General Info

File name

bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe

Full analysis
https://app.any.run/tasks/aaa4f397-1ee3-4a84-9294-98de7d62c4fc
Verdict
Malicious activity
Analysis date
12/2/2019, 23:12:53
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5

e486eddffd13bed33e68d6d8d4052270

SHA1

53184dcfcec948f02564234b5b8755fddf066376

SHA256

bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69

SSDEEP

98304:lZnAjm6EkJuUj9NQf7ebPrApx/f14s5JCW+oEo74Am83DwsgYzhW0Mf8:lNl6XYUsfqD2/NhCVohvx3E5CX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • javaTM.exe (PID: 3420)
  • Java.exe (PID: 3040)
Loads dropped or rewritten executable
  • javaTM.exe (PID: 3420)
  • Java.exe (PID: 3040)
Uses Task Scheduler to run other applications
  • cmd.exe (PID: 3892)
  • cmd.exe (PID: 940)
  • cmd.exe (PID: 3940)
Writes to a start menu file
  • javaTM.exe (PID: 3420)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 1520)
  • schtasks.exe (PID: 1940)
  • schtasks.exe (PID: 624)
Starts Microsoft Office Application
  • bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe (PID: 2928)
Creates files in the user directory
  • bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe (PID: 2928)
  • javaTM.exe (PID: 3420)
  • Java.exe (PID: 3040)
Loads Python modules
  • javaTM.exe (PID: 3420)
  • Java.exe (PID: 3040)
Executable content was dropped or overwritten
  • bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe (PID: 2928)
  • JavaAlq.exe (PID: 4076)
  • javaTM.exe (PID: 3420)
Checks supported languages
  • POWERPNT.EXE (PID: 3876)
Starts CMD.EXE for commands execution
  • javaTM.exe (PID: 3420)
  • Java.exe (PID: 3040)
Uses IPCONFIG.EXE to discover IP address
  • cmd.exe (PID: 3344)
Dropped object may contain Bitcoin addresses
  • bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe (PID: 2928)
Reads Microsoft Office registry keys
  • POWERPNT.EXE (PID: 3876)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.exe
|   NSIS - Nullsoft Scriptable Install System (91.9%)
.exe
|   Win32 Executable MS Visual C++ (generic) (3.3%)
.exe
|   Win64 Executable (generic) (3%)
.dll
|   Win32 Dynamic Link Library (generic) (0.7%)
.exe
|   Win32 Executable (generic) (0.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2008:08:16 22:26:10+02:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
22528
InitializedDataSize:
119808
UninitializedDataSize:
1024
EntryPoint:
0x30b4
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
13.0.0.0
ProductVersionNumber:
13.0.0.0
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Windows, Latin1
Comments:
A build of the Microsoft Windows.
CompanyName:
2.449 KB
FileDescription:
Microsoft Office Power Point 97-2003 Slide Show
FileVersion:
13.0.0.0
InternalName:
Microsoft Office Power Point
LegalCopyright:
Microsoft Windows
LegalTrademarks:
(SO) Microsoft Windows
OriginalFileName:
.\dist\Reclamo.exe
ProductName:
Documento
ProductVersion:
13.0.0.0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
16-Aug-2008 20:26:10
Detected languages
English - United States
Comments:
A build of the Microsoft Windows.
CompanyName:
2.449 KB
FileDescription:
Microsoft Office Power Point 97-2003 Slide Show
FileVersion:
13.0.0.0
InternalName:
Microsoft Office Power Point
LegalCopyright:
Microsoft Windows
LegalTrademarks:
(SO) Microsoft Windows
OriginalFilename:
.\dist\Reclamo.exe
ProductName:
Documento
ProductVersion:
13.0.0.0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
16-Aug-2008 20:26:10
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x000057EC 0x00005800 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.47541
.rdata 0x00007000 0x00001190 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.17644
.data 0x00009000 0x0001AF58 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.59051
.ndata 0x00024000 0x00009000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x0002D000 0x0000E950 0x0000EA00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 7.15135
Resources
1, 2, 3, 4, 5, 6, 7, 8, 9, 103, 105, 106, 111
Imports
  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • SHELL32.dll
  • ADVAPI32.dll
  • COMCTL32.dll
  • ole32.dll
  • VERSION.dll
Exports

    No exports.

Screenshots

Processes

Total processes
51
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

[Behavior graph: process nodes shown, in order] bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe; powerpnt.exe (no specs); javaalq.exe; javatm.exe; cmd.exe (no specs); schtasks.exe (no specs); cmd.exe (no specs); schtasks.exe (no specs); cmd.exe (no specs); schtasks.exe (no specs); java.exe (no specs); cmd.exe (no specs); ipconfig.exe (no specs). Edge labels: start, drop and start.
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
2928
CMD
"C:\Users\admin\AppData\Local\Temp\bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe"
Path
C:\Users\admin\AppData\Local\Temp\bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
2.449 KB
Description
Microsoft Office Power Point 97-2003 Slide Show
Version
13.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\msi.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sxs.dll
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\java\javaalq.exe

PID
3876
CMD
"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\admin\AppData\Roaming\java.\Hermosa_XXX.pps"
Path
C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Indicators
No indicators
Parent process
bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft PowerPoint
Version
14.0.6009.1000
Modules
Image
c:\program files\microsoft office\office14\powerpnt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\ppintl.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\version.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\winspool.drv
c:\windows\system32\winsta.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\sspicli.dll
c:\program files\common files\microsoft shared\office14\1033\alrtintl.dll
c:\program files\microsoft office\office14\gkpowerpoint.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll

PID
4076
CMD
"C:\Users\admin\AppData\Roaming\java.\JavaAlq.exe"
Path
C:\Users\admin\AppData\Roaming\java.\JavaAlq.exe
Indicators
Parent process
bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\java\javaalq.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\rarsfx0\javatm.exe
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll

PID
3420
CMD
"C:\Users\admin\AppData\Local\Temp\RarSFX0\javaTM.exe"
Path
C:\Users\admin\AppData\Local\Temp\RarSFX0\javaTM.exe
Indicators
Parent process
JavaAlq.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Java(TM) Platfom SE 7 U11
Description
Java(TM) Platform SE binary
Version
7.0.110.21
Modules
Image
c:\users\admin\appdata\local\temp\rarsfx0\javatm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\rarsfx0\python27.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\users\admin\appdata\local\temp\rarsfx0\win32api.pyd
c:\windows\system32\version.dll
c:\users\admin\appdata\local\temp\rarsfx0\pywintypes27.dll
c:\windows\system32\secur32.dll
c:\users\admin\appdata\local\temp\rarsfx0\win32pdh.pyd
c:\windows\system32\pdh.dll
c:\users\admin\appdata\local\temp\rarsfx0\pythoncom27.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\scrrun.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\perfproc.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\users\admin\appdata\roaming\bin\jre6\java.exe

PID
3892
CMD
C:\Windows\system32\cmd.exe /c SCHTASKS /Delete /TN "Microsoft_up" /F
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaTM.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\schtasks.exe

PID
1520
CMD
SCHTASKS /Delete /TN "Microsoft_up" /F
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
940
CMD
C:\Windows\system32\cmd.exe /c SCHTASKS /Delete /TN "Microsoft_up" /F
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaTM.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\schtasks.exe

PID
624
CMD
SCHTASKS /Delete /TN "Microsoft_up" /F
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
3940
CMD
C:\Windows\system32\cmd.exe /c SCHTASKS /create /ST 00:00:01 /SC MINUTE /MO 60 /TR "\"C:\Users\admin\AppData\Roaming/MicroDes/JavaH.exe"\" /TN Microsoft_up
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaTM.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\schtasks.exe

PID
1940
CMD
SCHTASKS /create /ST 00:00:01 /SC MINUTE /MO 60 /TR "\"C:\Users\admin\AppData\Roaming/MicroDes/JavaH.exe"\" /TN Microsoft_up
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

PID
3040
CMD
C:\Users\admin\AppData\Roaming/Bin//Jre6/Java.exe
Path
C:\Users\admin\AppData\Roaming\Bin\Jre6\Java.exe
Indicators
No indicators
Parent process
javaTM.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Java(TM) Platfom SE 7 U11
Description
Java(TM) Platform SE binary
Version
7.0.110.21
Modules
Image
c:\users\admin\appdata\roaming\bin\jre6\java.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\roaming\bin\jre6\python27.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\users\admin\appdata\roaming\bin\jre6\pyhook._cpyhook.pyd
c:\users\admin\appdata\roaming\bin\jre6\pywintypes27.dll
c:\users\admin\appdata\roaming\bin\jre6\pythoncom27.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\users\admin\appdata\roaming\bin\jre6\_socket.pyd
c:\windows\system32\nsi.dll
c:\users\admin\appdata\roaming\bin\jre6\_ssl.pyd
c:\users\admin\appdata\roaming\bin\jre6\_ctypes.pyd
c:\users\admin\appdata\roaming\bin\jre6\win32ui.pyd
c:\windows\winsxs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_4bf7e3e2bf9ada4c\mfc90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\winsxs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_49768ef57548175e\mfc90enu.dll
c:\users\admin\appdata\roaming\bin\jre6\win32api.pyd
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\users\admin\appdata\roaming\bin\jre6\win32gui.pyd
c:\windows\system32\comdlg32.dll
c:\users\admin\appdata\roaming\bin\jre6\win32clipboard.pyd
c:\users\admin\appdata\roaming\bin\jre6\win32pdh.pyd
c:\windows\system32\pdh.dll
c:\users\admin\appdata\roaming\bin\jre6\win32file.pyd
c:\windows\system32\mswsock.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\scrrun.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cmd.exe
c:\users\admin\appdata\roaming\bin\jre6\_hashlib.pyd
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll

PID
3344
CMD
C:\Windows\system32\cmd.exe /c ipconfig /all
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
Java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ipconfig.exe

PID
1748
CMD
ipconfig /all
Path
C:\Windows\system32\ipconfig.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
IP Configuration Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ipconfig.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qagent.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll

Registry activity

Total events
1476
Read events
1415
Write events
57
Delete events
4

Modification events

PID
Process
Operation
Key
Name
Value
2928
bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
PPTFiles
1333919768
2928
bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2928
bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3876
POWERPNT.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
3876
POWERPNT.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\DocumentRecovery\38ED9C
3876
POWERPNT.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\DocumentRecovery
3876
POWERPNT.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
isg
69736700240F0000010000000000000000000000
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
3876
POWERPNT.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
PPTFiles
1333919769
3876
POWERPNT.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919924
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UISnapshot
1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
UIFallback
1040;0;1033;1046;1036;1031;1041;1049;3082;1042;1055
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources
HelpFallback
0;1033;1046;1036;1031;1040;1041;1049;3082;1042;1055
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{0C12CF48-451D-45AC-A927-F5FDBFC07C96}
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{9C3CFE2A-537A-479A-A1E2-85728C400F7D}
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{A8716C2B-35ED-4EE7-A138-FBA0A7C9B5B0}
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{AA3BD3AB-AD94-4243-86C5-8AE3D7D829BC}
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Smart Tag\Recognizers\{BC29864C-2254-4A9E-9F4D-721A388618BB}
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\User Settings\Kosmarttag_SmartTag
Count
1
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint
MTTT
240F0000CE24A6B05DA9D50100000000
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
POWERPNT.EXE
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\DocumentRecovery\38ED9C
38ED9C
04000000240F0000070000004100500050002D005000500054000000000000000000026000000000000000000000000000009CED38009CED3800000000000000000000000000
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Options
AppMaximized
0
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\DocumentRecovery\38ED9C
38ED9C
04000000240F0000070000004100500050002D005000500054000000000000000000026000000000000040B232B15DA9D5019CED38009CED380000000000F8040000FDFCFBFA5C010100000000006E0000006E0000002E0400006302000000000000000000000000000000000000AA060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002F07000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000AC06000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F105000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BD06000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BD05000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D805000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A6060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004607000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F0060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B505000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B705000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300600000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002F07000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000E9050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009A08000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D20800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\DocumentRecovery\38ED9C
38ED9C
04000000240F0000070000004100500050002D0050005000540000000000000000000260000000000000A02A40B25DA9D5019CED38009CED380000000000F8040000FDFCFBFA5C010100000000006E0000006E0000002E0400006302000000000000000000000000000000000000AA060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002F07000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000AC06000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F105000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BD06000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BD05000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D805000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A6060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004607000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F0060000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002708000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B505000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B705000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300600000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002F07000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000E9050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009A08000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D20800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
E72E0D200D63438BBC7192AB9F9E8B54
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3876
POWERPNT.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1333919760
3876
POWERPNT.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1333919761
3876
POWERPNT.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
ProductNonBootFilesIntl_1033
1333919762
3876
POWERPNT.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919925
3876
POWERPNT.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1333919926
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint
MTTF
31
3876
POWERPNT.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint
MTTA
31
4076
JavaAlq.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
4076
JavaAlq.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1

Files activity

Executable files
100
Suspicious files
1
Text files
12
Unknown types
1

Dropped files

PID
Process
Filename
Type
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\Bin\Jre6\python27.dll
executable
MD5: fb9ecb14a14328711eef9aace1686614
SHA256: 7731e2cdb12d3bbf6c9c64e29f1883c36cb9d443a6fb5770a7d8b0e57d95c2be
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\JavaS.exe
executable
MD5: 514814aa471f9923df393a2f6ea51722
SHA256: d0d15987adc76f56b79115db12d3244259dac4b63c1a11f0ef02c487c0b397bc
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\pyexpat.pyd
executable
MD5: 36733a799d1759e5ff6135fa19aeef5b
SHA256: 103f4329d53cf937c7023e8f2c21d008b9b7abe88d78bc3b05bf048c63735d88
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\PIL._imaging.pyd
executable
MD5: 23ab1444349edf1b863c64536663675b
SHA256: 76a9c05d1e906ce419f708448eec364c16a3717ab14f5167e1d5cce44e612986
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\select.pyd
executable
MD5: 3449bbfac55bfa14cdfd83e2d90f3d7e
SHA256: edccb048476f4b029eb3e675b16e0cfbe0bbc4d795977e4c7fcf6ae520d453f1
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\PIL._imagingft.pyd
executable
MD5: 1598372ffebd87ddaa89381d97e39f8c
SHA256: 29e1c7b1e8dcb48deecb2152c4a561aa9377fbbe6661a66a0760b7bf6494daac
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\pyHook._cpyHook.pyd
executable
MD5: 3c7cb79171e636137acd8fdf42ea10df
SHA256: 03a59137ca8f9dda395079daddd7fcf0636543f41cc0c2fcf19bea492eb4ad80
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\pyHook._cpyHook.pyd
executable
MD5: 3c7cb79171e636137acd8fdf42ea10df
SHA256: 03a59137ca8f9dda395079daddd7fcf0636543f41cc0c2fcf19bea492eb4ad80
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\Crypto.Cipher.AES.pyd
executable
MD5: 6d706762fd3d320ebb95a0f40b854feb
SHA256: 03c9e41ea1ddd2e0f6b4737c5e24b70a50d2e63d8374d36e889fc8cd4d6d0aaa
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\JavaUe.exe
executable
MD5: 1487b0e079d59641b401b3927d611b3d
SHA256: 3d7bc2e260d48a3bf0c228f6d054b92067b6c99000d87abb3dc78753a637c9af
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\Javak.exe
executable
MD5: bb5f90d26c56ece868dd9eade8832244
SHA256: cbb5ec654606691c0f8083ae285c4c7022b07ed0832797020feb82482153907b
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\PIL._imaging.pyd
executable
MD5: 23ab1444349edf1b863c64536663675b
SHA256: 76a9c05d1e906ce419f708448eec364c16a3717ab14f5167e1d5cce44e612986
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\vidcap.pyd
executable
MD5: 64de300d0d2780d5b302fd34813edbd6
SHA256: aec9c4ff94868387b50ae02c16311b26fa90596f37ff4521ff027488346244ef
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\Bin\Jre6\win32pdh.pyd
executable
MD5: 0c70d89ff28838ac2cbf5479ba585b86
SHA256: c28af233d7bea71f1094716f547b2059f10fc98ce8eddde7496e1a8e745ed640
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\javaTM.exe
executable
MD5: 942172d1f38e0770d0f31f919066b024
SHA256: ff28f588ddaff462e63520468e95b2859a92c8c64e2e2649836793e7858ca69b
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\bz2.pyd
executable
MD5: 2309952a1136740f3871869cc13ab620
SHA256: 2e54bdd269ceaba1368298407245787de76f25210fed08e3338de9f8a579dcf7
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\win32api.pyd
executable
MD5: cd646e722c515cd13540b4b3d0e46e4b
SHA256: 9f3d6583a669ceb3cb5660786fbfbcd23472aa1ab76d9c0eb24302b6138baf3d
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\UJavap.exe
executable
MD5: 348a477dc04d2c79d59f034c65aeb99c
SHA256: 436d25aca152949cda2af245e882f680c26a74fceabe445937cc9d93f1d5a88b
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\JavaH.exe
executable
MD5: c16607a726c5fb5e74cdbe508026ed97
SHA256: f22749d502fafb619868d6ec207991fdb7ac4d1d2ba0d1b1e4d02456a30ba7e4
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\_win32sysloader.pyd
executable
MD5: 85cf2bb56729200902a204e688103148
SHA256: b14541d5bb6e50658132ea42f5fc0fb011881e124c8285f026989a96113bd933
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\win32clipboard.pyd
executable
MD5: 76d5a9112b0c12a8839fcbd76edbe87e
SHA256: e54f82c6d85a5d3fce65713f79667e33f6232809163f987985020ba59c063287
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\select.pyd
executable
MD5: 3449bbfac55bfa14cdfd83e2d90f3d7e
SHA256: edccb048476f4b029eb3e675b16e0cfbe0bbc4d795977e4c7fcf6ae520d453f1
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\JavaD.exe
executable
MD5: 1fdc5e5d687814ee26e49b8a39725aac
SHA256: 9ef41cdb656944d242e107be1465ef83118263977115291c166b9579cc1a3066
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\_ssl.pyd
executable
MD5: 12fb0bcc8b79ecadd52ba8d97e08bfed
SHA256: 360b506df81ffc0b49ac15924314fa549084227b998b202572eed90b695dfd3a
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\win32file.pyd
executable
MD5: 7519d78535ec10fdc687da7d90ea9cd7
SHA256: 11609667fa37e2f6269d38d558dd42358360f97652bc37b80cb06a3f99b0e810
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\python27.dll
executable
MD5: fb9ecb14a14328711eef9aace1686614
SHA256: 7731e2cdb12d3bbf6c9c64e29f1883c36cb9d443a6fb5770a7d8b0e57d95c2be
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\java.exe
executable
MD5: b78e32681d191ed34a02d8e814aa8914
SHA256: f1d4eb894ea21f435f1a4986d1998473db2754ea3e5bad20031cc0cd49569391
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\_portaudio.pyd
executable
MD5: bb57a7c75998d4a86d6d2c2bd2b2e232
SHA256: ca4af7257334104e6f1743125bec896ab7a7ecf058e7edf95b803c2aa37fa1ec
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\win32gui.pyd
executable
MD5: d0f1dcb9d3c02d8c9175eb1d8d8855a7
SHA256: 32dda26ef2c58acd107f2e4916a5c22dd4111254cf708344c2073d7204c567d2
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\pywintypes27.dll
executable
MD5: f0469abb4f2914c78ce875a430425958
SHA256: c97e1ab93e2d18a76b4bb1c8c43605d7de94d3baaeae0c9e28fd750e943d0335
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\bz2.pyd
executable
MD5: 2309952a1136740f3871869cc13ab620
SHA256: 2e54bdd269ceaba1368298407245787de76f25210fed08e3338de9f8a579dcf7
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\_socket.pyd | executable | MD5: 07789a8c23bcebe32f8bfd4ce4af5ffb | SHA256: 235cc97584c3d31e5f3146121f64699d30cf372a86868ea755a9a0afa6c56144
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\win32pdh.pyd | executable | MD5: 0c70d89ff28838ac2cbf5479ba585b86 | SHA256: c28af233d7bea71f1094716f547b2059f10fc98ce8eddde7496e1a8e745ed640
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\pythoncom27.dll | executable | MD5: 72d8c1a1d90a3803ca16c8e49b3811a0 | SHA256: e502aac9a5f0b66bddd4c29c9986c6aa93daa10ed4c02501fa27575369103bf6
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\_win32sysloader.pyd | executable | MD5: 85cf2bb56729200902a204e688103148 | SHA256: b14541d5bb6e50658132ea42f5fc0fb011881e124c8285f026989a96113bd933
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\_multiprocessing.pyd | executable | MD5: 557ef00fca5a09ff4279ff79da7123e5 | SHA256: 6c8095dd83694fbe58e9cfd9548d5559c5853b690e8f3761b3194edc374701d9
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\win32ui.pyd | executable | MD5: 6402424255b17023dd3cb287d778cc7a | SHA256: 5c7608a735b55300432902d8316254cd675a4a98045bf7729c11b9409ba3c8ef
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\w9xpopen.exe | executable | MD5: 465182247770234ba25c6c78b29decd7 | SHA256: 81e882c3771e038306348f1fd332138d95b0f545f393843122f1635264e81003
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\Crypto.Cipher.AES.pyd | executable | MD5: 6d706762fd3d320ebb95a0f40b854feb | SHA256: 03c9e41ea1ddd2e0f6b4737c5e24b70a50d2e63d8374d36e889fc8cd4d6d0aaa
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\_hashlib.pyd | executable | MD5: 199bde23ef347dbccc6bf5a112b43c93 | SHA256: 6f8a2f7fe1a702521706fcbe82592ac24e8c897f5bf47f798122dbd0b109c2a6
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\bz2.pyd | executable | MD5: 2309952a1136740f3871869cc13ab620 | SHA256: 2e54bdd269ceaba1368298407245787de76f25210fed08e3338de9f8a579dcf7
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\win32clipboard.pyd | executable | MD5: 76d5a9112b0c12a8839fcbd76edbe87e | SHA256: e54f82c6d85a5d3fce65713f79667e33f6232809163f987985020ba59c063287
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\_ssl.pyd | executable | MD5: 12fb0bcc8b79ecadd52ba8d97e08bfed | SHA256: 360b506df81ffc0b49ac15924314fa549084227b998b202572eed90b695dfd3a
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\pywintypes27.dll | executable | MD5: f0469abb4f2914c78ce875a430425958 | SHA256: c97e1ab93e2d18a76b4bb1c8c43605d7de94d3baaeae0c9e28fd750e943d0335
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\Crypto.Cipher.AES.pyd | executable | MD5: 6d706762fd3d320ebb95a0f40b854feb | SHA256: 03c9e41ea1ddd2e0f6b4737c5e24b70a50d2e63d8374d36e889fc8cd4d6d0aaa
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\vidcap.pyd | executable | MD5: 64de300d0d2780d5b302fd34813edbd6 | SHA256: aec9c4ff94868387b50ae02c16311b26fa90596f37ff4521ff027488346244ef
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\win32ui.pyd | executable | MD5: 6402424255b17023dd3cb287d778cc7a | SHA256: 5c7608a735b55300432902d8316254cd675a4a98045bf7729c11b9409ba3c8ef
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\_ctypes.pyd | executable | MD5: f9982f8b1176597b81ed1285d1616ce7 | SHA256: d14315cf03aa7d96b714bfc13f7990ec245d205e4a5f9f002d2805e369199239
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\java.exe | executable | MD5: b78e32681d191ed34a02d8e814aa8914 | SHA256: f1d4eb894ea21f435f1a4986d1998473db2754ea3e5bad20031cc0cd49569391
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\win32gui.pyd | executable | MD5: d0f1dcb9d3c02d8c9175eb1d8d8855a7 | SHA256: 32dda26ef2c58acd107f2e4916a5c22dd4111254cf708344c2073d7204c567d2
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\_portaudio.pyd | executable | MD5: bb57a7c75998d4a86d6d2c2bd2b2e232 | SHA256: ca4af7257334104e6f1743125bec896ab7a7ecf058e7edf95b803c2aa37fa1ec
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\python27.dll | executable | MD5: fb9ecb14a14328711eef9aace1686614 | SHA256: 7731e2cdb12d3bbf6c9c64e29f1883c36cb9d443a6fb5770a7d8b0e57d95c2be
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\JavaD.exe | executable | MD5: 1fdc5e5d687814ee26e49b8a39725aac | SHA256: 9ef41cdb656944d242e107be1465ef83118263977115291c166b9579cc1a3066
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\win32api.pyd | executable | MD5: cd646e722c515cd13540b4b3d0e46e4b | SHA256: 9f3d6583a669ceb3cb5660786fbfbcd23472aa1ab76d9c0eb24302b6138baf3d
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\_multiprocessing.pyd | executable | MD5: 557ef00fca5a09ff4279ff79da7123e5 | SHA256: 6c8095dd83694fbe58e9cfd9548d5559c5853b690e8f3761b3194edc374701d9
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\pythoncom27.dll | executable | MD5: 72d8c1a1d90a3803ca16c8e49b3811a0 | SHA256: e502aac9a5f0b66bddd4c29c9986c6aa93daa10ed4c02501fa27575369103bf6
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\JavaH.exe | executable | MD5: c16607a726c5fb5e74cdbe508026ed97 | SHA256: f22749d502fafb619868d6ec207991fdb7ac4d1d2ba0d1b1e4d02456a30ba7e4
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\win32file.pyd | executable | MD5: 7519d78535ec10fdc687da7d90ea9cd7 | SHA256: 11609667fa37e2f6269d38d558dd42358360f97652bc37b80cb06a3f99b0e810
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\_ctypes.pyd | executable | MD5: f9982f8b1176597b81ed1285d1616ce7 | SHA256: d14315cf03aa7d96b714bfc13f7990ec245d205e4a5f9f002d2805e369199239
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\JavaUe.exe | executable | MD5: 1487b0e079d59641b401b3927d611b3d | SHA256: 3d7bc2e260d48a3bf0c228f6d054b92067b6c99000d87abb3dc78753a637c9af
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\Javak.exe | executable | MD5: bb5f90d26c56ece868dd9eade8832244 | SHA256: cbb5ec654606691c0f8083ae285c4c7022b07ed0832797020feb82482153907b
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\win32pdh.pyd | executable | MD5: 0c70d89ff28838ac2cbf5479ba585b86 | SHA256: c28af233d7bea71f1094716f547b2059f10fc98ce8eddde7496e1a8e745ed640
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\_hashlib.pyd | executable | MD5: 199bde23ef347dbccc6bf5a112b43c93 | SHA256: 6f8a2f7fe1a702521706fcbe82592ac24e8c897f5bf47f798122dbd0b109c2a6
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\w9xpopen.exe | executable | MD5: 465182247770234ba25c6c78b29decd7 | SHA256: 81e882c3771e038306348f1fd332138d95b0f545f393843122f1635264e81003
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\javaTM.exe | executable | MD5: 942172d1f38e0770d0f31f919066b024 | SHA256: ff28f588ddaff462e63520468e95b2859a92c8c64e2e2649836793e7858ca69b
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\_hashlib.pyd | executable | MD5: 199bde23ef347dbccc6bf5a112b43c93 | SHA256: 6f8a2f7fe1a702521706fcbe82592ac24e8c897f5bf47f798122dbd0b109c2a6
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\_socket.pyd | executable | MD5: 07789a8c23bcebe32f8bfd4ce4af5ffb | SHA256: 235cc97584c3d31e5f3146121f64699d30cf372a86868ea755a9a0afa6c56144
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\UJavap.exe | executable | MD5: 348a477dc04d2c79d59f034c65aeb99c | SHA256: 436d25aca152949cda2af245e882f680c26a74fceabe445937cc9d93f1d5a88b
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\JavaS.exe | executable | MD5: 514814aa471f9923df393a2f6ea51722 | SHA256: d0d15987adc76f56b79115db12d3244259dac4b63c1a11f0ef02c487c0b397bc
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\_multiprocessing.pyd | executable | MD5: 557ef00fca5a09ff4279ff79da7123e5 | SHA256: 6c8095dd83694fbe58e9cfd9548d5559c5853b690e8f3761b3194edc374701d9
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\win32gui.pyd | executable | MD5: d0f1dcb9d3c02d8c9175eb1d8d8855a7 | SHA256: 32dda26ef2c58acd107f2e4916a5c22dd4111254cf708344c2073d7204c567d2
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\javaTM.exe | executable | MD5: 942172d1f38e0770d0f31f919066b024 | SHA256: ff28f588ddaff462e63520468e95b2859a92c8c64e2e2649836793e7858ca69b
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\pyHook._cpyHook.pyd | executable | MD5: 3c7cb79171e636137acd8fdf42ea10df | SHA256: 03a59137ca8f9dda395079daddd7fcf0636543f41cc0c2fcf19bea492eb4ad80
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\_portaudio.pyd | executable | MD5: bb57a7c75998d4a86d6d2c2bd2b2e232 | SHA256: ca4af7257334104e6f1743125bec896ab7a7ecf058e7edf95b803c2aa37fa1ec
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\win32file.pyd | executable | MD5: 7519d78535ec10fdc687da7d90ea9cd7 | SHA256: 11609667fa37e2f6269d38d558dd42358360f97652bc37b80cb06a3f99b0e810
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Javak.exe | executable | MD5: bb5f90d26c56ece868dd9eade8832244 | SHA256: cbb5ec654606691c0f8083ae285c4c7022b07ed0832797020feb82482153907b
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\PIL._imagingft.pyd | executable | MD5: 1598372ffebd87ddaa89381d97e39f8c | SHA256: 29e1c7b1e8dcb48deecb2152c4a561aa9377fbbe6661a66a0760b7bf6494daac
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\_ctypes.pyd | executable | MD5: f9982f8b1176597b81ed1285d1616ce7 | SHA256: d14315cf03aa7d96b714bfc13f7990ec245d205e4a5f9f002d2805e369199239
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\win32clipboard.pyd | executable | MD5: 76d5a9112b0c12a8839fcbd76edbe87e | SHA256: e54f82c6d85a5d3fce65713f79667e33f6232809163f987985020ba59c063287
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\JavaS.exe | executable | MD5: 514814aa471f9923df393a2f6ea51722 | SHA256: d0d15987adc76f56b79115db12d3244259dac4b63c1a11f0ef02c487c0b397bc
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\pyexpat.pyd | executable | MD5: 36733a799d1759e5ff6135fa19aeef5b | SHA256: 103f4329d53cf937c7023e8f2c21d008b9b7abe88d78bc3b05bf048c63735d88
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\win32ui.pyd | executable | MD5: 6402424255b17023dd3cb287d778cc7a | SHA256: 5c7608a735b55300432902d8316254cd675a4a98045bf7729c11b9409ba3c8ef
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\JavaUe.exe | executable | MD5: 1487b0e079d59641b401b3927d611b3d | SHA256: 3d7bc2e260d48a3bf0c228f6d054b92067b6c99000d87abb3dc78753a637c9af
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\JavaD.exe | executable | MD5: 1fdc5e5d687814ee26e49b8a39725aac | SHA256: 9ef41cdb656944d242e107be1465ef83118263977115291c166b9579cc1a3066
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\PIL._imaging.pyd | executable | MD5: 23ab1444349edf1b863c64536663675b | SHA256: 76a9c05d1e906ce419f708448eec364c16a3717ab14f5167e1d5cce44e612986
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\_ssl.pyd | executable | MD5: 12fb0bcc8b79ecadd52ba8d97e08bfed | SHA256: 360b506df81ffc0b49ac15924314fa549084227b998b202572eed90b695dfd3a
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\pywintypes27.dll | executable | MD5: f0469abb4f2914c78ce875a430425958 | SHA256: c97e1ab93e2d18a76b4bb1c8c43605d7de94d3baaeae0c9e28fd750e943d0335
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\JavaH.exe | executable | MD5: c16607a726c5fb5e74cdbe508026ed97 | SHA256: f22749d502fafb619868d6ec207991fdb7ac4d1d2ba0d1b1e4d02456a30ba7e4
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\pythoncom27.dll | executable | MD5: 72d8c1a1d90a3803ca16c8e49b3811a0 | SHA256: e502aac9a5f0b66bddd4c29c9986c6aa93daa10ed4c02501fa27575369103bf6
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\_socket.pyd | executable | MD5: 07789a8c23bcebe32f8bfd4ce4af5ffb | SHA256: 235cc97584c3d31e5f3146121f64699d30cf372a86868ea755a9a0afa6c56144
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\win32api.pyd | executable | MD5: cd646e722c515cd13540b4b3d0e46e4b | SHA256: 9f3d6583a669ceb3cb5660786fbfbcd23472aa1ab76d9c0eb24302b6138baf3d
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\java.exe | executable | MD5: b78e32681d191ed34a02d8e814aa8914 | SHA256: f1d4eb894ea21f435f1a4986d1998473db2754ea3e5bad20031cc0cd49569391
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\vidcap.pyd | executable | MD5: 64de300d0d2780d5b302fd34813edbd6 | SHA256: aec9c4ff94868387b50ae02c16311b26fa90596f37ff4521ff027488346244ef
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\_win32sysloader.pyd | executable | MD5: 85cf2bb56729200902a204e688103148 | SHA256: b14541d5bb6e50658132ea42f5fc0fb011881e124c8285f026989a96113bd933
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\select.pyd | executable | MD5: 3449bbfac55bfa14cdfd83e2d90f3d7e | SHA256: edccb048476f4b029eb3e675b16e0cfbe0bbc4d795977e4c7fcf6ae520d453f1
PID 2928 bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe | C:\Users\admin\AppData\Roaming\java\JavaAlq.exe | executable | MD5: be82fcea3aed84f561e57e7861add1ca | SHA256: 3937a4679abd97fe7e692b134b494cf823fa2d58f84aeccad86da11d15332016
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\UJavap.exe | executable | MD5: 348a477dc04d2c79d59f034c65aeb99c | SHA256: 436d25aca152949cda2af245e882f680c26a74fceabe445937cc9d93f1d5a88b
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\w9xpopen.exe | executable | MD5: 465182247770234ba25c6c78b29decd7 | SHA256: 81e882c3771e038306348f1fd332138d95b0f545f393843122f1635264e81003
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\PIL._imagingft.pyd | executable | MD5: 1598372ffebd87ddaa89381d97e39f8c | SHA256: 29e1c7b1e8dcb48deecb2152c4a561aa9377fbbe6661a66a0760b7bf6494daac
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\pyexpat.pyd | executable | MD5: 36733a799d1759e5ff6135fa19aeef5b | SHA256: 103f4329d53cf937c7023e8f2c21d008b9b7abe88d78bc3b05bf048c63735d88
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\date | text | MD5: 42a59a28c6b6b7381392f9b5cb64ed3b | SHA256: 8ca367b0ed5ed0e3034e2190e871da815f4c4d99dd15e53b73b0ee1d7b5c171c
PID 3040 Java.exe | C:\Users\admin\AppData\Roaming\Bin\Encryp\Sysinfo.txt | text | MD5: 1b35281793907e837e79b97dec9d5267 | SHA256: e9966fa4822489b7ed6519a4fabadcdaf94e997d4ee53e6b45c7c390b6dc2809
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\ver | text | MD5: 038a8a50b863780fe4a43b7a263bb12b | SHA256: 65cebb6f370f68502d4af051143fcd0def5afa569cf0176964bdf95bdf1ce5f1
PID 3876 POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVREBE6.tmp.cvr | –– | MD5: –– | SHA256: ––
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\ruta.txt | text | MD5: 2613ce97ca00f6b9e2fb4092729cd449 | SHA256: b966682f8d987089603c13096f80ce6f32e0960796d8242920d972ec89ba2260
PID 4076 JavaAlq.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\caso.txt | text | MD5: 2613ce97ca00f6b9e2fb4092729cd449 | SHA256: b966682f8d987089603c13096f80ce6f32e0960796d8242920d972ec89ba2260
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\ver | text | MD5: 038a8a50b863780fe4a43b7a263bb12b | SHA256: 65cebb6f370f68502d4af051143fcd0def5afa569cf0176964bdf95bdf1ce5f1
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.lnk | lnk | MD5: 406afec8ae9ed79cee672c604bd9b312 | SHA256: 2ff65ffd396532d3f8dc10d87bedc4a36b841ca1912ad88e500b200c294cd0a5
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\ruta.txt | text | MD5: 2613ce97ca00f6b9e2fb4092729cd449 | SHA256: b966682f8d987089603c13096f80ce6f32e0960796d8242920d972ec89ba2260
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\ruta.txt | text | MD5: 2613ce97ca00f6b9e2fb4092729cd449 | SHA256: b966682f8d987089603c13096f80ce6f32e0960796d8242920d972ec89ba2260
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\MicroDes\caso.txt | text | MD5: 2613ce97ca00f6b9e2fb4092729cd449 | SHA256: b966682f8d987089603c13096f80ce6f32e0960796d8242920d972ec89ba2260
PID 3040 Java.exe | C:\Users\admin\AppData\Roaming\Bin\Logs.htm | text | MD5: e643678d45828b5afe3b97e5e26d5d75 | SHA256: 04741902942d4c7b62017584c391baacc3876c89094bed5033388310a0cb981f
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\ver | text | MD5: 038a8a50b863780fe4a43b7a263bb12b | SHA256: 65cebb6f370f68502d4af051143fcd0def5afa569cf0176964bdf95bdf1ce5f1
PID 3420 javaTM.exe | C:\Users\admin\AppData\Roaming\Bin\Jre6\caso.txt | text | MD5: 2613ce97ca00f6b9e2fb4092729cd449 | SHA256: b966682f8d987089603c13096f80ce6f32e0960796d8242920d972ec89ba2260
PID 2928 bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe | C:\Users\admin\AppData\Roaming\java\Hermosa_XXX.pps | document | MD5: 67593be1586fa629d9ecae84b66c6a0c | SHA256: f21099e550f2cdee99c5f40267c6d4bac0f608f047ecd81dc89516c16fc87d25

Find more information on the static content and download it in the full report
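The dropped-files listing above repeats the same hashes under three directories (the RarSFX0 extraction folder, Roaming\MicroDes and Roaming\Bin\Jre6), and a reader has to scan 500 lines to notice which process wrote what. The script below is an added example for this report, not ANY.RUN tooling: it parses the six-line record layout used on this page (PID, process, path, type, "MD5: …", "SHA256: …"), de-duplicates by SHA256, and reports how many directories each payload was staged in and which PID wrote into each directory. SAMPLE_EXPORT is a handful of records copied from the listing above, including the crash-recovery file the sandbox could not hash, so the output reflects the report's own data.

```python
"""Group an ANY.RUN-style "dropped files" export by SHA256 and by directory.

Added example for this report (not ANY.RUN code). Assumes the six-line
record layout of the listing above: PID, process, path, type,
"MD5: <hex>", "SHA256: <hex>". SAMPLE_EXPORT is copied from that listing.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Dropped(NamedTuple):
    pid: int
    process: str
    path: str
    kind: str
    md5: str      # empty when the report shows a "––" placeholder
    sha256: str   # empty when the report shows a "––" placeholder


_MD5 = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})$")
_SHA256 = re.compile(r"^SHA256:\s*([0-9a-fA-F]{64})$")


def parse_records(export: str) -> List[Dropped]:
    """Turn the flattened export into Dropped tuples.

    Files the sandbox could not hash (shown as "––" on the page) keep
    their path and writer but get an empty hash, so they are neither
    lost nor grouped together with real hashes.
    """
    lines = [ln.strip() for ln in export.splitlines() if ln.strip()]
    if len(lines) % 6:
        raise ValueError("export is not made of whole 6-line records")
    records: List[Dropped] = []
    for i in range(0, len(lines), 6):
        pid, proc, path, kind, md5_ln, sha_ln = lines[i:i + 6]
        m5, m256 = _MD5.match(md5_ln), _SHA256.match(sha_ln)
        records.append(Dropped(int(pid), proc, path, kind,
                               m5.group(1).lower() if m5 else "",
                               m256.group(1).lower() if m256 else ""))
    return records


def parent_dir(path: str) -> str:
    """Windows-style dirname; the export always uses backslashes."""
    return path.rsplit("\\", 1)[0]


def staging_map(records: List[Dropped]) -> Dict[str, Set[str]]:
    """SHA256 -> set of directories that file was written to."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.sha256:
            out[r.sha256].add(parent_dir(r.path))
    return dict(out)


def writers_by_dir(records: List[Dropped]) -> Dict[str, Set[str]]:
    """directory -> set of "pid:process" that wrote into it."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        out[parent_dir(r.path)].add(f"{r.pid}:{r.process}")
    return dict(out)


def unique_hashes(records: List[Dropped]) -> List[str]:
    """De-duplicated SHA256 list, the form you would feed to a blocklist."""
    return sorted({r.sha256 for r in records if r.sha256})


# Records copied from the listing above (a raw string keeps the backslashes).
SAMPLE_EXPORT = r"""
4076
JavaAlq.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\_socket.pyd
executable
MD5: 07789a8c23bcebe32f8bfd4ce4af5ffb
SHA256: 235cc97584c3d31e5f3146121f64699d30cf372a86868ea755a9a0afa6c56144
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\MicroDes\_socket.pyd
executable
MD5: 07789a8c23bcebe32f8bfd4ce4af5ffb
SHA256: 235cc97584c3d31e5f3146121f64699d30cf372a86868ea755a9a0afa6c56144
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\Bin\Jre6\_socket.pyd
executable
MD5: 07789a8c23bcebe32f8bfd4ce4af5ffb
SHA256: 235cc97584c3d31e5f3146121f64699d30cf372a86868ea755a9a0afa6c56144
3420
javaTM.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update.lnk
lnk
MD5: 406afec8ae9ed79cee672c604bd9b312
SHA256: 2ff65ffd396532d3f8dc10d87bedc4a36b841ca1912ad88e500b200c294cd0a5
3876
POWERPNT.EXE
C:\Users\admin\AppData\Local\Temp\CVREBE6.tmp.cvr
––
MD5:  ––
SHA256:  ––
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_EXPORT)
    for sha, dirs in staging_map(recs).items():
        if len(dirs) > 1:
            print(f"{sha[:12]}... staged in {len(dirs)} directories: {sorted(dirs)}")
    for d, who in sorted(writers_by_dir(recs).items()):
        print(f"{d} <- {sorted(who)}")
    print("blocklist:", unique_hashes(recs))
```

Paste the full listing into SAMPLE_EXPORT (or read it from a file) to run it over all 85 records; the same three staging directories and the same two writer PIDs come out, which is what makes the Startup shortcut and the javaTM.exe/JavaAlq.exe pair the persistence indicators worth hunting for.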

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
1

HTTP requests

No HTTP requests.

Connections

No connections.

DNS requests

Domain | IP | Reputation
java.serveblog.net | No response | unknown

Threats

PID | Process | Class | Message
–– | –– | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.serveblog .net
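The only network signal in this run is a DNS lookup of java.serveblog.net, a customer hostname under a dynamic-DNS provider, which is what the ET POLICY rule fires on. The script below is an added example for this report, not ANY.RUN or Emerging Threats code: it applies the same check to resolver log lines. DYNDNS_SUFFIXES is a constructed, deliberately partial list of provider domains (a real ruleset carries hundreds), and SAMPLE_LOG is a constructed log whose first line mirrors the lookup the sandbox observed; the log line format is an assumption for the example.

```python
"""Flag DNS lookups of dynamic-DNS customer hostnames in a resolver log.

Added example for this report (not ANY.RUN or Emerging Threats code).
DYNDNS_SUFFIXES is a constructed, partial provider list; SAMPLE_LOG and
its "<ts> <client> query <qname> <qtype> <rcode>" layout are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed partial list of dynamic-DNS provider apex domains.
DYNDNS_SUFFIXES = (
    "serveblog.net", "servehttp.com", "serveftp.com", "servegame.com",
    "hopto.org", "zapto.org", "sytes.net", "ddns.net", "redirectme.net",
    "no-ip.org", "no-ip.biz", "no-ip.info", "myftp.biz", "myftp.org",
    "dyndns.org", "dynu.net", "duckdns.org",
)


def dyndns_suffix(qname: str) -> Optional[str]:
    """Return the provider suffix a query name falls under, else None.

    Matching is on label boundaries: "notserveblog.net" and
    "serveblog.network" do not match, and the bare provider apex is not
    flagged either, because the alert is about customer subdomains.
    Trailing dots and case are normalised first.
    """
    host = qname.rstrip(".").lower()
    for suffix in DYNDNS_SUFFIXES:
        if host.endswith("." + suffix):
            return suffix
    return None


_LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<rcode>\S+)$"
)


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client, qname, provider_suffix, rcode) for each hit.

    The rcode is kept because a lookup with no answer (as in this run)
    is still a hit: the beaconing attempt, not the resolution, is the
    indicator.
    """
    hits = []
    for ln in lines:
        m = _LOG_LINE.match(ln.strip())
        if not m:
            continue  # unparseable line; skipped, not treated as clean
        suffix = dyndns_suffix(m["qname"])
        if suffix:
            hits.append((m["client"], m["qname"].rstrip(".").lower(),
                         suffix, m["rcode"]))
    return hits


# Constructed resolver log; line 1 mirrors the sandbox's single lookup.
SAMPLE_LOG = [
    "2019-12-02T23:13:10Z 10.0.0.5 query java.serveblog.net A NORESPONSE",
    "2019-12-02T23:13:11Z 10.0.0.5 query www.microsoft.com A NOERROR",
    "2019-12-02T23:13:12Z 10.0.0.7 query update.hopto.org. A NXDOMAIN",
    "2019-12-02T23:13:13Z 10.0.0.7 query serveblog.net A NOERROR",
    "2019-12-02T23:13:14Z 10.0.0.9 query notserveblog.net A NOERROR",
]

if __name__ == "__main__":
    for client, qname, suffix, rcode in scan_dns_log(SAMPLE_LOG):
        print(f"{client} -> {qname} (provider {suffix}) rcode={rcode}")
```

Suffix matching on label boundaries is the part worth copying: a plain substring test would also flag the provider's own apex and look-alike names, which is exactly the noise a "Potentially Bad Traffic" policy rule cannot afford.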

Debug output strings

No debug info.