General Info

File name

Woxy Cracked by Crank and Yuki.rar

Full analysis
https://app.any.run/tasks/d466692a-8fb3-427c-a565-3ddb686ba295
Verdict
Malicious activity
Analysis date
12/6/2018, 08:46:23
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

evasion

Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

10419f8f6e1a25f43e4b3347ff1676d6

SHA1

d93624ef949ea0bbced6427a2f0d5d79e428547c

SHA256

c4cb51aa8d733bcbf8c64e1768158594d0b69926c574f28222f7cbb6d9677463

SSDEEP

196608:JQYH11ve3hR7eOet0KhqEAIwHYalwQWx6ouNZJawvrDtGiF+8o/Dj8yPaT7FTpVi:Jfve3hR7eOet0KwQwHYRDsouu4UYcj8u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • explorer.exe (PID: 756)
  • SearchProtocolHost.exe (PID: 1904)
Application was dropped or rewritten from another process
  • explorer.exe (PID: 756)
  • SeafkoAgent.exe (PID: 2196)
  • woxy.exe (PID: 3964)
  • Woxy Cracked by Crank and Yuki.exe (PID: 3788)
Changes the autorun value in the registry
  • explorer.exe (PID: 756)
Changes settings of System certificates
  • explorer.exe (PID: 756)
Checks for external IP
  • explorer.exe (PID: 756)
Executable content was dropped or overwritten
  • SeafkoAgent.exe (PID: 2196)
  • explorer.exe (PID: 756)
  • woxy.exe (PID: 3964)
  • WinRAR.exe (PID: 3292)
Adds / modifies Windows certificates
  • explorer.exe (PID: 756)
Creates executable files which already exist in Windows
  • explorer.exe (PID: 756)
  • SeafkoAgent.exe (PID: 2196)
Connects to unusual port
  • explorer.exe (PID: 756)
Starts itself from another location
  • SeafkoAgent.exe (PID: 2196)
Application was crashed
  • Woxy Cracked by Crank and Yuki.exe (PID: 3788)
Dropped object may contain Bitcoin addresses
  • woxy.exe (PID: 3964)
  • WinRAR.exe (PID: 3292)
Reads Microsoft Office registry keys
  • WinRAR.exe (PID: 3292)

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ MATRIX in the full report.

Static information

TRiD
.rar: RAR compressed archive (v5.0) (61.5%)
.rar: RAR compressed archive (gen) (38.4%)

Screenshots

Processes

Total processes
45
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Behavior graph (interactive image not reproduced). Nodes: winrar.exe, searchprotocolhost.exe (no specs), woxy.exe, woxy cracked by crank and yuki.exe, seafkoagent.exe, explorer.exe, wmiapsrv.exe (no specs). Edge labels: start; drop and start.
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
1904
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\users\admin\desktop\colorful.console.dll
c:\users\admin\desktop\woxy.exe
c:\windows\system32\notepad.exe
c:\users\admin\desktop\newtonsoft.json.dll
c:\windows\system32\ieframe.dll
c:\users\admin\desktop\mail.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll

PID
3292
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\microsoft office\office14\msohevi.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ieframe.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3964
CMD
"C:\Users\admin\Desktop\woxy.exe"
Path
C:\Users\admin\Desktop\woxy.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\desktop\woxy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\woxy cracked by crank and yuki.exe
c:\users\admin\appdata\local\temp\seafkoagent.exe
c:\windows\system32\rpcrtremote.dll

PID
3788
CMD
"C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.exe"
Path
C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.exe
Indicators
Parent process
woxy.exe
User
admin
Integrity Level
HIGH
Exit code
3762504530
Version:
Company
Description
Woxy
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\woxy cracked by crank and yuki.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll

