File name: SupportPackage.6263103980.zip

Full analysis: https://app.any.run/tasks/6475a0b9-7b22-44f4-b8e9-9e7ce0c538ef
Verdict: Malicious activity
Analysis date: April 10, 2019, 07:09:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 505285A1C72A5A749763A4C9ED3A44EA
SHA1: A46536F3FD9DC557C783A924A8B703C5EF7C8EB6
SHA256: 8E74E83C017FD3E2E9C50AB958EB2D90D06890C496A3BA3850988C21BF4E3146
SSDEEP: 49152:INHfubpo7MqQ9GQc0z9DRyIZ3l0BoeXCwTgeGD9B+TN5Qksb98S3teYhyqc/LSzX:4Hf/7EpRLlCBj/Tu+TEvJ3tePqc/e3jH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • msdt.exe (PID: 3712)
      • Autorunsc.exe (PID: 3876)
    • Application was dropped or rewritten from another process

      • ChecksymX86.exe (PID: 2148)
      • ChecksymX86.exe (PID: 1760)
      • ChecksymX86.exe (PID: 3940)
      • ChecksymX86.exe (PID: 3968)
      • ChecksymX86.exe (PID: 2388)
      • ChecksymX86.exe (PID: 1380)
      • ChecksymX86.exe (PID: 3984)
      • PstatX86.exe (PID: 3716)
      • Autorunsc.exe (PID: 3876)
      • fltrfind.exe (PID: 1140)
      • Showpriv.exe (PID: 3204)
      • Showpriv.exe (PID: 2920)
      • Showpriv.exe (PID: 1296)
      • Showpriv.exe (PID: 3748)
      • Showpriv.exe (PID: 3508)
      • Showpriv.exe (PID: 3532)
      • Showpriv.exe (PID: 2104)
      • Showpriv.exe (PID: 2852)
      • Showpriv.exe (PID: 4080)
      • Showpriv.exe (PID: 788)
      • Showpriv.exe (PID: 2788)
      • Showpriv.exe (PID: 2988)
      • Showpriv.exe (PID: 3728)
      • Showpriv.exe (PID: 1920)
      • Showpriv.exe (PID: 2268)
      • Showpriv.exe (PID: 2956)
      • Showpriv.exe (PID: 3692)
      • Showpriv.exe (PID: 2896)
      • Showpriv.exe (PID: 2712)
      • Showpriv.exe (PID: 2564)
      • Showpriv.exe (PID: 3332)
      • Showpriv.exe (PID: 2008)
      • Showpriv.exe (PID: 1424)
      • Showpriv.exe (PID: 2064)
      • Showpriv.exe (PID: 3428)
      • Showpriv.exe (PID: 1952)
      • Showpriv.exe (PID: 2364)
      • Showpriv.exe (PID: 3240)
      • Showpriv.exe (PID: 2968)
      • Showpriv.exe (PID: 4028)
      • Showpriv.exe (PID: 988)
      • Showpriv.exe (PID: 3140)
      • Showpriv.exe (PID: 2464)
      • Showpriv.exe (PID: 1684)
      • Showpriv.exe (PID: 3520)
      • Showpriv.exe (PID: 3708)
      • Showpriv.exe (PID: 3972)
      • Showpriv.exe (PID: 2124)
      • Showpriv.exe (PID: 2720)
      • Showpriv.exe (PID: 3608)
      • Showpriv.exe (PID: 2948)
      • Showpriv.exe (PID: 3044)
      • Showpriv.exe (PID: 676)
      • Showpriv.exe (PID: 2600)
      • Showpriv.exe (PID: 2844)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3820)
      • ChecksymX86.exe (PID: 3984)
      • schtasks.exe (PID: 4088)
      • sdiagnhost.exe (PID: 2796)
      • ChecksymX86.exe (PID: 1760)
      • Autorunsc.exe (PID: 3876)
      • rundll32.exe (PID: 1276)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3212)
      • cmd.exe (PID: 2520)
    • Loads the Task Scheduler DLL interface

