General Info

File name

Spam Sender.exe

Full analysis
https://app.any.run/tasks/afffe872-3761-4f3d-9fd8-3c12a46803ab
Verdict
Malicious activity
Analysis date
5/15/2019, 10:07:32
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

rat

njrat

bladabindi

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5

97083a8e2778c8dce935a4537ea374bb

SHA1

8ab552709ec86a09ca30b36a2753dea70e0decef

SHA256

dbe79c946db2abc0a6b084f63684a5e771a5668c2dfa8f94938f1547f9a5d206

SSDEEP

3072:QqRaMrUwmuvDWLc9BJC7II094TfpZFbpGKp2feEyg5oRj7QgyJL3TNf7PZpX:Qnx1207D0W9sKALr5oRHQgSLDNf7xpX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was injected by another process
  • DllHost.exe (PID: 3920)
  • DllHost.exe (PID: 3308)
  • conhost.exe (PID: 3296)
  • spoolsv.exe (PID: 1196)
  • windanr.exe (PID: 2216)
  • svchost.exe (PID: 976)
  • svchost.exe (PID: 3128)
  • SearchProtocolHost.exe (PID: 1256)
  • SearchFilterHost.exe (PID: 1344)
  • ctfmon.exe (PID: 2000)
  • OSPPSVC.EXE (PID: 184)
  • svchost.exe (PID: 1696)
  • svchost.exe (PID: 816)
  • svchost.exe (PID: 1048)
  • SearchIndexer.exe (PID: 1988)
  • wininit.exe (PID: 396)
  • WerFault.exe (PID: 3516)
  • services.exe (PID: 492)
  • lsass.exe (PID: 500)
  • csrss.exe (PID: 404)
  • svchost.exe (PID: 1224)
  • qemu-ga.exe (PID: 1388)
  • dwm.exe (PID: 2016)
  • lsm.exe (PID: 508)
  • taskeng.exe (PID: 1752)
  • svchost.exe (PID: 692)
  • explorer.exe (PID: 252)
  • svchost.exe (PID: 780)
  • svchost.exe (PID: 612)
  • smss.exe (PID: 264)
  • DllHost.exe (PID: 4084)
  • csrss.exe (PID: 348)
  • DllHost.exe (PID: 2752)
  • svchost.exe (PID: 848)
  • svchost.exe (PID: 1776)
  • winlogon.exe (PID: 444)
Loads dropped or rewritten executable
  • DllHost.exe (PID: 3920)
  • DllHost.exe (PID: 3308)
  • conhost.exe (PID: 3296)
  • netsh.exe (PID: 3856)
  • ctfmon.exe (PID: 2000)
  • CorrM1.exe (PID: 3896)
  • csrss.exe (PID: 404)
  • WerFault.exe (PID: 3516)
  • CorrM.exe (PID: 3988)
  • taskeng.exe (PID: 1752)
  • dwm.exe (PID: 2016)
  • Spam Sender.exe (PID: 2468)
  • explorer.exe (PID: 252)
  • DllHost.exe (PID: 4084)
  • windanr.exe (PID: 2216)
  • winlogon.exe (PID: 444)
NJRAT was detected
  • CorrM.exe (PID: 3988)
Runs injected code in another process
  • CorrM1.exe (PID: 3896)
Application was dropped or rewritten from another process
  • CorrM.exe (PID: 3988)
  • CorrM1.exe (PID: 3896)
  • Spam Sender.exe (PID: 2468)
  • DisableAntiQuit.exe (PID: 2648)
Changes the autorun value in the registry
  • CorrM1.exe (PID: 3896)
  • DisableAntiQuit.exe (PID: 2648)
Creates files in the program directory
  • WerFault.exe (PID: 3516)
Uses NETSH.EXE for network configuration
  • CorrM.exe (PID: 3988)
Executable content was dropped or overwritten
  • CorrM1.exe (PID: 3896)
  • DisableAntiQuit.exe (PID: 2648)
  • Spam Sender.exe (PID: 3236)
Starts itself from another location
  • DisableAntiQuit.exe (PID: 2648)
Creates files in the Windows directory
  • Spam Sender.exe (PID: 3236)
Searches for installed software
  • svchost.exe (PID: 816)
Application was crashed
  • Spam Sender.exe (PID: 2468)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (67.4%)
.dll
|   Win32 Dynamic Link Library (generic) (14.2%)
.exe
|   Win32 Executable (generic) (9.7%)
.exe
|   Generic Win/DOS Executable (4.3%)
.exe
|   DOS Executable Generic (4.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2015:12:27 06:38:55+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
24576
InitializedDataSize:
164864
UninitializedDataSize:
1024
EntryPoint:
0x310d
OSVersion:
4
ImageVersion:
6
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
27-Dec-2015 05:38:55
Detected languages
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
27-Dec-2015 05:38:55
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x00005E3C 0x00006000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.4323
.rdata 0x00007000 0x0000126A 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.00589
.data 0x00009000 0x00025D38 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.29176
.ndata 0x0002F000 0x00008000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x00037000 0x000070D0 0x00007200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.86243
Resources
1

2

3

4

5

103

105

106

111

Imports
    KERNEL32.dll

    USER32.dll

    GDI32.dll

    SHELL32.dll

    ADVAPI32.dll

    COMCTL32.dll

    ole32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
49
Monitored processes
44
Malicious processes
21
Suspicious processes
2