PID
2196
CMD
"C:\Users\admin\AppData\Local\Temp\SeafkoAgent.exe"
Path
C:\Users\admin\AppData\Local\Temp\SeafkoAgent.exe
Indicators
Parent process
woxy.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft
Description
Windows Explorer
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\seafkoagent.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\explorer.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
756
CMD
"C:\Users\admin\AppData\Local\explorer.exe"
Path
C:\Users\admin\AppData\Local\explorer.exe
Indicators
Parent process
SeafkoAgent.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft
Description
Windows Explorer
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\netfxperf.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\perfcounter.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\pdh.dll
c:\windows\microsoft.net\framework\v4.0.30319\corperfmonext.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\aspnet_counters.dll
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_perf.dll
c:\windows\system32\bitsperf.dll
c:\windows\system32\esentprf.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msdtcuiu.dll
c:\windows\system32\atl.dll
c:\windows\system32\msdtcprx.dll
c:\windows\system32\mtxclu.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\resutils.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\msscntrs.dll
c:\progra~1\micros~1\office14\olmapi32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\perfdisk.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\perfnet.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\perfos.dll
c:\windows\system32\perfproc.dll
c:\windows\system32\sysmain.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\rasctrs.dll
c:\windows\system32\winspool.drv
c:\windows\system32\tapiperf.dll
c:\windows\system32\perfctrs.dll
c:\windows\system32\perfts.dll
c:\windows\system32\winsta.dll
c:\windows\system32\utildll.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\usbperf.dll
c:\windows\system32\wbem\wmiaprpl.dll
c:\windows\system32\loadperf.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\tquery.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\sqlite3.dll
c:\users\admin\appdata\local\newtonsoft.json.dll
c:\windows\system32\security.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.seri#\4a984a9ad59d14063bc6ae64a0c8f62a\system.runtime.serialization.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\psapi.dll

PID
3804
CMD
C:\Windows\system32\wbem\WmiApSrv.exe
Path
C:\Windows\system32\wbem\WmiApSrv.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Performance Reverse Adapter
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmiapsrv.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\loadperf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wmiprov.dll