      • ChecksymX86.exe (PID: 1760)
    • Application was injected by another process

      • svchost.exe (PID: 1224)
    • Runs injected code in another process

      • rundll32.exe (PID: 1276)
    • Starts NET.EXE to view/change shared resources

      • cmd.exe (PID: 1440)
    • Starts NET.EXE to view/change login properties

      • cmd.exe (PID: 1296)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msdt.exe (PID: 3952)
      • msdt.exe (PID: 3712)
    • Application launched itself

      • msdt.exe (PID: 3952)
    • Creates files in the Windows directory

      • powershell.exe (PID: 572)
      • sdiagnhost.exe (PID: 2796)
      • cscript.exe (PID: 4016)
      • msdt.exe (PID: 3712)
      • cscript.exe (PID: 3208)
      • cscript.exe (PID: 3640)
      • cmd.exe (PID: 2408)
      • cmd.exe (PID: 392)
      • cmd.exe (PID: 3216)
      • cmd.exe (PID: 3956)
      • ChecksymX86.exe (PID: 1380)
      • ChecksymX86.exe (PID: 2148)
      • cmd.exe (PID: 2696)
      • cmd.exe (PID: 1892)
      • ChecksymX86.exe (PID: 2388)
      • cmd.exe (PID: 3212)
      • ChecksymX86.exe (PID: 3984)
      • cmd.exe (PID: 2520)
      • CMD.EXE (PID: 2580)
      • cmd.exe (PID: 300)
      • ChecksymX86.exe (PID: 3940)
      • ChecksymX86.exe (PID: 3968)
      • ChecksymX86.exe (PID: 1760)
      • tracerpt.exe (PID: 4072)
      • cscript.exe (PID: 1404)
      • rundll32.exe (PID: 1276)
      • cmd.exe (PID: 3692)
      • gpresult.exe (PID: 3724)
      • netsh.exe (PID: 1076)
      • netsh.exe (PID: 728)
      • netsh.exe (PID: 3800)
      • netsh.exe (PID: 2708)
      • netsh.exe (PID: 2568)
      • reg.exe (PID: 1492)
      • cscript.exe (PID: 324)
      • netsh.exe (PID: 1356)
    • Adds / modifies Windows certificates

      • msdt.exe (PID: 3712)
      • Autorunsc.exe (PID: 3876)
    • Executes PowerShell scripts

      • sdiagnhost.exe (PID: 2796)
    • Creates files in the user directory

      • powershell.exe (PID: 572)
    • Uses NETSTAT.EXE to discover network connections

      • cmd.exe (PID: 2080)
      • cmd.exe (PID: 2572)
      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 2056)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 1828)
      • cmd.exe (PID: 3788)
      • cmd.exe (PID: 3576)
      • cmd.exe (PID: 3324)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 2840)
      • cmd.exe (PID: 1784)
      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 1752)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 996)
      • cmd.exe (PID: 788)
      • cmd.exe (PID: 344)
      • cmd.exe (PID: 408)
      • sdiagnhost.exe (PID: 2796)
      • cmd.exe (PID: 2404)
      • cmd.exe (PID: 288)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 1136)
      • cmd.exe (PID: 308)
      • cmd.exe (PID: 2008)
    • Starts CMD.EXE for commands execution

      • cscript.exe (PID: 4016)
      • cscript.exe (PID: 3208)
      • sdiagnhost.exe (PID: 2796)
      • cscript.exe (PID: 1404)
      • cscript.exe (PID: 3752)
      • cscript.exe (PID: 3328)
      • cscript.exe (PID: 324)
      • cscript.exe (PID: 3732)
    • Executes scripts

      • sdiagnhost.exe (PID: 2796)
    • Removes files from Windows directory

      • sdiagnhost.exe (PID: 2796)
      • tracerpt.exe (PID: 4072)
      • rundll32.exe (PID: 1276)
      • reg.exe (PID: 1492)
      • msdt.exe (PID: 3712)
    • Uses TASKLIST.EXE to query information about running processes

      • sdiagnhost.exe (PID: 2796)
    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 2140)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2636)
    • Low-level read access rights to disk partition