Behavior graph

+
drop and start drop and start start drop and start drop and start inject inject inject inject inject spam sender.exe no specs spam sender.exe spam sender.exe disableantiquit.exe corrm1.exe #NJRAT corrm.exe no specs smss.exe csrss.exe winlogon.exe svchost.exe windanr.exe DllHost.exe svchost.exe svchost.exe explorer.exe DllHost.exe svchost.exe svchost.exe svchost.exe lsm.exe dwm.exe taskeng.exe csrss.exe services.exe lsass.exe qemu-ga.exe werfault.exe wininit.exe svchost.exe svchost.exe svchost.exe spoolsv.exe searchindexer.exe svchost.exe osppsvc.exe searchprotocolhost.exe searchfilterhost.exe ctfmon.exe svchost.exe netsh.exe no specs conhost.exe explorer.exe no specs Thumbnail Cache Out of Proc Server Thumbnail Cache Out of Proc Server
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
264
CMD
\SystemRoot\System32\smss.exe
Path
C:\Windows\System32\smss.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows Session Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\systemroot\system32\smss.exe
c:\windows\system32\ntdll.dll

PID
348
CMD
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path
C:\Windows\System32\csrss.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Client Server Runtime Process
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\csrsrv.dll
c:\windows\system32\basesrv.dll
c:\windows\system32\winsrv.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sxssrv.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll

PID
396
CMD
wininit.exe
Path
C:\Windows\System32\wininit.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows Start-Up Application
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wininit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\profapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\advapi32.dll

PID
404
CMD
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Path
C:\Windows\System32\csrss.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Client Server Runtime Process
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\csrsrv.dll
c:\windows\system32\basesrv.dll
c:\windows\system32\winsrv.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sxssrv.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
444
CMD
winlogon.exe
Path
C:\Windows\System32\winlogon.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows Logon Application
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winsta.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\uxinit.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netjoin.dll
c:\windows\system32\netutils.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\slc.dll
c:\windows\system32\mpr.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
492
CMD
C:\Windows\system32\services.exe
Path
C:\Windows\System32\services.exe
Indicators
Parent process
wininit.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Services and Controller app
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\scext.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\secur32.dll
c:\windows\system32\scesrv.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\credssp.dll
c:\windows\system32\authz.dll
c:\windows\system32\ubpm.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll

PID
500
CMD
C:\Windows\system32\lsass.exe
Path
C:\Windows\System32\lsass.exe
Indicators
Parent process
wininit.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Local Security Authority Process
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspisrv.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\samsrv.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cngaudit.dll
c:\windows\system32\authz.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msprivs.dll
c:\windows\system32\netjoin.dll
c:\windows\system32\negoexts.dll
c:\windows\system32\secur32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\kerberos.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\msv1_0.dll
c:\windows\system32\netlogon.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wdigest.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\tspkg.dll
c:\windows\system32\pku2u.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\efslsaext.dll
c:\windows\system32\scecli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\winsta.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dssenh.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\certpoleng.dll
c:\windows\system32\wkscli.dll

PID
508
CMD
C:\Windows\system32\lsm.exe
Path
C:\Windows\System32\lsm.exe
Indicators
Parent process
wininit.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Local Session Manager Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\lsm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sysntfy.dll
c:\windows\system32\wmsgapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\advapi32.dll

PID
612
CMD
C:\Windows\system32\svchost.exe -k DcomLaunch
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpnpmgr.dll
c:\windows\system32\spinf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\umpo.dll
c:\windows\system32\winsta.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\rpcss.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wbem\wmidcprv.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\dllhost.exe

PID
692
CMD
C:\Windows\system32\svchost.exe -k RPCSS
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
NETWORK SERVICE
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rpcepmap.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcss.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sxs.dll

PID
780
CMD
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
LOCAL SERVICE
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\wevtsvc.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\audiosrv.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\avrt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\lmhsvc.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nrpsrv.dll
c:\windows\system32\dhcpcore.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\dhcpcore6.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\audioses.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wscsvc.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wuapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\profapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\audiodg.exe

PID
816
CMD
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\audiosrv.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\avrt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxsms.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\trkwks.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wdi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\apphlpdm.dll
c:\windows\system32\shell32.dll
c:\windows\system32\wer.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\portabledeviceconnectapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netman.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasdlg.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\slc.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\atl.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\pcasvc.dll
c:\windows\system32\aepic.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
c:\windows\system32\wevtapi.dll
c:\users\admin\appdata\local\temp\spam sender.exe

PID
848
CMD
C:\Windows\system32\svchost.exe -k netsvcs
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gpsvc.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sysntfy.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\themeservice.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\profsvc.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\winsta.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\slc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sens.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\shsvcs.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\schedsvc.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\shell32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\authz.dll
c:\windows\system32\ubpm.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\credssp.dll
c:\windows\system32\fveapi.dll
c:\windows\system32\tbs.dll
c:\windows\system32\fvecerts.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\wiarpc.dll
c:\windows\system32\samlib.dll
c:\windows\system32\taskcomp.dll
c:\windows\system32\version.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\netjoin.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ikeext.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wbem\wmisvc.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\iphlpsvc.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\srvsvc.dll
c:\windows\system32\browser.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\sscore.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\resutils.dll
c:\windows\system32\samcli.dll
c:\windows\system32\nci.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wbem\wbemcore.dll
c:\windows\system32\wbem\esscli.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\repdrvfs.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wbem\wmiprvsd.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\wbem\wbemess.dll
c:\windows\system32\wbem\ncprov.dll
c:\windows\system32\wuaueng.dll
c:\windows\system32\esent.dll
c:\windows\system32\winspool.drv
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\mspatcha.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wmsgapi.dll
c:\windows\system32\wer.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aelupsvc.dll
c:\windows\system32\appinfo.dll
c:\windows\system32\tschannel.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\ndiscapcfg.dll
c:\windows\system32\rascfg.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\tcpipcfg.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\es.dll
c:\windows\system32\windanr.exe
c:\users\admin\appdata\local\temp\spam sender.exe
c:\windows\system32\spam sender.exe
c:\windows\system32\disableantiquit.exe
c:\windows\system32\werfault.exe
c:\windows\system32\mmcss.dll
c:\windows\system32\avrt.dll

