General Info

File name

Minecraft drugs.exe

Full analysis
https://app.any.run/tasks/30b87988-833a-4666-8d3e-1e157acbd4e5
Verdict
Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins, which allow attackers to tailor its functionality to their needs. NanoCore is written on the .NET framework and is available for purchase for just $25 from its “official” website.

Analysis date
15/01/2022, 02:05:02
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

rat

nanocore

trojan

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

801d94537113242ae7201f3f0530d611

SHA1

9bd7173288db68b62b025f34be71bc46ecdd30ef

SHA256

dfc054b88338674497098c543cfecc2baf3d71bb3cfc247dda2b12a8e370e636

SSDEEP

12288:2LV6BtpmkeuuBpGJenn6VfG+S3s2xWt1qhQxSuPQJQ3Te5nJJxw:kApfeuMrn6VL0rWt7ETSK5nrC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

NANOCORE was detected
  • Minecraft drugs.exe (PID: 2156)
  • Minecraft drugs.exe (PID: 796)
Changes the autorun value in the registry
  • Minecraft drugs.exe (PID: 2156)
  • Minecraft drugs.exe (PID: 796)
Drops executable file immediately after starts
  • Minecraft drugs.exe (PID: 2156)
  • Minecraft drugs.exe (PID: 796)
Uses Task Scheduler to run other applications
  • Minecraft drugs.exe (PID: 796)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 2432)
  • schtasks.exe (PID: 2844)
  • explorer.exe (PID: 2216)
  • schtasks.exe (PID: 2088)
  • schtasks.exe (PID: 2024)
Connects to CnC server
  • Minecraft drugs.exe (PID: 796)
Checks supported languages
  • Minecraft drugs.exe (PID: 2156)
  • Minecraft drugs.exe (PID: 796)
  • cmd.exe (PID: 576)
Reads the computer name
  • Minecraft drugs.exe (PID: 2156)
  • Minecraft drugs.exe (PID: 796)
Creates files in the user directory
  • Minecraft drugs.exe (PID: 2156)
  • Minecraft drugs.exe (PID: 796)
Executable content was dropped or overwritten
  • Minecraft drugs.exe (PID: 2156)
  • Minecraft drugs.exe (PID: 796)
Application launched itself
  • Minecraft drugs.exe (PID: 2156)
Creates a directory in Program Files
  • Minecraft drugs.exe (PID: 796)
Creates files in the program directory
  • Minecraft drugs.exe (PID: 796)
Reads Environment values
  • Minecraft drugs.exe (PID: 796)
Starts CMD.EXE for commands execution
  • Minecraft drugs.exe (PID: 796)
Starts CMD.EXE for self-deleting
  • Minecraft drugs.exe (PID: 796)
Reads the date of Windows installation
  • explorer.exe (PID: 2216)
Executed via COM
  • DllHost.exe (PID: 3700)
Reads default file associations for system extensions
  • explorer.exe (PID: 2216)
Uses TASKKILL.EXE to kill process
  • cmd.exe (PID: 576)
Reads the computer name
  • schtasks.exe (PID: 2844)
  • schtasks.exe (PID: 2432)
  • schtasks.exe (PID: 2088)
  • explorer.exe (PID: 2216)
  • DllHost.exe (PID: 3700)
  • schtasks.exe (PID: 2024)
  • PING.EXE (PID: 4004)
  • taskkill.exe (PID: 2160)
Checks supported languages
  • schtasks.exe (PID: 2432)
  • schtasks.exe (PID: 2844)
  • DllHost.exe (PID: 3700)
  • explorer.exe (PID: 2216)
  • schtasks.exe (PID: 2088)
  • PING.EXE (PID: 4004)
  • taskkill.exe (PID: 2160)
  • schtasks.exe (PID: 2024)


Static information

TRiD
  • .exe  Generic CIL Executable (.NET, Mono, etc.) (63.1%)
  • .exe  Win64 Executable (generic) (23.8%)
  • .dll  Win32 Dynamic Link Library (generic) (5.6%)
  • .exe  Win32 Executable (generic) (3.8%)
  • .exe  Generic Win/DOS Executable (1.7%)

EXIF
EXE
MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:02:22 01:49:37+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 116736
InitializedDataSize: 456192
UninitializedDataSize: null
EntryPoint: 0x1e792
OSVersion: 4
ImageVersion: null
SubsystemVersion: 4
Subsystem: Windows GUI

Summary
Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 22-Feb-2015 00:49:37

DOS Header
Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers
Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 22-Feb-2015 00:49:37
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0

Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections
Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                              Entropy
.text   0x00002000       0x0001C798    0x0001C800  IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ                  6.59807
.reloc  0x00020000       0x0000000C    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ  0.10191
.rsrc   0x00022000       0x0006F238    0x0006F400  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ                            7.99953

Resources: 1

Imports
    mscoree.dll

Exports

    No exports.