      • bcdedit.exe (PID: 3160)
      • bcdedit.exe (PID: 3448)
      • bcdedit.exe (PID: 3424)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 3004)
      • cmd.exe (PID: 2964)
      • cmd.exe (PID: 2400)
      • cmd.exe (PID: 3532)
      • cmd.exe (PID: 764)
      • cmd.exe (PID: 1752)
      • cmd.exe (PID: 1452)
      • cmd.exe (PID: 3160)
      • cmd.exe (PID: 2144)
      • cmd.exe (PID: 1864)
      • cmd.exe (PID: 3100)
      • cmd.exe (PID: 1664)
      • cmd.exe (PID: 1704)
      • sdiagnhost.exe (PID: 2796)
      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 3660)
      • cmd.exe (PID: 3432)
      • cmd.exe (PID: 2884)
      • cmd.exe (PID: 2760)
    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 2748)
      • cmd.exe (PID: 2488)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • msdt.exe (PID: 3952)
      • msdt.exe (PID: 3712)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 768)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:09:03 09:55:12
ZipCRC: 0x816e32c7
ZipCompressedSize: 2965571
ZipUncompressedSize: 3012178
ZipFileName: SupportPackage.6263103980.diagcab
No data.
All screenshots are available in the full report
Total processes: 320
Monitored processes: 276
Malicious processes: 13
Suspicious processes: 17

Behavior graph

Process launch order as shown in the graph (processes marked with * carry indicators in the graph; every other entry is labelled "no specs" in the original):

start, inject, winrar.exe, msdt.exe*, msdt.exe*, sdiagnhost.exe, powershell.exe, cmd.exe, netsh.exe, cmd.exe, netstat.exe, cscript.exe, cmd.exe, wevtutil.exe, wevtutil.exe, cmd.exe, wevtutil.exe, cmd.exe, wevtutil.exe, cscript.exe, cmd.exe, wevtutil.exe, wevtutil.exe, cmd.exe, wevtutil.exe, cmd.exe, wevtutil.exe, cscript.exe, cmd.exe, checksymx86.exe, cmd.exe, checksymx86.exe, cmd.exe, checksymx86.exe, cmd.exe, checksymx86.exe, cmd.exe, checksymx86.exe, tasklist.exe, cmd.exe, checksymx86.exe, cmd.exe, checksymx86.exe, cmd.exe, systeminfo.exe, cmd.exe, pstatx86.exe, cmd.exe, sc.exe, cscript.exe, cmd.exe, schtasks.exe, cmd.exe, cmd.exe, schtasks.exe, fltmc.exe, cmd.exe, cmd.exe, fltmc.exe, autorunsc.exe*, cmd.exe, fltrfind.exe, wmiapsrv.exe, rundll32.exe, svchost.exe*, tracerpt.exe, cmd.exe, bcdedit.exe, cmd.exe, bcdedit.exe, cmd.exe, bcdedit.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cscript.exe, showpriv.exe (45 consecutive instances),
cmd.exe, gpresult.exe, gpresult.exe, cmd.exe, hostname.exe, cmd.exe, ipconfig.exe, cmd.exe, arp.exe, cmd.exe, nbtstat.exe, cmd.exe, netstat.exe, cmd.exe, netstat.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netstat.exe, cmd.exe, net.exe, net1.exe, cmd.exe, net.exe, net1.exe, cmd.exe, net.exe, net1.exe, cmd.exe, net.exe, net1.exe, cmd.exe, net.exe, net1.exe, cmd.exe, net.exe, cmd.exe, net.exe, net1.exe, cmd.exe, net.exe, net1.exe, cmd.exe, reg.exe, cmd.exe, ipconfig.exe, cmd.exe, netsh.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe,
netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, netsh.exe, netsh.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, cmd.exe, netsh.exe, netsh.exe, netsh.exe, cscript.exe, cmd.exe, wevtutil.exe, wevtutil.exe, cscript.exe, cmd.exe, wevtutil.exe, wevtutil.exe, cscript.exe, cmd.exe, wevtutil.exe, wevtutil.exe, cmd.exe, wevtutil.exe, cmd.exe, wevtutil.exe, cscript.exe, cmd.exe, wevtutil.exe, wevtutil.exe, cmd.exe, klist.exe, cmd.exe, klist.exe, cmd.exe, vssadmin.exe, vssvc.exe, cmd.exe, vssadmin.exe, cmd.exe, vssadmin.exe, cmd.exe, vssadmin.exe, cmd.exe, vssadmin.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 276
CMD: "C:\Windows\system32\cmd.exe" /c Fltmc.exe Filters
Path: C:\Windows\system32\cmd.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 288
CMD: "C:\Windows\system32\cmd.exe" /c netsh.exe advfirewall monitor show consec verbose
Path: C:\Windows\system32\cmd.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 296
CMD: netsh.exe advfirewall consec show rule all any static verbose
Path: C:\Windows\system32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 300
CMD: "cmd.exe" /c FltrFind.exe > USER-PC_FltrFind.txt
Path: C:\Windows\System32\cmd.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 308
CMD: "C:\Windows\system32\cmd.exe" /c netsh.exe wfp show options optionsfor=netevents
Path: C:\Windows\system32\cmd.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 324
CMD: "C:\Windows\system32\cscript.exe" //E:vbscript GetEvents.VBS "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" /channel /TXT /CSV /evtx /evt C:\Windows\TEMP\SDIAG_da99e268-7a54-44f7-895b-c9ddd499a19a\EventLogs /noextended /prefix:USER-PC_evt_ /suffix:_evt_
Path: C:\Windows\system32\cscript.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules
Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 344
CMD: "C:\Windows\system32\cmd.exe" /c netsh.exe advfirewall show publicprofile
Path: C:\Windows\system32\cmd.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 388
CMD: reg.exe query "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc" /s
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 392
CMD: "cmd.exe" /c Checksymx86.exe -F "C:\Windows\System32\*.EXE;" -R -S -O2 "USER-PC_sym_System32_EXE.CSV" > "USER-PC_sym_System32_EXE.TXT"
Path: C:\Windows\System32\cmd.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 408
CMD: "C:\Windows\system32\cmd.exe" /c netsh.exe advfirewall show store
Path: C:\Windows\system32\cmd.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 5 333
Read events: 3 490
Write events: 1 834
Delete events: 9