PID
976
CMD
C:\Windows\system32\svchost.exe -k LocalService
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
LOCAL SERVICE
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\nsisvc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wdi.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\perftrack.dll
c:\windows\system32\wer.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\aepic.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll

PID
1048
CMD
C:\Windows\system32\svchost.exe -k NetworkService
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
NETWORK SERVICE
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\dnsrslvr.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dnsext.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wkssvc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\netjoin.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsvc.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\nlasvc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\ncsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ssdpapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\es.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\esent.dll
c:\windows\system32\psapi.dll

PID
1196
CMD
C:\Windows\System32\spoolsv.exe
Path
C:\Windows\System32\spoolsv.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Spooler SubSystem App
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\slc.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\umb.dll
c:\windows\system32\atl.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\localspl.dll
c:\windows\system32\spoolss.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\printisolationproxy.dll
c:\windows\system32\fxsmon.dll
c:\windows\system32\tcpmon.dll
c:\windows\system32\snmpapi.dll
c:\windows\system32\wsnmp32.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\usbmon.dll
c:\windows\system32\wls0wndh.dll
c:\windows\system32\wsdmon.dll
c:\windows\system32\wsdapi.dll
c:\windows\system32\webservices.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\fundisc.dll
c:\windows\system32\fdpnp.dll
c:\windows\system32\spool\prtprocs\w32x86\winprint.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\win32spl.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\inetpp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll

PID
1224
CMD
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
LOCAL SERVICE
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\bfe.dll
c:\windows\system32\authz.dll
c:\windows\system32\slc.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mpssvc.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\credssp.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wfapigp.dll
c:\windows\system32\dps.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wdi.dll
c:\windows\system32\diagperf.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\pnpts.dll
c:\windows\system32\pots.dll
c:\windows\system32\tdh.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wdiasqmmodule.dll
c:\windows\system32\radardt.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll

PID
1388
CMD
"C:\Program Files\Qemu-ga\qemu-ga.exe" -d
Path
C:\Program Files\Qemu-ga\qemu-ga.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
http://www.qemu-project.org
Description
QEMU machine emulators and tools
Version
2.10.59
Modules
Image
c:\program files\qemu-ga\qemu-ga.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\qemu-ga\libglib-2.0-0.dll
c:\program files\qemu-ga\intl.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\psapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\program files\qemu-ga\libgcc_s_sjlj-1.dll
c:\program files\qemu-ga\libssp-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\winsanr.dll
c:\windows\system32\version.dll
c:\windows\system32\winanr.dll

PID
1776
CMD
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
NETWORK SERVICE
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ipsecsvc.dll
c:\windows\system32\authz.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\fwremotesvr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll

PID
2016
CMD
"C:\Windows\system32\Dwm.exe"
Path
C:\Windows\System32\dwm.exe
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Desktop Window Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmredir.dll
c:\windows\system32\dwmcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
252
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
ctfmon.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\tquery.dll
c:\program files\microsoft office\office14\onfilter.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\program files\common files\microsoft shared\office14\msoxev.dll
c:\windows\system32\mlang.dll
c:\windows\system32\msutb.dll
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\users\admin\appdata\local\temp\spam sender.exe
c:\windows\system32\werfault.exe
c:\users\admin\appdata\local\temp\corrm_proc_only.dll
c:\windows\system32\photometadatahandler.dll
c:\windows\system32\imageres.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll

PID
1988
CMD
C:\Windows\system32\SearchIndexer.exe /Embedding
Path
C:\Windows\System32\SearchIndexer.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Indexer
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mssrch.dll
c:\windows\system32\esent.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msidle.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\propsys.dll
c:\windows\system32\en-us\tquery.dll.mui
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\es.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\userenv.dll
c:\windows\system32\sxs.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\elscore.dll
c:\windows\system32\elslad.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\nlsdata0007.dll
c:\windows\system32\nlslexicons0007.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\nlsdata0000.dll

PID
1696
CMD
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
LOCAL SERVICE
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\fntcache.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
184
CMD
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
Path
C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Indicators
Parent process
services.exe
User
NETWORK SERVICE
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Office Software Protection Platform Service
Version
14.0.0370.400 (longhorn(wmbla).090811-1833)
Modules
Image
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppobjs.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
1256
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
Parent process
SearchIndexer.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll

PID
1344
CMD
"C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
Path
C:\Windows\System32\SearchFilterHost.exe
Indicators
Parent process
SearchIndexer.exe
User
SYSTEM
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Filter Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\sxs.dll
c:\windows\system32\xmlfilter.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\query.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\photometadatahandler.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\rtffilt.dll

PID
1752
CMD
taskeng.exe {913ED9C6-74EB-420D-A55F-56D46DDA21F2}
Path
C:\Windows\System32\taskeng.exe
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Task Scheduler Engine
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskeng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\tschannel.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
2000
CMD
C:\Windows\System32\ctfmon.exe
Path
C:\Windows\System32\ctfmon.exe
Indicators
Parent process
taskeng.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
CTF Loader
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msutb.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
2216
CMD
"windanr.exe"
Path
C:\Windows\system32\windanr.exe
Indicators
Parent process
qemu-ga.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\windanr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winanr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsanr.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
3068
CMD
"C:\Users\admin\AppData\Local\Temp\Spam Sender.exe"
Path
C:\Users\admin\AppData\Local\Temp\Spam Sender.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\spam sender.exe
c:\systemroot\system32\ntdll.dll