Registry activity

Total events
1676
Read events
1616
Write events
60
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
1904
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
1904
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\system32\notepad.exe,-469
Text Document
1904
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\System32\ieframe.dll,-912
HTML Document
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3292
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.rar
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3292
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\System32\ieframe.dll,-912
HTML Document
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000880103000000000039000000B40200000000000001000000
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C8000000000000000000000000003C01020000000000160000002A0000000000000002000000
3292
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C8000000000000000000000000009A0103000000000016000000640000000000000003000000
3964
woxy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3964
woxy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2196
SeafkoAgent.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2196
SeafkoAgent.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
explorer
C:\Users\admin\AppData\Local\explorer.exe
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET Memory Cache 4.0\Linkage
Export
.NET Memory Cache 4.0
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 3.0.0.0\Linkage
Export
MSDTC Bridge 3.0.0.0
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSDTC Bridge 4.0.0.0\Linkage
Export
MSDTC Bridge 4.0.0.0
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ServiceModelEndpoint 3.0.0.0\Linkage
Export
ServiceModelEndpoint 3.0.0.0
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ServiceModelOperation 3.0.0.0\Linkage
Export
ServiceModelOperation 3.0.0.0
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ServiceModelService 3.0.0.0\Linkage
Export
ServiceModelService 3.0.0.0
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SMSvcHost 3.0.0.0\Linkage
Export
SMSvcHost 3.0.0.0
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SMSvcHost 4.0.0.0\Linkage
Export
SMSvcHost 4.0.0.0
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Windows Workflow Foundation 3.0.0.0\Linkage
Export
Windows Workflow Foundation 3.0.0.0
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Windows Workflow Foundation 4.0.0.0\Linkage
Export
Windows Workflow Foundation 4.0.0.0
756
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
Blob
0F00000001000000200000004B4EB4B074298B828B5C003095A10B4523FB951C0C88348B09C53E5BABA408A3090000000100000034000000303206082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030306082B060105050703080B000000010000003000000044006900670069004300650072007400200047006C006F00620061006C00200052006F006F00740020004700320000005300000001000000230000003021301F06096086480186FD6C020130123010060A2B0601040182373C0101030200C0620000000100000020000000CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F1400000001000000140000004E2254201895E6E36EE60FFAFAB912ED06178F391D00000001000000100000007DC30BC974695560A2F0090A6545556C030000000100000014000000DF3C24F9BFD666761B268073FE06D1CC8D4F82A42000000001000000920300003082038E30820276A0030201020210033AF1E6A711A9A0BB2864B11D09FAE5300D06092A864886F70D01010B05003061310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3120301E06035504031317446967694365727420476C6F62616C20526F6F74204732301E170D3133303830313132303030305A170D3338303131353132303030305A3061310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3120301E06035504031317446967694365727420476C6F62616C20526F6F7420473230820122300D06092A864886F70D01010105000382010F003082010A0282010100BB37CD34DC7B6BC9B26890AD4A75FF46BA210A088DF51954C9FB88DBF3AEF23A89913C7AE6AB061A6BCFAC2DE85E092444BA629A7ED6A3A87EE054752005AC50B79C631A6C30DCDA1F19B1D71EDEFDD7E0CB948337AEEC1F434EDD7B2CD2BD2EA52FE4A9B8AD3AD499A4B625E99B6B00609260FF4F214918F76790AB61069C8FF2BAE9B4E992326BB5F357E85D1BCD8C1DAB95049549F3352D96E3496DDD77E3FB494BB4AC5507A98F95B3B423BB4C6D45F0F6A9B29530B4FD4C558C274A57147C829DCD7392D3164A060C8C50D18F1E09BE17A1E621CAFD83E510BC83A50AC46728F67314143D4676C387148921344DAF0F450CA649A1BABB9CC5B1338329850203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020186301D0603551D0E041604144E2254201895E6E36EE60FFAFAB912ED06178F39300D06092A864886F70D01010B05000382010100606728946F0E4863EB31DDEA6718D5897D3CC58B4A7FE9BEDB2B17DFB05F73772A3213398167428423F2456735EC88BFF88FB0610C34A4AE204C84C6DBF835E176D9DFA642BBC74408867F3674245ADA6C0D145935BDF249DDB61FC9B30D472A3D992FBB5CBBB5D420E1995F534615DB689BF0F330D53E31E28D849EE38ADADA963E3513A55FF0F970507047411157194EC08FAE06C49513172F1B259F75F2B18E99A16F13B14171FE882AC84F102055D7F31445E5E044F4EA879532930EFE5346FA2C9DFF8B22B94BD90945A4DEA4B89A58DD1B7D529F8E59438881A49E26D56FADDD0DC6377DED03921BE5775F76EE3C8DC45D565BA2D9666EB33537E532B6
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
Blob
756
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
Blob
3804
WmiApSrv.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance
Performance Refreshed
0

