General Info

File name

ScannerInstallationAssistant.exe

Full analysis
https://app.any.run/tasks/c410ac71-5f44-4094-b028-4dad48b129b9
Verdict
Malicious activity
Analysis date
8/13/2019, 16:49:21
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

0d4f5ff4c29619ee92df0aebc885871b

SHA1

44f8b4ce62bce297cb82a028257d4d6db2cab8cc

SHA256

93c1db9260a12fdb7d9a3f75dab4682a9eaac86037ce9b0567fb7a2e85df3037

SSDEEP

12288:4utPrtlDAs3WLOAjMJa+QaAnuID7hzwy6W9skHWobUCTDh/jhCQ:5tz3DAs3WLOAAs+Q3v7hvpskHWobFZ7Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Renames files like Ransomware
  • Opera.exe (PID: 356)
Application was dropped or rewritten from another process
  • Elevate32.exe (PID: 2392)
  • IsAdmin.exe (PID: 3512)
  • IsAdmin.exe (PID: 3144)
Runs PING.EXE for delay simulation
  • cmd.exe (PID: 2324)
  • cmd.exe (PID: 3888)
Changes internet zones settings
  • reg.exe (PID: 284)
  • reg.exe (PID: 3460)
Starts Internet Explorer
  • Opera.exe (PID: 356)
  • cmd.exe (PID: 2324)
Starts CMD.EXE for commands execution
  • Opera.exe (PID: 356)
  • ScannerInstallationAssistant.exe (PID: 2948)
  • Elevate32.exe (PID: 2392)
Creates files in the program directory
  • Opera.exe (PID: 356)
Executed via COM
  • DllHost.exe (PID: 3464)
Uses RUNDLL32.EXE to load library
  • control.exe (PID: 284)
Executable content was dropped or overwritten
  • ScannerInstallationAssistant.exe (PID: 2948)
Uses REG.EXE to modify Windows registry
  • cmd.exe (PID: 3888)
  • cmd.exe (PID: 2324)
Reads internet explorer settings
  • iexplore.exe (PID: 1996)
Reads Internet Cache Settings
  • iexplore.exe (PID: 3664)
  • iexplore.exe (PID: 1996)
Creates files in the user directory
  • iexplore.exe (PID: 1996)
  • Opera.exe (PID: 356)
Changes internet zones settings
  • iexplore.exe (PID: 3652)
  • iexplore.exe (PID: 2916)
Application launched itself
  • iexplore.exe (PID: 2916)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (67.4%)
.dll
|   Win32 Dynamic Link Library (generic) (14.2%)
.exe
|   Win32 Executable (generic) (9.7%)
.exe
|   Generic Win/DOS Executable (4.3%)
.exe
|   DOS Executable Generic (4.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2010:03:15 07:27:58+01:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
49152
InitializedDataSize:
144896
UninitializedDataSize:
null
EntryPoint:
0x913f
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
15-Mar-2010 06:27:58
Detected languages
English - United States
Process Default Language
Debug artifacts
d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000E8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
15-Mar-2010 06:27:58
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x0000BE8F 0x0000C000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.52204
.rdata 0x0000D000 0x00001855 0x00001A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.17849
.data 0x0000F000 0x00019CB8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 1.31023
.CRT 0x00029000 0x00000010 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.213101
.rsrc 0x0002A000 0x0002178C 0x00021800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 7.54973
Resources
1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

100

101

ASKNEXTVOL

GETPASSWORD1

LICENSEDLG

RENAMEDLG

REPLACEFILEDLG

STARTDLG

Imports
    COMCTL32.dll

    KERNEL32.dll

    USER32.dll

    GDI32.dll

    ADVAPI32.dll

    SHELL32.dll

    ole32.dll

    OLEAUT32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
68
Monitored processes
24
Malicious processes
6
Suspicious processes
2

