General Info

File name

Setup.exe

Full analysis
https://app.any.run/tasks/0995d253-bcf5-4017-b5da-5aec3ede4e1c
Verdict
Malicious activity
Analysis date
8/14/2019, 00:27:56
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

51e2f3de98f241dfb268dc887eb2750c

SHA1

4b1dcd948edc1bf5bbf587e23da90ed2d8357844

SHA256

cdd28a31b437da4a3ec6e9ccb23ca9552e2ef70f024509efe608c5c9709e90fa

SSDEEP

12288:ZibqI59Pk2cb7pSn0dVwyjqm+7vzLBZSSPDBMX9+8:ZibqIjk2cvpaAH+HLBZSSKXH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • explorer.exe (PID: 4068)
  • explorer.exe (PID: 3168)
  • explorer.exe (PID: 3084)
  • svchost.exe (PID: 944)
  • svchost.exe (PID: 364)
Changes the autorun value in the registry
  • svchost.exe (PID: 364)
  • explorer.exe (PID: 4068)
  • Setup.exe (PID: 3348)
Creates files in the user directory
  • explorer.exe (PID: 3168)
  • svchost.exe (PID: 364)
  • explorer.exe (PID: 4068)
  • svchost.exe (PID: 944)
  • Setup.exe (PID: 3348)
Creates executable files which already exist in Windows
  • explorer.exe (PID: 3168)
  • svchost.exe (PID: 364)
  • explorer.exe (PID: 4068)
  • svchost.exe (PID: 944)
  • Setup.exe (PID: 3348)
Executable content was dropped or overwritten
  • svchost.exe (PID: 364)
  • explorer.exe (PID: 3168)
  • explorer.exe (PID: 4068)
  • svchost.exe (PID: 944)
  • Setup.exe (PID: 3348)

No info indicators.

Static information

TRiD
.exe | Generic CIL Executable (.NET, Mono, etc.) (55.8%)
.exe | Win64 Executable (generic) (21%)
.scr | Windows screen saver (9.9%)
.dll | Win32 Dynamic Link Library (generic) (5%)
.exe | Win32 Executable (generic) (3.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:03:21 19:17:17+01:00
PEType:
PE32
LinkerVersion:
11
CodeSize:
457216
InitializedDataSize:
103424
UninitializedDataSize:
null
EntryPoint:
0x7183e
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
8.1.1.7800
ProductVersionNumber:
8.1.1.7800
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
Comments:
hkcmd Module
CompanyName:
Intel Corporation
FileDescription:
hkcmd Module
FileVersion:
8.1.1.7800
InternalName:
Setup.exe
LegalCopyright:
Copyright 1996 - 2006. Intel Corporation
OriginalFileName:
Setup.exe
ProductName:
Intel(R) Common User Interface
ProductVersion:
8.1.1.7800
AssemblyVersion:
8.1.1.7800
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
21-Mar-2019 18:17:17
Debug artifacts
C:\Users\pc\Desktop\01-03-2019\svchost--setup 22-09-2018\obj\Release\Setup.pdb
Comments:
hkcmd Module
CompanyName:
Intel Corporation
FileDescription:
hkcmd Module
FileVersion:
8.1.1.7800
InternalName:
Setup.exe
LegalCopyright:
Copyright 1996 - 2006. Intel Corporation
OriginalFilename:
Setup.exe
ProductName:
Intel(R) Common User Interface
ProductVersion:
8.1.1.7800
Assembly Version:
8.1.1.7800
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
4
Time date stamp:
21-Mar-2019 18:17:17
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00002000 | 0x0006F844 | 0x0006FA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.18684
.sdata | 0x00072000 | 0x00000138 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.91806
.rsrc | 0x00074000 | 0x00018FC8 | 0x00019000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.68236
.reloc | 0x0008E000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191
Resources
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 32512

Imports
    mscoree.dll

Exports

    No exports.

