F78E05D4.dll,f8
Path
C:\Windows\system32\RUNDLL32.EXE
Indicators
Parent process
rundll32.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
2720
CMD
C:\Windows\system32\svchost.exe -k LocalService
Path
C:\Windows\system32\svchost.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rundll32.exe

PID
3896
CMD
C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\CD7092AF\F78E05D4.dll,f3
Path
C:\Windows\system32\RUNDLL32.EXE
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\winsta.dll

PID
4056
CMD
C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\CD7092AF\F78E05D4.dll,f7
Path
C:\Windows\system32\RUNDLL32.EXE
Indicators
Parent process
svchost.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\wls0wndh.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll

PID
2732
CMD
C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\CD7092AF\F78E05D4.dll,f2 E48E292D52741264BCBA6B30A9CB2113
Path
C:\Windows\system32\RUNDLL32.EXE
Indicators
Parent process
svchost.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\wls0wndh.dll
c:\windows\system32\cryptui.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll

Registry activity

Total events
371
Read events
308
Write events
63
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
492
services.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
Type
272
492
services.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
Start
2
492
services.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
ErrorControl
1
492
services.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
ImagePath
C:\Windows\system32\svchost.exe -k LocalService
492
services.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
DisplayName
CD7092AF
492
services.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
Group
CD7092AF
492
services.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
ObjectName
LocalSystem
2980
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2980
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2348
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
EnableFileTracing
0
2348
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
EnableConsoleTracing
0
2348
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
FileTracingMask
4294901760
2348
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
ConsoleTracingMask
4294901760
2348
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
MaxFileSize
1048576
2348
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
FileDirectory
%windir%\tracing
2348
RUNDLL32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2348
RUNDLL32.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
LocalService
CD7092AF
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
Description
@%SystemRoot%\system32\Sens.dll,-201
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
DisplayName
@%SystemRoot%\system32\Sens.dll,-200
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
Group
ProfSvc_Group
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
ObjectName
LocalSystem
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
ImagePath
C:\Windows\system32\svchost.exe -k LocalService
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF\Parameters
ServiceDll
C:\ProgramData\CD7092AF\F78E05D4.dll
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
ErrorControl
1
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
Start
2
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF
Type
272
3768
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control
WaitToKillServiceTimeout
120000
4056
RUNDLL32.EXE
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
4056
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0F1C4B9CF33160AB3F965A1D89A0320168A794F0
Blob
0300000001000000140000000F1C4B9CF33160AB3F965A1D89A0320168A794F002000000010000003C0000001C00000000000000010000002000000000000000000000000100000074006800610077007400650020003800380020002D002000460030000000000020000000010000000703000030820303308201EBA00302010202103DF55425C98E05954374BC6AF3FE9970300D06092A864886F70D01010505003033311730150603550403130E746861777465203838202D204630310B3009060355040A13024E54310B3009060355040B1302454E301E170D3139303931313030323030355A170D3234303931313030323030355A3033311730150603550403130E746861777465203838202D204630310B3009060355040A13024E54310B3009060355040B1302454E30820122300D06092A864886F70D01010105000382010F003082010A0282010100C1917A885F3B647532AC769CE964784D4DA57A8ED035EB70A9FCE8A4610770BF63F7C66861D914ACA2C95B6E95501EEAEEFE8DA9621C2A6F66872B65170AB156605F80FB3978B806E60D3C5A0CAF59461AA1DEA705D7C3029CD2B57A29DDCA79F155E0E80298F547179D6A8CFCEB995BCDB3D92EEDC66C4B16DAAB1ED7CF6E1866319538007AB94FF1E0ED83A8CD76130672088441CD6E1E3E127745E2585C737B164D2647D5C0CD8762C00749D6A91CC450C0ECA6BB41E4C9D6818EAE4FB61C1B56B3EA5A9A50AF9744E4CBED041DAC92756D90E1BD1514C773BB224464671634DCBCC2C9A68B07AC4D66CE96E2BB3165E77F88F8D9F68BAB10E88E67DC9BC50203010001A3133011300F0603551D130101FF040530030101FF300D06092A864886F70D01010505000382010100B2F79369A57C27A3C32319CEE4357EEC6A69EB4B6FECCF1F68C4DF020856ED2DD596BA1E851ADDD84DAF70DDCFCC66479AC8D8CC880AF692205641B4A1264B80CB6E0D25DF441A76D7E0C103B78104120CA763D3EBCCD5CC6B3FFD7F6BF7859457C709205707444911B7570547E3CB83D40BBE0BAECB31FECD51C212DB498AC0DE8E2579EABB60EA6100CA3EBC24B13A93459BAAD498A942A3F28FF1ED1FF3F8274FECD4B7F684874F3D2A304A95D9561DDFA7AF581B655D10EE2CDE5ABF9D320A2755512A1DD7A9E5DE859B3CF63F5E9C9A4AFADB1AAFCDB9276AA3E1983F09D3BC64A6AECD0929618E3E02C8381CE165BCC5F79371A512DE05CDF5CE239DFB
4056
RUNDLL32.EXE
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
4056
RUNDLL32.EXE
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
127.0.0.1:8080
4056
RUNDLL32.EXE
write
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
4056
RUNDLL32.EXE
write
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
127.0.0.1:8080
4056
RUNDLL32.EXE
write
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
4056
RUNDLL32.EXE
write
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
127.0.0.1:8080
4056
RUNDLL32.EXE
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
4056
RUNDLL32.EXE
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
127.0.0.1:8080
4056
RUNDLL32.EXE
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1
4056
RUNDLL32.EXE
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
127.0.0.1:8080
2732
RUNDLL32.EXE
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
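
Read together, the writes above register CD7092AF as an svchost-hosted service (ImagePath svchost.exe -k LocalService, ServiceDll under C:\ProgramData), add it to the LocalService svchost group, give it the localized display name and description of the System Event Notification Service (the Sens.dll string resources -200 and -201) while keeping ObjectName LocalSystem, turn on a loopback proxy (127.0.0.1:8080) in every loaded user hive, and write a certificate into the machine ROOT store. The following Python is an added triage script, not part of the ANY.RUN report or of the sample: it replays those events (copied from the table above as constructed input, with the Blob value truncated) and flags each of those patterns. The rule names, the key regexes and the in_system32 helper are the script's own.

```python
"""Offline triage of sandbox registry writes. Added example, not part of the
ANY.RUN report or of the sample: it replays the Modification events above
(copied here as constructed input, Blob truncated) and flags the persistence
and interception patterns they form. Rule names and helpers are this script's."""
import re
from collections import defaultdict

SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CD7092AF"
EVENTS = [  # (pid, process, key, value name, data); every row in the table is a write
    (492, "services.exe", SVC, "Type", "272"),
    (492, "services.exe", SVC, "Start", "2"),
    (492, "services.exe", SVC, "ImagePath", r"C:\Windows\system32\svchost.exe -k LocalService"),
    (492, "services.exe", SVC, "ObjectName", "LocalSystem"),
    (3768, "RUNDLL32.EXE", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost",
     "LocalService", "CD7092AF"),
    (3768, "RUNDLL32.EXE", SVC, "Description", r"@%SystemRoot%\system32\Sens.dll,-201"),
    (3768, "RUNDLL32.EXE", SVC, "DisplayName", r"@%SystemRoot%\system32\Sens.dll,-200"),
    (3768, "RUNDLL32.EXE", SVC + r"\Parameters", "ServiceDll", r"C:\ProgramData\CD7092AF\F78E05D4.dll"),
    (4056, "RUNDLL32.EXE", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
     r"\0F1C4B9CF33160AB3F965A1D89A0320168A794F0", "Blob", "0300000001000000140000000F1C4B9C..."),  # truncated
]
for hive in (".DEFAULT", "S-1-5-19", "S-1-5-20",
             "S-1-5-21-1302019708-1500728564-335382590-1000",
             "S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES"):
    key = rf"HKEY_USERS\{hive}\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    EVENTS += [(4056, "RUNDLL32.EXE", key, "ProxyEnable", "1"),
               (4056, "RUNDLL32.EXE", key, "ProxyServer", "127.0.0.1:8080")]

SERVICE_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\services\\([^\\]+)(?:\\Parameters)?$", re.I)
SVCHOST_GROUPS = re.compile(r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost$", re.I)
ROOT_CERT = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})$", re.I)
PROXY_KEY = re.compile(r"^HKEY_USERS\\([^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings$", re.I)
MUI_REF = re.compile(r"^@(?:.*\\)?([^\\,]+),-\d+$")   # "@%SystemRoot%\system32\Sens.dll,-200" -> Sens.dll
SVCHOST_GROUP = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.I)


def in_system32(path: str) -> bool:
    return path.lower().startswith(("c:\\windows\\system32\\", "%systemroot%\\system32\\"))


def triage(events):
    """Return (rule, subject, detail) findings for the event list."""
    services, proxies, findings = defaultdict(dict), defaultdict(dict), []
    for pid, proc, key, name, data in events:
        if m := SERVICE_KEY.match(key):
            services[m.group(1)][name] = data            # merge all writes per service name
        elif SVCHOST_GROUPS.match(key):
            # A new member in an svchost group: Windows setup does this, user-mode code rarely.
            findings.append(("svchost_group_modified", data, name))
        elif (m := ROOT_CERT.search(key)) and name.lower() == "blob":
            findings.append(("root_cert_installed", m.group(1).upper(), f"{proc}:{pid}"))
        elif m := PROXY_KEY.match(key):
            proxies[m.group(1)][name] = data

    for svc, v in services.items():
        g = SVCHOST_GROUP.search(v.get("ImagePath", ""))
        if not g:
            continue                                     # only svchost-hosted services are in scope
        group, dll = g.group(1), v.get("ServiceDll", "")
        if dll and not in_system32(dll):
            findings.append(("servicedll_outside_system32", svc, dll))
        for field in ("DisplayName", "Description"):
            r = MUI_REF.match(v.get(field, ""))
            # Localized strings taken from a DLL other than the ServiceDll: the name is borrowed.
            if r and dll and r.group(1).lower() != dll.rsplit("\\", 1)[-1].lower():
                findings.append(("mui_string_borrowed", svc, r.group(1)))
                break
        if v.get("ObjectName", "").lower() == "localsystem" and group.lower() in ("localservice", "networkservice"):
            findings.append(("account_group_mismatch", svc, f"LocalSystem in svchost group {group}"))

    hives = sorted(h for h, p in proxies.items()
                   if p.get("ProxyEnable") == "1" and p.get("ProxyServer", "").startswith(("127.", "localhost")))
    if hives:
        findings.append(("loopback_proxy", proxies[hives[0]]["ProxyServer"], len(hives)))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(EVENTS):
        print(f"{rule:28} {subject}  {detail}")
```

On the events above the script reports six findings: the svchost group change, the ServiceDll under ProgramData, the Sens.dll display strings, LocalSystem inside the LocalService group, the ROOT store write by RUNDLL32.EXE:4056, and a loopback proxy set in five hives. On a live host the same rules apply to Sysmon event ID 13 (RegistryEvent, value set) records or to a `reg export` of the Services key once they are mapped onto the same (pid, process, key, name, data) shape.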

Files activity

Executable files
2
Suspicious files
3
Text files
3
Unknown types
15

Dropped files

PID
Process
Filename
Type
3208
file32.exe
C:\Users\admin\AppData\Local\Temp\file32.dll
executable
MD5: c769dccd113bc9bd6aa7d1995e33ea91
SHA256: 5ff7eecd396a8f7332442bcd461821595d928a59e102a55bccce0b309dfe9a52
2676
rundll32.exe
C:\ProgramData\CD7092AF\F78E05D4.dll
executable
MD5: 25de261a9234e01ad58185f19ac9fd79
SHA256: 2f84ba615ea5d79d902d8ce95e36a47a7c747a2441cb745f2d6f279d97dba60e
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1562875.tmp
sqlite
MD5: 9d0a95819e97b7aa666d2f1e1dc4a6c5
SHA256: b67b09717e75a9e5dc9f7dc4bb9c05069909cab47d9b12a2707d19ff7f6e8cb9
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1562859.tmp
sqlite
MD5: acfe428573bc93a1c2d167fa95961bb0
SHA256: beb40a8a26a3a77b8542de111f274c42b9095c5152322de1ea4e112308441338
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1562828.tmp
sqlite
MD5: e812b5aaa4ab657d430a930438dd0e7c
SHA256: 153a35f475f8b6ab4ae389da8be3ab7557250c46ce410c8d2c884c8ab418808f
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1562421.tmp-shm
––
MD5:  ––
SHA256:  ––
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1562421.tmp
––
MD5:  ––
SHA256:  ––
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1562312.tmp
sqlite
MD5: 60b51ba20224ac3783e213ea9f55f125
SHA256: 0e305ba02985f26b29b234cd79d2c2af0a51085da2db2bed98d20f8c61b76254
4056
RUNDLL32.EXE
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js
text
MD5: 354459382f30b8994109c88659dfa1f3
SHA256: e3e8e2b7e7eeca231620d83c70fa5a926e8b9ce74c51f595f71191dc0b50527e
4056
RUNDLL32.EXE
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db
sqlite
MD5: d8a5285d10016f834a09bd25d7a84297
SHA256: 7f26b381122213661430423fc69429aa9a4454d1106ef86b624a39124b424c4c
4056
RUNDLL32.EXE
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db
sqlite
MD5: 7f852030159a0f589d42d19806bc01f3
SHA256: b4de3286fc4d6c38365aebbc10e53a32374be59bd88550be540660fef57732ec
4056
RUNDLL32.EXE
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal
––
MD5:  ––
SHA256:  ––
4056
RUNDLL32.EXE
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db-journal
––
MD5:  ––
SHA256:  ––
4056
RUNDLL32.EXE
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db
sqlite
MD5: e5baf532769a6dbef833dccdce3773e7
SHA256: 4b051957f58b2dfe164acc911fee844bcb44fb1fd4bb51d18f20f23ac12d880e
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1561031.tmp
sqlite
MD5: 60b51ba20224ac3783e213ea9f55f125
SHA256: 0e305ba02985f26b29b234cd79d2c2af0a51085da2db2bed98d20f8c61b76254
4056
RUNDLL32.EXE
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\00aaeb7f59366f65444e3db0c7d2e7da_90059c37-1320-41a4-b58d-2b75a9850d2f
binary
MD5: b5616f56209f17ad2b797b157247fb5c
SHA256: be641ff8e345457f079907054fbdedcc09eccbfee6ed1bf46f49984f53d79eea
4056
RUNDLL32.EXE
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\00aaeb7f59366f65444e3db0c7d2e7da_90059c37-1320-41a4-b58d-2b75a9850d2f
dbf
MD5: f67b4609dde75b893c85e8a881b98e6d
SHA256: 48497279ee5f6118e8ceec1630d1a94b088c131ceb9e0c2bfff3820c4781e358
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1558250.tmp
sqlite
MD5: 7c426e0fc19063a433349ce713da84a0
SHA256: 9925b2d80f8a85132ef4927979b25e0b9525e8317a71ffd844980b794b04234c
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1558250.tmp-shm
––
MD5:  ––
SHA256:  ––
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1558218.tmp
sqlite
MD5: dd9640af5f03807cf2e3921cba16af0d
SHA256: ecf72c454fef08c5948a565464839a554567e499f995483d6c8b54b32ea2c5f0
2720
svchost.exe
C:\ProgramData\CD7092AF\3E73D36A
text
MD5: 7775b74dda73a199a07c0ea54df08b3f
SHA256: fd63c9034395c7ebfc8e4e555f78c44cf1c9338949b06f67ba7c58b166e5b1c3
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1555359.tmp
sqlite
MD5: acfe428573bc93a1c2d167fa95961bb0
SHA256: beb40a8a26a3a77b8542de111f274c42b9095c5152322de1ea4e112308441338
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1555328.tmp
sqlite
MD5: e812b5aaa4ab657d430a930438dd0e7c
SHA256: 153a35f475f8b6ab4ae389da8be3ab7557250c46ce410c8d2c884c8ab418808f
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1550062.tmp
sqlite
MD5: 60b51ba20224ac3783e213ea9f55f125
SHA256: 0e305ba02985f26b29b234cd79d2c2af0a51085da2db2bed98d20f8c61b76254
2348
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1549890.tmp
sqlite
MD5: 60b51ba20224ac3783e213ea9f55f125
SHA256: 0e305ba02985f26b29b234cd79d2c2af0a51085da2db2bed98d20f8c61b76254
2980
rundll32.exe
C:\ProgramData\CD7092AF\3E73D36A
text
MD5: 0959bb2affa5dfd8b2c64f9cf5afd77c
SHA256: 0139b3decd03f159d69fb4428e951f609873006d51d776524c760ea1a906e9b4
2980
rundll32.exe
C:\ProgramData\CD7092AF\6627FE4D\D018E930C7A5B5FC26BF0308E3F7A56E
binary
MD5: e308beb97fed11cf60461facd01e1e0b
SHA256: 71d141d3c43858017358ad41c557317d32fc5a3e081862c64d812f14d640b31a
2720
svchost.exe
C:\ProgramData\CD7092AF\45E29FAD\65F715BB40AC771809D92DBC951CCB3A.zip
––
MD5:  ––
SHA256:  ––
2676
rundll32.exe
C:\ProgramData\CD7092AF\88C0025B
––
MD5:  ––
SHA256:  ––
2348
RUNDLL32.EXE
C:\ProgramData\CD7092AF\6627FE4D\4036E2C924A7A78655970B9F1EE14A6D
binary
MD5: c7c126bb26ebb432f877aa00600b6d32
SHA256: 47adc5e53200849e80d56e352e7c7e872a5941d1d62e71eb37ea51e6a5c5a1c3
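
The Blob written under SystemCertificates\ROOT\Certificates\0F1C4B9CF33160AB3F965A1D89A0320168A794F0 is a serialized CryptoAPI store element: a SHA-1 hash property, a CRYPT_KEY_PROV_INFO property naming the private key container, and the DER certificate. Together with the ProxyServer=127.0.0.1:8080 writes and the key file dropped under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys by the same process (PID 4056), that is the setup for intercepting TLS through a local proxy using a CA the machine now trusts. The following Python is an added example, not from the ANY.RUN report or the sample: it decodes that blob (hex copied from the Modification events table, key name copied from the registry key), checks that the key name, the stored hash property and a fresh SHA-1 over the DER agree, and extracts the fields a responder wants (subject, self-signed, CA flag, validity, key container). The property layout used is the 32-bit CRYPT_KEY_PROV_INFO structure, which matches the 32-bit guest; the DER reader is deliberately minimal and assumes a well-formed certificate.

```python
"""Decode a certificate pushed into the machine ROOT store through the registry.
Added example, not from the ANY.RUN report or the sample: KEY_NAME and BLOB_HEX
are copied from the Modification events table; the property walk (32-bit
CRYPT_KEY_PROV_INFO) and the minimal DER reader are this script's own."""
import hashlib
import struct

KEY_NAME = "0F1C4B9CF33160AB3F965A1D89A0320168A794F0"   # registry key name == SHA-1 thumbprint
BLOB_HEX = (
    "0300000001000000140000000F1C4B9CF33160AB3F965A1D89A0320168A794F0"     # prop 3: SHA-1 hash, 20 bytes
    "02000000010000003C000000"                                             # prop 2: CRYPT_KEY_PROV_INFO, 60 bytes
    "1C000000000000000100000020000000000000000000000001000000"             #   offsets, prov type, flags, key spec
    "74006800610077007400650020003800380020002D0020004600300000000000"     #   container name "thawte 88 - F0"
    "200000000100000007030000"                                             # prop 32: DER certificate, 775 bytes
    "30820303308201EBA003020102" "02103DF55425C98E05954374BC6AF3FE9970"   # Certificate, tbs, v3, serialNumber
    "300D06092A864886F70D0101050500"                                       # sha1WithRSAEncryption
    "3033311730150603550403130E746861777465203838202D204630310B3009060355040A13024E54310B3009060355040B1302454E"  # issuer
    "301E170D3139303931313030323030355A170D3234303931313030323030355A"     # validity (UTCTime pair)
    "3033311730150603550403130E746861777465203838202D204630310B3009060355040A13024E54310B3009060355040B1302454E"  # subject
    "30820122300D06092A864886F70D01010105000382010F003082010A0282010100"  # SubjectPublicKeyInfo, RSA 2048
    "C1917A885F3B647532AC769CE964784D4DA57A8ED035EB70A9FCE8A4610770BF63F7C66861D914ACA2C95B6E95501EEAEEFE8DA9621C2A6F66872B65170AB156605F80FB3978B806E60D3C5A0CAF59461AA1DEA705D7C3029CD2B57A29DDCA79F155E0E80298F547179D6A8CFCEB995BCDB3D92EEDC66C4B16DAAB1ED7CF6E1866319538007AB94FF1E0ED83A8CD76130672088441CD6E1E3E127745E2585C737B164D2647D5C0CD8762C00749D6A91CC450C0ECA6BB41E4C9D6818EAE4FB61C1B56B3EA5A9A50AF9744E4CBED041DAC92756D90E1BD1514C773BB224464671634DCBCC2C9A68B07AC4D66CE96E2BB3165E77F88F8D9F68BAB10E88E67DC9BC5"
    "0203010001" "A3133011300F0603551D130101FF040530030101FF"              # e=65537; basicConstraints CA:TRUE
    "300D06092A864886F70D0101050500" "0382010100"                          # signatureAlgorithm, BIT STRING
    "B2F79369A57C27A3C32319CEE4357EEC6A69EB4B6FECCF1F68C4DF020856ED2DD596BA1E851ADDD84DAF70DDCFCC66479AC8D8CC880AF692205641B4A1264B80CB6E0D25DF441A76D7E0C103B78104120CA763D3EBCCD5CC6B3FFD7F6BF7859457C709205707444911B7570547E3CB83D40BBE0BAECB31FECD51C212DB498AC0DE8E2579EABB60EA6100CA3EBC24B13A93459BAAD498A942A3F28FF1ED1FF3F8274FECD4B7F684874F3D2A304A95D9561DDFA7AF581B655D10EE2CDE5ABF9D320A2755512A1DD7A9E5DE859B3CF63F5E9C9A4AFADB1AAFCDB9276AA3E1983F09D3BC64A6AECD0929618E3E02C8381CE165BCC5F79371A512DE05CDF5CE239DFB"
)
CERT_KEY_PROV_INFO_PROP_ID, CERT_SHA1_HASH_PROP_ID, CERT_CERT_PROP_ID = 2, 3, 32
CRYPT_MACHINE_KEYSET = 0x20


def parse_blob_properties(blob: bytes) -> dict:
    """A registry store element is a run of (DWORD propid, DWORD 1, DWORD cb, cb bytes)."""
    props, pos = {}, 0
    while pos + 12 <= len(blob):
        propid, _, cb = struct.unpack_from("<III", blob, pos)
        props[propid] = blob[pos + 12:pos + 12 + cb]
        pos += 12 + cb
    return props


def parse_key_prov_info(data: bytes) -> dict:
    """32-bit CRYPT_KEY_PROV_INFO: container/provider name offsets, dwProvType, dwFlags, cProvParam, rgProvParam, dwKeySpec."""
    off_container, off_prov, prov_type, flags, _, _, key_spec = struct.unpack_from("<7I", data)
    wstr = lambda off: data[off:].decode("utf-16-le", "ignore").split("\x00")[0] if off else ""
    return {"container": wstr(off_container), "provider": wstr(off_prov), "prov_type": prov_type,
            "machine_keyset": bool(flags & CRYPT_MACHINE_KEYSET), "key_spec": key_spec}


def tlv(buf: bytes, pos: int = 0):
    """Minimal DER reader: (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(buf: bytes) -> list:
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = tlv(buf, pos)
        out.append((tag, body))
    return out


def common_name(name: bytes) -> str:
    for _, rdn in children(name):                        # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == bytes.fromhex("550403"):        # id-at-commonName
                return value[1].decode("latin-1")
    return ""


def parse_certificate(der: bytes) -> dict:
    (_, tbs), _alg, _sig = children(tlv(der)[1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:                             # [0] EXPLICIT version, present for v2/v3
        fields = fields[1:]
    serial, _, issuer, validity, subject = fields[:5]
    not_before, not_after = (b.decode() for _, b in children(validity[1]))
    is_ca = False
    for tag, body in fields[5:]:
        if tag != 0xA3:                                  # [3] EXPLICIT Extensions
            continue
        for _, ext in children(children(body)[0][1]):
            parts = children(ext)                        # extnID, optional critical, extnValue
            if parts[0][1] == bytes.fromhex("551D13"):   # id-ce-basicConstraints
                inner = children(children(parts[-1][1])[0][1])
                is_ca = bool(inner) and inner[0][0] == 0x01 and inner[0][1] == b"\xff"
    return {"serial": serial[1].hex().upper(), "issuer_cn": common_name(issuer[1]),
            "subject_cn": common_name(subject[1]), "self_signed": issuer[1] == subject[1],
            "not_before": not_before, "not_after": not_after, "is_ca": is_ca}


def inspect_store_entry(key_name: str, blob_hex: str) -> dict:
    props = parse_blob_properties(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    report = parse_certificate(der)
    report["thumbprint"] = hashlib.sha1(der).hexdigest().upper()
    # Key name, stored hash property and a fresh SHA-1 over the DER must all agree.
    report["thumbprint_consistent"] = (report["thumbprint"] == key_name.upper()
                                      == props[CERT_SHA1_HASH_PROP_ID].hex().upper())
    kpi = props.get(CERT_KEY_PROV_INFO_PROP_ID)
    report["private_key"] = parse_key_prov_info(kpi) if kpi else None
    return report


if __name__ == "__main__":
    for k, v in inspect_store_entry(KEY_NAME, BLOB_HEX).items():
        print(f"{k:22} {v}")
```

The decoded entry is a self-signed CA named "thawte 88 - F0" with basicConstraints CA:TRUE, a notBefore of 2019-09-11 00:20:05Z (the day of this analysis) and a five-year lifetime, and it is bound to a key container of the same name in the machine keyset (CRYPT_MACHINE_KEYSET, PROV_RSA_FULL, AT_KEYEXCHANGE), which is what the MachineKeys file above holds. The name mimics a Thawte root but nothing else about it does; on a live host the same blob can be read from the registry value or listed with `certutil -store Root`.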

Find more information on the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
15

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
2676 rundll32.exe 105.220.72.181:443 TICSA-ASN ZA malicious
2676 rundll32.exe 5.45.65.74:443 Serverius Holding B.V. NL malicious

DNS requests

No DNS requests.

Threats

PID Process Class Message
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
2676 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I

1 ETPRO signature available in the full report

Debug output strings

No debug info.