General Info

File name
Sample1.zip
Full analysis
https://app.any.run/tasks/4719dfb2-30c8-4cfb-9b10-526122b68410
Verdict
Malicious activity
Analysis date
7/18/2019, 15:51:53
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan, formbook, stealer
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5
a0c6d990462ac9cc0b6e3c24aaee0739
SHA1
f55c51d24466f5879513111bc9fce3817bb518a9
SHA256
8ea2888dbd5d09954fc81e6bf9e60c5e15f632a0691e7773b74c11127cb60ed8
SSDEEP
24576:kju0tZyEpqN2DQ6HS+UNLJnNSzjcgwjQLnsciAq:wGNgD5MLNgcjotiV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • ayy.exe (PID: 3240)
  • ayy.exe (PID: 3764)
  • ayy.exe (PID: 3432)
  • ayy.exe (PID: 1868)
  • ayy.exe (PID: 3252)
  • ayy.exe (PID: 3328)
  • ayy.exe (PID: 592)
  • ayy.exe (PID: 3588)
  • ayy.exe (PID: 3972)
  • utylw4f4hd.exe (PID: 952)
  • ayy.exe (PID: 2516)
  • ayy.exe (PID: 3952)
  • utylw4f4hd.exe (PID: 4040)
  • utylw4f4hd.exe (PID: 2128)
  • utylw4f4hd.exe (PID: 1104)
  • utylw4f4hd.exe (PID: 2432)
  • ayy.exe (PID: 2912)
  • ayy.exe (PID: 3504)
  • ayy.exe (PID: 1980)
  • ayy.exe (PID: 2816)
  • ayy.exe (PID: 2776)
  • utylw4f4hd.exe (PID: 3020)
  • ayy.exe (PID: 2256)
  • ayy.exe (PID: 3848)
  • ayy.exe (PID: 3392)
  • ayy.exe (PID: 3760)
  • ayy.exe (PID: 312)
  • ayy.exe (PID: 1844)
  • ayy.exe (PID: 3572)
  • ayy.exe (PID: 3704)
  • utylw4f4hd.exe (PID: 2252)
  • ayy.exe (PID: 1468)
  • ayy.exe (PID: 1996)
  • ayy.exe (PID: 2704)
  • ayy.exe (PID: 1940)
  • ayy.exe (PID: 2948)
  • ayy.exe (PID: 3836)
  • ayy.exe (PID: 2712)
Connects to CnC server
  • explorer.exe (PID: 292)
Actions look like stealing of personal data
  • mstsc.exe (PID: 2352)
Formbook was detected
  • Firefox.exe (PID: 4008)
  • mstsc.exe (PID: 2352)
Changes the autorun value in the registry
  • ayy.exe (PID: 2712)
  • utylw4f4hd.exe (PID: 3020)
  • mstsc.exe (PID: 2352)
FORMBOOK was detected
  • explorer.exe (PID: 292)
Stealing of credential data
  • mstsc.exe (PID: 2352)
Creates files in the program directory
  • DllHost.exe (PID: 2260)
Executed via COM
  • DllHost.exe (PID: 2260)
Application launched itself
  • ayy.exe (PID: 2712)
  • utylw4f4hd.exe (PID: 3020)
Executable content was dropped or overwritten
  • ayy.exe (PID: 2712)
  • DllHost.exe (PID: 2260)
  • explorer.exe (PID: 292)
  • WinRAR.exe (PID: 3852)
Suspicious files were dropped or overwritten
  • ayy.exe (PID: 2712)
Loads DLL from Mozilla Firefox
  • mstsc.exe (PID: 2352)
Executes scripts
  • explorer.exe (PID: 292)
Creates files in the user directory
  • mstsc.exe (PID: 2352)
Starts CMD.EXE for commands execution
  • mstsc.exe (PID: 2352)
Application was crashed
  • utylw4f4hd.exe (PID: 3020)
Manual execution by user
  • autoconv.exe (PID: 3040)
  • wuapp.exe (PID: 3112)
  • mstsc.exe (PID: 2352)
  • rdpclip.exe (PID: 3456)
  • msg.exe (PID: 1476)
  • ayy.exe (PID: 2712)
Creates files in the user directory
  • Firefox.exe (PID: 4008)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.zip | ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
788
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2019:07:18 13:49:17
ZipCRC:
0x05ab6f62
ZipCompressedSize:
798572
ZipUncompressedSize:
1280512
ZipFileName:
a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b.bin

Screenshots

Processes

Total processes
99
Monitored processes
59
Malicious processes
5
Suspicious processes
0

Behavior graph

Graph node labels, in display order ("no specs" means no spec flags were raised for that node; #FORMBOOK marks a Formbook detection):
start; drop and start; winrar.exe; ayy.exe; ayy.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); #FORMBOOK mstsc.exe; cmd.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); autoconv.exe (no specs); rdpclip.exe (no specs); ayy.exe (no specs); wuapp.exe (no specs); ayy.exe (no specs); msg.exe (no specs); #FORMBOOK explorer.exe; #FORMBOOK firefox.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); chkdsk.exe (no specs); Copy/Move/Rename/Delete/Link Object; utylw4f4hd.exe; ayy.exe (no specs); audiodg.exe (no specs); ayy.exe (no specs); wscript.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); services.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); cscript.exe (no specs); utylw4f4hd.exe (no specs); utylw4f4hd.exe (no specs); utylw4f4hd.exe (no specs); utylw4f4hd.exe (no specs); utylw4f4hd.exe (no specs); utylw4f4hd.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); msdt.exe (no specs); ayy.exe (no specs); mstsc.exe (no specs); ayy.exe (no specs); wininit.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); cmmon32.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); ayy.exe (no specs); services.exe (no specs); ayy.exe (no specs); wscript.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
292
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\zipfldr.dll
c:\windows\system32\twext.dll
c:\windows\system32\sendmail.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\mydocs.dll
c:\windows\system32\imageres.dll
c:\windows\system32\wfs.exe
c:\windows\system32\wfsr.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\users\admin\desktop\ayy.exe
c:\windows\system32\rdpclip.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wuapp.exe
c:\windows\system32\dnsapi.dll
c:\windows\system32\msg.exe
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\chkdsk.exe
c:\program files\wkhylq\utylw4f4hd.exe
c:\windows\system32\audiodg.exe
c:\windows\system32\wscript.exe
c:\windows\system32\cscript.exe
c:\windows\system32\werfault.exe
c:\windows\system32\msdt.exe
c:\windows\system32\wininit.exe
c:\windows\system32\cmmon32.exe

PID
3852
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2712
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll

PID
2912
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
2816
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
1940
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2352
CMD
"C:\Windows\System32\mstsc.exe"
Path
C:\Windows\System32\mstsc.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Remote Desktop Connection
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\mstsc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\credui.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\winmm.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\vaultcli.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\program files\mozilla firefox\firefox.exe

PID
2304
CMD
/c del "C:\Users\admin\Desktop\ayy.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
mstsc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3760
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
3836
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3040
CMD
"C:\Windows\System32\autoconv.exe"
Path
C:\Windows\System32\autoconv.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Auto File System Conversion Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\autoconv.exe
c:\systemroot\system32\ntdll.dll

PID
3456
CMD
"C:\Windows\System32\rdpclip.exe"
Path
C:\Windows\System32\rdpclip.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
RDP Clip Monitor
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rdpclip.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
312
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3112
CMD
"C:\Windows\System32\wuapp.exe"
Path
C:\Windows\System32\wuapp.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Update Application Launcher
Version
7.5.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\wuapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2256
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
1476
CMD
"C:\Windows\System32\msg.exe"
Path
C:\Windows\System32\msg.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Message Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winsta.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
4008
CMD
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Path
C:\Program Files\Mozilla Firefox\Firefox.exe
Indicators
Parent process
mstsc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Mozilla Corporation
Description
Firefox
Version
67.0.4
Modules
Image
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\cryptbase.dll

PID
1996
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
1844
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
2776
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
3848
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
3504
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3272
CMD
"C:\Windows\System32\chkdsk.exe"
Path
C:\Windows\System32\chkdsk.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Check Disk Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\chkdsk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2260
CMD
C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Path
C:\Windows\system32\DllHost.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\actxprxy.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mssprxy.dll

PID
3020
CMD
"C:\Program Files\Wkhylq\utylw4f4hd.exe"
Path
C:\Program Files\Wkhylq\utylw4f4hd.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221225477
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\program files\wkhylq\utylw4f4hd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll

PID
2948
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3224
CMD
"C:\Windows\System32\audiodg.exe"
Path
C:\Windows\System32\audiodg.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Audio Device Graph Isolation
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\audiodg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll

PID
1468
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
804
CMD
"C:\Windows\System32\wscript.exe"
Path
C:\Windows\System32\wscript.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
1980
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
3572
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2156
CMD
"C:\Windows\System32\services.exe"
Path
C:\Windows\System32\services.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Services and Controller app
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\services.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll

PID
3704
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
2704
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
3392
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
4064
CMD
"C:\Windows\System32\cscript.exe"
Path
C:\Windows\System32\cscript.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2252
CMD
"C:\Program Files\Wkhylq\utylw4f4hd.exe"
Path
C:\Program Files\Wkhylq\utylw4f4hd.exe
Indicators
No indicators
Parent process
utylw4f4hd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\program files\wkhylq\utylw4f4hd.exe
c:\systemroot\system32\ntdll.dll

PID
4040
CMD
"C:\Program Files\Wkhylq\utylw4f4hd.exe"
Path
C:\Program Files\Wkhylq\utylw4f4hd.exe
Indicators
No indicators
Parent process
utylw4f4hd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\program files\wkhylq\utylw4f4hd.exe
c:\systemroot\system32\ntdll.dll

PID
2128
CMD
"C:\Program Files\Wkhylq\utylw4f4hd.exe"
Path
C:\Program Files\Wkhylq\utylw4f4hd.exe
Indicators
No indicators
Parent process
utylw4f4hd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\program files\wkhylq\utylw4f4hd.exe
c:\systemroot\system32\ntdll.dll

PID
952
CMD
"C:\Program Files\Wkhylq\utylw4f4hd.exe"
Path
C:\Program Files\Wkhylq\utylw4f4hd.exe
Indicators
No indicators
Parent process
utylw4f4hd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\program files\wkhylq\utylw4f4hd.exe
c:\systemroot\system32\ntdll.dll

PID
2432
CMD
"C:\Program Files\Wkhylq\utylw4f4hd.exe"
Path
C:\Program Files\Wkhylq\utylw4f4hd.exe
Indicators
No indicators
Parent process
utylw4f4hd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\program files\wkhylq\utylw4f4hd.exe
c:\systemroot\system32\ntdll.dll

PID
1104
CMD
"C:\Program Files\Wkhylq\utylw4f4hd.exe"
Path
C:\Program Files\Wkhylq\utylw4f4hd.exe
Indicators
No indicators
Parent process
utylw4f4hd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\program files\wkhylq\utylw4f4hd.exe
c:\systemroot\system32\ntdll.dll

PID
3972
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
3952
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3712
CMD
"C:\Windows\System32\msdt.exe"
Path
C:\Windows\System32\msdt.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Diagnostics Troubleshooting Wizard
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msdt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\atl.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\duser.dll
c:\windows\system32\wer.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dui70.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3240
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2124
CMD
"C:\Windows\System32\mstsc.exe"
Path
C:\Windows\System32\mstsc.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Remote Desktop Connection
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\mstsc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\credui.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\winmm.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3764
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3304
CMD
"C:\Windows\System32\wininit.exe"
Path
C:\Windows\System32\wininit.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Start-Up Application
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wininit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\profapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll

PID
592
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
2516
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
3432
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
184
CMD
"C:\Windows\System32\cmmon32.exe"
Path
C:\Windows\System32\cmmon32.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Connection Manager Monitor
Version
7.02.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\cmmon32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cmutil.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3328
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
3252
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll

PID
1868
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
1372
CMD
"C:\Windows\System32\services.exe"
Path
C:\Windows\System32\services.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Services and Controller app
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\services.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll

PID
3588
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
diskraid
Description
Dism
Version
422.642.997.65
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2804
CMD
"C:\Windows\System32\wscript.exe"
Path
C:\Windows\System32\wscript.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
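
The process records above carry several signals worth scoring automatically rather than reading by eye: services.exe (PIDs 2156 and 1372), wininit.exe (3304) and audiodg.exe (3224) are started by explorer.exe as user admin at MEDIUM integrity, whereas the genuine ones are created by the boot chain or a service host and run as service accounts; ayy.exe and utylw4f4hd.exe re-launch themselves many times, and several of those children show only the image and ntdll.dll mapped, which is what a process created suspended for hollowing and then abandoned looks like; utylw4f4hd.exe PID 3020 exits with 3221225477, i.e. NTSTATUS 0xC0000005 (STATUS_ACCESS_VIOLATION); and the first record is DllHost.exe at HIGH integrity hosting {3AD05575-8857-4850-9277-11B85BDB8E09}, the CLSID of the shell's IFileOperation object, which the dropped-files list below shows writing utylw4f4hd.exe into C:\Program Files. The Python below is an added example, not ANY.RUN's code: the records are transcribed from the listing (module lists cut down to what the rules inspect, DllHost's PID taken from the dropped-files list), and the SYSTEM_ONLY, NTSTATUS and threshold values are this example's own assumptions.

```python
"""Triage rules over the sandbox process records (added example, not ANY.RUN
code). SYSTEM_ONLY, NTSTATUS and respawn_threshold are assumptions of this
example; the SAMPLE records are transcribed from the report above."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str        # image file name
    parent: str       # parent image name, "" when the report shows none
    user: str
    integrity: str
    exit_code: int
    modules: tuple    # DLL file names mapped in the process, image excluded
    cmd: str = ""     # command line, only needed for the DllHost rule


ONLY_NTDLL = ("ntdll.dll",)   # what a never-resumed (suspended) process shows
FULL = ("ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll")

# Transcribed from the report; module lists shortened.
SAMPLE = [
    Proc(2260, "DllHost.exe", "", "admin", "HIGH", 0, ("ntdll.dll", "kernel32.dll", "ole32.dll"),
         cmd=r"C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}"),
    Proc(3020, "utylw4f4hd.exe", "explorer.exe", "admin", "MEDIUM", 3221225477, FULL + ("wininet.dll",)),
    Proc(2156, "services.exe", "explorer.exe", "admin", "MEDIUM", 0, FULL),
    Proc(3304, "wininit.exe", "explorer.exe", "admin", "MEDIUM", 0, FULL),
    Proc(1980, "ayy.exe", "ayy.exe", "admin", "MEDIUM", 0, ONLY_NTDLL),
    Proc(3704, "ayy.exe", "ayy.exe", "admin", "MEDIUM", 0, ONLY_NTDLL),
    Proc(2704, "ayy.exe", "ayy.exe", "admin", "MEDIUM", 0, ONLY_NTDLL),
    Proc(3392, "ayy.exe", "ayy.exe", "admin", "MEDIUM", 0, FULL),
    Proc(804, "wscript.exe", "explorer.exe", "admin", "MEDIUM", 0, FULL),   # control: no rule fires
]

SERVICE_ACCOUNTS = {"system", "local service", "network service"}
# Inbox images only ever created by the boot chain or a service host, never
# by an interactive shell, and never running as the logged-on user (assumption).
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "audiodg.exe"}
CLSID_FILEOPERATION = "{3AD05575-8857-4850-9277-11B85BDB8E09}"   # shell IFileOperation
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
            0xC000001D: "STATUS_ILLEGAL_INSTRUCTION", 0xC0000374: "STATUS_HEAP_CORRUPTION"}


def triage(procs, respawn_threshold=3):
    """Map pid -> list of reasons; a pid absent from the result raised nothing."""
    findings = {}

    def flag(p, why):
        findings.setdefault(p.pid, []).append(why)

    # how many instances of each image were started by the same image
    self_spawned = Counter(p.image.lower() for p in procs if p.parent.lower() == p.image.lower())
    for p in procs:
        img, parent = p.image.lower(), p.parent.lower()
        if img in SYSTEM_ONLY and (p.user.lower() not in SERVICE_ACCOUNTS or parent == "explorer.exe"):
            flag(p, f"{p.image} as {p.user}/{p.integrity} under {p.parent or '?'}: impostor or injected copy")
        if p.exit_code >= 0xC0000000:   # NTSTATUS error severity
            flag(p, f"exit 0x{p.exit_code:08X} {NTSTATUS.get(p.exit_code, 'NTSTATUS error')}: crashed")
        if {m.lower() for m in p.modules} <= {"ntdll.dll"}:
            flag(p, "only ntdll.dll mapped: loader never ran (created suspended for hollowing, or killed early)")
        if parent == img and self_spawned[img] >= respawn_threshold:
            flag(p, f"{p.image} launched by itself ({self_spawned[img]} copies): re-launch/hollowing loop")
        if img == "dllhost.exe" and CLSID_FILEOPERATION in p.cmd.upper() and p.integrity.upper() == "HIGH":
            flag(p, "elevated COM surrogate hosting IFileOperation: check dropped files for writes outside the profile")
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE).items()):
        for why in reasons:
            print(f"PID {pid}: {why}")
```

The rules are deliberately independent of process names the malware chooses (ayy.exe, utylw4f4hd.exe): they key on where an inbox binary was started from and whom it runs as, on whether the loader ever ran, on NTSTATUS exit codes and on self-spawning, so the same code scores a report for a different Formbook build or a different family.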

Registry activity

Total events
2260
Read events
2212
Write events
48
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
292
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
a
WinRAR.exe
292
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
MRUList
a
292
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
00000000000000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
292
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000001000000011000000777D0500040000000400000029E900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D0000000000000000000100000064666C7464666C7400000000400000000459CA76C306012500000000000000000100000000000000000000000000000000000000E803000000000000FFFFFFFF000000000000000008B7540254E7D90105000000FFFFFFFFAC54CA76000000003853F6023052F602D0E7D9013DA9727500000000FBFFFF7FF4E7D901987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000005DF440321DF440305DF4403000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B000000530000005300000000000000000007000A008F030000A487D8760800000064025300E72FF9769487D8763F030000CC045300000053000200D4001D7E010011000000B8455600B045560030C4F402FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901040000000400000029E900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D0000000000000000000100000064666C7464666C7400000000400000000459CA76C306012500000000000000000100000000000000000000000000000000000000E803000000000000FFFFFFFF000000000000000008B7540254E7D90105000000FFFFFFFFAC54CA76000000003853F6023052F602D0E7D9013DA9727500000000FBFFFF7FF4E7D901987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000005DF440321DF440305DF4403000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B000000530000005300000000000000000007000A008F030000A487D8760800000064025300E72FF9769487D8763F030000CC045300000053000200D4001D7E010011000000B8455600B0455600
30C4F402FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901040000000400000029E900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D0000000000000000000100000064666C7464666C7400000000400000000459CA76C306012500000000000000000100000000000000000000000000000000000000E803000000000000FFFFFFFF000000000000000008B7540254E7D90105000000FFFFFFFFAC54CA76000000003853F6023052F602D0E7D9013DA9727500000000FBFFFF7FF4E7D901987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF00000000000000000000000005DF440321DF440305DF4403000000000000000000000000080000002E006C006E006B0000005300630068006500640075006C00650072002E006C006E006B000000530000005300000000000000000007000A008F030000A487D8760800000064025300E72FF9769487D8763F030000CC045300000053000200D4001D7E010011000000B8455600B045560030C4F402FCE800004F88652EACE8D90182917275FCE8D901B0E8D9012795727500000000A486F602D8E8D901CD947275A486F60284E9D9011882F602E1947275000000001882F60284E9D901E0E8D901
292
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
000000000000000000000000B8180000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
292
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
292
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
292
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
@sendmail.dll,-21
Desktop (create shortcut)
292
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
@zipfldr.dll,-10148
Compressed (zipped) folder
292
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
@sendmail.dll,-4
Mail recipient
292
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
@C:\Windows\system32\FXSRESM.dll,-120
Fax recipient
292
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Windows\system32\WFS.exe
Microsoft Windows Fax and Scan
292
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
P:\Hfref\nqzva\Qrfxgbc\nll.rkr
00000000010000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF5017A81B703DD50100000000
292
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3852
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Sample1.zip
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000960111000000000039000000B40200000000000001000000
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C8000000000000000000000000004E010F0000000000160000002A0000000000000002000000
3852
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C80000000000000000000000000058010C000000000016000000640000000000000003000000
2712
ayy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NeYQCBOkZD
C:\Users\Public\NeYQCBOkZD.vbs
2352
mstsc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
WH54ANVPZF
C:\Program Files\Wkhylq\utylw4f4hd.exe
3020
utylw4f4hd.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NeYQCBOkZD
C:\Users\Public\NeYQCBOkZD.vbs
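
The UserAssist writes above are Explorer's own record of what the user launched: the value names are ROT13-encoded paths ({7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr is WinRAR.exe under the Program Files known folder, P:\Hfref\nqzva\Qrfxgbc\nll.rkr is C:\Users\admin\Desktop\ayy.exe, HRZR_PGYFRFFVBA is UEME_CTLSESSION), and the 72-byte values hold the run count at offset 4 and the last-run FILETIME at offset 60. The three Run-key writes are the persistence: ayy.exe and its Program Files copy both register C:\Users\Public\NeYQCBOkZD.vbs, and mstsc.exe, which has no business writing autoruns, registers the copy itself. The Python below is an added example, not ANY.RUN's code: it parses three events copied verbatim from the list above, decodes the UserAssist record (Windows 7 layout) and scores the Run-key writes. USER_WRITABLE, SCRIPT_EXT and NO_AUTORUN_WRITERS are this example's own triage assumptions.

```python
"""Decode UserAssist writes and score Run-key writes from the report's
modification-events list (added example, not ANY.RUN code). EVENTS is copied
verbatim from the page, one field per line. USER_WRITABLE, SCRIPT_EXT and
NO_AUTORUN_WRITERS are this example's assumptions."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EVENTS = r"""
292
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
P:\Hfref\nqzva\Qrfxgbc\nll.rkr
00000000010000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF5017A81B703DD50100000000
2712
ayy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NeYQCBOkZD
C:\Users\Public\NeYQCBOkZD.vbs
2352
mstsc.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
WH54ANVPZF
C:\Program Files\Wkhylq\utylw4f4hd.exe
""".strip().splitlines()

FIELDS = ("pid", "process", "op", "key", "name", "value")
OPS = {"write", "read", "delete"}


def parse_events(lines):
    """A record starts at a numeric PID whose line-after-next is the operation;
    the Value line is absent when the data written was empty."""
    records, cur = [], None
    for i, line in enumerate(lines):
        if line.isdigit() and i + 2 < len(lines) and lines[i + 2] in OPS:
            cur = {}
            records.append(cur)
        if cur is not None and len(cur) < len(FIELDS):
            cur[FIELDS[len(cur)]] = line
    return records


def decode_userassist(name, hexvalue):
    """Windows 7 Count entry: [0:4] session, [4:8] run count, [8:12] focus count,
    [12:16] focus time ms, [16:56] ten floats, [56:60] -1, [60:68] last-run
    FILETIME, [68:72] zero. Any other length (e.g. UEME_CTLSESSION) -> None."""
    data = bytes.fromhex(hexvalue)
    if len(data) != 72:
        return None
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (filetime,) = struct.unpack_from("<Q", data, 60)
    last_run = None
    if filetime:   # 100 ns ticks since 1601-01-01 UTC; zero means not recorded
        last_run = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return {"path": codecs.decode(name, "rot_13"), "run_count": run_count,
            "focus_count": focus_count, "focus_ms": focus_ms, "last_run": last_run}


RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1")
# inbox binaries that never register autoruns themselves (assumption)
NO_AUTORUN_WRITERS = {"mstsc.exe", "cmmon32.exe", "msdt.exe", "audiodg.exe", "services.exe", "wininit.exe"}


def score_autorun(ev):
    """Reasons a Run/RunOnce write is suspicious; empty list means none fired."""
    reasons = []
    target = ev.get("value", "").strip('"').lower()
    if target.startswith(USER_WRITABLE):
        reasons.append("target lives in a user-writable path")
    if target.endswith(SCRIPT_EXT):
        reasons.append("target is a script")
    if ev["process"].lower() in NO_AUTORUN_WRITERS:
        reasons.append(f"written by {ev['process']}, an inbox binary that never registers autoruns (injected code)")
    return reasons


def triage(lines):
    out = {"userassist": [], "autoruns": []}
    for ev in parse_events(lines):
        key = ev["key"].lower()
        if "\\userassist\\" in key and "value" in ev:
            rec = decode_userassist(ev["name"], ev["value"])
            if rec:
                out["userassist"].append(rec)
        elif key.endswith(RUN_KEYS):
            reasons = score_autorun(ev)
            if reasons:
                out["autoruns"].append({"pid": ev["pid"], "process": ev["process"], "name": ev["name"],
                                        "target": ev.get("value", ""), "reasons": reasons})
    return out


if __name__ == "__main__":
    result = triage(EVENTS)
    for rec in result["userassist"]:
        print(f"UserAssist: {rec['path']} run_count={rec['run_count']} last_run={rec['last_run']}")
    for a in result["autoruns"]:
        print(f"Run key {a['name']} -> {a['target']} (by {a['process']}, pid {a['pid']}): " + "; ".join(a["reasons"]))
```

Decoding the ayy.exe entry gives run count 1 and a last-run FILETIME of 0x01D53D701BA81750, which is 2019-07-18 13:52:58 UTC, one minute into the task and consistent with the analysis date in the report header. The same decoder applied to the two {7P5N40RS-...}\JvaENE\JvaENE.rkr values shows WinRAR with run count 0 and focus time 0x18B8 ms, which is what a launch through a file association rather than a Start-menu click records.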

Files activity

Executable files
6
Suspicious files
73
Text files
2
Unknown types
0

Dropped files

PID Process Filename Type MD5 SHA256
2260 DllHost.exe C:\Program Files\Wkhylq\utylw4f4hd.exe executable ada39c2599eff32e7e39b19c74e567ed a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b
292 explorer.exe C:\Users\admin\Desktop\a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b.bin executable ada39c2599eff32e7e39b19c74e567ed a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b
292 explorer.exe C:\Users\admin\Desktop\ayy.exe executable ada39c2599eff32e7e39b19c74e567ed a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b
2712 ayy.exe C:\Users\admin\AppData\Local\Temp\ActionCenterCPL\at.bat executable 6e2848091a70f9812bd5a23e5992fd14 12979cd3a8cba0a9194c59bd0a1867c4dabdbe517e63886f59c6f7bfb57b6a2a
3852 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRb3852.46259\a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b.bin executable ada39c2599eff32e7e39b19c74e567ed a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b
292 explorer.exe C:\Users\admin\AppData\Local\Temp\Wkhylq\utylw4f4hd.exe executable ada39c2599eff32e7e39b19c74e567ed a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b
2352 mstsc.exe C:\Users\admin\AppData\Roaming\OM718DVE\OM7logri.ini binary d63a82e5d81e02e399090af26db0b9cb eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
2712 ayy.exe C:\Users\Public\NeYQCBOkZD.vbs text 2129ccce1fa3864b7088a27e25ae9d26 0bb7b459cd9b48e846a3cd9d242c43944a6de5bc35598f9d435fe97459d016b9
2352 mstsc.exe C:\Users\admin\AppData\Roaming\OM718DVE\OM7logrc.ini binary 2855a82ecdd565b4d957ec2ee05aed26 88e38da5b12dd96afd9dc90c79929ec31d8604b1afdebdd5a02b19249c08c939
2352 mstsc.exe C:\Users\admin\AppData\Roaming\OM718DVE\OM7logrv.ini binary ba3b6bc807d4f76794c4b81b09bb9ba5 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
2352 mstsc.exe C:\Users\admin\AppData\Roaming\OM718DVE\OM7logim.jpeg image 1c2a2de0e091475bcfa2c40d7e4337b5 3fad2244570bc770b81d01947127692296f83b7e270c9813e4d101feb71518b0
4008 Firefox.exe C:\Users\admin\AppData\Roaming\OM718DVE\OM7logrf.ini binary 53028481b5b5795f1501241ccc7abff6 75b5f3045e20c80f264568707e2d444dc7498db119d9661ae51a91575960fc5a

Find more information about the static content and download it at the full report
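
The Run-key writes and the dropped-file table describe one persistence chain: the same SHA256 (a8c6430a...) is written to five paths (the extracted .bin, ayy.exe, and a copy under Program Files\Wkhylq), and the Run key is then populated twice, once by mstsc.exe pointing at that copy and once (by ayy.exe and again by the copy) pointing at a .vbs in C:\Users\Public. The script below is an added example, not part of the ANY.RUN report or its tooling: it takes a constructed copy of those rows, groups the drops by hash, scores each Run-key write and ties its target back to a dropped hash. The SCRIPT_EXT and USER_WRITABLE heuristics, the function names, and the "writer should be the target" rule are this example's own assumptions.

```python
"""Added triage helper: correlate the Run-key writes with the dropped files.
Sample input is constructed from this report's registry and dropped-file rows."""
from collections import defaultdict

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
PAYLOAD_SHA256 = "a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b"

# (pid, writer process, value name, value data) for every write to RUN_KEY in the report
RUN_KEY_WRITES = [
    (2712, "ayy.exe", "NeYQCBOkZD", r"C:\Users\Public\NeYQCBOkZD.vbs"),
    (2352, "mstsc.exe", "WH54ANVPZF", r"C:\Program Files\Wkhylq\utylw4f4hd.exe"),
    (3020, "utylw4f4hd.exe", "NeYQCBOkZD", r"C:\Users\Public\NeYQCBOkZD.vbs"),
]

# (pid, process, path, sha256) for the executable/script drops in the report
DROPPED_FILES = [
    (2260, "DllHost.exe", r"C:\Program Files\Wkhylq\utylw4f4hd.exe", PAYLOAD_SHA256),
    (292, "explorer.exe", r"C:\Users\admin\Desktop\a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b.bin", PAYLOAD_SHA256),
    (292, "explorer.exe", r"C:\Users\admin\Desktop\ayy.exe", PAYLOAD_SHA256),
    (2712, "ayy.exe", r"C:\Users\admin\AppData\Local\Temp\ActionCenterCPL\at.bat",
     "12979cd3a8cba0a9194c59bd0a1867c4dabdbe517e63886f59c6f7bfb57b6a2a"),
    (3852, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRb3852.46259\a8c6430ab780a74ebc613dc3e67a7f15500301b025ec3c34b59d10303bba123b.bin", PAYLOAD_SHA256),
    (292, "explorer.exe", r"C:\Users\admin\AppData\Local\Temp\Wkhylq\utylw4f4hd.exe", PAYLOAD_SHA256),
    (2712, "ayy.exe", r"C:\Users\Public\NeYQCBOkZD.vbs",
     "0bb7b459cd9b48e846a3cd9d242c43944a6de5bc35598f9d435fe97459d016b9"),
]

# Heuristics: assumptions of this example, not ANY.RUN's own scoring.
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def copies_of_same_binary(dropped):
    """Map SHA256 -> paths for any hash written to more than one path.
    The same bytes landing under several names means the sample is copying
    itself around, not staging a different second-stage payload."""
    paths = defaultdict(list)
    for _pid, _proc, path, sha in dropped:
        paths[sha].append(path)
    return {sha: p for sha, p in paths.items() if len(p) > 1}


def run_key_findings(writes, dropped):
    """Score each Run-key write and tie its target back to a dropped-file hash."""
    sha_by_path = {path.lower(): sha for _pid, _proc, path, sha in dropped}
    findings = []
    for pid, proc, name, data in writes:
        target = data.lower()
        reasons = []
        if target.endswith(SCRIPT_EXT):
            reasons.append("autorun target is an interpreted script")
        if any(seg in target for seg in USER_WRITABLE):
            reasons.append("autorun target lives in a user-writable directory")
        # A binary registering itself (or an installer doing so) is normal; the
        # Remote Desktop client registering someone else's EXE is not, and fits
        # the report's other signs that mstsc.exe is hosting injected code.
        if proc.lower() != target.rsplit("\\", 1)[-1]:
            reasons.append(f"Run value written by {proc}, not by the target it registers")
        findings.append({
            "pid": pid, "writer": proc, "key": RUN_KEY, "value_name": name,
            "target": data,
            "target_sha256": sha_by_path.get(target),  # None if no drop was captured
            "reasons": reasons,
        })
    return findings


def iocs(writes, dropped):
    """Flat host-IOC set a responder can hand to an EDR search."""
    return {
        "sha256": sorted({sha for _pid, _proc, _path, sha in dropped}),
        "paths": sorted({path for _pid, _proc, path, _sha in dropped}),
        "run_values": sorted({(RUN_KEY, name) for _pid, _proc, name, _data in writes}),
    }


if __name__ == "__main__":
    for sha, paths in copies_of_same_binary(DROPPED_FILES).items():
        print(f"{sha[:12]}... written to {len(paths)} paths")
    for f in run_key_findings(RUN_KEY_WRITES, DROPPED_FILES):
        print(f"PID {f['pid']} {f['writer']} -> {f['value_name']} = {f['target']}")
        for r in f["reasons"]:
            print("   !", r)
```

On this report every write is flagged: both .vbs entries trip all three rules, and the mstsc.exe entry trips only the writer rule, which is the one that matters, since a Remote Desktop client has no reason to register an EXE under Program Files\Wkhylq. The at.bat drop and the OM7log*.ini files are left out of the sample on purpose; they carry no autorun and are covered by the hash list.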

Network activity

HTTP(S) requests
16
TCP/UDP connections
17
DNS requests
6
Threats
28

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
292 explorer.exe GET 404 199.192.30.91:80 http://www.kerxbin.com/ki/?yVftqxDh=GUMbK9e7bDYWx5MZ5V13d8s+uoH9vku2W3mWGD6q3wUU6ffBAJF9lZjfFyLQx5Fwqvjy9Q==&1b3=o8TpZlH US html malicious
292 explorer.exe GET 404 91.184.0.100:80 http://www.zorgeloosontruimen.com/ki/?yVftqxDh=wplG0/9dvDGY5iUrxjBRxUnVFYbT692W7AlK5Bp4Cm37hopIlAgv4Nv5M4nhR3xgVBKtSA==&1b3=o8TpZlH&sql=1 NL html malicious
292 explorer.exe POST –– 91.184.0.100:80 http://www.zorgeloosontruimen.com/ki/ NL text –– –– malicious
292 explorer.exe POST –– 91.184.0.100:80 http://www.zorgeloosontruimen.com/ki/ NL text –– –– malicious
292 explorer.exe POST –– 91.184.0.100:80 http://www.zorgeloosontruimen.com/ki/ NL text –– –– malicious
292 explorer.exe GET –– 162.215.255.133:80 http://www.dducargo-vancouver.com/ki/?yVftqxDh=mM20bzQXHsnD3wKkmRZxih6GLVXnjRmY6kFRMh8bCXjRIQjwiJpWRc6F3caD/2adGz5fkw==&1b3=o8TpZlH&sql=1 US –– –– malicious
292 explorer.exe POST –– 162.215.255.133:80 http://www.dducargo-vancouver.com/ki/ US text –– –– malicious
292 explorer.exe POST –– 162.215.255.133:80 http://www.dducargo-vancouver.com/ki/ US text –– –– malicious
292 explorer.exe POST –– 162.215.255.133:80 http://www.dducargo-vancouver.com/ki/ US text –– –– malicious
292 explorer.exe GET 403 107.154.192.178:80 http://www.xf6900.com/ki/?yVftqxDh=8vdrInXG4N3PWtPuwUHbTlb7crQLhHSvXYnRadqvPDximIIly4DY77YIaRWIXONSRshcNg==&1b3=o8TpZlH&sql=1 US html malicious
292 explorer.exe POST –– 107.154.192.178:80 http://www.xf6900.com/ki/ US text –– –– malicious
292 explorer.exe POST –– 107.154.192.178:80 http://www.xf6900.com/ki/ US text –– –– malicious
292 explorer.exe GET 404 54.36.26.9:80 http://www.paycatch.com/ki/?yVftqxDh=uxwzwj5xEs/I8jhTYDt5X8m+cyFMfosQDHRfcK7g00Fy5iQoBK/DEr6KNKL9jPjdKPhNUA==&1b3=o8TpZlH&sql=1 FR html malicious
292 explorer.exe POST –– 54.36.26.9:80 http://www.paycatch.com/ki/ FR text –– –– malicious
292 explorer.exe POST –– 54.36.26.9:80 http://www.paycatch.com/ki/ FR text –– –– malicious
292 explorer.exe POST –– 54.36.26.9:80 http://www.paycatch.com/ki/ FR text –– –– malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
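
All sixteen requests come from PID 292 (explorer.exe, which the sample has injected into) and share one shape: a GET to /ki/ whose first parameter carries a different encoded blob on every host while 1b3=o8TpZlH stays constant, followed by POSTs to the same /ki/ path, repeated across five unrelated domains. That rotation through mostly decoy domains is the FormBook check-in pattern the Suricata alerts below fire on. The script is an added example, not part of the ANY.RUN report; it parses a constructed copy of the table rows, clusters the requests by path and leading parameter name, and separates the constant parameters (signature material) from the per-host ones (the beacon, which no static string will match). Function names and the min_hosts threshold are this example's assumptions.

```python
"""Added example: extract the C2 check-in pattern from this report's HTTP rows.
HTTP_ROWS is constructed from the table above; nothing is fetched."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

HTTP_ROWS = """\
292 explorer.exe GET 404 199.192.30.91:80 http://www.kerxbin.com/ki/?yVftqxDh=GUMbK9e7bDYWx5MZ5V13d8s+uoH9vku2W3mWGD6q3wUU6ffBAJF9lZjfFyLQx5Fwqvjy9Q==&1b3=o8TpZlH US html malicious
292 explorer.exe GET 404 91.184.0.100:80 http://www.zorgeloosontruimen.com/ki/?yVftqxDh=wplG0/9dvDGY5iUrxjBRxUnVFYbT692W7AlK5Bp4Cm37hopIlAgv4Nv5M4nhR3xgVBKtSA==&1b3=o8TpZlH&sql=1 NL html malicious
292 explorer.exe POST –– 91.184.0.100:80 http://www.zorgeloosontruimen.com/ki/ NL text –– –– malicious
292 explorer.exe POST –– 91.184.0.100:80 http://www.zorgeloosontruimen.com/ki/ NL text –– –– malicious
292 explorer.exe POST –– 91.184.0.100:80 http://www.zorgeloosontruimen.com/ki/ NL text –– –– malicious
292 explorer.exe GET –– 162.215.255.133:80 http://www.dducargo-vancouver.com/ki/?yVftqxDh=mM20bzQXHsnD3wKkmRZxih6GLVXnjRmY6kFRMh8bCXjRIQjwiJpWRc6F3caD/2adGz5fkw==&1b3=o8TpZlH&sql=1 US –– –– malicious
292 explorer.exe POST –– 162.215.255.133:80 http://www.dducargo-vancouver.com/ki/ US text –– –– malicious
292 explorer.exe POST –– 162.215.255.133:80 http://www.dducargo-vancouver.com/ki/ US text –– –– malicious
292 explorer.exe POST –– 162.215.255.133:80 http://www.dducargo-vancouver.com/ki/ US text –– –– malicious
292 explorer.exe GET 403 107.154.192.178:80 http://www.xf6900.com/ki/?yVftqxDh=8vdrInXG4N3PWtPuwUHbTlb7crQLhHSvXYnRadqvPDximIIly4DY77YIaRWIXONSRshcNg==&1b3=o8TpZlH&sql=1 US html malicious
292 explorer.exe POST –– 107.154.192.178:80 http://www.xf6900.com/ki/ US text –– –– malicious
292 explorer.exe POST –– 107.154.192.178:80 http://www.xf6900.com/ki/ US text –– –– malicious
292 explorer.exe GET 404 54.36.26.9:80 http://www.paycatch.com/ki/?yVftqxDh=uxwzwj5xEs/I8jhTYDt5X8m+cyFMfosQDHRfcK7g00Fy5iQoBK/DEr6KNKL9jPjdKPhNUA==&1b3=o8TpZlH&sql=1 FR html malicious
292 explorer.exe POST –– 54.36.26.9:80 http://www.paycatch.com/ki/ FR text –– –– malicious
292 explorer.exe POST –– 54.36.26.9:80 http://www.paycatch.com/ki/ FR text –– –– malicious
292 explorer.exe POST –– 54.36.26.9:80 http://www.paycatch.com/ki/ FR text –– –– malicious
"""

# Leading columns of a report row: PID, process, method, HTTP code, IP:port, URL.
ROW_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<method>GET|POST)\s+(?P<code>\S+)\s+"
    r"(?P<ip>[\d.]+):\d+\s+(?P<url>\S+)"
)


def parse_rows(text):
    """One dict per request; the query string is kept as ordered (name, value) pairs."""
    reqs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or malformed line
        u = urlsplit(m["url"])
        reqs.append({
            "pid": int(m["pid"]), "proc": m["proc"], "method": m["method"],
            "code": m["code"], "ip": m["ip"], "host": u.hostname, "path": u.path,
            "query": parse_qsl(u.query, keep_blank_values=True),
        })
    return reqs


def checkin_clusters(reqs, min_hosts=3):
    """Group GETs by (path, first query parameter name) and count the POSTs that
    follow to the same host+path. A check-in that reuses one path and one
    parameter name across several unrelated hosts from one source process is the
    signal; single-host clusters are ordinary browsing and are dropped."""
    clusters = defaultdict(lambda: {"hosts": set(), "ips": set(), "gets": 0,
                                    "posts": 0, "sources": set()})
    key_for = {}  # (host, path) -> cluster key, so POSTs can be attributed
    for r in reqs:
        if r["method"] != "GET" or not r["query"]:
            continue
        key = (r["path"], r["query"][0][0])
        c = clusters[key]
        c["hosts"].add(r["host"])
        c["ips"].add(r["ip"])
        c["gets"] += 1
        c["sources"].add((r["pid"], r["proc"]))
        key_for[(r["host"], r["path"])] = key
    for r in reqs:
        if r["method"] == "POST" and (r["host"], r["path"]) in key_for:
            clusters[key_for[(r["host"], r["path"])]]["posts"] += 1
    return {k: v for k, v in clusters.items() if len(v["hosts"]) >= min_hosts}


def param_profile(reqs, path):
    """Split the GET parameters seen on `path` into those whose value never
    changes (build/campaign constants, usable in a signature) and those that
    differ per host (the encoded beacon, which a static match will miss)."""
    values = defaultdict(set)
    for r in reqs:
        if r["method"] == "GET" and r["path"] == path:
            for name, value in r["query"]:
                values[name].add(value)
    stable = {n: next(iter(v)) for n, v in values.items() if len(v) == 1}
    varying = {n for n, v in values.items() if len(v) > 1}
    return stable, varying


if __name__ == "__main__":
    reqs = parse_rows(HTTP_ROWS)
    for (path, param), c in checkin_clusters(reqs).items():
        print(f"{path}?{param}=... on {len(c['hosts'])} hosts: "
              f"{c['gets']} GET / {c['posts']} POST from {sorted(c['sources'])}")
        stable, varying = param_profile(reqs, path)
        print("  constant params:", stable, "| per-host params:", sorted(varying))
        print("  hosts:", sorted(c["hosts"]), "ips:", sorted(c["ips"]))
```

Run against the report's rows it yields one cluster, /ki/ with leading parameter yVftqxDh, spanning five hosts with 5 GETs and 11 POSTs, all from (292, explorer.exe); 1b3=o8TpZlH and sql=1 are constant while yVftqxDh differs on every host. The kerxbin.com GET lacks the &sql=1 suffix, which is why the clustering keys on the first parameter name rather than the full parameter set. Note that the 404/403 responses do not mean the check-in failed to reach a live controller: the decoy domains are expected to answer that way, and the report cannot tell which of the five (if any) is the real one.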

Connections

PID Process IP ASN CN Reputation
292 explorer.exe 199.192.30.91:80 US malicious
–– –– 91.184.0.100:80 Hostnet B.V. NL malicious
292 explorer.exe 91.184.0.100:80 Hostnet B.V. NL malicious
292 explorer.exe 162.215.255.133:80 Krypt Technologies US malicious
292 explorer.exe 107.154.192.178:80 Incapsula Inc US malicious
292 explorer.exe 54.36.26.9:80 OVH SAS FR malicious
–– –– 54.36.26.9:80 OVH SAS FR malicious

DNS requests

Domain IP Reputation
www.kerxbin.com 199.192.30.91 malicious
www.zorgeloosontruimen.com 91.184.0.100 malicious
www.dducargo-vancouver.com 162.215.255.133 malicious
www.xf6900.com 107.154.192.178 malicious
www.paycatch.com 54.36.26.9 malicious
www.easyvegefruits.com No response unknown

Threats

PID Process Class Message
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (GET)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
292 explorer.exe A Network Trojan was detected MALWARE [PTsecurity] FormBook CnC Checkin (POST)

12 ETPRO signatures available at the full report

Debug output strings

No debug info.