Processes

Total processes: 56
Monitored processes: 11
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Graph nodes (edge labels in the graph: "drop and start", "start"):
  • #NANOCORE minecraft drugs.exe
  • #NANOCORE minecraft drugs.exe
  • schtasks.exe (no specs)
  • schtasks.exe (no specs)
  • PhotoViewer.dll (no specs)
  • explorer.exe (no specs)
  • schtasks.exe (no specs)
  • schtasks.exe (no specs)
  • cmd.exe (no specs)
  • taskkill.exe (no specs)
  • ping.exe (no specs)

Process information

PID: 2156
CMD: "C:\Users\admin\AppData\Local\Temp\Minecraft drugs.exe"
Path: C:\Users\admin\AppData\Local\Temp\Minecraft drugs.exe
Indicators
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
Company
Description
Version
Modules (Image):
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\imm32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\8f5842a3d4d666059db685b319e3a5b3\system.drawing.ni.dll
c:\windows\system32\version.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\32611a460efdd579a68a09bf3d065e0c\microsoft.visualbasic.ni.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\cryptsp.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\992b101b45c1e2e5563fee65ab5fd691\system.xml.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\propsys.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\users\admin\appdata\local\temp\minecraft drugs.exe
c:\windows\assembly\nativeimages_v2.0.50727_32\system\e10fc0c922927179f29b495cf47d62dc\system.ni.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\91efd50cedcf22003233d52464c01816\system.windows.forms.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\lpk.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\23349d393ecff063c3152fcf5229b2ab\mscorlib.ni.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrtremote.dll

PID: 796
CMD: "C:\Users\admin\AppData\Local\Temp\Minecraft drugs.exe"
Path: C:\Users\admin\AppData\Local\Temp\Minecraft drugs.exe
Indicators
Parent process: Minecraft drugs.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Version:
Company
Description
Version
Modules (Image):
c:\windows\system32\schtasks.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\users\admin\appdata\local\temp\minecraft drugs.exe
c:\windows\system32\kernelbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\usp10.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\23349d393ecff063c3152fcf5229b2ab\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\e10fc0c922927179f29b495cf47d62dc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\32611a460efdd579a68a09bf3d065e0c\microsoft.visualbasic.ni.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msctf.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\8f5842a3d4d666059db685b319e3a5b3\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\91efd50cedcf22003233d52464c01816\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\992b101b45c1e2e5563fee65ab5fd691\system.xml.ni.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\nsi.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\94fe1557aab4bc059482da7d99e97641\system.configuration.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\bda2113f273e7bf6eba84f3d0d1a66c3\system.management.ni.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devenum.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\version.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\avicap32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\riched20.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\3b259d3ceb1962e723584a04cfab357a\system.core.ni.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\propsys.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\webio.dll

PID: 2432
CMD: "schtasks.exe" /create /f /tn "TCP Monitor" /xml "C:\Users\admin\AppData\Local\Temp\tmp342C.tmp"
Path: C:\Windows\system32\schtasks.exe
Indicators: No indicators
Parent process: Minecraft drugs.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
Company: Microsoft Corporation
Description: Manages scheduled tasks
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Image):
c:\windows\system32\schtasks.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\version.dll

PID
2844
CMD
"schtasks.exe" /create /f /tn "TCP Monitor Task" /xml "C:\Users\admin\AppData\Local\Temp\tmp348B.tmp"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
Minecraft drugs.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskschd.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\schtasks.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\advapi32.dll

PID
3700
CMD
C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path
C:\Windows\system32\DllHost.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscms.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\version.dll
c:\windows\system32\propsys.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\dllhost.exe
c:\windows\system32\rsaenh.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\userenv.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\program files\windows photo viewer\photobase.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\program files\windows photo viewer\imagingengine.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptsp.dll
c:\program files\windows photo viewer\photoviewer.dll
c:\windows\system32\wtsapi32.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\icm32.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\psapi.dll

PID
2216
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
Minecraft drugs.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\gdi32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\secur32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\dui70.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\slc.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\imageres.dll
c:\windows\system32\lpk.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\devobj.dll
c:\windows\system32\user32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\hid.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\samlib.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\atl.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\avrt.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\audioses.dll
c:\windows\system32\ksuser.dll
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\wordicon.exe
c:\windows\system32\midimap.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\version.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msi.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\wer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msls31.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\msutb.dll
c:\windows\system32\devicecenter.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\authui.dll
c:\windows\system32\gameux.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\stobject.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dxp.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\syncreg.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\alttab.dll
c:\windows\system32\nsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\netshell.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\qutil.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ncsi.dll
c:\windows\system32\portabledevicetypes.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\webio.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxssvc.exe
c:\windows\system32\fxsresm.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\wscapi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\windows\system32\werconcpl.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wercplsupport.dll
c:\program files\internet explorer\ieproxy.dll