Behavior graph

+
start scannerinstallationassistant.exe cmd.exe no specs mode.com no specs ping.exe no specs reg.exe no specs isadmin.exe no specs elevate32.exe no specs cmd.exe mode.com no specs ping.exe no specs reg.exe no specs isadmin.exe no specs ping.exe no specs control.exe no specs rundll32.exe no specs appwiz.cpl no specs opera.exe no specs iexplore.exe iexplore.exe cmd.exe no specs reg.exe no specs find.exe no specs iexplore.exe no specs iexplore.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2948
CMD
"C:\Users\admin\AppData\Local\Temp\ScannerInstallationAssistant.exe"
Path
C:\Users\admin\AppData\Local\Temp\ScannerInstallationAssistant.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\scannerinstallationassistant.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
3888
CMD
cmd /c ""C:\Users\admin\AppData\Local\Temp\InstallAssist.bat" https://direct.imagedepositgateway.com/Documentation/Scanners/Drivers 16.0 15.0 2"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ScannerInstallationAssistant.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mode.com
c:\windows\system32\ping.exe
c:\windows\system32\reg.exe
c:\users\admin\appdata\local\temp\isadmin.exe
c:\users\admin\appdata\local\temp\elevate32.exe

PID
2644
CMD
mode con: cols=80 lines=50
Path
C:\Windows\system32\mode.com
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
DOS Device MODE Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mode.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ureg.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3696
CMD
ping 127.0.0.1 -n 3 -w 500
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

PID
284
CMD
REG IMPORT "C:\Users\admin\AppData\Local\Temp\\IntConf.reg"
Path
C:\Windows\system32\reg.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3144
CMD
"C:\Users\admin\AppData\Local\Temp\\isadmin.exe"
Path
C:\Users\admin\AppData\Local\Temp\IsAdmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Description
Version
7.2.0.0
Modules
Image
c:\users\admin\appdata\local\temp\isadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2392
CMD
"C:\Users\admin\AppData\Local\Temp\\Elevate32.exe" -q -- "C:\Users\admin\AppData\Local\Temp\InstallAssist.bat" https://direct.imagedepositgateway.com/Documentation/Scanners/Drivers 16.0 15.0 1
Path
C:\Users\admin\AppData\Local\Temp\Elevate32.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Runs a program elevated
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\elevate32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\version.dll
c:\windows\system32\cmd.exe

PID
2324
CMD
"C:\Windows\System32\cmd.exe" /C "C:\Users\admin\AppData\Local\Temp\InstallAssist.bat" https://direct.imagedepositgateway.com/Documentation/Scanners/Drivers 16.0 15.0 1
Path
C:\Windows\System32\cmd.exe
Indicators
Parent process
Elevate32.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mode.com
c:\users\admin\appdata\local\temp\isadmin.exe
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\control.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\find.exe
c:\program files\internet explorer\iexplore.exe

PID
3292
CMD
mode con: cols=80 lines=50
Path
C:\Windows\system32\mode.com
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
DOS Device MODE Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\mode.com
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ureg.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3192
CMD
ping 127.0.0.1 -n 3 -w 500
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

PID
3460
CMD
REG IMPORT "C:\Users\admin\AppData\Local\Temp\\IntConf.reg"
Path
C:\Windows\system32\reg.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3512
CMD
"C:\Users\admin\AppData\Local\Temp\\isadmin.exe"
Path
C:\Users\admin\AppData\Local\Temp\IsAdmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\isadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2284
CMD
ping 127.0.0.1 -n 3 -w 500
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

PID
284
CMD
"C:\Windows\System32\control.exe" "C:\Windows\system32\appwiz.cpl",
Path
C:\Windows\System32\control.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Control Panel
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\reg.exe
c:\windows\system32\control.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rundll32.exe

PID
3176
CMD
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\appwiz.cpl",
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
control.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\propsys.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\appwiz.cpl
c:\windows\system32\atl.dll
c:\windows\system32\duser.dll
c:\windows\system32\msi.dll
c:\windows\system32\osbaseln.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\dui70.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\actxprxy.dll

