General Info

File name

9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad

Full analysis
https://app.any.run/tasks/3a5cf748-59d5-4e72-a1e7-fe4a47d5b485
Verdict
Malicious activity
Analysis date
4/15/2019, 08:06:14
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5

9b49fec7e03c33277f188a2819b8d726

SHA1

a7b6b4a0ecbeab9075c3e36ec2586ce8debbbc4f

SHA256

9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad

SSDEEP

1536:mOC0FvV4OguHxjhpA4Bm7uW0vSUsghQevBFkutIbgTuFqKRr0aF5frleGhd9TfBi:mwV4OgSzBmh04eZFkz3Rr0gwGj9Tf8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was injected by another process
  • windanr.exe (PID: 2140)
  • explorer.exe (PID: 252)
  • dwm.exe (PID: 2016)
Writes to a start menu file
  • iexplore.exe (PID: 3620)
Runs injected code in another process
  • iexplore.exe (PID: 3812)
Starts Internet Explorer
  • 9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad.exe (PID: 2916)
Creates files in the program directory
  • iexplore.exe (PID: 3620)
Creates files in the user directory
  • iexplore.exe (PID: 3620)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Generic Win/DOS Executable (50%)
.exe
|   DOS Executable Generic (49.9%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2007:08:23 07:00:50+02:00
PEType:
PE32
LinkerVersion:
7.4
CodeSize:
77824
InitializedDataSize:
32768
UninitializedDataSize:
237568
EntryPoint:
0x4d240
OSVersion:
5
ImageVersion:
7.2
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
23-Aug-2007 05:00:50
Detected languages
Russian - Russia
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000088
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
23-Aug-2007 05:00:50
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
UPX0 0x00001000 0x0003A000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
UPX1 0x0003B000 0x00013000 0x00012400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.97255
.rsrc 0x0004E000 0x00020000 0x00008000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.99873
Resources
1

2

3

4

5

6

7

8

9

10

11

12

Imports
    KERNEL32.DLL

    user32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
33
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

+
start inject inject inject 9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad.exe no specs iexplore.exe iexplore.exe no specs dwm.exe explorer.exe windanr.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2016
CMD
"C:\Windows\system32\Dwm.exe"
Path
C:\Windows\System32\dwm.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Desktop Window Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmredir.dll
c:\windows\system32\dwmcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
252
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\tquery.dll
c:\program files\microsoft office\office14\onfilter.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\users\admin\appdata\local\temp\9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad.exe

PID
2140
CMD
"windanr.exe"
Path
C:\Windows\system32\windanr.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\windanr.exe
c:\windows\system32\kernel32.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winanr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsanr.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll

PID
2916
CMD
"C:\Users\admin\AppData\Local\Temp\9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad.exe"
Path
C:\Users\admin\AppData\Local\Temp\9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\apphelp.dll

PID
3620
CMD
"C:\Program Files\Internet Explorer\iexplore.exe"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

PID
3812
CMD
"C:\Program Files\Internet Explorer\iexplore.exe"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
No indicators
Parent process
9d3a78f72dbd7351a999d6fd6f60b0c6ba79bc4279a347fd590af94a0224afad.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
879
Read events
865
Write events
14
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
APPSTARTING
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
ARROW
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
CROSS
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
HAND
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
HELP
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
IBEAM
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
NO
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
SIZEALL
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
SIZENESW
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
SIZENS
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
SIZENWSE
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
SIZEWE
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
UPARROW
%SystemRoot%\cursors\clearcur.cur
2140
windanr.exe
write
HKEY_CURRENT_USER\Control Panel\Cursors
WAIT
%SystemRoot%\cursors\clearcur.cur