PID
2088
CMD
"schtasks.exe" /delete /f /tn "TCP Monitor"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
Minecraft drugs.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sechost.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\schtasks.exe
c:\windows\system32\cryptbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll

PID
2024
CMD
"schtasks.exe" /delete /f /tn "TCP Monitor Task"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
Minecraft drugs.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\schtasks.exe
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\version.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sspicli.dll

PID
576
CMD
"cmd.exe" /C taskkill /f /im "Minecraft drugs.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\Users\admin\AppData\Local\Temp\Minecraft drugs.exe" & del /f /q "C:\Users\admin\AppData\Local\Temp\Minecraft drugs.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
Minecraft drugs.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\ping.exe

PID
2160
CMD
taskkill /f /im "Minecraft drugs.exe"
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\winsta.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\gdi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\version.dll
c:\windows\system32\lpk.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\srvcli.dll

PID
4004
CMD
ping -n 1 -w 3000 1.1.1.1
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\winnsi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ping.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sechost.dll

Registry activity

Total events
5007
Read events
0
Write events
132
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
2156
Minecraft drugs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
TCP Monitor
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
2156
Minecraft drugs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2156
Minecraft drugs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2156
Minecraft drugs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2156
Minecraft drugs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
796
Minecraft drugs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TCP Monitor
C:\Program Files\TCP Monitor\tcpmon.exe
796
Minecraft drugs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
796
Minecraft drugs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
796
Minecraft drugs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
796
Minecraft drugs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
796
Minecraft drugs.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
\??\C:\Users\admin\AppData\Local\Temp\Minecraft drugs.exe
3700
DllHost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
DllHost.exe
2216
explorer.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\HomeGroup\UIStatusCache
(default)
2216
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
CleanShutdown
0
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1a82db3-a9f0-11e7-b142-806e6f6e6963}
Generation
2
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1a82db4-a9f0-11e7-b142-806e6f6e6963}
Generation
2
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1a82db3-a9f0-11e7-b142-806e6f6e6963}
Data
(value omitted)
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1a82db4-a9f0-11e7-b142-806e6f6e6963}
Data
(value omitted)
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
FFFFFFFF
2216
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
(default)
0
2216
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
01000000020000000D0000000C000000000000000B00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
02
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray
Services
31
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Search\ProcessedSearchRoots\0007
(default)
defaultroot://{S-1-5-21-1302019708-1500728564-335382590-500}/
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Search\ProcessedSearchRoots\0007
Version
0
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Search\ProcessedSearchRoots\0006
Version
0
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Search\ProcessedSearchRoots\0006
DoNotCreateSearchConnectors
1
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Search\ProcessedSearchRoots\0007
DoNotCreateSearchConnectors
1
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Search\ProcessedSearchRoots\0006
(default)
csc://{S-1-5-21-1302019708-1500728564-335382590-500}/
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\HomeGroup\UIStatusCache
UIStatus
544
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\HomeGroup\UIStatusCache
OnlyMember
0
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101
CheckSetting
23004100430042006C006F00620000000000000000000000010000000000000000000000
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100
CheckSetting
23004100430042006C006F00620000000000000000000000010000000000000000000000
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101
CheckSetting
(value omitted)
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100
CheckSetting
(value omitted)
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
CheckSetting
01000000D08C9DDF0115D1118C7A00C04FC297EB010000002902C017C3CB7046878CBEFB4BC2510200000000020000000000106600000001000020000000A9179FA127E3EB5EC9E2D92CA49BFB2773C93C1B857E6E903AAA73660A98EE08000000000E80000000020000200000009A5D40D572E7EEA3B7D37AEBF7C9DEF495FE0D7D282154A2B97709ACD584E5AB30000000B278EC66F5F1A8883BC9112872C98F9CE8927B6C1089D30B18050010DC3FB960AEDAAEB840B76EF6D6781D5960D8CA4F40000000538751F6E9E3BDD43A385E02998ADFA1B9A1FF0768371D4BD3C400BCDC21F20BA154FE2B9A200329BDC6308225CB326925E7C9AE3D6C412235CAFCD1E0FD17BE
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.103
CheckSetting
01000000D08C9DDF0115D1118C7A00C04FC297EB010000002902C017C3CB7046878CBEFB4BC251020000000002000000000010660000000100002000000011416D7D280245A7F9BEB31D1F2AF0AB98475F1F35EE376A584888BE1B3F2758000000000E80000000020000200000008E75710DEEAAA367B41F5A480505A51592F6D7C0EE2C95763EC949F0E50FEDFCD0000000441CBCA6A481F42EAAC3D3416C39F6D968ADDE5ACB9CAD96A322314F018131CF5BE08B50764BE748F3456D2A3D1F4DDD2B55EFDC237F9F449DDB3FD3E543613F403755FCB45E1E97BDCBAA2A6A9223D97A1E2DE2B27BDA9BA641CF0ACEBB6C2436CDD206C4D371814B48D9EFEF9DCBA3CAF85E9BE5813F9FBD9CDADFFD7C23AC5A1F1AD0C30694AC0CF59258324D9754A35E98AA4CE7D9EE15E27F269644EE3AB7202FF66D509D190E47A42166CFDA3AC0B374B76EB2C6AB687CEDE1B09E7339021C02CD8DEDE17E59697864FFC6C86040000000B8BEFFBB88731FB0852EE9C8AD03896A416AFFBCB256E0CA119F5DB9E64B673F845E337257679DD9C3BD81ECC64F9991CD9895C389703A4D83084CE96BD7F9EB
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102
CheckSetting
(value omitted)
2216
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
CheckSetting
(value omitted)