PID
3464
CMD
C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
Path
C:\Windows\system32\DllHost.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\appwiz.cpl
c:\windows\system32\atl.dll
c:\windows\system32\duser.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\osbaseln.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll

PID
356
CMD
"C:\Program Files\Opera\Opera.exe" /uninstall
Path
C:\Program Files\Opera\Opera.exe
Indicators
No indicators
Parent process
DllHost.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Opera Software
Description
Opera Internet Browser
Version
1748
Modules
Image
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\opera\opera.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\devenum.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\quartz.dll
c:\windows\system32\dllhost.exe
c:\windows\system32\imagehlp.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\dwmapi.dll
c:\program files\adobe\acrobat reader dc\reader\browser\nppdf32.dll
c:\windows\system32\macromed\flash\npswf32_26_0_0_131.dll
c:\program files\java\jre1.8.0_92\bin\dtplugin\npdeployjava1.dll
c:\program files\java\jre1.8.0_92\bin\plugin2\npjp2.dll
c:\progra~1\micros~1\office14\npauthz.dll
c:\progra~1\micros~1\office14\npspwrap.dll
c:\program files\google\update\1.3.34.11\npgoogleupdate3.dll
c:\program files\videolan\vlc\npvlc.dll
c:\program files\adobe\acrobat reader dc\reader\air\nppdf32.dll
c:\windows\system32\taskeng.exe
c:\windows\system32\dwm.exe
c:\windows\explorer.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\windanr.exe
c:\windows\system32\cmd.exe
c:\windows\system32\conhost.exe
c:\windows\system32\twext.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\windows\system32\zipfldr.dll
c:\windows\system32\shdocvw.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\wer.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\program files\internet explorer\iexplore.exe

PID
2916
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
Opera.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mlang.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll

PID
1996
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2916 CREDAT:79873
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\macromed\flash\flash32_26_0_0_131.ocx
c:\windows\system32\winmm.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\mscms.dll
c:\windows\system32\dinput8.dll

PID
2500
CMD
cmd /c ""C:\Program Files\Opera\k.bat" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
Opera.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2708
CMD
REG.exe QUERY HKLM\Hardware\Description\System\CentralProcessor\0 /v Identifier
Path
C:\Windows\system32\reg.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3104
CMD
FIND /I "x86"
Path
C:\Windows\system32\find.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Find String (grep) Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\find.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3652
CMD
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" "https://direct.imagedepositgateway.com/Documentation/Scanners/Drivers/ScannerDriver_SmartSource-64bit.Zip"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll

PID
3664
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3652 CREDAT:79873
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll

Registry activity

Total events
2157
Read events
1788
Write events
358
Delete events
11

Modification events

PID
Process
Operation
Key
Name
Value
2948
ScannerInstallationAssistant.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2948
ScannerInstallationAssistant.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagedepositgateway.com\*
https
2
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
CurrentLevel
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1001
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1206
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1209
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1406
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1407
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1409
3
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1607
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1609
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1806
1
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1809
3
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1A04
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1A05
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1C00
131072
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2101
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2102
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2200
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2201
0
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2301
3
284
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2700
3
2392
Elevate32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2392
Elevate32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2324
cmd.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2324
cmd.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagedepositgateway.com\*
https
2
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
CurrentLevel
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1001
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1206
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1209
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1406
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1407
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1409
3
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1607
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1609
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1806
1
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1809
3
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1A04
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1A05
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
1C00
131072
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2101
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2102
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2200
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2201
0
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2301
3
3460
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
2700
3
284
control.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
284
control.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
356
Opera.exe
write
HKEY_CURRENT_USER\Software\Opera Software
Last CommandLine v2
C:\Program Files\Opera\Opera.exe /uninstall
356
Opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
356
Opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
Favorites
007C01000014001F80C827341F105C1042AA032EE45287D6685200310000000000454B864A11005461736B426172003C0008000400EFBE454B864A454B864A2A000000603E00000000040000000000000000000000000000005400610073006B00420061007200000016001401320085050000454B864A2000494E5445524E7E312E4C4E4B0000A60008000400EFBE454B864A454B864A2A000000613E000000000400000000000000000056000000000049006E007400650072006E006500740020004500780070006C006F007200650072002E006C006E006B000000400043003A005C00570069006E0064006F00770073005C00530079007300740065006D00330032005C00690065003400750069006E00690074002E006500780065002C002D0037003300310000001C00520000001D00EFBE02004D006900630072006F0073006F00660074002E0049006E007400650072006E00650074004500780070006C006F007200650072002E00440065006600610075006C00740000001C000000007601000014001F80C827341F105C1042AA032EE45287D6685200310000000000454B864A11005461736B426172003C0008000400EFBE454B864A454B864A2A000000603E00000000040000000000000000000000000000005400610073006B00420061007200000016000E013200CC040000EE3AB624200057494E444F577E312E4C4E4B00007E0008000400EFBE454B864A454B864A2A000000673E0000000005000000000000000000540000000000570069006E0064006F007700730020004500780070006C006F007200650072002E006C006E006B00000040007300680065006C006C00330032002E0064006C006C002C002D003200320030003600370000001C00740000001D00EFBE02007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000001C000000007801000014001F80C827341F105C1042AA032EE45287D6685200310000000000454B864A11005461736B426172003C0008000400EFBE454B864A454B864A2A000000603E00000000040000000000000000000000000000005400610073006B004200610072000000160010013200EB050000743D33AD200057494E444F577E322E4C4E4B0000A80008000400EFBE454B864A454B864A2A0000006B3E00000000050000000000000000005C0000000000570069006E0064006F007700730020004D006500640069006100200050006C0061007900650072002E006C006E006B000000400043003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C0075006E007200650067006D00700032002E006500780065002C002D00340000001C004C0000001D00EFBE02004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E004D00650064006900610050006C0061007900650072003300320000001C00000000EE00000014001F80C827341F105C1042AA032EE45287D66852003100000000001C4D7D5911005461736B426172003C0008000400EFBE454B864A1C4D7D592A000000603E00000000040000000000000000000000000000005400610073006B0042006100720000001600860032007A0800001C4D59592000474F4F474C457E312E4C4E4B0000500008000400EFBE1C4D7D591C4D7D592A00000097C0000000000100000000000000000000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B0000001C001A0000001D00EFBE02004300680072006F006D00650000001C000000FF
356
Opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
FavoritesChanges
10
356
Opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
FavoritesVersion
2
356
Opera.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.oex\OpenWithProgIDs
356
Opera.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.oex
356
Opera.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Opera.exe\shell\open\command
356
Opera.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Opera.exe\shell\open
356
Opera.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Opera.exe\shell
356
Opera.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\Opera.exe
356
Opera.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Netscape\Netscape Navigator\Opera\main
356
Opera.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Netscape\Netscape Navigator\Opera
356
Opera.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\ShimInclusionList\OPERA.EXE
356
Opera.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Opera 12.15.1748
356
Opera.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail
Opera
356
Opera.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter
65
356
Opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
356
Opera.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive
{B0B1464E-BDD9-11E9-9885-5254004A04AF}
0
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
2
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307080002000D000E00320022004802
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
2
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307080002000D000E00320022005802
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
2916
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
89A88979E651D501
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
2
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307080002000D000E0032002300E402
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
21
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
2
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307080002000D000E00320023005203
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
58
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
2
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307080002000D000E0032002300CF03
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
55
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000093000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
1996
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePrefix
:2019081320190814:
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheLimit
8192
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheOptions
11
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheRepair
0
1996
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Type
1
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
1
1996
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307080002000D000E0032002700A003
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000094000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive
{D0735922-BDD9-11E9-9885-5254004A04AF}
0
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307080002000D000E00330016009602
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307080002000D000E0033001600A602
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
3652
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307080002000D000E00330016004203
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
18
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307080002000D000E00330016006103
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
54
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307080002000D000E00330016008103
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
44
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3664
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000095000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