Files activity

Executable files
13
Suspicious files
4
Text files
59
Unknown types
4

Dropped files

PID
Process
Filename
Type
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Colorful.Console.dll
executable
MD5: c0049eec203866b1b032006cef00ffb7
SHA256: 2fb5df27fe90d3261a0ce2491315ea299b6a2d4399cc22c23272ee959b445559
756
explorer.exe
C:\Users\admin\AppData\Local\CommonData.dll
executable
MD5: a0728c8159a1dcf30a4722fbdc627539
SHA256: 74301172ab2cbf250183bd49127fc4bbf5ad8a87c11161ac5465aa33ffeff69a
2196
SeafkoAgent.exe
C:\Users\admin\AppData\Local\explorer.exe
executable
MD5: ce8e8120b521d78fdb8544946f3afcca
SHA256: fd55513987e9848f0438884d9b3237ab12495e828a8d740f29953119bc6f9b8f
3964
woxy.exe
C:\Users\admin\AppData\Local\Temp\SeafkoAgent.exe
executable
MD5: ce8e8120b521d78fdb8544946f3afcca
SHA256: fd55513987e9848f0438884d9b3237ab12495e828a8d740f29953119bc6f9b8f
756
explorer.exe
C:\Users\admin\AppData\Local\AForge.Video.DirectShow.dll
executable
MD5: 17ed442e8485ac3f7dc5b3c089654a61
SHA256: 666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\woxy.exe
executable
MD5: 18145033ad484e3ff1c9e3cc17aa975d
SHA256: efb7e424117bc9bd338aa6bcf668b2d37009579533e01201ef3f37bb99e27185
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Newtonsoft.Json.dll
executable
MD5: 5afda7c7d4f7085e744c2e7599279db3
SHA256: f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4
756
explorer.exe
C:\Users\admin\AppData\Local\sqlite3.dll
executable
MD5: 87f9e5a6318ac1ec5ee05aa94a919d7a
SHA256: 7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Mail.dll
executable
MD5: 02d3665be12327062013a05f044235cb
SHA256: 2fc6995f4f2ad0aeda381b8a43141a4f20a3a207c283c3aae453043ad1448262
756
explorer.exe
C:\Users\admin\AppData\Local\AForge.dll
executable
MD5: 02c63f568e598aad85dd401d7b26e82a
SHA256: 966a474060a8aca70c73ba09d0b6fe2353035961c7107b9003ef879c010ff8da
756
explorer.exe
C:\Users\admin\AppData\Local\AForge.Video.dll
executable
MD5: 0bd34aa29c7ea4181900797395a6da78
SHA256: bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
756
explorer.exe
C:\Users\admin\AppData\Local\Newtonsoft.Json.dll
executable
MD5: 83222120c8095b8623fe827fb70faf6b
SHA256: eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503
3964
woxy.exe
C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.exe
executable
MD5: a768a7c7ece99fad51a61c7cabbe2db9
SHA256: de65f0a884c9202a9c261bbb224b9bb65a0133926ab2ccc2c76bcc18903fb345
756
explorer.exe
C:\Users\admin\AppData\Local\log.txt
text
MD5: b1ba38b1a3ea7b6c92453e502b3a9399
SHA256: 70c444228be0b3d0a662b40693b53c7f2c1e176e17386bd12d5fac56d7aae963
756
explorer.exe
C:\Users\admin\AppData\Local\Microsoft\explorer.exe_Url_ngrhffohuwb5vq4wdkmha13b4xo42qkl\1.0.0.0\abpw0ntr.newcfg
––
MD5:  ––
SHA256:  ––
756
explorer.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: 82c60953f4fdfcffa1b09b952809deab
SHA256: 8e67ba0ba6c616f5c823a425dc278308b602af05fa39ed3ab7e4b91e60002daa
756
explorer.exe
C:\Users\admin\AppData\Local\Temp\Tar46AE.tmp
––
MD5:  ––
SHA256:  ––
756
explorer.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
compressed
MD5: a902cf373e02f7dc34f456ed7449279c
SHA256: ea0c12aedea644678014991a96534145e85aa12cd8955396dfdc98a4fc96f0d5
756
explorer.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: 9d6e7b7fae0d929e265a0d4353874eb0
SHA256: 2674e951f689a1b823c620e60f279124523be554a5b871aba3272a6bcf872f15
756
explorer.exe
C:\Users\admin\AppData\Local\Temp\Cab46AD.tmp
––
MD5:  ––
SHA256:  ––
756
explorer.exe
C:\Users\admin\AppData\Local\Temp\Tar43ED.tmp
––
MD5:  ––
SHA256:  ––
756
explorer.exe
C:\Users\admin\AppData\Local\Temp\Cab43EC.tmp
––
MD5:  ––
SHA256:  ––
756
explorer.exe
C:\Users\admin\AppData\Local\Temp\Tar43DC.tmp
––
MD5:  ––
SHA256:  ––