PID
4084
CMD
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Path
C:\Windows\system32\DllHost.exe
Indicators
Parent process
svchost.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\shacct.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\idstore.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
2752
CMD
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Path
C:\Windows\system32\DllHost.exe
Indicators
Parent process
svchost.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\shacct.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\idstore.dll

PID
3236
CMD
"C:\Users\admin\AppData\Local\Temp\Spam Sender.exe"
Path
C:\Users\admin\AppData\Local\Temp\Spam Sender.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\spam sender.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\spam sender.exe
c:\windows\system32\disableantiquit.exe

PID
2468
CMD
"C:\Windows\system32\Spam Sender.exe"
Path
C:\Windows\system32\Spam Sender.exe
Indicators
Parent process
Spam Sender.exe
User
admin
Integrity Level
HIGH
Exit code
3762504530
Version:
Company
Description
Spam Sender By iiEnFLaT
Version
1.0.0.0
Modules
Image
c:\windows\system32\spam sender.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runt73a1fc9d#\647f9e8a4465888d8348c3f66611c463\system.runtime.remoting.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
2648
CMD
"C:\Windows\system32\DisableAntiQuit.exe"
Path
C:\Windows\system32\DisableAntiQuit.exe
Indicators
Parent process
Spam Sender.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
ProcessOnly CorrM Hider
Version
1.0.0.0
Modules
Image
c:\windows\system32\disableantiquit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.remo#\5cae93d923c8378370758489e5535820\system.runtime.remoting.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\corrm1.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
3128
CMD
C:\Windows\System32\svchost.exe -k WerSvcGroup
Path
C:\Windows\System32\svchost.exe
Indicators
Parent process
services.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wersvc.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\faultrep.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wer.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\werfault.exe

PID
3516
CMD
C:\Windows\system32\WerFault.exe -u -p 2468 -s 588
Path
C:\Windows\system32\WerFault.exe
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Problem Reporting
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wer.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\faultrep.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\spam sender.exe
c:\windows\microsoft.net\framework\v4.0.30319\mscordacwks.dll
c:\windows\system32\dbgeng.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\werui.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dui70.dll
c:\windows\system32\duser.dll
c:\windows\system32\riched20.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runt73a1fc9d#\647f9e8a4465888d8348c3f66611c463\system.runtime.remoting.ni.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll

PID
3896
CMD
"C:\Users\admin\AppData\Local\Temp\CorrM1.exe"
Path
C:\Users\admin\AppData\Local\Temp\CorrM1.exe
Indicators
Parent process
DisableAntiQuit.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
ProcessOnly CorrM Hider
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\corrm1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.runtime.remo#\5cae93d923c8378370758489e5535820\system.runtime.remoting.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\corrm.exe
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
3988
CMD
"C:\Users\admin\AppData\Local\Temp\CorrM.exe"
Path
C:\Users\admin\AppData\Local\Temp\CorrM.exe
Indicators
Parent process
CorrM1.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\corrm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll
c:\windows\system32\apphelp.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
3856
CMD
netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\CorrM.exe" "CorrM.exe" ENABLE
Path
C:\Windows\system32\netsh.exe
Indicators
No indicators
Parent process
CorrM.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\rasmontr.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\nshwfp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\slc.dll
c:\windows\system32\dhcpcmonitor.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpqec.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\wshelper.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\nshhttp.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\fwcfg.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\authfwcfg.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\winipsec.dll
c:\windows\system32\ifmon.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\nci.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\netiohlp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\whhelper.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\hnetmon.dll
c:\windows\system32\netshell.dll
c:\windows\system32\shell32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rpcnsh.dll
c:\windows\system32\dot3cfg.dll
c:\windows\system32\dot3api.dll
c:\windows\system32\atl.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\onex.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\napmontr.dll
c:\windows\system32\certcli.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\nshipsec.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\activeds.dll
c:\windows\system32\adsldpc.dll
c:\windows\system32\polstore.dll
c:\windows\system32\nettrace.dll
c:\windows\system32\ndfapi.dll
c:\windows\system32\wdi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\tdh.dll
c:\windows\system32\wcnnetsh.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\p2pnetsh.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\wlancfg.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\wwancfg.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\peerdistsh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\qagent.dll
c:\windows\system32\napipsec.dll
c:\windows\system32\tsgqec.dll
c:\windows\system32\eapqec.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcryptprimitives.dll

PID
3296
CMD
\??\C:\Windows\system32\conhost.exe
Path
C:\Windows\system32\conhost.exe
Indicators
Parent process
csrss.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\netsh.exe
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
3892
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll

PID
3308
CMD
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Path
C:\Windows\system32\DllHost.exe
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\actxprxy.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

PID
3920
CMD
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Path
C:\Windows\system32\DllHost.exe
Indicators
Parent process
svchost.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\photometadatahandler.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\actxprxy.dll
c:\users\admin\appdata\local\temp\corrm_proc_only.dll

