General Info

File name

storage.scr

Full analysis
https://app.any.run/tasks/c20f958a-2230-4889-96b7-68bd1eb57c3b
Verdict
Malicious activity
Analysis date
7/11/2019, 20:19:35
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

4a3d629a649b025576aa9f7d701bcd77

SHA1

8dd19b4ea306ec0b3a0ec7c3249c1e36e49dbcbe

SHA256

995046c286b75fcf0d63610cfed339bf77015abbaab9b8c29f3b67860e6b832c

SSDEEP

6144:E1QMivgpQ25+yApTCg3cz6ufWeLuIrybTQg9o214QTB2I/51pftDKHpDbU69SWvG:0QMiG+2gef5x/xQTB2OfDKC7Wgca

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Changes appearance of the explorer extensions
  • ccors.exe (PID: 1940)
  • ccors.exe (PID: 2876)
  • gegcazmfdfb.exe (PID: 2796)
Disables registry editing tools (regedit)
  • ccors.exe (PID: 1940)
  • ccors.exe (PID: 2876)
  • gegcazmfdfb.exe (PID: 2796)
Application was dropped or rewritten from another process
  • ccors.exe (PID: 1940)
  • ccors.exe (PID: 2876)
  • gegcazmfdfb.exe (PID: 2796)
Changes the login/logoff helper path in the registry
  • ccors.exe (PID: 1940)
  • ccors.exe (PID: 2876)
  • gegcazmfdfb.exe (PID: 2796)
Changes the autorun value in the registry
  • ccors.exe (PID: 1940)
  • ccors.exe (PID: 2876)
  • gegcazmfdfb.exe (PID: 2796)
UAC/LUA settings modification
  • ccors.exe (PID: 2876)
  • ccors.exe (PID: 1940)
  • gegcazmfdfb.exe (PID: 2796)
Creates files in the program directory
  • ccors.exe (PID: 2876)
Executable content was dropped or overwritten
  • gegcazmfdfb.exe (PID: 2796)
  • storage.scr (PID: 3712)
Dropped object may contain Bitcoin addresses
  • gegcazmfdfb.exe (PID: 2796)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (42.2%)
.exe
|   Win64 Executable (generic) (37.3%)
.dll
|   Win32 Dynamic Link Library (generic) (8.8%)
.exe
|   Win32 Executable (generic) (6%)
.exe
|   Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2008:12:07 08:53:27+01:00
PEType:
PE32
LinkerVersion:
7.1
CodeSize:
20480
InitializedDataSize:
446464
UninitializedDataSize:
null
EntryPoint:
0x2095
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
07-Dec-2008 07:53:27
Detected languages
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
4
Time date stamp:
07-Dec-2008 07:53:27
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x00004C2E 0x00005000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.43598
.rdata 0x00006000 0x0000138A 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 3.35663
.data 0x00008000 0x00064938 0x00065000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.02347
.rsrc 0x0006D000 0x00005110 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.31833
Resources
1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

Imports
    KERNEL32.dll

    SHELL32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
43
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

+
drop and start start drop and start drop and start storage.scr gegcazmfdfb.exe ccors.exe ccors.exe regedit.exe no specs regedit.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3712
CMD
"C:\Users\admin\AppData\Local\Temp\storage.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\storage.scr
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\storage.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\gegcazmfdfb.exe

PID
2796
CMD
"C:\Users\admin\AppData\Local\Temp\gegcazmfdfb.exe" "c:\users\admin\appdata\local\temp\storage.scr*/S"
Path
C:\Users\admin\AppData\Local\Temp\gegcazmfdfb.exe
Indicators
Parent process
storage.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\gegcazmfdfb.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\schedcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\ccors.exe

PID
2876
CMD
"C:\Users\admin\AppData\Local\Temp\ccors.exe" "-C:\Users\admin\AppData\Local\Temp\zkhvhzkatjpszadh.exe"
Path
C:\Users\admin\AppData\Local\Temp\ccors.exe
Indicators
Parent process
gegcazmfdfb.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\ccors.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\schedcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sspicli.dll
c:\windows\regedit.exe
c:\windows\system32\mpr.dll