Files activity

Executable files
3
Suspicious files
11
Text files
23
Unknown types
10

Dropped files

PID
Process
Filename
Type
2948
ScannerInstallationAssistant.exe
C:\Users\admin\AppData\Local\Temp\IsAdmin.exe
executable
MD5: 7a3373f22eec15834dec404c6b2794bb
SHA256: 102f1fb98a7ab61b63c7857e1273d225d422385e054f7f64241508a65c30c8f4
2948
ScannerInstallationAssistant.exe
C:\Users\admin\AppData\Local\Temp\7za.exe
executable
MD5: 42badc1d2f03a8b1e4875740d3d49336
SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
2948
ScannerInstallationAssistant.exe
C:\Users\admin\AppData\Local\Temp\Elevate32.exe
executable
MD5: e2cf3b43e996a1b6048cd67acaa443c3
SHA256: d086b2040a7aea864f96871cf781b8471b91a412bb711d5a1541bb4102db3ae7
3652
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF5FBBA83E2CB8459A.TMP
––
MD5:  ––
SHA256:  ––
3652
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D0735923-BDD9-11E9-9885-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
3652
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{B83C770F-BDD9-11E9-9885-5254004A04AF}.dat
binary
MD5: 262961d2a84a14dba2a73da57ceca537
SHA256: d7514786aa126bf801bfc5e489571f47e4f8db1790625f3c0f1f7016bdc5eba3
3652
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{D789B6A9-BDD9-11E9-9885-5254004A04AF}.dat
binary
MD5: 624e891c25aab59ed4be19623cd6c360
SHA256: 20413613bc108c026b0e7545c2e22bd2c5edfb24be89c70c2984ad8ab5fe080b
3652
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF92F7CF6703796BF6.TMP
––
MD5:  ––
SHA256:  ––
3652
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFFDF1E739E3C678B7.TMP
––
MD5:  ––
SHA256:  ––
3652
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
1996
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
2916
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFC368A4F199C1C0F4.TMP
––
MD5:  ––
SHA256:  ––
2916
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B0B1464E-BDD9-11E9-9885-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
1996
iexplore.exe
C:\Users\admin\AppData\Local\Temp\JavaDeployReg.log
text
MD5: adcccbcf5e603523b4116ea4991f608d
SHA256: 50f6303d633f27cf0943dfa6808391775a6fe83da0affeff0ff3051e18b3b69d
2916
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF056127FE5AB49F0B.TMP
––
MD5:  ––
SHA256:  ––
2916
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B0B1464F-BDD9-11E9-9885-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
2916
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{B83C7710-BDD9-11E9-9885-5254004A04AF}.dat
binary
MD5: 7851bf7ee32ea5110dc7b58b8ed8e2ae
SHA256: 0fda4c5e7b7d14fa028738f268a6699a2d3bf795fa00b1b1ba8817e0d302c690
2916
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{B83C770F-BDD9-11E9-9885-5254004A04AF}.dat
binary
MD5: f59c95c3d7caa8ef297339f2cd8c8df6
SHA256: fafafd41a8a08d2bb8e10645e100b0d385bcd77117d3c436cb13340ad24e6d5d
2916
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFD81EF7ED1F55C9A6.TMP
––
MD5:  ––
SHA256:  ––
2916
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFC9A5E85DEAC76FDD.TMP
––
MD5:  ––
SHA256:  ––
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\js[1]
text
MD5: 11506cba81b20cc127c44497dbd43c52
SHA256: db946c299d939443029dd04400d6b6c032e9e67ca913695c6a99aa2ac0be2e93
1996
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 526f84da33d872cb7ad72c3648a93f28