Processes

Total processes
39
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Behavior graph (image): Setup.exe is started and drops and starts svchost.exe, which drops and starts a second svchost.exe, which drops and starts explorer.exe; that explorer.exe drops and starts a second explorer.exe, which drops and starts a third explorer.exe.
Process information

PID
3348
CMD
"C:\Users\admin\AppData\Local\Temp\Setup.exe"
Path
C:\Users\admin\AppData\Local\Temp\Setup.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Intel Corporation
Description
hkcmd Module
Version
8.1.1.7800
Modules
Image
c:\users\admin\appdata\local\temp\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.remo#\5cae93d923c8378370758489e5535820\system.runtime.remoting.ni.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.serviceproce#\20008c75bb41e2febf84d4d4aea5b4e8\system.serviceprocess.ni.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\riched20.dll
c:\windows\system32\windowscodecs.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.deployment\be74d258a0daa0e11197e1dcb1b3b0b9\system.deployment.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\roaming\intel corporation\intel(r) common user interface\8.1.1.7800\svchost.exe
c:\windows\system32\rpcrtremote.dll

PID
944
CMD
"C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe"
Path
C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe
Indicators
Parent process
Setup.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Intel Corporation
Description
Host Process for Windows Services
Version
8.1.1.7900
Modules
Image
c:\users\admin\appdata\roaming\intel corporation\intel(r) common user interface\8.1.1.7800\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\windows\system32\ie4uinit.exe
c:\windows\system32\accessibilitycpl.dll
c:\windows\system32\sud.dll
c:\windows\system32\wucltux.dll
c:\windows\ehome\ehres.dll
c:\program files\windows sidebar\sidebar.exe
c:\windows\system32\windowsanytimeupgradeui.exe
c:\program files\dvd maker\dvdmaker.exe
c:\windows\system32\fxsresm.dll
c:\windows\system32\unregmp2.exe
c:\windows\system32\xpsrchvw.exe
c:\windows\system32\displayswitch.exe
c:\program files\common files\microsoft shared\ink\mip.exe
c:\windows\system32\mblctr.exe
c:\windows\system32\netprojw.dll
c:\windows\system32\mstsc.exe
c:\windows\system32\snippingtool.exe
c:\windows\system32\soundrecorder.exe
c:\windows\system32\sntsearch.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\oobefldr.dll
c:\windows\system32\speech\speechux\sapi.cpl
c:\windows\system32\dfrgui.exe
c:\windows\system32\wdc.dll
c:\windows\system32\msinfo32.exe
c:\windows\system32\rstrui.exe
c:\windows\system32\miguiresource.dll
c:\windows\system32\migwiz\wet.dll
c:\program files\common files\microsoft shared\ink\shapecollector.exe
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\program files\windows journal\journal.exe
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\comres.dll
c:\windows\system32\mycomput.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\iscsicpl.dll
c:\windows\system32\mdsched.exe
c:\windows\system32\pmcsnap.dll
c:\windows\system32\wsecedit.dll
c:\windows\system32\filemgmt.dll
c:\windows\system32\msconfig.exe
c:\windows\system32\authfwgp.dll
c:\windows\system32\gameux.dll
c:\windows\system32\sdcpl.dll
c:\windows\system32\recdisc.exe
c:\windows\system32\msra.exe
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\linkinfo.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\wer.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\microsoft\windows\8.1.7601.17587\svchost.exe

PID
364
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Intel Corporation
Description
Host Process for Windows Services
Version
8.1.1.7900
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\8.1.7601.17587\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.remo#\5cae93d923c8378370758489e5535820\system.runtime.remoting.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.deployment\be74d258a0daa0e11197e1dcb1b3b0b9\system.deployment.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\intel corporation\intel(r) common user interface\8.1.1.7900\explorer.exe

PID
3168
CMD
"C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Intel Corporation
Description
Windows Explorer
Version
6.1.7600.16385
Modules
Image
c:\users\admin\appdata\roaming\intel corporation\intel(r) common user interface\8.1.1.7900\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\microsoft\windows\8.1.7601.17587\explorer.exe