Modification events

(PID) Process: (3388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtBMP | Value: (empty in report)

(PID) Process: (3388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtIcon | Value: (empty in report)

(PID) Process: (3388) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

(PID) Process: (3388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\SupportPackage.6263103980.zip

(PID) Process: (3388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

(PID) Process: (3388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80

(PID) Process: (3388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120

(PID) Process: (3388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime | Value: 100

(PID) Process: (3388) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write | Name: @C:\Windows\system32\msdt.exe,-10012 | Value: Troubleshooting Pack Cabinet

(PID) Process: (3952) msdt.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write | Name: LanguageList | Value: en-US
Executable files: 52
Suspicious files: 17
Text files: 3 238
Unknown types: 50

Dropped files

PID | Process | Filename | Type

3952 | msdt.exe | C:\Users\admin\AppData\Local\Temp\msdt\_27B4A713-3AD1-4D34-9878-4DA9008AB289_\cabpkg\Package_0\AlaysOnDiagScript.sql | text
MD5: 653B539701984315E1D407BFC9C08398
SHA256: 1237E32A1786C49D4E75D0448118CE64128B9842EA8C5C1B05C0770ECDF0616A

3952 | msdt.exe | C:\Users\admin\AppData\Local\Temp\msdt\_27B4A713-3AD1-4D34-9878-4DA9008AB289_\cabpkg\Package_0\Autorunsc.exe | executable
MD5: 07A5B1FD29084D54B0B0AFBAF1F37187
SHA256: 86D2C5F48A671CBBFDA4C51C516A9A866D148F2854DB33AFDBB4CB83C0D833B3