Registry activity

Total events
2198
Read events
1976
Write events
222
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
1224
svchost.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
{9FAE5A18-50B9-4F3D-82E3-F66A9B61A51F}
v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\admin\AppData\Local\Temp\CorrM.exe|Name=CorrM.exe|
1224
svchost.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Epoch
Epoch
401
1224
svchost.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
{5C367402-0136-43D7-89F2-78C1015E68C6}
v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\admin\AppData\Local\Temp\CorrM.exe|Name=CorrM.exe|
1224
svchost.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Epoch
Epoch
402
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
01000000000000000C53FB6EF50AD501
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
00000000010000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF007CB06FF50AD50100000000
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
0000000006000000020000002C95000003000000020000001B6900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000350201000000000000000000A27650E935023CE735025E7C37777CE93502787C3777030000008A018C01EC92CB026CE73502F77C37770100000050E93502847C3777BCE73502B0E73502C8E73502000000000000000000000000B8E7350250E93502000000000000000000000000F0E83502F0E8350200000000010000007CE93502F0E83502B2FE3777F270377785FC3777B5860A759A7C3677EC92CB02A27E367734E935021800000014FB3502006F367700000000000000001CE935023C003E007CE93502C34E9D00BCE7350200000000D84609000000350218E8350204EB350200000088C8000000C8000000C8000000C8000000F2010300000000000000D868A8D33A030106004000000000F0EA35021053D8687FEB9C7620000000220000001053D868102FD8020000000011000000B8450A00B0450A00A8D33A03ACE800001FB258415CE835028291BE75ACE8350260E835022795BE750000000054CAD20288E83502CD94BE7554CAD20234E93502C8C5D202E194BE7500000000C8C5D20234E9350290E8350203000000020000001B6900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000350201000000000000000000A27650E935023CE735025E7C37777CE93502787C3777030000008A018C01EC92CB026CE73502F77C37770100000050E93502847C3777BCE73502B0E73502C8E73502000000000000000000000000B8E7350250E93502000000000000000000000000F0E83502F0E8350200000000010000007CE93502F0E83502B2FE3777F270377785FC3777B5860A759A7C3677EC92CB02A27E367734E935021800000014FB3502006F367700000000000000001CE935023C003E007CE93502C34E9D00BCE7350200000000D84609000000350218E8350204EB350200000088C8000000C8000000C8000000C8000000F2010300000000000000D868A8D33A030106004000000000F0EA35021053D8687FEB9C7620000000220000001053D868102FD8020000000011000000B8450A00B0450A00A8D33A03ACE800001FB258415CE835028291BE75ACE8350260E835022795BE750000000054CAD20288E83502CD94BE7554CAD20234E93502C8C5D202E194BE7500000000C8C5D20234E9350290E8350203000000020000001B6900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000350201000000000000000000A27650E935023CE735025E7C37777CE93502787C3777030000008A018C01EC92CB026CE73502F77C37770100000050E93502847C3777BCE73502B0E73502C8E73502000000000000000000000000B8E7350250E93502000000000000000000000000F0E83502F0E8350200000000010000007CE93502F0E83502B2FE3777F270377785FC3777B5860A759A7C3677EC92CB02A27E367734E935021800000014FB3502006F367700000000000000001CE935023C003E007CE93502C34E9D00BCE7350200000000D84609000000350218E8350204EB350200000088C8000000C8000000C8000000C8000000F2010300000000000000D868A8D33A030106004000000000F0EA35021053D8687FEB9C7620000000220000001053D868102FD8020000000011000000B8450A00B0450A00A8D33A03ACE800001FB258415CE835028291BE75ACE8350260E835022795BE750000000054CAD20288E83502CD94BE7554CAD20234E93502C8C5D202E194BE7500000000C8C5D20234E9350290E83502
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Jvaqbjf Rkcybere.yax
00000000010000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF007CB06FF50AD50100000000
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
HRZR_PGYFRFFVBA
000000000500000000000000040000000300000000000000030000007B00300031003300390044003400340045002D0036004100460045002D0034003900460032002D0038003600390030002D003300440041004600430041004500360046004600420038007D005C004100630063006500730073006F0072006900650073005C00530079007300740065006D00200054006F006F006C0073005C005400610073006B0020005300630068006500640075006C00650072002E006C006E006B0000006C006E006B000000C703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD7533020000860000002DB9F87400000000084F270620660700F8670700202F4606987D07005700000098D6C70354DEC703E4FEC703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD75B501000080000000F1B9F87402000000000200000000000070D7C7030BA0F176303ED2020026460600020000390000003300000033020000303ED20290D7C7034319BE756340D202F0FC450386000000303ED2020026460633020000B8F9BD7533090000D699E301ACD7C70333AB3777D6AD4B3C010C0000102700000A000000C3540200E0D7C703F8AA3777C3540200D699E30100D8C703B0D0D20280D8C70300000000A301000040D80000838DAA40F0D7C7038291BE7540D8C703F4D7C7032795BE75000000003CD5D2021CD8C703CD94BE753CD5D202C8D8C703B0D0D202E194BE7500000000B0D0D202C8D8C70324D8C7030300000000000000030000007B00300031003300390044003400340045002D0036004100460045002D0034003900460032002D0038003600390030002D003300440041004600430041004500360046004600420038007D005C004100630063006500730073006F0072006900650073005C00530079007300740065006D00200054006F006F006C0073005C005400610073006B0020005300630068006500640075006C00650072002E006C006E006B0000006C006E006B000000C703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD7533020000860000002DB9F87400000000084F270620660700F8670700202F4606987D07005700000098D6C70354DEC703E4FEC703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD75B501000080000000F1B9F87402000000000200000000000070D7C7030BA0F176303ED2020026460600020000390000003300000033020000303ED20290D7C7034319BE756340D202F0FC450386000000303ED2020026460633020000B8F9BD7533090000D699E301ACD7C70333AB3777D6AD4B3C010C0000102700000A000000C3540200E0D7C703F8AA3777C3540200D699E30100D8C703B0D0D20280D8C70300000000A301000040D80000838DAA40F0D7C7038291BE7540D8C703F4D7C7032795BE75000000003CD5D2021CD8C703CD94BE753CD5D202C8D8C703B0D0D202E194BE7500000000B0D0D202C8D8C70324D8C7030300000000000000030000007B00300031003300390044003400340045002D0036004100460045002D0034003900460032002D0038003600390030002D003300440041004600430041004500360046004600420038007D005C004100630063006500730073006F0072006900650073005C00530079007300740065006D00200054006F006F006C0073005C005400610073006B0020005300630068006500640075006C00650072002E006C006E006B0000006C006E006B000000C703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD7533020000860000002DB9F87400000000084F270620660700F8670700202F4606987D07005700000098D6C70354DEC703E4FEC703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD75B501000080000000F1B9F87402000000000200000000000070D7C7030BA0F176303ED2020026460600020000390000003300000033020000303ED20290D7C7034319BE756340D202F0FC450386000000303ED2020026460633020000B8F9BD7533090000D699E301ACD7C70333AB3777D6AD4B3C010C0000102700000A000000C3540200E0D7C703F8AA3777C3540200D699E30100D8C703B0D0D20280D8C70300000000A301000040D80000838DAA40F0D7C7038291BE7540D8C703F4D7C7032795BE75000000003CD5D2021CD8C703CD94BE753CD5D202C8D8C703B0D0D202E194BE7500000000B0D0D202C8D8C70324D8C703
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Jvaqbjf Rkcybere.yax