PID
4068
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\explorer.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Intel Corporation
Description
Windows Explorer
Version
6.1.7600.16385
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\8.1.7601.17587\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\roaming\explorer.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
3084
CMD
"C:\Users\admin\AppData\Roaming\explorer.exe"
Path
C:\Users\admin\AppData\Roaming\explorer.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Intel Corporation
Description
Windows Explorer
Version
6.1.7600.16385
Modules
Image
c:\users\admin\appdata\roaming\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

Registry activity

Total events
2080
Read events
1934
Write events
146
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | LanguageList | en-US
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\System32\ie4uinit.exe,-731 | Internet Explorer
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\AccessibilityCpl.dll,-10 | Ease of Access Center
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\System32\ie4uinit.exe,-737 | Internet Explorer (No Add-ons)
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\sud.dll,-1 | Default Programs
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\wucltux.dll,-1 | Windows Update
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\ehome\ehres.dll,-100 | Windows Media Center
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Program Files\Windows Sidebar\sidebar.exe,-1005 | Desktop Gadget Gallery
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\WindowsAnytimeUpgradeUI.exe,-1 | Windows Anytime Upgrade
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Program Files\DVD Maker\DVDMaker.exe,-61403 | Windows DVD Maker
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\FXSRESM.dll,-114 | Windows Fax and Scan
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\unregmp2.exe,-4 | Windows Media Player
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\XpsRchVw.exe,-102 | XPS Viewer
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\displayswitch.exe,-320 | Connect to a Projector
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe,-291 | Math Input Panel
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\mblctr.exe,-1008 | Windows Mobility Center
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\NetProjW.dll,-501 | Connect to a Network Projector
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\mstsc.exe,-4000 | Remote Desktop Connection
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\SnippingTool.exe,-15051 | Snipping Tool
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\SoundRecorder.exe,-100 | Sound Recorder
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\SNTSearch.dll,-505 | Sticky Notes
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\System32\SyncCenter.dll,-3000 | Sync Center
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\OobeFldr.dll,-33056 | Getting Started
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\Speech\SpeechUX\sapi.cpl,-5555 | Windows Speech Recognition
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\dfrgui.exe,-103 | Disk Defragmenter
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\wdc.dll,-10030 | Resource Monitor
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\msinfo32.exe,-100 | System Information
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\rstrui.exe,-100 | System Restore
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\miguiresource.dll,-201 | Task Scheduler
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\migwiz\wet.dll,-591 | Windows Easy Transfer Reports
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\migwiz\wet.dll,-588 | Windows Easy Transfer
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Program Files\Common Files\Microsoft Shared\Ink\ShapeCollector.exe,-298 | Personalize Handwriting Recognition
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Program Files\Common Files\Microsoft Shared\Ink\TipTsf.dll,-80 | Tablet PC Input Panel
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Program Files\Windows Journal\Journal.exe,-3074 | Windows Journal
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 | Windows PowerShell ISE
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\comres.dll,-3410 | Component Services
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\mycomput.dll,-300 | Computer Management
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E | @C:\Windows\system32\odbcint.dll,-1310 | Data Sources (ODBC)
944 | svchost.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\miguiresource.dll,-101
Event Viewer
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\iscsicpl.dll,-5001
iSCSI Initiator
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\MdSched.exe,-4001
Windows Memory Diagnostic
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\wdc.dll,-10021
Performance Monitor
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\pmcsnap.dll,-700
Print Management
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\wsecedit.dll,-718
Local Security Policy
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\filemgmt.dll,-2204
Services
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\msconfig.exe,-126
System Configuration
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\System32\AuthFWGP.dll,-20
Windows Firewall with Advanced Security
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\gameux.dll,-10082
Games Explorer
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\sdcpl.dll,-101
Backup and Restore
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\recdisc.exe,-2000
Create a System Repair Disc
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\msra.exe,-100
Windows Remote Assistance
944
svchost.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
@C:\Windows\system32\ntshrui.dll,-103
S&hare with
944
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
944
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3348
Setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Intel(R) Common Networking System
C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe
3348
Setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3348
Setup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
EnableFileTracing
0
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
EnableConsoleTracing
0
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
FileTracingMask
4294901760
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
ConsoleTracingMask
4294901760
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
MaxFileSize
1048576
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
FileDirectory
%windir%\tracing
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS
EnableFileTracing
0
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS
EnableConsoleTracing
0
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS
FileTracingMask
4294901760
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS
ConsoleTracingMask
4294901760
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS
MaxFileSize
1048576
364
svchost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS
FileDirectory
%windir%\tracing
364
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Intel(R) Common User Networking
C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe
364
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
364
svchost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3168
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3168
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4068
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Intel(R) Common User System Microsoft
C:\Users\admin\AppData\Roaming\explorer.exe
4068
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
4068
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1