SHA256: b9187a3279c20e1dd67995c1beaf0d006cd5030a7b14b7bf1a9608edc0d6c142
1996
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
––
MD5:  ––
SHA256:  ––
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\gtm[1].js
text
MD5: 5041c6386a74fd5e2eac1625ac8d1cde
SHA256: 3aa91246660a29f8b44c5696c54e5d3421ba16355392942799ea6548da14893d
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
image
MD5: 94e3b24366e3faaceae2583c84668c09
SHA256: 07e8d69985547e670f5752809928fb887516ddd67e56d24c1323b4abc88723b3
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\analytics[1].js
text
MD5: a477b40dcc869e74d6414e8e42e36844
SHA256: cec3748d0c3da4700300d5424aaea375b03550b0ee8b3dd38e242c4022261446
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: 1ff42ca6ada1dbbb0867773b509bf51e
SHA256: 800b493ed0b2b07f5a0336a2cef36a67ee17ef2c17a343edc3c2a9a5614c0965
1996
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
dat
MD5: 7edad93130d62011092ad5b6f8c7f27d
SHA256: 2076cc8d06ca7b5e07a0a37275c1ee15e0fbf0ab01d4f43bf6614964fedbf19d
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\win_screens[1].jpg
image
MD5: ff3c4552fe27f0b4ce5daf2e05dd5799
SHA256: c9614d18b68395c380bdb5e1d3f8bfc2afbc5901984d49fba8cdbf7423b31dfe
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\opera-logo[1].gif
image
MD5: 67cdff761dca1d07a58843e244fe7154
SHA256: 00b629289278bd3f3ed177904585c9af2b55f51f4a13848bdbc0b0f4aebcd46e
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\windows-download-icon[1].gif
image
MD5: 15ec6120c2033c37ba8de2ab6cdd56e6
SHA256: 4424caaeaec6ca123f80bc11e451275b83c41113b7e9a419562c0b14853ca839
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\browserinfo[1].js
text
MD5: 9d7abc4b579dd48d56e486afbbe94712
SHA256: 21250c89585f0d8a893cbeee1a83c57504c48ec3ed5f208d03e3baeea157e3be
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\linkfeedback[1].js
text
MD5: f2076bd92047a97ce0fc82fe4ee81302
SHA256: 1df52f4ecc284d23e337f025c4c19391ce0bff6ef8a5145e6e41790f17953645
1996
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: d6c10d21c3753cb1f50a4e2b1e321e54
SHA256: ba97c41d0daa4937fba34baf728735edf46aaf65b2434214956afc10b390a200
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ie-simple[1].htm
html
MD5: cf85b4d9721082dcc1d2972cd350fd54
SHA256: d1b51b307cc70a99905ad17219d5e7dd1b81eb43e17efe7918153b19bdd1104f
1996
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ie-simple[1].txt
––
MD5:  ––
SHA256:  ––
2916
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2916
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
2916
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
––
MD5:  ––
SHA256:  ––
356
Opera.exe
C:\Program Files\Opera\k.bat
text
MD5: 2a855f43fa2b156b2a83b4010dfdd91c
SHA256: e33dedfe3de1a6dae5193e974ebf3477de582dc08b62f0f7f32500788a3ba3f4
356
Opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat
––
MD5:  ––
SHA256:  ––
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\application_cache\mcache\vlink4.dat
binary
MD5: 9b7e1769f56deedd364f9c444e75f7d8
SHA256: 90c916114e174bfceeb6bd5066b6d0810b53c55870284d290599e127c4c907a1
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\application_cache\mcache\dcache4.url
binary
MD5: 269abfcdb8eb1886306172aad82c919b