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Results\Netflix\10.09.18\3.5k\Total Hits.txt
text
MD5: 66111f1b80601c06518a21587fea4dc2
SHA256: 8e2105d6217c45f0e9b69bbcb65329f38b7383e1a577da072614c8a0ffaaf36c
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Results\Netflix\10.09.18\3.5k\[email protected]
text
MD5: 5e67069d93f785fe56601122d79c3775
SHA256: 94287269215c6d4b19ce6d0f4d5fcfc055392652a70dcd19c7a9d3b3b02943ac
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Wish.ini
text
MD5: 93eec1d90354c2e5d4f586e619029daa
SHA256: 166df51e0edf7c96a82b145842d88b9a6e41678ad43ca5a55d5f62e2cff49c6d
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Walmart.ini
text
MD5: 4327d1ce565932a983619160e7636fe4
SHA256: f7f9f96e6e09baee97a4af9fae68033c8feaf481029936da893c0444076e3d39
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Results\MailAccess\10.09.18\3.5k\Total Hits.txt
text
MD5: 5e7c5fe95ab9b54337e96811045fafc7
SHA256: 34c0b15f604d6905c0cd8555cfc6e94b8009723bf9e30726bc1fcec5253314ca
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Very.ini
text
MD5: d9d8c2d290cd63898465638891dc1709
SHA256: 278b8ef6b12a623d9c0a3cfc6686b9c7b2d29812781952029e3f11bbe712e6ee
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\TwitchAffiliated.ini
text
MD5: 0db52a96a549373924f55a3ba50d3f66
SHA256: 71add41543660c1fd9623462b12cb6508f91231d911ea70e28f5559a5a9cb76c
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Staples.ini
text
MD5: 698aa59e25192fde5fd41506d0c4153f
SHA256: f6a2a1a1f645e03bc9d9130534a34bdb8824f99938b4f38e93c5614c506393ed
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Steam Purchases.ini
text
MD5: b9d98957ac327451734079e4d240162f
SHA256: c96d7e30a4f40bebb3cf599e136ef5fb094c6a49eb5f799c384ee80875976e11
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Target.ini
text
MD5: 7361c30ba31a25adde59b801d932d0f0
SHA256: 5442cf521aafa0376a93fe5cc46b5f5b88311a8e917c5bc016a2c61cba0d6ad1
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Venmo.ini
text
MD5: 040f15e5467461b6162400f8f224b17c
SHA256: bb901cf14f66c09a92c594491ac644f79eb13118eede963df73e3f02ecd02c2b
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Starbucks.ini
text
MD5: 7b5b5d609bd9225e073d7f83bf42ba3f
SHA256: 9a76a4f22b250cd5b6bae013e6a6059331369751050c4c36aae0b4f7142a31d5
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Skrill.ini
text
MD5: cbbc7c6641321bd44589cd22ea7fccc2
SHA256: 333f1d70bf84fda18df87aae73ea513916dcfeb803b9c4c9ffe91eff39c85b13
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Spotify.ini
text
MD5: f70fdb2cf9de55f87b59b5c5bdc2b6e8
SHA256: d3557ae9def3cb2cbe4f0c0614a45a6ad8d0373b679bf4ad0c2c647911ef1a2a
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\SocialClub.ini
text
MD5: 21c8b6660e9621c391ffac3eb786a883
SHA256: 33cb07ca8a251639675b75da9932bfb5f35a82674359143311e66527f78deac7
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Skype.ini
text
MD5: f18533ca3193b619e4c903fe973f635d
SHA256: 3b5b645645bb0b1c706335beaff9fc9da69e8aa8016b7b0e6a7185ae4e06287e
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Runescape.ini
text
MD5: 43fd9877cd013125b4bad196e092b7a0
SHA256: 71c133420cf4678cfde3babcac6a5053fb7131508d1856107b3b2ffe7ab74af7
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\SellyBuyer.ini
text
MD5: b4a9ed6a7b8835824f328787d2f238d8
SHA256: 29963333f626808392f685195745adf6ebe581c30d39a0cd6f1e2c7c23598050
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\SellySeller.ini
text
MD5: 2fbae4e990d88b0fe4894473b223fc20
SHA256: fc4fe463c647755ad27d00352488889966cdc9515b9adf32ae98fdc159c69b37
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Origin.ini
text
MD5: 0a10e5d44114ace892c656e421a5ed7d
SHA256: a53dfbc79414ce327fe5cbb260dc94505557eb0e6c1c8a98eed12f4a7888569b