00000000010000000000000001000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF007CB06FF50AD50100000000
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
HRZR_PGYFRFFVBA
000000000500000000000000050000000300000000000000030000007B00300031003300390044003400340045002D0036004100460045002D0034003900460032002D0038003600390030002D003300440041004600430041004500360046004600420038007D005C004100630063006500730073006F0072006900650073005C00530079007300740065006D00200054006F006F006C0073005C005400610073006B0020005300630068006500640075006C00650072002E006C006E006B0000006C006E006B000000C703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD7533020000860000002DB9F87400000000084F270620660700F8670700202F4606987D07005700000098D6C70354DEC703E4FEC703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD75B501000080000000F1B9F87402000000000200000000000070D7C7030BA0F176303ED2020026460600020000390000003300000033020000303ED20290D7C7034319BE756340D202F0FC450386000000303ED2020026460633020000B8F9BD7533090000D699E301ACD7C70333AB3777D6AD4B3C010C0000102700000A000000C3540200E0D7C703F8AA3777C3540200D699E30100D8C703B0D0D20280D8C70300000000A301000040D80000838DAA40F0D7C7038291BE7540D8C703F4D7C7032795BE75000000003CD5D2021CD8C703CD94BE753CD5D202C8D8C703B0D0D202E194BE7500000000B0D0D202C8D8C70324D8C7030300000000000000030000007B00300031003300390044003400340045002D0036004100460045002D0034003900460032002D0038003600390030002D003300440041004600430041004500360046004600420038007D005C004100630063006500730073006F0072006900650073005C00530079007300740065006D00200054006F006F006C0073005C005400610073006B0020005300630068006500640075006C00650072002E006C006E006B0000006C006E006B000000C703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD7533020000860000002DB9F87400000000084F270620660700F8670700202F4606987D07005700000098D6C70354DEC703E4FEC703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD75B501000080000000F1B9F87402000000000200000000000070D7C7030BA0F176303ED2020026460600020000390000003300000033020000303ED20290D7C7034319BE756340D202F0FC450386000000303ED2020026460633020000B8F9BD7533090000D699E301ACD7C70333AB3777D6AD4B3C010C0000102700000A000000C3540200E0D7C703F8AA3777C3540200D699E30100D8C703B0D0D20280D8C70300000000A301000040D80000838DAA40F0D7C7038291BE7540D8C703F4D7C7032795BE75000000003CD5D2021CD8C703CD94BE753CD5D202C8D8C703B0D0D202E194BE7500000000B0D0D202C8D8C70324D8C7030300000000000000030000007B00300031003300390044003400340045002D0036004100460045002D0034003900460032002D0038003600390030002D003300440041004600430041004500360046004600420038007D005C004100630063006500730073006F0072006900650073005C00530079007300740065006D00200054006F006F006C0073005C005400610073006B0020005300630068006500640075006C00650072002E006C006E006B0000006C006E006B000000C703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD7533020000860000002DB9F87400000000084F270620660700F8670700202F4606987D07005700000098D6C70354DEC703E4FEC703EDE03377E5710800FEFFFFFFE72F3777822E3777B8F9BD75B501000080000000F1B9F87402000000000200000000000070D7C7030BA0F176303ED2020026460600020000390000003300000033020000303ED20290D7C7034319BE756340D202F0FC450386000000303ED2020026460633020000B8F9BD7533090000D699E301ACD7C70333AB3777D6AD4B3C010C0000102700000A000000C3540200E0D7C703F8AA3777C3540200D699E30100D8C703B0D0D20280D8C70300000000A301000040D80000838DAA40F0D7C7038291BE7540D8C703F4D7C7032795BE75000000003CD5D2021CD8C703CD94BE753CD5D202C8D8C703B0D0D202E194BE7500000000B0D0D202C8D8C70324D8C703
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
0200000001000000000000000700000006000000030000000500000004000000FFFFFFFF
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
Locked
1
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
NavBar
000000000000000000000000000000008B000000870000003153505305D5CDD59C2E1B10939708002B2CF9AE6B0000005A000000007B00360044003800420042003300440033002D0039004400380037002D0034004100390031002D0041004200350036002D003400460033003000430046004600450046004500390046007D005F0057006900640074006800000013000000F00000000000000000000000
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\system32\ntshrui.dll,-103
S&hare with
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@C:\Windows\system32\ntshrui.dll,-5112
Share the selected items with other people on the network.
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
Rev
0
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
FFlags
1092616193
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
Vid
{65F125E5-7BE1-4810-BA9D-D271C8432CE3}
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
Mode
6
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
LogicalViewMode
2
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
FFlags
1092616209
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
IconSize
48
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A000000A000000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
GroupView
0
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
GroupByKey:PID
0
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}
GroupByDirection
1
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
0100000002000000000000000700000006000000030000000500000004000000FFFFFFFF
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell
SniffedFolderType
Generic
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner
ProperTreeModuleInner
94000000900000003153505305D5CDD59C2E1B10939708002B2CF9AE4100000030000000004E0061007600500061006E0065005F00530068006F0077004C00690062007200610072007900500061006E00650000000B000000FFFF00003300000022000000004E0061007600500061006E0065005F0046006900720073007400520075006E0000000B000000000000000000000000000000
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
ExpandedState
06000000160014001F8080A63C324DC29940B94D446DD2D7249E0000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F4225481E03947BC34DB131E946B44C8DD50000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F43983FFBB4EAC18D42A78AD1F5659CBA930000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000000000000002000000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F580D1A2CF021BE504388B07367FC96EF3C0000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B00000000000000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F50E04FD020EA3A6910A2D808002B30309D0000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Rev
0
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616193
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Vid
{137E7700-3573-11CF-AE69-08002B2E1262}
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
4
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
1
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
16
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A0000001001000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
0700000001000000020000000000000006000000030000000500000004000000FFFFFFFF
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell
SniffedFolderType
Generic
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell
SniffedFolderType
Pictures
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
MinPos1280x720x96(1).x
4294967295
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
MinPos1280x720x96(1).y
4294967295
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
MaxPos1280x720x96(1).x
4294967295