PID
1940
CMD
"C:\Users\admin\AppData\Local\Temp\ccors.exe" "-C:\Users\admin\AppData\Local\Temp\zkhvhzkatjpszadh.exe"
Path
C:\Users\admin\AppData\Local\Temp\ccors.exe
Indicators
Parent process
gegcazmfdfb.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\ccors.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\schedcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll

PID
1916
CMD
"regedit.exe" "C:\Users\admin\AppData\Local\Temp\zevdjvakxh.reg"
Path
C:\Windows\regedit.exe
Indicators
No indicators
Parent process
ccors.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Registry Editor
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\regedit.exe
c:\systemroot\system32\ntdll.dll

PID
3036
CMD
"regedit.exe" "C:\Users\admin\AppData\Local\Temp\zevdjvakxh.reg"
Path
C:\Windows\regedit.exe
Indicators
Parent process
ccors.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Registry Editor
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\regedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\authz.dll
c:\windows\system32\aclui.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ulib.dll
c:\windows\system32\clb.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\duser.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\cryptbase.dll

Registry activity

Total events
1186
Read events
1064
Write events
122
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3712
storage.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3712
storage.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA
0
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
acqvyhj
gsqfslxoizgksuydw.exe
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
pshnrbem
ncdvlhwqnhryjovdzpef.exe .
2796
gegcazmfdfb.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
zevdjvakxh
gsqfslxoizgksuydw.exe
2796
gegcazmfdfb.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
uasbivbmalm
zkhvhzkatjpszadh.exe .
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
qysdmbjwmzccg
C:\Users\admin\AppData\Local\Temp\csunebrmkfqykqyhevlng.exe
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ryrbjxeqfrts
C:\Users\admin\AppData\Local\Temp\aoofupdwsluakoubwlz.exe .
2796
gegcazmfdfb.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
acqvyhj
C:\Users\admin\AppData\Local\Temp\aoofupdwsluakoubwlz.exe
2796
gegcazmfdfb.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
pshnrbem
C:\Users\admin\AppData\Local\Temp\ncdvlhwqnhryjovdzpef.exe .
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin
0
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorUser
0
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableInstallerDetection
0
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableSecureUIAPaths
0
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableVirtualization
0
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
PromptOnSecureDesktop
0
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ValidateAdminCodeSignatures
0
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
FilterAdministratorToken
0
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
145
2796
gegcazmfdfb.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2796
gegcazmfdfb.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
acqvyhj
aoofupdwsluakoubwlz.exe
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
pshnrbem
pcbrfzmezrzenqvbvj.exe .
2796
gegcazmfdfb.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
zevdjvakxh
csunebrmkfqykqyhevlng.exe
2796
gegcazmfdfb.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
uasbivbmalm
aoofupdwsluakoubwlz.exe .
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
qysdmbjwmzccg
C:\Users\admin\AppData\Local\Temp\pcbrfzmezrzenqvbvj.exe
2796
gegcazmfdfb.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ryrbjxeqfrts
C:\Users\admin\AppData\Local\Temp\csunebrmkfqykqyhevlng.exe .
2796
gegcazmfdfb.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
acqvyhj
C:\Users\admin\AppData\Local\Temp\csunebrmkfqykqyhevlng.exe
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA
0
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
acqvyhj
pcbrfzmezrzenqvbvj.exe
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
pshnrbem
aoofupdwsluakoubwlz.exe .
2876
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
zevdjvakxh