SHA256: 6e5005153bf4250978bd0f260f94b47abfa8b8676b36d7e8b8b1703c36c47f59
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\revocation\vlink4.dat
binary
MD5: 9b7e1769f56deedd364f9c444e75f7d8
SHA256: 90c916114e174bfceeb6bd5066b6d0810b53c55870284d290599e127c4c907a1
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\application_cache\mcache\oprC6E1.tmp
––
MD5:  ––
SHA256:  ––
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\revocation\oprC6D1.tmp
––
MD5:  ––
SHA256:  ––
356
Opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat
binary
MD5: 9b7e1769f56deedd364f9c444e75f7d8
SHA256: 90c916114e174bfceeb6bd5066b6d0810b53c55870284d290599e127c4c907a1
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\revocation\dcache4.url
binary
MD5: e452c0391908b546eca0dd1a4019d50a
SHA256: fa560e81f1f74db3b88e030c8267e3490f9d544e2e7ec488579fc2f9d6643185
356
Opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprC6C0.tmp
––
MD5:  ––
SHA256:  ––
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\dcache4.url
binary
MD5: e452c0391908b546eca0dd1a4019d50a
SHA256: fa560e81f1f74db3b88e030c8267e3490f9d544e2e7ec488579fc2f9d6643185
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\opcache\dcache4.url
binary
MD5: e452c0391908b546eca0dd1a4019d50a
SHA256: fa560e81f1f74db3b88e030c8267e3490f9d544e2e7ec488579fc2f9d6643185
356
Opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
––
MD5:  ––
SHA256:  ––
356
Opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat
––
MD5:  ––
SHA256:  ––
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\vps\0000\wb.vx
abr
MD5: 92e9c1cacdf89ee367f1defbe237750c
SHA256: de74d00b0be06c30ca17e1ff973617de8bf1571a24045b02fd505f614b6f3bee
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\vps\0000\md.dat
abr
MD5: 4ccacb766afadcd2ae4c65e5eceaaec6
SHA256: b1c5eb9953002e3716807485e54ff249f2b7f4884083447eff8f38de1694f9a5
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\application_cache\cache_groups.xml
xml
MD5: 0c3d13ca7a1b93960f71a49613f4aa5c
SHA256: eb9eaf372a1df1d4d3f389bb09f05b0cd8a1dbd838ae1247f34b36fa7566bb5a
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\vps\0000\url.axx
abr
MD5: 04a1fb3bc2cdb697eec281ee1042d2aa
SHA256: dd9efd68d8bdb8cdabdee048202e38644ef8a9f7028d3e15643a3eca56f10b2b
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\vps\0000\w.axx
abr
MD5: 04a1fb3bc2cdb697eec281ee1042d2aa
SHA256: dd9efd68d8bdb8cdabdee048202e38644ef8a9f7028d3e15643a3eca56f10b2b
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\vps\0000\adoc.bx
abr
MD5: ad973d69060c288cf7c70e9ada4b4b81
SHA256: 998c3980d784c306a7b833e7fb914c731d3935d4b94894ba809bd90b11d7f496
356
Opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml
xml
MD5: fce6a093a5af54a47ed465295e9c373b
SHA256: 2d60c9a416da348a79027cd2a38cac11f2c208681ffad4d40e918d834ffc70f1
356
Opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml
xml
MD5: 8f9bc25082526679d20832e134280689
SHA256: 0fede19a884e68af700217770d350b22bfe9cee4cf87ba9438d50f2341a85b2c
356
Opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini
––
MD5:  ––
SHA256:  ––
356
Opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprC6A0.tmp
––
MD5:  ––
SHA256:  ––
356
Opera.exe
C:\Program Files\Opera\opera_install_log.xml.12.15.bak
xml
MD5: 93ac890124b400a5b2cc2e0e0a16e610