Files activity

Executable files
0
Suspicious files
0
Text files
0
Unknown types
75

Dropped files

PID
Process
Filename
Type
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\UKR\license.html
gpx
MD5: 79b60cf2c821b6da51e036e9d70493d2
SHA256: 1717d033bc360bda2ddb57f3d1d1370124a060d9ad66b70521736ab4288d89d3
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ESP\license.html
gpx
MD5: 228110f7930bf1d9e7431aee51181467
SHA256: b44a01b86ef4fb6d2272799b4e19d0801bc5e7ec57ae81b60654e1dac5808101
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\TUR\license.html
gpx
MD5: 59ef45c820e231211a18d8ce96032142
SHA256: b95750a878e6209be24aa8640e38701c75a1b027bd2198447400978179d12128
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SVE\license.html
gpx
MD5: 1528582aca1b43f0a35dd51975e6d4b7
SHA256: 737c4965cf4ca02d5cd7a6ad27f79885ad1c8083eda52b92f52103d1796bf8e3
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SUO\license.html
gpx
MD5: c1da02b7eb52148d470a909ab4028cae
SHA256: f6da035297fff9951a830d9d08f92b5e217230e802249322c1f263dcfe883851
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SLV\license.html
gpx
MD5: 3380d42b82eea57545c1b735c80c8ae1
SHA256: 35947f865b252846d9397f04f106dab2bdc5182d310a4c69725eec2d2e95651b
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\SKY\license.html
gpx
MD5: 174d922bad069ab5fd5f111ee5d4725a
SHA256: 31da639dc82ec2e37b8e5f5b72021abdda05b098a8f7227b3c52910c5698c927
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\RUS\license.html
gpx
MD5: fe76d6a7748eda7c4614889c2556d143
SHA256: 0e166310596211a480a68b8778d1dac1781a78b039b9daa903846ce3ba1cc18b
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\RUM\license.html
gpx
MD5: 964d5ee387362e82d0eda026ecb0e7fc
SHA256: 4f6ab9fe86208854ddb324eef227ba6990c51f551157030cc9d0c2cb9e1d4e40
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\PTB\license.html
gpx
MD5: df578a97797916160f634fc977a2fdd1
SHA256: 025e6f62feb34fe45786a2e708e98a7738256c1bb79e802dbd2f635e7450070d
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\POL\license.html
gpx
MD5: 006bcfa8c093a2e67743521cbe582eb2
SHA256: e9c5e4f445c4244f399d8bb90564448dc1437e6ac2875edaafa748ebe03a1690
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\NOR\license.html
gpx
MD5: b121e0427a0bdf53e6c9baef2a7948b5
SHA256: da2903cf885997b000420aaeacd430b11d07b271c088270b70974d8caf99a221
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\NLD\license.html
gpx
MD5: 0887ee6dc69d0a86584acc82fa815254
SHA256: 3342ded3352a6ba00666a2b32ce6676e74c252c59bc222b978e2e90987082c2e
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\KOR\license.html
gpx
MD5: 9c342de5345088075546824c61697b13
SHA256: f0ed3c155e4b272256a5b7df2bd7c7db0d9883691ab2e05e6c3e1b516240eda9
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\JPN\license.html
gpx
MD5: 66c7365fc4111a8d9689ccce3f512992
SHA256: 748fce8cb3241b9b71aa637ca559f825e9d29c93504d1796ecd7dca55fe48381
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ITA\license.html
gpx
MD5: c9a20a407eb055d60b3fa8538469e25b
SHA256: c87662ae2d21ee397a3dc5b98fc5885be7d20a6a9a9cebda7cba2919eb89163a
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\HUN\license.html
gpx
MD5: aac97ef3eff4dcdcda146656635ba24d
SHA256: f3cb347d9634d8b243e055d67e23633bd1977a9611d2b772fd831296ecc1a4dd
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\HRV\license.html
gpx
MD5: ee08ca669c3823f49f9bd162646b692a
SHA256: 4c3355f4a844f83399351076e204bc93a7dacac8b024e9cee0b94228f50e207c
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\FRA\license.html
gpx
MD5: ec3648bad73b4bdea3d6089ce3accdec
SHA256: 26e432971d0a8717a2247f0528cd8e13378b668784573ebddc747b14f94f3464
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\EUQ\license.html
gpx
MD5: 24c0dc6d274438076dbf58da2648cdbe
SHA256: fe909ddbbcf0607adb684791dd43a4f6396d75a3c8225b7ce1c96409f4c2d5be
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html
html
MD5: 01ed6c57df78074b040d896297884ead
SHA256: 80323f20704e5557514aba3b2e07346d36f5670ab20eb1161b386dff46185068
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html
gpx
MD5: 4e92dc8734f89ba8cd4c84c7cfaf83d3