csunebrmkfqykqyhevlng.exe
2876
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
uasbivbmalm
aoofupdwsluakoubwlz.exe .
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
qysdmbjwmzccg
C:\Users\admin\AppData\Local\Temp\pcbrfzmezrzenqvbvj.exe
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ryrbjxeqfrts
C:\Users\admin\AppData\Local\Temp\zkhvhzkatjpszadh.exe .
2876
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
acqvyhj
C:\Users\admin\AppData\Local\Temp\pcbrfzmezrzenqvbvj.exe
2876
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
pshnrbem
C:\Users\admin\AppData\Local\Temp\aoofupdwsluakoubwlz.exe .
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin
0
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorUser
0
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableInstallerDetection
0
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableSecureUIAPaths
0
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableVirtualization
0
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
PromptOnSecureDesktop
0
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ValidateAdminCodeSignatures
0
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
FilterAdministratorToken
0
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
145
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
acqvyhj
csunebrmkfqykqyhevlng.exe
2876
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
zevdjvakxh
aoofupdwsluakoubwlz.exe
2876
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
uasbivbmalm
csunebrmkfqykqyhevlng.exe .
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
qysdmbjwmzccg
C:\Users\admin\AppData\Local\Temp\ncdvlhwqnhryjovdzpef.exe
2876
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ryrbjxeqfrts
C:\Users\admin\AppData\Local\Temp\csunebrmkfqykqyhevlng.exe .
2876
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
pshnrbem
C:\Users\admin\AppData\Local\Temp\ncdvlhwqnhryjovdzpef.exe .
2876
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2876
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA
0
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
acqvyhj
zkhvhzkatjpszadh.exe
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
pshnrbem
pcbrfzmezrzenqvbvj.exe .
1940
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
zevdjvakxh
gsqfslxoizgksuydw.exe
1940
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
uasbivbmalm
zkhvhzkatjpszadh.exe .
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
qysdmbjwmzccg
C:\Users\admin\AppData\Local\Temp\ncdvlhwqnhryjovdzpef.exe
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ryrbjxeqfrts
C:\Users\admin\AppData\Local\Temp\aoofupdwsluakoubwlz.exe .
1940
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
acqvyhj
C:\Users\admin\AppData\Local\Temp\gsqfslxoizgksuydw.exe
1940
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
pshnrbem
C:\Users\admin\AppData\Local\Temp\aoofupdwsluakoubwlz.exe .
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorAdmin
0
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ConsentPromptBehaviorUser
0
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableInstallerDetection
0
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableSecureUIAPaths
0
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableVirtualization
0
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
PromptOnSecureDesktop
0
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ValidateAdminCodeSignatures
0
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
FilterAdministratorToken
0
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
145
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
acqvyhj
pcbrfzmezrzenqvbvj.exe
1940
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
uasbivbmalm
pcbrfzmezrzenqvbvj.exe .
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
qysdmbjwmzccg
C:\Users\admin\AppData\Local\Temp\zkhvhzkatjpszadh.exe
1940
ccors.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ryrbjxeqfrts
C:\Users\admin\AppData\Local\Temp\pcbrfzmezrzenqvbvj.exe .
1940
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
acqvyhj
C:\Users\admin\AppData\Local\Temp\ncdvlhwqnhryjovdzpef.exe
1940
ccors.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
pshnrbem
C:\Users\admin\AppData\Local\Temp\csunebrmkfqykqyhevlng.exe .