Files activity

Executable files: 5
Suspicious files: 3
Text files: 0
Unknown types: 0

Dropped files

PID Process Filename Type
4068 explorer.exe C:\Users\admin\AppData\Roaming\explorer.exe executable MD5: 4b2b5500a0a026881b27d570beaa875a SHA256: a662df16246c7136c272cd1fa96850f622ef3af7e07444e6881e1045f7cd9c63
3168 explorer.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\explorer.exe executable MD5: 4676a6789f25925b69e9c75607ba61b9 SHA256: b5b980b38e623a7bc804c471832d061eac40f9e4254b74b8065c0c81ebdaac13
944 svchost.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe executable MD5: 121a741173f55ae6c6272cc471e06336 SHA256: b57ed3b39a9dc7261c16d23dfe341de590d7fbd1c4ab8e886da03b44385ef37f
3348 Setup.exe C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe executable MD5: 4aaac2d684710cbb3f23d95517a2c99a SHA256: 654ae2859ee31dc7b2b85f61f2e89e0ece39d0d8d9660a8ed65efbe7f380a750
364 svchost.exe C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe executable MD5: 061c01a6b9103417a780cab9419458d0 SHA256: 5e01da55b3e67603d857d7943509834c43eac6f5379ce8e90ed75e1030cd56db
364 svchost.exe C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.zip compressed MD5: d0de5cd6665c605f2050707264a43e0f SHA256: 99f82f66bd81d588041551415d26eb256b3afa85423dbca9aaf4c9fc79459257
3168 explorer.exe C:\Users\admin\AppData\Local\Temp\$inst\2.tmp compressed MD5: 8708699d2c73bed30a0a08d80f96d6d7 SHA256: a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
944 svchost.exe C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp –– MD5: –– SHA256: ––
944 svchost.exe C:\Users\admin\AppData\Local\Temp\$inst\2.tmp compressed MD5: 8708699d2c73bed30a0a08d80f96d6d7 SHA256: a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
3348 Setup.exe C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\server.zip –– MD5: –– SHA256: ––
3168 explorer.exe C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp –– MD5: –– SHA256: ––

Network activity

HTTP(S) requests: 2
TCP/UDP connections: 9
DNS requests: 3
Threats: 1

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
364 svchost.exe GET 200 160.153.51.197:80 http://capeturk.com/1/explorer.txt US text unknown
364 svchost.exe GET 200 209.99.16.94:80 http://www.anandpen.com/wp-includes/images/media/1/explorer.zip US compressed malicious

Connections

PID Process IP ASN CN Reputation
364 svchost.exe 160.153.51.197:80 GoDaddy.com, LLC US unknown
364 svchost.exe 209.99.16.94:80 PDR US malicious
3084 explorer.exe 38.141.46.20:1111 Cogent Communications US malicious
–– –– 38.141.46.20:1111 Cogent Communications US malicious

DNS requests

Domain IP Reputation
capeturk.com 160.153.51.197 unknown
www.anandpen.com 209.99.16.94 malicious
blog.capeturk.com 38.141.46.20 malicious

Threats

PID Process Class Message
364 svchost.exe A Network Trojan was detected MALWARE [PTsecurity] Trojan.DownLoader22.55152 (BackDoor.RevetRat)

Debug output strings

No debug info.