3952 | msdt.exe | C:\Users\admin\AppData\Local\Temp\msdt\_27B4A713-3AD1-4D34-9878-4DA9008AB289_\cabpkg\Package_0\Autoruns.vbs | text
MD5: 13A797E90810F1B6C1B97D44AD248428
SHA256: AB96E5A2994B1630EE8E95CE521054A72DD080D9A9A26B0CC8A6D301E5628ECC

3952 | msdt.exe | C:\Users\admin\AppData\Local\Temp\msdt\_27B4A713-3AD1-4D34-9878-4DA9008AB289_\cabpkg\Package_0\AzureDHCPClient.cs | text
MD5: A3E80BD1E100C3AA78B3776314459F54
SHA256: 967FA63DEA763CF8825DBB93D2BD8BE20188B0B97F9952F9D94FACCDB3FD5DD2

3952 | msdt.exe | C:\Users\admin\AppData\Local\Temp\msdt\_27B4A713-3AD1-4D34-9878-4DA9008AB289_\cabpkg\Package_0\dbgeng.dll | executable
MD5: 7E3C64CEADD26EA4764525DCC8943AC7
SHA256: 83F7F92F20C7AFF57DC3FADC3246E0747BA1BF810414D7713254A3514C72376E

3952 | msdt.exe | C:\Users\admin\AppData\Local\Temp\msdt\_27B4A713-3AD1-4D34-9878-4DA9008AB289_\cabpkg\Package_0\DC_BasicSystemInformation.psd1 | text
MD5: 95A6E8176FC016CAF6C271F828FDA956
SHA256: 2E78034B418731B688F0CC1D3E8DCFFC47EC83C1EFB32503CE280B80443EE0A5

3952 | msdt.exe | C:\Users\admin\AppData\Local\Temp\msdt\_27B4A713-3AD1-4D34-9878-4DA9008AB289_\cabpkg\Package_0\ConfigExplorerClientView.xslt | xml
MD5: D6F8B2D91E1316A5A31C57687C957FE1
SHA256: 9ABBFCEF90CFA62AF1FAFF8CEB9ECDF1502327C6D1CE5E4F639335E9E1F8EF7B

3952 | msdt.exe | C:\Users\admin\AppData\Local\Temp\msdt\_27B4A713-3AD1-4D34-9878-4DA9008AB289_\cabpkg\Package_0\ChecksymX86.exe | executable
MD5: 8B435C06FC3C6B7919D1EE1B82EFDA0C
SHA256: 9626F0A20E70E724AEAC75ABD1CD305E4B425480C70CEAD959E692DFB678197C

3952 | msdt.exe | C:\Users\admin\AppData\Local\Temp\msdt\_27B4A713-3AD1-4D34-9878-4DA9008AB289_\cabpkg\Package_0\clusmps.exe | executable
MD5: F35C648EDD1245C561AA4885A4599A34
SHA256: 25E4A75F21EEB1E1E4FA3FDBC6E45FFFB2FDA7B669BA6AFA8AB1CA0E15B59ACC

3952 | msdt.exe | C:\Users\admin\AppData\Local\Temp\msdt\_27B4A713-3AD1-4D34-9878-4DA9008AB289_\cabpkg\Package_0\ConfigXPLSchema.xml | xml
MD5: 19BFC27690306A484E50D44C9F3252E0
SHA256: 89BCC5518BC537BEB771AB724BE97FE63DEE78E7A2273EA48B9B0EB4D4272212
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3876 | Autorunsc.exe | GET | 200 | 91.199.212.52:80 | http://crt.comodoca.com/COMODORSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted
3876 | Autorunsc.exe | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.6 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3876 | Autorunsc.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
3876 | Autorunsc.exe | 91.199.212.52:80 | crt.comodoca.com | Comodo CA Ltd | GB | suspicious

DNS requests

Domain | IP | Reputation
www.download.windowsupdate.com | 205.185.216.10, 205.185.216.10, 205.185.216.10, 205.185.216.42 | whitelisted
crt.comodoca.com | 91.199.212.52 | whitelisted

Threats

No threats detected
No debug info