Files activity

Executable files
2
Suspicious files
4
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
2156
Minecraft drugs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
executable
MD5: 801d94537113242ae7201f3f0530d611
SHA256: dfc054b88338674497098c543cfecc2baf3d71bb3cfc247dda2b12a8e370e636
796
Minecraft drugs.exe
C:\Program Files\TCP Monitor\tcpmon.exe
executable
MD5: 801d94537113242ae7201f3f0530d611
SHA256: dfc054b88338674497098c543cfecc2baf3d71bb3cfc247dda2b12a8e370e636
796
Minecraft drugs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\Logs\admin\KB_1127734.dat
binary
MD5: 5b06a71d8ec48c059c559232717256ba
SHA256: 88388bd0a58b4fbc4e4c87705ae91c5d8b57feed23932fe145a6bd483898049e
796
Minecraft drugs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bak
binary
MD5: c74849fd547f117d72d4edc0749baf9a
SHA256: 34f2f3a734fcc26d340315b741907f42b4985356d8ff4870d08ac15f6bc1c3a1
796
Minecraft drugs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin
binary
MD5: 4e5e92e2369688041cc82ef9650eded2
SHA256: f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48
796
Minecraft drugs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat
bs
MD5: 061e700fe27d852034a5a44bf5985ccf
SHA256: 4bbb88af530693eb4a710b0591d4baf585837242c5690f5a821bf2fc9cc587cd
796
Minecraft drugs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\task.dat
text
MD5: a67d83bb8be245aeeac3dcb0f5f021eb
SHA256: 93bc2b6f07fa5f5219c59aab1b67e7ea7fffae4edcf1b2d18286f50bdb8b1073
796
Minecraft drugs.exe
C:\Users\admin\AppData\Local\Temp\tmp348B.tmp
xml
MD5: e4118e3ec98934aa1d4235c87b44aa31
SHA256: efc475d73603df6a26978d7bcac27004830137e97fdd1656140b4a08c07470d9
796
Minecraft drugs.exe
C:\Users\admin\AppData\Local\Temp\tmp342C.tmp
xml
MD5: 50003d769156f7bd57f24b6de3aedc13
SHA256: 868c54b67996f8ecb798fb8ca6419c50b42f19882e0c888546bc913b0f33a2fa
2156
Minecraft drugs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: 8c4a1c66b26cbb0d721df84618884faf
SHA256: 0b74a976cbf8eb43b63c7d92bb6a1452a55fdb069e5d211ebebbb0c36c39758e

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
7
Threats
61

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
796 Minecraft drugs.exe 76.121.13.90:5353 Comcast Cable Communications, LLC US malicious

DNS requests

Domain IP Reputation
cursuavee.ddns.net No response malicious

Threats

PID Process Class Message
796 Minecraft drugs.exe Potentially Bad Traffic ET POLICY DNS Query to DynDNS Domain *.ddns .net
796 Minecraft drugs.exe Potentially Bad Traffic ET POLICY DNS Query to DynDNS Domain *.ddns .net
–– –– Potentially Bad Traffic ET POLICY DNS Query to DynDNS Domain *.ddns .net
796 Minecraft drugs.exe Potentially Bad Traffic ET POLICY DNS Query to DynDNS Domain *.ddns .net
796 Minecraft drugs.exe Potentially Bad Traffic ET POLICY DNS Query to DynDNS Domain *.ddns .net
796 Minecraft drugs.exe Potentially Bad Traffic ET POLICY DNS Query to DynDNS Domain *.ddns .net
796 Minecraft drugs.exe Potentially Bad Traffic ET POLICY DNS Query to DynDNS Domain *.ddns .net
796 Minecraft drugs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
796 Minecraft drugs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B
796 Minecraft drugs.exe A Network Trojan was detected ET TROJAN Possible NanoCore C2 60B

51 ETPRO signatures available at the full report

Debug output strings

No debug info.