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
MaxPos1280x720x96(1).y
4294967295
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
WinPos1280x720x96(1).left
22
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
WinPos1280x720x96(1).top
22
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
WinPos1280x720x96(1).right
822
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
WinPos1280x720x96(1).bottom
582
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
WFlags
2
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
ShowCmd
3
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
HotKey
0
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
Rev
0
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
FFlags
1092616193
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
Vid
{0057D0E0-3573-11CF-AE69-08002B2E1262}
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
000000000100000000000000752B0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF007CB06FF50AD50100000000
252
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000000600000002000000A1C0000003000000020000001B6900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000350201000000000000000000A27650E935023CE735025E7C37777CE93502787C3777030000008A018C01EC92CB026CE73502F77C37770100000050E93502847C3777BCE73502B0E73502C8E73502000000000000000000000000B8E7350250E93502000000000000000000000000F0E83502F0E8350200000000010000007CE93502F0E83502B2FE3777F270377785FC3777B5860A759A7C3677EC92CB02A27E367734E935021800000014FB3502006F367700000000000000001CE935023C003E007CE93502C34E9D00BCE7350200000000D84609000000350218E8350204EB350200000088C8000000C8000000C8000000C8000000F2010300000000000000D868A8D33A030106004000000000F0EA35021053D8687FEB9C7620000000220000001053D868102FD8020000000011000000B8450A00B0450A00A8D33A03ACE800001FB258415CE835028291BE75ACE8350260E835022795BE750000000054CAD20288E83502CD94BE7554CAD20234E93502C8C5D202E194BE7500000000C8C5D20234E9350290E8350203000000020000001B6900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000350201000000000000000000A27650E935023CE735025E7C37777CE93502787C3777030000008A018C01EC92CB026CE73502F77C37770100000050E93502847C3777BCE73502B0E73502C8E73502000000000000000000000000B8E7350250E93502000000000000000000000000F0E83502F0E8350200000000010000007CE93502F0E83502B2FE3777F270377785FC3777B5860A759A7C3677EC92CB02A27E367734E935021800000014FB3502006F367700000000000000001CE935023C003E007CE93502C34E9D00BCE7350200000000D84609000000350218E8350204EB350200000088C8000000C8000000C8000000C8000000F2010300000000000000D868A8D33A030106004000000000F0EA35021053D8687FEB9C7620000000220000001053D868102FD8020000000011000000B8450A00B0450A00A8D33A03ACE800001FB258415CE835028291BE75ACE8350260E835022795BE750000000054CAD20288E83502CD94BE7554CAD20234E93502C8C5D202E194BE7500000000C8C5D20234E9350290E8350203000000020000001B6900004D006900630072006F0073006F00660074002E004100750074006F00470065006E006500720061007400650064002E007B00310035003900360032003100370035002D0037004400460043002D0042003100440037002D0042003000440031002D004500420034004300300038004600460044003700350034007D000000350201000000000000000000A27650E935023CE735025E7C37777CE93502787C3777030000008A018C01EC92CB026CE73502F77C37770100000050E93502847C3777BCE73502B0E73502C8E73502000000000000000000000000B8E7350250E93502000000000000000000000000F0E83502F0E8350200000000010000007CE93502F0E83502B2FE3777F270377785FC3777B5860A759A7C3677EC92CB02A27E367734E935021800000014FB3502006F367700000000000000001CE935023C003E007CE93502C34E9D00BCE7350200000000D84609000000350218E8350204EB350200000088C8000000C8000000C8000000C8000000F2010300000000000000D868A8D33A030106004000000000F0EA35021053D8687FEB9C7620000000220000001053D868102FD8020000000011000000B8450A00B0450A00A8D33A03ACE800001FB258415CE835028291BE75ACE8350260E835022795BE750000000054CAD20288E83502CD94BE7554CAD20234E93502C8C5D202E194BE7500000000C8C5D20234E9350290E83502
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
Mode
1
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
LogicalViewMode
3
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
IconSize
96
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000050000001800000030F125B7EF471A10A5F102608C9EEBAC0A000000A0000000B474DBF787420341AFBAF1B13DCD75CF64000000A000000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000E0859FF2F94F6810AB9108002B27B3D90500000058000000
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
GroupView
0
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
GroupByKey:PID
0
252
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell\{B3690E58-E961-423B-B687-386EBFD83239}
GroupByDirection
1
3236
Spam Sender.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3236
Spam Sender.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2648
DisableAntiQuit.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CorrM
C:\Users\admin\AppData\Local\Temp\CorrM1.exe
2648
DisableAntiQuit.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2648
DisableAntiQuit.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3516
WerFault.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug
ExceptionRecord
524343E0010000000000000060B76D7505000000091513800000000000000000000000000000BC6B7F0001000000000000000000000000000000000000000000000000007F02000000010000FFFF0000
3516
WerFault.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles
FirstLevelConsentDialog
9A01080000000000
3516
WerFault.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles
FirstLevelConsentDialog
9A01080000000000
3896
CorrM1.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CorrM
C:\Users\admin\AppData\Local\Temp\CorrM1.exe
3896
CorrM1.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3896
CorrM1.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3988
CorrM.exe
write
HKEY_CURRENT_USER
di
!
3988
CorrM.exe
write
HKEY_CURRENT_USER\Environment
SEE_MASK_NOZONECHECKS
1
3988
CorrM.exe
write
HKEY_CURRENT_USER\Software\dc883e718b387356a950a8986126946a
[kl]
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-100
DHCP Quarantine Enforcement Client
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-101
Provides DHCP based enforcement for NAP
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-103
1.0
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-102
Microsoft Corporation
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-1
IPsec Relying Party
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-2
Provides IPsec based enforcement for Network Access Protection
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-4
1.0
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-3
Microsoft Corporation
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-100
RD Gateway Quarantine Enforcement Client
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-101
Provides RD Gateway enforcement for NAP
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-102
1.0
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-103
Microsoft Corporation
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-100
EAP Quarantine Enforcement Client
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-101
Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-102
1.0
3856
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-103
Microsoft Corporation