SHA256: f0f287281fdd42ae9fadf1ba14b9d15596c03d725b0f2aab8c3dc1849938d88a
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\DEU\license.html
gpx
MD5: b6674a48fab87ac6199dd5948acc8e23
SHA256: b2c5c3d5fcc419c7b82cf92ef248c4955190f613270051989fee4107adb9160f
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\DAN\license.html
gpx
MD5: a8397ce223d3a7f23e7f5aa44aa77779
SHA256: 690fbc3f732d1bdc7ef3e3f9b112856e45975ba239f01294f0c4db0eeb579025
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CZE\license.html
gpx
MD5: 4295372b92dd575de3e4d5c62a6f8387
SHA256: f7730090364edf8ede8743347d0daf0842722c2db14d6e787b344951c450f29d
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CHT\license.html
gpx
MD5: d2c0676c9bb117c0f7612088da741c02
SHA256: 037cf17d9dabe91b852f46bbe806a539281a8dad8cf9e196ebf3978b872c02eb
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CHS\license.html
gpx
MD5: f289c048ba0f505f42de6e77df90ed4d
SHA256: 4d6e98e5142fc2f21a148718e9ebd73a0c1b55211549f32edb1202ea85967d9b
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CAT\license.html
gpx
MD5: f2ff1078c69faf14e11fa8a190887a6a
SHA256: c7c4584453b31ae801104b3584788eb259d168f6262d8a0c590d3dd673757026
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LueMinut.htm
html
MD5: d24ae6e73286ba7c08441ccd56f534e8
SHA256: 9677629ff7255513c1e177f16c5ad65868d28d347410da9a2251c98c23de9628
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Llegiu-me.htm
html
MD5: af4417ec6e53585b24df80810b9e3f6a
SHA256: f7e060e773771b3587e252f0ed6d3bf0ff2f3d6ad39249efc86d96b4c60480b5
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Lisezmoi.htm
html
MD5: df93c7d2e7652d7185aeb7397cc00830
SHA256: fd752e18954df79c40748c3f863c47592c647fefb79131a1abe041be9d1ce661
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Liesmich.htm
html
MD5: c5cb52c9ec191a45031ba303313ae252
SHA256: 37747248c6f6eda6e330e3e5274db4a2332bbb2479f3e1b74d0b6deefb3f395e
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeiaMe.htm
html
MD5: b1b1dee5b55aa18a3164cd36e435d91a
SHA256: 6c3e4039baf9720970bef0bebf86c8fa9f5f2a1be056d6d5dbe0c219b957a5d3
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leggimi.htm
html
MD5: ecc9c0472eda311981c5235e22301376
SHA256: 975f9883dfde259e8d1bd867bb49b5ed378816ebade8cd24ef74f7dbc4ba28ae
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\LeesMij.htm
html
MD5: b7e993ae8e96e553e4e997f5da12d31c
SHA256: 0b948c185e989ab209c12d1757ed8564d1c527bbfa039b8ee9a6e7a837dde1b6
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Leame.htm
html
MD5: 90abaf90d10528d63ab3d940a27c9134
SHA256: a5d9032c4a25fbc198dd1a16ad09beac085887ac03b611bbbb90213ff2e1c05d
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\IrakHau.htm
html
MD5: a5962736bd2a179d755b11e8951311fb
SHA256: 3a713cb712e909057b937be6da5a9f95bf5e65b5ad716cc254206f3c13b1c2e9
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Berime.htm
html
MD5: 06aabb6f9d311adfd0583423591807ba
SHA256: 59c2b43e8846e2a26ed3593f3ee010c24245ebd034cfe25a1aee31fe994d9f9b
3620
iexplore.exe
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Benioku.htm
html
MD5: 49945885d86e5e2616b8b2110c147209
SHA256: 31f08de7dc178230d5a00e621b9357af342d9292c059030b5bd518d5bba3eb3b
3620
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enbfqohg.exe
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
7
DNS requests
5
Threats
0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
3620 iexplore.exe 216.58.206.14:80 Google Inc. US whitelisted
3620 iexplore.exe 82.112.184.197:447 Vysokie tehnologii Limited Liability Company RU malicious
3620 iexplore.exe 13.107.21.200:80 Microsoft Corporation US whitelisted
3620 iexplore.exe 130.211.22.95:447 Google Inc. US whitelisted
3620 iexplore.exe 98.138.219.232:80 Yahoo US unknown

DNS requests

Domain IP Reputation
google.com 216.58.206.14
whitelisted
supnewdmn.com 82.112.184.197
malicious
bing.com 13.107.21.200
204.79.197.200
whitelisted
tvrstrynyvwstrtve.com 130.211.22.95
malicious
yahoo.com 98.138.219.232
98.138.219.231
72.30.35.10
72.30.35.9
98.137.246.8
98.137.246.7
whitelisted

Threats

No threats detected.

Debug output strings

No debug info.