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Microsoft Rewards.ini
text
MD5: 4f7660029d57f802af113b39b406891f
SHA256: d4c608f8866030e817ee6e0f087ed99450fb9febb0f526c8ad68e1c6d40d43b9
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Nordstrom.ini
text
MD5: d9d892b0476f7e82f1361338bc6bdc06
SHA256: b9852e2773734a3e6421b596d18f8883d318d10b84e3c09e2a3ba7a3106902af
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Roblox.ini
text
MD5: 4164e491b954d3f80e5e9a481db81ba3
SHA256: f7c5dd2240c1e42ec1aab16ad1b2e9be407b3c256ae760dc4c37a8d72b854f53
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\OPSkins.ini
text
MD5: dc8a3d1912a30523b2f3b17341f97bff
SHA256: a1276e8c7366417a9029ec636c440c8cde046c111c0a58c791db38d822e8f943
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\PSN.ini
html
MD5: 3e87c3522a883458f6387f7e5c0405e0
SHA256: d55dc24ca2a9c45de29c541dda1d7bfe769b2102538bd25484758aa974dfd2f5
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Netflix.ini
text
MD5: 23b3e51de284912fbdde63d29ccb2b1c
SHA256: b84cfa6d0730a3619230f5241d11174b58b88b373ee7c4bcb5903d90755d8316
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\OfficeDepot.ini
text
MD5: 329161a3d82f59216b415714ebd34031
SHA256: 1b6d19b30cd8b1d8cf98ba07a930e6c80fb7f0f1c75aa10f79889eef6f986276
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Microsoft.ini
text
MD5: 39b96d979ded2149792a35a3becca961
SHA256: 28fc262b7f71b6d7cd86e5dfb7a46e3a39b71ce63f8a392896b1abd94813c6ff
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Macy's rewards.ini
text
MD5: 98c5bae4a957bdf4602651110a95df4f
SHA256: 5f022111d86f11404d5ff9652bf8504c63a480a8b1abfef6c3a8524f126830e6
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\GameTopUp.ini
text
MD5: 2a68855c3116ef9fce214cc39e8dfe80
SHA256: f31ef130e4ead0c89e32987cbc5b914874e49afcabf91861b53ae494ce71a90b
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Kinguin.ini
text
MD5: 9ad0d9489b7cf354421eb16593a79918
SHA256: a1a917eb22889b60bf48525ce79b132db0dc0c36cff061c12f4675364c283de6
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Macy's.ini
text
MD5: 29a22ce897e2449ab45a4548a4892666
SHA256: 3aac1f1f8e4f4e4d42a5b3613c40c0c1768aac04441d92daa9fef74de169280a
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\HRKGame.ini
text
MD5: 2b1377cd652925706736e7059ac11a42
SHA256: 4364db8ddb3e42822abe6332741f086dfde48cf7abf38a84a24b0902dfb7845c
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Localbitcoins.ini
text
MD5: 3f8d31970cff67788902c14af92cf241
SHA256: 79a5d7624dcf561e9f18001a024b79b7921292935ddbaeeed8c396437983ec90
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\IQOptions.ini
text
MD5: 2f9088d7ad92db624e9c5fb6cd8284c9
SHA256: cadca65bcfe3fa36c2c69b895d7ef5e982609c00019f252c543d123eb0e99c0e
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\EscapeFromTarkov.com.ini
text
MD5: 233e7d6d25e7b8df21f9bf4163e18d33
SHA256: 133e1ca344fd530478590f6317a71e8c027d0e18106570abd3280e285b5fde7a
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\G2A.ini
text
MD5: b574a87f276f764d1bc0af8731168da3
SHA256: 1ff31a4f333d40b01054b9b5975abee9ce6eadfc6fee0e3f7a7ce3104c99bfe0
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\EpicGames.ini
text
MD5: 4a9b48b82fe09d74c1ad9729f764900d
SHA256: a9e9014d184572fd8f0a3c7c5fd95b47e9acd5e331c7c9403624f27b9be8c06a
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\DunkinDonuts.ini
text
MD5: 0d1b897f78de007c9425d9e185eefd67
SHA256: 4426316cf0cd1926849cd02025ee214061e3f12e92a23800c7c30d3f673ca2be
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Cryptomate.ini
text
MD5: 1272a8374667832b4ec6f4bbd89e2ea9
SHA256: 456242e31d418322d9606944de014313117770d7dca441424b0287cd2b9ac997