Files activity

Executable files
10
Suspicious files
6
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3712
storage.scr
C:\Users\admin\AppData\Local\Temp\gegcazmfdfb.exe
executable
MD5: 304415df6ad55a90301aa8158e5e3582
SHA256: 34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d
2796
gegcazmfdfb.exe
C:\Users\admin\AppData\Local\Temp\pcbrfzmezrzenqvbvj.exe
executable
MD5: 4a3d629a649b025576aa9f7d701bcd77
SHA256: 995046c286b75fcf0d63610cfed339bf77015abbaab9b8c29f3b67860e6b832c
2796
gegcazmfdfb.exe
C:\Users\admin\AppData\Local\Temp\zkhvhzkatjpszadh.exe
executable
MD5: 4a3d629a649b025576aa9f7d701bcd77
SHA256: 995046c286b75fcf0d63610cfed339bf77015abbaab9b8c29f3b67860e6b832c
2796
gegcazmfdfb.exe
C:\Users\admin\AppData\Local\Temp\aoofupdwsluakoubwlz.exe
executable
MD5: 4a3d629a649b025576aa9f7d701bcd77
SHA256: 995046c286b75fcf0d63610cfed339bf77015abbaab9b8c29f3b67860e6b832c
2796
gegcazmfdfb.exe
C:\Users\admin\AppData\Local\Temp\ccors.exe
executable
MD5: 9200e98a0c49edec2dd19f5a7cf2ee49
SHA256: decdb7b9c23bdd713fd8546e22222e2ac7741c022311e823ea6302114fcd5ebd
2796
gegcazmfdfb.exe
C:\Users\admin\AppData\Local\Temp\ccors.exe
executable
MD5: 304415df6ad55a90301aa8158e5e3582
SHA256: 34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d
2796
gegcazmfdfb.exe
C:\Users\admin\AppData\Local\Temp\ncdvlhwqnhryjovdzpef.exe
executable
MD5: 4a3d629a649b025576aa9f7d701bcd77
SHA256: 995046c286b75fcf0d63610cfed339bf77015abbaab9b8c29f3b67860e6b832c
2796
gegcazmfdfb.exe
C:\Users\admin\AppData\Local\Temp\gsqfslxoizgksuydw.exe
executable
MD5: 4a3d629a649b025576aa9f7d701bcd77
SHA256: 995046c286b75fcf0d63610cfed339bf77015abbaab9b8c29f3b67860e6b832c
2796
gegcazmfdfb.exe
C:\Users\admin\AppData\Local\Temp\tknhzxokjfranudnlduxrj.exe
executable
MD5: 4a3d629a649b025576aa9f7d701bcd77
SHA256: 995046c286b75fcf0d63610cfed339bf77015abbaab9b8c29f3b67860e6b832c
2796
gegcazmfdfb.exe
C:\Users\admin\AppData\Local\Temp\csunebrmkfqykqyhevlng.exe
executable
MD5: 4a3d629a649b025576aa9f7d701bcd77
SHA256: 995046c286b75fcf0d63610cfed339bf77015abbaab9b8c29f3b67860e6b832c
2876
ccors.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\mkuvuzxagjcsmaqhmljtutywz.ibr
binary
MD5: 86540a1314a13c057f4ebb3159dad2e0
SHA256: 2c41308512edc91224f9a7c19e9dfd4e18430b144866955c84d769eb5d933fea
2876
ccors.exe
C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\mkuvuzxagjcsmaqhmljtutywz.ibr
binary
MD5: 86540a1314a13c057f4ebb3159dad2e0
SHA256: 2c41308512edc91224f9a7c19e9dfd4e18430b144866955c84d769eb5d933fea
2876
ccors.exe
C:\Users\admin\AppData\Local\Temp\mkuvuzxagjcsmaqhmljtutywz.ibr
binary
MD5: 86540a1314a13c057f4ebb3159dad2e0
SHA256: 2c41308512edc91224f9a7c19e9dfd4e18430b144866955c84d769eb5d933fea
2876
ccors.exe
C:\Users\admin\AppData\Local\mkuvuzxagjcsmaqhmljtutywz.ibr
binary
MD5: 86540a1314a13c057f4ebb3159dad2e0
SHA256: 2c41308512edc91224f9a7c19e9dfd4e18430b144866955c84d769eb5d933fea
2876
ccors.exe
C:\Users\admin\AppData\Local\VirtualStore\Windows\mkuvuzxagjcsmaqhmljtutywz.ibr
binary
MD5: 86540a1314a13c057f4ebb3159dad2e0
SHA256: 2c41308512edc91224f9a7c19e9dfd4e18430b144866955c84d769eb5d933fea
2876
ccors.exe
C:\Users\admin\AppData\Local\Temp\zevdjvakxh.reg
text
MD5: a8702bdff482e47b2e74b115ffaaf779
SHA256: 15bd561433c476cb5e4ad5eb3afe7eca32841149ffdc21e1d33181532669ee6b

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.