SHA256: d1308e000830a8b429ece97d113f475c2d15de9d50c6fa2861fa0206402f5229
356
Opera.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk.12.15.bak
lnk
MD5: 2c94cf6757670e81f91255d4bb3c43e5
SHA256: f094f1a9dc078bc89d9046679d1ddc1e5710cc26aed46c9223866af5c5e4ffce
356
Opera.exe
C:\Users\Public\Desktop\Opera.lnk.12.15.bak
lnk
MD5: 2f9d14b95db3d8a35729ce5c5c1fa090
SHA256: d4148a8d1b6b0539a1492acfae4d328614d184a990ffb64d830dfef968a9606b
356
Opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\CACHEDIR.TAG
text
MD5: e717f92fa29ae97dbe4f6f5c04b7a3d9
SHA256: 5bbd5dcbf87fd8cd7544c522badf22a2951cf010ad9f25c40f9726f09ea2b552
2948
ScannerInstallationAssistant.exe
C:\Users\admin\AppData\Local\Temp\InstallAssist.bat
text
MD5: 70c61e8190ac38534e7bb562f83ffd7d
SHA256: f19c0d95902f4006d6f61a7d39d19d5e310ae27add679ada01684158d208e001
3652
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF902991DF4AB6AA80.TMP
––
MD5:  ––
SHA256:  ––
3664
iexplore.exe
C:\Users\admin\AppData\Local\Temp\JavaDeployReg.log
text
MD5: b8c3b6bc9ea20e9bca5cd692a6227dbf
SHA256: 9097e6d2597e8ee7d57c81593260ba361a68c9a1e06662cde668cef81bd09d4b
2948
ScannerInstallationAssistant.exe
C:\Users\admin\AppData\Local\Temp\IntConf.reg
text
MD5: a5fcc70938f1bcfb3d3b8e59590168e8
SHA256: f87e233de8016fc5c5b61ff7b9dca3e40978d3cb895f1f5a790722f9df199a1e
3652
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D0735922-BDD9-11E9-9885-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
3
TCP/UDP connections
12
DNS requests
11
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
1996 iexplore.exe GET 302 185.26.182.109:80 http://redir.opera.com/uninstallsurvey/?version=12.15.1748&firstruntime=1535456794 unknown
html
whitelisted
2916 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US
image
whitelisted
1996 iexplore.exe GET 301 18.197.61.146:80 http://www.opera.com/client/upgraded/ DE
html
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
1996 iexplore.exe 185.26.182.109:80 Opera Software AS –– unknown
2916 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
1996 iexplore.exe 18.197.61.146:80 Amazon.com, Inc. DE unknown
1996 iexplore.exe 18.197.61.146:443 Amazon.com, Inc. DE unknown
1996 iexplore.exe 172.217.22.40:443 Google Inc. US whitelisted
1996 iexplore.exe 216.58.208.46:443 Google Inc. US whitelisted
1996 iexplore.exe 185.60.216.19:443 Facebook, Inc. IE whitelisted
1996 iexplore.exe 77.88.21.119:443 YANDEX LLC RU whitelisted
1996 iexplore.exe 147.75.32.75:443 Packet Host, Inc. US unknown
3664 iexplore.exe 2.16.187.64:443 Akamai International B.V. –– whitelisted

DNS requests

Domain IP Reputation
redir.opera.com 185.26.182.109
185.26.182.110
whitelisted
www.bing.com 204.79.197.200
13.107.21.200
whitelisted
www.opera.com 18.197.61.146
54.93.140.60
whitelisted
www.google-analytics.com 216.58.208.46
whitelisted
www.googletagmanager.com 172.217.22.40
whitelisted
static.hotjar.com 147.75.32.75
147.75.83.123
147.75.204.150
147.75.204.174
147.75.84.99
147.75.102.227
147.75.83.125
147.75.204.222
whitelisted
connect.facebook.net 185.60.216.19
whitelisted
mc.yandex.ru 77.88.21.119
87.250.250.119
87.250.251.119
93.158.134.119
whitelisted
direct.imagedepositgateway.com 2.16.187.64
2.16.187.40
unknown

Threats

No threats detected.

Debug output strings

No debug info.