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Discord.ini
text
MD5: 2160e396dae406ab20597f0c7b5b8f35
SHA256: 47c7afaee5bcd2ffb8222ecab40239ef6d31bf2dc537ee38b05dea22cbaf4b17
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Brazzers.ini
text
MD5: 92a5499c2819c1980a0ef2c320a956e8
SHA256: f147a2d20fce8d506c940f3e271e990191bac5eb286f3896ca5a2df2d0896f0a
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Blockchain.ini
text
MD5: 99866bf06b8c87ba7e01e11f3e2a456f
SHA256: 10747dc84ab3d1ddfdccc6a800d2a02ad85a45f81eb55d4201f8427297db4c81
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Coinbase.ini
text
MD5: 0523aab69d730e9f2f1925dc000918f6
SHA256: eb8488972f177a1ac59578c5f5bee6228f33b1eae79b311c8f4d1133701dc8c0
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Currys.ini
text
MD5: a93b262da1a132fca462cea4de557282
SHA256: 5a5d57c9fab83e6d7e863cb9b28d687946b84cbe6a836c3fad3cacc36ffe1eba
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Blizzard.ini
text
MD5: c0b49b202d279c8fee710a36d1ca3138
SHA256: 40c0520a640a32c2d915f831d327e16254f12c1293e5568b7840614d0d52bcbe
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\READ PLEASE.txt
text
MD5: ee870fc978170511f13d1b028b9ab212
SHA256: ebed6bce13950a45c20d53ae092bff11402e5033ed32739b7b09d7c67eb6644c
756
explorer.exe
C:\Users\admin\AppData\Local\Temp\Cab43DB.tmp
––
MD5:  ––
SHA256:  ––
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Amazon.co.uk.ini
text
MD5: 20396613e4c5969fc48ca89ad0627c29
SHA256: 555980065c2d0d2824b651e310fddb2d1b336e1343df262b460777bdbbf543c8
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Apple.ini
text
MD5: 8f57e156bc969b57213305c84f51970f
SHA256: 2f1114652372bc41f7b19c85c3fcb7c5d6c2753a46bcddadf73e9af034b3bb40
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Artix.ini
text
MD5: 64b60521192e3f8d6158b9e1c2bfab0b
SHA256: 9b3e152127047a4a2a2ebe14da4ead31c15bc3700700c581517664023bddecd8
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Amazon.de.ini
text
MD5: 2aeca9ee813b35918a4a465a255b7c36
SHA256: b28289f90fd7541192ea15615598e402fb21258ce0ab1e200bfd37e5b4b67ed8
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Amazon.it.ini
text
MD5: 8d5c8bb74242589c778e80de2d3a7e16
SHA256: 65e000d286f9b1e278a5157b666207ad02379f324304689cf3b1af0231938d1e
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Bitstamp.ini
text
MD5: f09318eb946b45c678471282c7575ee5
SHA256: 0d5d7099efadf623c88c9180a689ea50e57f1e1988d70ef3409f3f6e86f15ebc
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Amazon.ini
text
MD5: 4ef53d09c02f3a1a5e79025bf42fc169
SHA256: 641ce969229fa21f07b5ad2979cc8348f09fd79a6c07fbc58d576820b5c51a27
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Amazon.com.ini
text
MD5: 2afd5f14e39464fc84ea4e8eb1d1900d
SHA256: 4375339a0bc859948fea4718d8a11eca5880ec2e2709d622c038543cfd4b26a5
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Bestbuy.ini
text
MD5: 5502553f370ce9c40e01d665e172b736
SHA256: 105a3ec63e47cc4973dc7e3e269c1287b76b12e9a15b61f22cb43b6d36484cbf
756
explorer.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\History1
sqlite
MD5: 8276cc06151ce7f948eaf3cf7f936e9a
SHA256: fbb6b589620e3fd9bfcec04a0bc42136fe73308aa68d1c6a04416142ec8a46a9
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Making configs tutorial.html
html
MD5: 652fe189d0316045a425f0e5705a65ef
SHA256: 71992c72b2c76f4e81c51a1150807b6ea12bd937a8994800f4dc7b9ad254ba68
3292
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\domains.txt
––
MD5:  ––
SHA256:  ––
756
explorer.exe
C:\Users\admin\AppData\Local\Microsoft\explorer.exe_Url_ngrhffohuwb5vq4wdkmha13b4xo42qkl\1.0.0.0\user.config
xml
MD5: 5a8943e9973400308245259e395ec451
SHA256: 7b6bda41cd608cc5ab95691273cc8689f0da1605126fa5156e13bd0f2668bbd3