Files activity

Executable files
7
Suspicious files
1
Text files
0
Unknown types
4

Dropped files

PID
Process
Filename
Type
2648
DisableAntiQuit.exe
C:\Users\admin\AppData\Local\Temp\CorrM.exe
executable
MD5: 70d58a65c0b0922770608a8ef03e3f5c
SHA256: d613b816cb30adff36e72840c6dda31572a15783c948a2e77fe84ed3e192dcbd
3896
CorrM1.exe
C:\Users\admin\AppData\Local\Temp\CorrM_Proc_Only.dll
executable
MD5: ab01b27269e402c19123ab0c618b1425
SHA256: cca49f2b6c053a8c9e9121e7b8e2f51ba798b9084436da340dee553290f24ded
2648
DisableAntiQuit.exe
C:\Users\admin\AppData\Local\Temp\CorrM1.exe
executable
MD5: 30618bd2f8d9d4eeffa017a6e297b752
SHA256: e1ee429a4a5cb546a2ef6f55cacfbd564b1fb2cbf4ff876309662872ff642ca6
2648
DisableAntiQuit.exe
C:\Users\admin\AppData\Local\Temp\CorrM_Proc_Only.dll
executable
MD5: ab01b27269e402c19123ab0c618b1425
SHA256: cca49f2b6c053a8c9e9121e7b8e2f51ba798b9084436da340dee553290f24ded
3236
Spam Sender.exe
C:\Windows\system32\DisableAntiQuit.exe
executable
MD5: 30618bd2f8d9d4eeffa017a6e297b752
SHA256: e1ee429a4a5cb546a2ef6f55cacfbd564b1fb2cbf4ff876309662872ff642ca6
3896
CorrM1.exe
C:\Users\admin\AppData\Local\Temp\CorrM.exe
executable
MD5: 70d58a65c0b0922770608a8ef03e3f5c
SHA256: d613b816cb30adff36e72840c6dda31572a15783c948a2e77fe84ed3e192dcbd
3236
Spam Sender.exe
C:\Windows\system32\Spam Sender.exe
executable
MD5: a9b160ee9eacf3e985dfdb980445378a
SHA256: c11692cbeb7878157561847a1281bb0cf33b6031e7253718dda28fa6abc79c3c
848
svchost.exe
C:\Windows\appcompat\programs\RecentFileCache.bcf
txt
MD5: 22389a3602b73776dd9655392e870a02
SHA256: ece130c443c0a7cf18434556e6ef896b2a64f94671d708ddc3403a701b0bc048
848
svchost.exe
C:\Windows\appcompat\programs\RecentFileCache.bcf
txt
MD5: 765fe6230a4b4042208a89217bce8d58
SHA256: da416b9b3a303cc340dc2d6efcd512cce993638e73ce21cde4c017213c844d5e
3516
WerFault.exe
C:\Users\admin\AppData\Local\CrashDumps\Spam Sender.exe.2468.dmp
––
MD5:  ––
SHA256:  ––
3516
WerFault.exe
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Spam Sender.exe_a279a8cf3ede590a755a66d86de177b59784f_0da92e8b\Report.wer
binary
MD5: 0e55cf0d0620347301b32d3ce819c22f
SHA256: 295a67f6bd0aba247cca403325d46fcf45e6e1637eafe6b2182119ed5dcf1713
848
svchost.exe
C:\Windows\appcompat\programs\RecentFileCache.bcf
txt
MD5: 71ca7046b0b8c29b86e377e31888b3d7
SHA256: 1ef7983d907ea8d5c152b0a6352827ca3f4133c26e42a77e66af092d86073ad0

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
2
Threats
0

HTTP requests

No HTTP requests.

Connections

No connections.

DNS requests

Domain IP Reputation
arussiey4.ddns.net 0.0.0.0
unknown

Threats

No threats detected.

Debug output strings

No debug info.