Network activity

HTTP(S) requests
3
TCP/UDP connections
13
DNS requests
9
Threats
21

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
756 explorer.exe GET 204 216.58.212.206:80 http://clients3.google.com/generate_204 US –– –– whitelisted
756 explorer.exe GET 200 205.185.216.42:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab US compressed whitelisted
756 explorer.exe GET 200 205.185.216.42:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt US der whitelisted

Connections

PID Process IP ASN CN Reputation
756 explorer.exe 216.58.212.206:80 Google Inc. US whitelisted
756 explorer.exe 216.239.38.21:443 Google Inc. US whitelisted
756 explorer.exe 145.14.145.6:443 Hostinger International Limited US shared
756 explorer.exe 205.185.216.42:80 Highwinds Network Group, Inc. US whitelisted
756 explorer.exe 34.232.49.99:6667 Amazon.com, Inc. US unknown
756 explorer.exe 23.227.190.242:6667 Incero LLC US unknown
756 explorer.exe 54.38.217.240:6669 OVH SAS FR unknown
756 explorer.exe 107.170.56.30:6667 Digital Ocean, Inc. US unknown
756 explorer.exe 45.55.156.41:6669 Digital Ocean, Inc. US unknown

DNS requests

Domain IP Reputation
clients3.google.com 216.58.212.206 whitelisted
ipinfo.io 216.239.38.21 shared
a-rat.000webhostapp.com 145.14.145.6 shared
www.download.windowsupdate.com 205.185.216.42 whitelisted
irc.caelestia.net 34.232.49.99 unknown
irc.criten.net 23.227.190.242 unknown
irc.euirc.net 54.38.217.240 unknown
irc.swiftirc.net 107.170.56.30 unknown
irc.beyondirc.net 45.55.156.41 unknown

Threats

PID Process Class Message
756 explorer.exe A Network Trojan was detected ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
756 explorer.exe Potential Corporate Privacy Violation ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
756 explorer.exe A Network Trojan was detected SC BACKDOOR TeleRAT webhook using attempt
756 explorer.exe Misc activity ET CHAT IRC PONG response
756 explorer.exe Misc activity ET CHAT IRC USER command
756 explorer.exe Misc activity ET CHAT IRC NICK command
756 explorer.exe Misc activity ET CHAT IRC PING command
756 explorer.exe Misc activity ET CHAT IRC PONG response
756 explorer.exe Misc activity ET CHAT IRC USER command
756 explorer.exe Misc activity ET CHAT IRC NICK command
756 explorer.exe Misc activity ET CHAT IRC PING command
756 explorer.exe Misc activity ET CHAT IRC authorization message
756 explorer.exe Misc activity ET CHAT IRC PONG response
756 explorer.exe Misc activity ET CHAT IRC USER command
756 explorer.exe Misc activity ET CHAT IRC NICK command
756 explorer.exe Misc activity ET CHAT IRC PING command
756 explorer.exe A Network Trojan was detected SC BACKDOOR TeleRAT webhook using attempt
756 explorer.exe Misc activity ET CHAT IRC PONG response

3 ETPRO signatures are available in the full report

Debug output strings

No debug info.