General Info

File name

osc.bin

Full analysis
https://app.any.run/tasks/02a35816-d719-49b8-95c9-5465aebdde7d
Verdict
Malicious activity
Analysis date
6/12/2019, 13:54:26
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

adware

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

f83095b72191428af3f9ff109736f79e

SHA1

0ff9a6f57dffa830f11bffe10ae6e21203dab521

SHA256

56336c044a83dd97ba4a547ab48b074b3a17d6c7fc7a86185540ab01d2283fa6

SSDEEP

98304:3Z7AtVRf+iSAz6GaVWsj3WyIs0MbTquSI3s+vm++WB6rNscXJFiHjY3vBzifRm5o:hK2zAzNPs7WyIsNquSI3HvmVWvcXJFSN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS / SUSPICIOUS / INFO
Application was dropped or rewritten from another process
  • desktop_media_service.exe (PID: 3636)
  • ad04def822ec6c22e21c.MSI9F47.tmp (PID: 2788)
  • pse.exe (PID: 3608)
  • na.exe (PID: 3020)
Connects to CnC server
  • MsiExec.exe (PID: 3452)
  • osc.bin.tmp (PID: 1304)
  • osc.bin.tmp (PID: 1136)
Loads dropped or rewritten executable
  • na.exe (PID: 3020)
  • regsvr32.exe (PID: 3428)
  • regsvr32.exe (PID: 3304)
Loads the Task Scheduler COM API
  • MsiExec.exe (PID: 2688)
Application was injected by another process
  • regsvr32.exe (PID: 3428)
  • regsvr32.exe (PID: 3304)
Runs injected code in another process
  • osc.bin.tmp (PID: 1304)
  • osc.bin.tmp (PID: 1136)
Executed as Windows Service
  • desktop_media_service.exe (PID: 3636)
Starts Microsoft Installer
  • na.exe (PID: 3020)
Reads Environment values
  • MsiExec.exe (PID: 2688)
  • MsiExec.exe (PID: 3452)
  • MsiExec.exe (PID: 2644)
Executable content was dropped or overwritten
  • msiexec.exe (PID: 2992)
  • MSI9F47.tmp (PID: 3696)
  • na.exe (PID: 3020)
  • osc.bin.exe (PID: 3540)
  • osc.bin.tmp (PID: 1304)
  • osc.bin.exe (PID: 2952)
  • osc.bin.tmp (PID: 1136)
  • osc.bin.exe (PID: 2552)
Executed via COM
  • DllHost.exe (PID: 1784)
Creates files in the user directory
  • na.exe (PID: 3020)
Reads Windows owner or organization settings
  • osc.bin.tmp (PID: 1304)
  • osc.bin.tmp (PID: 1136)
Reads the Windows organization settings
  • osc.bin.tmp (PID: 1304)
  • osc.bin.tmp (PID: 1136)
Application was dropped or rewritten from another process
  • MSI9F47.tmp (PID: 3696)
  • osc.bin.tmp (PID: 1304)
  • osc.bin.tmp (PID: 3640)
  • osc.bin.tmp (PID: 1136)
Creates files in the program directory
  • msiexec.exe (PID: 2992)
Creates a software uninstall entry
  • MsiExec.exe (PID: 3452)
  • osc.bin.tmp (PID: 1304)
  • osc.bin.tmp (PID: 1136)
Starts application with an unusual extension
  • msiexec.exe (PID: 2992)
Loads dropped or rewritten executable
  • MsiExec.exe (PID: 2644)
  • MsiExec.exe (PID: 3452)
  • MsiExec.exe (PID: 2688)
  • osc.bin.tmp (PID: 1304)
  • osc.bin.tmp (PID: 1136)
Application launched itself
  • msiexec.exe (PID: 2992)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
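The behaviour list above reduces to a few process-lineage patterns a detection engineer can write as rules: a signed Windows binary (regsvr32.exe) running as SYSTEM and invoked with /i (call the DLL's DllInstall export), /n (skip DllRegisterServer) and /s (silent) against a DLL that sits in the user's Temp directory; installers launched from Temp with unattended switches (/VERYSILENT for the Inno Setup stub, /QN for the MSI wrapper na.exe); and processes that map executables from user-writable paths. The Python below is an added example, not ANY.RUN's code. Its events are constructed from the command lines, users and module lists in the Process information section of this report (the opaque /s: blob on the regsvr32 line is abbreviated, and module lists are trimmed to a few entries); the rule names, the set of "user-writable" paths and the quiet-flag list are assumptions of this example.

```python
"""Process-lineage triage rules, as an added example (not ANY.RUN's code).

SAMPLE_EVENTS is constructed from the command lines, users and module lists in
this report; the /s: payload of the regsvr32 line is abbreviated.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Paths a standard user can write to (assumed list); a signed system binary
# loading code from here is the "Loads dropped or rewritten executable" pattern.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)
# Unattended-install switches: Inno Setup (/VERYSILENT, /SILENT) and MSI (/QN, /QB, /quiet).
QUIET_FLAGS = {"/verysilent", "/silent", "/qn", "/qb", "/quiet"}
_TOKEN = re.compile(r'"[^"]*"|\S+')


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    user: str
    modules: List[str] = field(default_factory=list)


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring "quoted" tokens."""
    out = []
    for tok in _TOKEN.findall(cmd):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            tok = tok[1:-1]
        out.append(tok)
    return out


def rule_regsvr32_dllinstall(ev: ProcEvent) -> Optional[str]:
    """regsvr32 /i (DllInstall) on a DLL that sits in a user-writable directory."""
    if not ev.image.lower().endswith("\\regsvr32.exe"):
        return None
    args = split_cmdline(ev.cmdline)[1:]
    flags = {a.lower().split(":", 1)[0] for a in args if a.startswith("/")}  # '/s:"..."' -> '/s'
    dlls = [a for a in args if a.lower().endswith(".dll")]
    if "/i" in flags and dlls and USER_WRITABLE.search(dlls[0]):
        return f"regsvr32 DllInstall of user-writable DLL: {dlls[0]}"
    return None


def rule_silent_installer(ev: ProcEvent) -> Optional[str]:
    """An executable run from a user-writable path with an unattended-install switch."""
    args = split_cmdline(ev.cmdline)[1:]
    quiet = [a for a in args if a.lower() in QUIET_FLAGS]
    if quiet and USER_WRITABLE.search(ev.image):
        return f"silent install from user-writable path ({quiet[0]}): {ev.image}"
    return None


def rule_loads_dropped_module(ev: ProcEvent) -> Optional[str]:
    """Any process mapping a module (other than its own image) from a user-writable path."""
    hits = [m for m in ev.modules
            if USER_WRITABLE.search(m) and m.lower() != ev.image.lower()]
    return f"loads module from user-writable path: {hits[0]}" if hits else None


RULES = (rule_regsvr32_dllinstall, rule_silent_installer, rule_loads_dropped_module)


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Run every rule over every event; return {pid: [finding, ...]} for pids that hit."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = [msg for rule in RULES if (msg := rule(ev))]
        if hits:
            findings[ev.pid] = hits
    return findings


T = r"C:\Users\admin\AppData\Local\Temp"
G = T + r"\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}"
SAMPLE_EVENTS = [  # constructed from this report's Process information section
    ProcEvent(2552, T + r"\osc.bin.exe", '"' + T + r'\osc.bin.exe"', "admin",
              [r"c:\windows\system32\kernel32.dll", T.lower() + r"\is-ougef.tmp\osc.bin.tmp"]),
    ProcEvent(1136, T + r"\is-KLO4Q.tmp\osc.bin.tmp",
              '"' + T + r'\is-KLO4Q.tmp\osc.bin.tmp" /SL5="$60146,5390452,151040,' + T
              + r'\osc.bin.exe" /SPAWNWND=$70288 /NOTIFYWND=$600EC', "admin",
              [r"c:\windows\system32\ntdll.dll", T.lower() + r"\is-59v6b.tmp\loba.dll",
               r"c:\windows\system32\regsvr32.exe"]),
    ProcEvent(3304, r"C:\Windows\system32\regsvr32.exe",
              r'"C:\Windows\system32\regsvr32.exe" "' + T
              + r'\is-59V6B.tmp\loba.dll" /i /n /s:"$$<opaque-blob-abbreviated>$$"', "SYSTEM",
              [r"c:\windows\system32\ntdll.dll", T.lower() + r"\is-59v6b.tmp\loba.dll",
               r"c:\windows\system32\wininet.dll"]),
    ProcEvent(3020, G + r"\na.exe", '"' + G + r'\na.exe" /QN VENDOR_ID="osc"', "admin",
              [r"c:\windows\system32\msi.dll",
               r"c:\users\admin\appdata\roaming\jetmedia\nativedesktopmediaservice 3.6.0\install\decoder.dll"]),
    ProcEvent(2992, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V",
              "SYSTEM", [r"c:\windows\system32\msi.dll", r"c:\windows\system32\wintrust.dll"]),
    ProcEvent(3608, G + r"\pse.exe", '"' + G + r'\pse.exe" /efd= /efl= /efd=', "admin",
              [r"c:\windows\system32\ntdll.dll", r"c:\windows\system32\user32.dll"]),
]

if __name__ == "__main__":
    for pid, hits in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, *hits, sep="\n    ")
```

Run against the constructed events, the rules flag PIDs 2552, 1136, 3304 and 3020 and stay quiet on the stock msiexec.exe /V (2992) and on pse.exe (3608), whose image is in Temp but which neither uses a quiet switch nor loads anything outside System32. Matching on `ev.image` rather than on the first command-line token matters for the regsvr32 rule: the report's regsvr32 instances were started with no recorded parent and as SYSTEM, so the image path from the process-creation record is the only field an injected or re-parented process cannot spoof from its own command line.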

Static information

TRiD
.exe
|   Win32 Executable Delphi generic (57.2%)
.exe
|   Win32 Executable (generic) (18.2%)
.exe
|   Win16/32 Executable Delphi generic (8.3%)
.exe
|   Generic Win/DOS Executable (8%)
.exe
|   DOS Executable Generic (8%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2016:04:06 16:39:04+02:00
PEType:
PE32
LinkerVersion:
2.25
CodeSize:
66560
InitializedDataSize:
83456
UninitializedDataSize:
null
EntryPoint:
0x117dc
OSVersion:
5
ImageVersion:
6
SubsystemVersion:
5
Subsystem:
Windows GUI
FileVersionNumber:
0.0.0.0
ProductVersionNumber:
0.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
Comments:
This installation was built with Inno Setup.
CompanyName:
FileDescription:
FileVersion:
LegalCopyright:
ProductName:
ProductVersion:
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
06-Apr-2016 14:39:04
Detected languages
English - United States
Comments:
This installation was built with Inno Setup.
CompanyName:
null
FileDescription:
null
FileVersion:
null
LegalCopyright:
null
ProductName:
null
ProductVersion:
null
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0050
Pages in file:
0x0002
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x000F
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x001A
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000100
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
8
Time date stamp:
06-Apr-2016 14:39:04
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0000F244 0x0000F400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.37521
.itext 0x00011000 0x00000F64 0x00001000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 5.7322
.data 0x00012000 0x00000C88 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 2.29672
.bss 0x00013000 0x000056BC 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.idata 0x00019000 0x00000E04 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.59781
.tls 0x0001A000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rdata 0x0001B000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.204488
.rsrc 0x0001C000 0x00012500 0x00012600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.02657
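Two things in the table above are worth checking by hand rather than trusting the sandbox's summary. First, the raw sizes sum to 0x24A00 (150016) bytes; the header area (e_lfanew 0x100, the 0xE0-byte optional header and eight 40-byte section headers, rounded up to the 0x200 file alignment the raw sizes show) adds 0x400, giving 151040, which is exactly the third field of the /SL5 argument on the osc.bin.tmp command lines below (`...,5390452,151040,...`). In the Inno Setup loader convention those fields are the parent window handle, the total file size and the offset of the embedded setup executable, so everything past byte 151040 of the 5,390,452-byte file is overlay carrying the compressed payload, which is why no section has packer-grade entropy. Second, the seven Characteristics flags correspond to the value 0x818F, and decoding them from the raw header is a one-liner once the COFF header is located. The Python below is an added example, not ANY.RUN's code or output: it walks the DOS and COFF headers and the section table, scores each section's Shannon entropy, and measures the overlay. The sample image it builds is constructed (two sections, e_lfanew 0x40 rather than osc.bin's 0x100) and only its Machine, TimeDateStamp and Characteristics fields mirror this report.

```python
"""Minimal PE32 header walk, as an added example (not ANY.RUN's code or output).

parse_pe() decodes the COFF header and section table and computes per-section
Shannon entropy; overlay() measures the bytes past the last section, where an
Inno Setup loader stub carries its compressed payload. build_sample_pe() is a
constructed two-section image whose COFF fields mirror this report.
"""
import math
import struct
from datetime import datetime, timezone
from typing import Dict, Tuple

CHARACTERISTICS = {
    0x0001: "IMAGE_FILE_RELOCS_STRIPPED",
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0004: "IMAGE_FILE_LINE_NUMS_STRIPPED",
    0x0008: "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x0080: "IMAGE_FILE_BYTES_REVERSED_LO",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x0200: "IMAGE_FILE_DEBUG_STRIPPED",
    0x2000: "IMAGE_FILE_DLL",
    0x8000: "IMAGE_FILE_BYTES_REVERSED_HI",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for a flat byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> Dict:
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]          # "Address of NE header" above
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, ts, _symtab, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size                                 # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _rel, _lin, _nrel, _nlin, schars = \
            struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        raw = blob[rawptr:rawptr + rawsize] if rawsize else b""  # .bss/.tls own no file bytes
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "characteristics": schars, "entropy": round(shannon_entropy(raw), 4)})
    return {"machine": machine,
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "characteristics": [n for bit, n in sorted(CHARACTERISTICS.items()) if chars & bit],
            "sections": sections}


def overlay(blob: bytes, info: Dict) -> Tuple[int, int]:
    """(offset, size) of file data past the last section's raw bytes."""
    end = max((s["rawptr"] + s["rawsize"] for s in info["sections"]), default=0)
    return end, max(len(blob) - end, 0)


def build_sample_pe() -> bytes:
    """Constructed image: COFF fields from this report, everything else minimal."""
    text = bytes(range(256)) * 2          # every byte value twice -> entropy exactly 8.0
    data = b"\0" * 0x200                  # all zeros -> entropy 0.0
    payload = b"\x01\x02\x03\x04" * 250   # stands in for an appended (overlay) installer payload
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1459953544, 0, 0, 0xE0, 0x818F)  # 06-Apr-2016 14:39:04 UTC
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)         # PE32 magic, rest zeroed
    hdr_end = e_lfanew + 4 + 20 + 0xE0 + 40 * 2
    text_off = (hdr_end + 0x1FF) & ~0x1FF                       # 0x200 file alignment
    data_off = text_off + len(text)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), text_off, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x2000, len(data), data_off, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return headers + b"\0" * (text_off - len(headers)) + text + data + payload


if __name__ == "__main__":
    blob = build_sample_pe()
    info = parse_pe(blob)
    print(info["timestamp"], *info["characteristics"], sep="\n  ")
    for s in info["sections"]:
        print(f"{s['name']:<8} raw=0x{s['rawsize']:05X} entropy={s['entropy']}")
    print("overlay offset/size:", overlay(blob, info))
```

Pointing `parse_pe` at the real osc.bin instead of the constructed image would reproduce the timestamp and flag list shown above and give an overlay offset of 151040; the sandbox's per-section entropy is the same Shannon measure, so a section scoring near 8.0 is the signal to look for a packer, while a large overlay behind modest section entropy is the installer-stub profile this file shows.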
Resources
1

2

3

4

5

4091

4092

4093

4094

4095

4096

11111

CHARTABLE

DVCLAL

PACKAGEINFO

MAINICON

Imports
    oleaut32.dll

    advapi32.dll

    user32.dll

    kernel32.dll

    comctl32.dll

Exports

    No exports.

Processes

Total processes
60
Monitored processes
19
Malicious processes
5
Suspicious processes
3

Behavior graph

Edge labels (flattened from the graph image): drop and start; start; drop and start; inject; drop and start; inject; drop and start; drop and start; drop and start
Nodes: osc.bin.exe; osc.bin.tmp (no specs); osc.bin.exe; osc.bin.tmp; regsvr32.exe; osc.bin.exe; osc.bin.tmp; regsvr32.exe; pse.exe (no specs); na.exe; msiexec.exe; msiexec.exe (no specs); msiexec.exe (no specs); msiexec.exe; msi9f47.tmp; ad04def822ec6c22e21c.msi9f47.tmp (no specs); msiexec.exe (no specs); HNetCfg.FwPolicy2 (no specs); desktop_media_service.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2552
CMD
"C:\Users\admin\AppData\Local\Temp\osc.bin.exe"
Path
C:\Users\admin\AppData\Local\Temp\osc.bin.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\osc.bin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\is-ougef.tmp\osc.bin.tmp

PID
3640
CMD
"C:\Users\admin\AppData\Local\Temp\is-OUGEF.tmp\osc.bin.tmp" /SL5="$600EC,5390452,151040,C:\Users\admin\AppData\Local\Temp\osc.bin.exe"
Path
C:\Users\admin\AppData\Local\Temp\is-OUGEF.tmp\osc.bin.tmp
Indicators
No indicators
Parent process
osc.bin.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-ougef.tmp\osc.bin.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll

PID
2952
CMD
"C:\Users\admin\AppData\Local\Temp\osc.bin.exe" /SPAWNWND=$70288 /NOTIFYWND=$600EC
Path
C:\Users\admin\AppData\Local\Temp\osc.bin.exe
Indicators
Parent process
osc.bin.tmp
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\osc.bin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\is-klo4q.tmp\osc.bin.tmp

PID
1136
CMD
"C:\Users\admin\AppData\Local\Temp\is-KLO4Q.tmp\osc.bin.tmp" /SL5="$60146,5390452,151040,C:\Users\admin\AppData\Local\Temp\osc.bin.exe" /SPAWNWND=$70288 /NOTIFYWND=$600EC
Path
C:\Users\admin\AppData\Local\Temp\is-KLO4Q.tmp\osc.bin.tmp
Indicators
Parent process
osc.bin.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-klo4q.tmp\osc.bin.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shfolder.dll
c:\users\admin\appdata\local\temp\is-59v6b.tmp\_isetup\_iscrypt.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll
c:\users\admin\appdata\local\temp\is-59v6b.tmp\loba.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\psapi.dll
c:\windows\system32\regsvr32.exe
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\qmgrprxy.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\users\admin\appdata\local\temp\osc.bin.exe

PID
3304
CMD
"C:\Windows\system32\regsvr32.exe" "C:\Users\admin\AppData\Local\Temp\is-59V6B.tmp\loba.dll" /i /n /s:"$$7lmy0AvcsybKiRde18C8UIJdve02FqMh6JtHGPVznN4mz2dTn0E9-vwPCkMEuqJFGUsGbh1OABPj8fQxdmRDZLcH17EIXSHCljGNSE1s1_A0B_YMC3XvX3IdhYmyode0XfTbT9QIN91JH4HeAVnsvP5DBrQiIVcucHT0UX-HwehpkVJrAQA3H5pZCfZGzbPckCVN5ChUyXy5dRWspGelEeEwNinpK3el20UGJ1q7ba2Cn4fuoVDddmbhuziteSY9rZG0U6egkGdU6x_ThA0dYhh0egXtBcez0SQzNqMtN1sc16P7rWZtzYQy8kTb6MtD56G38zaEYZNpKrReAG5QPeEIdjyZN_oZGiwVAkUaNIN5Lig0UM8MAg3O6oqfVnvLn0-8qDF7PmkonK9dl6XhR9gDv2dXfDEOVwdYK1GwqUer-RkRH6JcOguoz13WLK4sHjO7i17z7dkf9Pxvr6LS1dOPcfeBXQvVrlPYqXOtqR3lxxKCBrgE-qlgloIuoB6a-5V7EgNH0wpwgXeteSdrxgpJjSBz7eH6dqRkn5_QBcg68d0V3engEEKfyifz_7BgKhYXHYtH35YskA6n02ykJvKfdASI4luOA-PCTOF9IeBUWvm_-EwXzvTsDvjsSm9-YnXtWHEE9fca1D2LUpMBLojoRvL6FaQDmJhTYEeaS9G1P98s3h_UQYoI$$"
Path
C:\Windows\system32\regsvr32.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
6
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\is-59v6b.tmp\loba.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll

PID
3540
CMD
C:\Users\admin\AppData\Local\Temp\osc.bin.exe /VERYSILENT /SL5="$60146,5390452,151040,C:\Users\admin\AppData\Local\Temp\osc.bin.exe" /SPAWNWND=$70288 /NOTIFYWND=$600EC
Path
C:\Users\admin\AppData\Local\Temp\osc.bin.exe
Indicators
Parent process
osc.bin.tmp
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\osc.bin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\is-goi6n.tmp\osc.bin.tmp

PID
1304
CMD
"C:\Users\admin\AppData\Local\Temp\is-GOI6N.tmp\osc.bin.tmp" /SL5="$C0152,5390452,151040,C:\Users\admin\AppData\Local\Temp\osc.bin.exe" /VERYSILENT /SL5="$60146,5390452,151040,C:\Users\admin\AppData\Local\Temp\osc.bin.exe" /SPAWNWND=$70288 /NOTIFYWND=$600EC
Path
C:\Users\admin\AppData\Local\Temp\is-GOI6N.tmp\osc.bin.tmp
Indicators
Parent process
osc.bin.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-goi6n.tmp\osc.bin.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shfolder.dll
c:\users\admin\appdata\local\temp\is-07g3s.tmp\_isetup\_iscrypt.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll
c:\users\admin\appdata\local\temp\is-07g3s.tmp\loba.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\psapi.dll
c:\windows\system32\regsvr32.exe
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\qmgrprxy.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\bitsprx4.dll
c:\windows\system32\bitsprx2.dll
c:\users\admin\appdata\local\temp\{8c3659e7-1e77-61d3-bc34-4eea5f1d2b81}\pse.exe
c:\users\admin\appdata\local\temp\{8c3659e7-1e77-61d3-bc34-4eea5f1d2b81}\na.exe

PID
3428
CMD
"C:\Windows\system32\regsvr32.exe" "C:\Users\admin\AppData\Local\Temp\is-07G3S.tmp\loba.dll" /i /n /s:"$$0Ubmp8x--Lsp6Q6EGcxFi14KqmhFikjpRdUBFMWgMd8X69kec6kGZBoMPOvEvQTmXll1lXh9g3mA00n70DeLQ-elRaKQZ4ISVT4o5mP7UHGSHS74CJkxrbW4NpHUq1NqhDg3LhqW3pe4SMzmPKYEPPPtd7ZnF-q9eQwGH1RLKLU9gWdiPNYjOYfiFmPLbvuxqlw2AvgC66WLzP9M57t4fCola9iEkoIpoH8ZQoJb80VlrEdc7pEThv10yQ88V7DzuPJ9EvdczeLzPwoUBy3KGk8adL60o2D-Vy3rdEfw--ujUGopSV_PFWexsNE3VvnzuZamaO87w6rb91eoNFe2g8234kcfY4i_v74mg-vx7o3Fwo78cRiKmHYyFmQ7hykeHm_ZcB4oDLDk--dZVR17Cam3EM7wyNxvvXtvT8UrAG6kphKv31FybJe_qd4FcJFh8232yLtSMncaBSIvHhJAKXD6OMyLif9deMgiE0qFYLxTEMtsQopF6_yYofW2aRWQY6VT3fhxYW2rShsskJTDqyeOM47uMcYBETNN6pqC_lTJrRUuLBEbneWBBO65w-5DYUp-4CJDIauuA2r5VKtEa2fYvjyZW7IVMD1qrxqOnlXFMUthlqOo6qbHSb8LhAh3ywi5ZSD8DQvQB5ekskvXtKVejF5kSf0AmRu9rjrz3sBnZNhWzMLrZltooN_DCDFJ$$"
Path
C:\Windows\system32\regsvr32.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
6
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\is-07g3s.tmp\loba.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll

PID
3608
CMD
"C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\pse.exe" /efd= /efl= /efd= /efd= /efd= /efd= /efd=
Path
C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\pse.exe
Indicators
No indicators
Parent process
osc.bin.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\{8c3659e7-1e77-61d3-bc34-4eea5f1d2b81}\pse.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3020
CMD
"C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\na.exe" /QN VENDOR_ID="osc"
Path
C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\na.exe
Indicators
Parent process
osc.bin.tmp
User
admin
Integrity Level
HIGH
Version:
Company
Description
Installer
Version
1.0
Modules
Image
c:\users\admin\appdata\local\temp\{8c3659e7-1e77-61d3-bc34-4eea5f1d2b81}\na.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msls31.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\userenv.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\propsys.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msihnd.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched20.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\users\admin\appdata\roaming\jetmedia\nativedesktopmediaservice 3.6.0\install\decoder.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msiexec.exe

PID
2992
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wmsgapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\consent.exe
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\bcrypt.dll
c:\windows\installer\msi9f47.tmp
c:\windows\system32\devrtl.dll

PID
2644
CMD
C:\Windows\system32\MsiExec.exe -Embedding 43B60E4981C1DBC47DD9DBD05FB28538 C
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\users\admin\appdata\local\temp\msi9831.tmp
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\users\admin\appdata\local\temp\msi993c.tmp
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.excel\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.excel.dll
c:\windows\assembly\gac_msil\microsoft.vbe.interop.forms\11.0.0.0__71e9bce111e9429c\microsoft.vbe.interop.forms.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.graph\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.graph.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.outlook\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.outlook.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.powerpoint\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.powerpoint.dll
c:\windows\assembly\gac_msil\office\14.0.0.0__71e9bce111e9429c\office.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.smarttag\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.smarttag.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.word\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.word.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\secur32.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\microsoft office\office14\vviewer.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\samlib.dll

PID
2748
CMD
"C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi" /QN VENDOR_ID=osc AI_SETUPEXEPATH=C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\na.exe SETUPEXEDIR=C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\ EXE_CMD_LINE="/exenoupdates /forcecleanup /QN VENDOR_ID=""osc"" " VENDOR_ID="osc"
Path
C:\Windows\system32\msiexec.exe
Indicators
No indicators
Parent process
na.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll

PID
3452
CMD
C:\Windows\system32\MsiExec.exe -Embedding 00D081ADF308DEBFAD52F5711CCA34E9
Path
C:\Windows\system32\MsiExec.exe
Indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msi9e1d.tmp
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\installer\msi9ef8.tmp
c:\windows\installer\msiacc6.tmp
c:\windows\system32\secur32.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\microsoft office\office14\vviewer.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.excel\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.excel.dll
c:\windows\assembly\gac_msil\microsoft.vbe.interop.forms\11.0.0.0__71e9bce111e9429c\microsoft.vbe.interop.forms.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.graph\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.graph.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.outlook\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.outlook.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.powerpoint\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.powerpoint.dll
c:\windows\assembly\gac_msil\office\14.0.0.0__71e9bce111e9429c\office.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.smarttag\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.smarttag.dll
c:\windows\assembly\gac_msil\microsoft.office.interop.word\14.0.0.0__71e9bce111e9429c\microsoft.office.interop.word.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\samlib.dll
c:\windows\installer\msiae3e.tmp
c:\windows\installer\msiae7d.tmp
c:\windows\installer\msiaebd.tmp
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\qmgrprxy.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\installer\msib797.tmp
c:\windows\installer\msibe30.tmp
c:\windows\installer\msibe7f.tmp
c:\windows\installer\msic806.tmp
c:\windows\installer\msic827.tmp
c:\windows\installer\msic847.tmp
c:\windows\installer\msic877.tmp
c:\windows\installer\msic897.tmp
c:\windows\installer\msic8c7.tmp
c:\windows\installer\msic906.tmp
c:\windows\installer\msicace.tmp

PID
3696
CMD
"C:\Windows\Installer\MSI9F47.tmp" /p="C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\na.exe" /p="C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi" /p="C:\Program Files\Jetmedia\NativeDesktopMediaService" /p="" /p=""
Path
C:\Windows\Installer\MSI9F47.tmp
Indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\installer\msi9f47.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\ad04def822ec6c22e21c.msi9f47.tmp

PID
2788
CMD
"C:\Users\admin\AppData\Local\Temp\ad04def822ec6c22e21c.MSI9F47.tmp" $$SsiHI_Pp7umOclV98C69MUttRf1J1uepxvqiZCkvZNBxkFiZ_M6O_wgwjeVKbvAP0Y_UJvTW3nYfH5YjBnTVF047Ocxa_Rrq6XbuawTwnHM2bcdYqJtxqkKK3gnfxwtpVQ6smb4XNjVKVxkWyKbR8-Y8sLg9dww0096-uZR5g0vG8qQ7qXv5IxKYKZ4yzHfX7qTbYLTzFKpg_xSkB7kW89nnbikAOkH_ny8uQm_YsrJJaZCP0OfGoEb04Dbkw486OlJ4V9xW8Xq6GgzRkUvWxNZU-ia6SuK2e-fpSrLktiYHB4GH7SNL4nW9mt6aUVfJjDVqvgeNq-UEQ2khnDabRpEN3fK4F7WKFBpHqWkzkJ4tzPqP8PjJb5zGeS_KyLYFAqkhwXah0MjN_7WmreO08YFtwgZP0Kszr3xdLnF-hO9gIxNVeQylR2ukdySL-JbC9GRLkX-FPtnRfQ086GFldJIDSeDUH8lu1oegfRJaiules8VUzc5Aej2w2EUsO8fGSqrCYYG4o8DEyH_mtY-sCcTw-eEB2TM7CR0gMs0losk38xKVlkF3uReBLYCP8MHa2OIOh3Gbpykx8iRQ-dnCJioS_uamzD8EETEG4m5XuJ4P0VHhBpsfTMACVxvdd3zxpDWdXPS-xh_GA8-q_ukBQF9KazoYcUb6hV4AbAzsVMMfUM0Ino-FMxyL4P5_Tjpekd3VleDXDONnTueWz5XOMFDQVq7q4o8jlA5cjrMYQD8NbG4_sdkuoZVPR1jRES_-RTfa2RH-bGzD_2eLXBLKG8WLW_4u0OCq$$
Path
C:\Users\admin\AppData\Local\Temp\ad04def822ec6c22e21c.MSI9F47.tmp
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\ad04def822ec6c22e21c.msi9f47.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

PID
2688
CMD
C:\Windows\system32\MsiExec.exe -Embedding C9BD717453A7B7175CE1AB27CF51B15E M Global\MSI0000
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msic9a5.tmp
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll
c:\windows\installer\msicbd9.tmp
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\installer\msicc47.tmp
c:\windows\system32\comsvcs.dll
c:\windows\system32\atl.dll
c:\windows\system32\sxs.dll
c:\windows\system32\firewallapi.dll
c:\windows\installer\msid1f6.tmp

PID
1784
CMD
C:\Windows\system32\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
Path
C:\Windows\system32\DllHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\system32\sxs.dll

PID
3636
CMD
"C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe" --service
Path
C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Description
Version
Modules
Image
c:\program files\jetmedia\nativedesktopmediaservice\desktop_media_service.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
903
Read events
795
Write events
106
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
1136
osc.bin.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Owner
700400000AE96AA81521D501
1136
osc.bin.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
SessionHash
162D14E216285BF4123A6BFA97D2B6727F59CA5F9AAEAA499A73AEF2E97673A4
1136
osc.bin.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Sequence
1
1136
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5175C1E7-2F25-D68E-D57F-3EBA1745E7B5}
cd77f991
017DD9693B0500010000004000000040000000CA2A6DE2E5359B0E21BCACD610D70FD48367368710973A1D3B10A5AF14E56F8324F9778B6810143773AA8673320048216A8AF6E2C3685CFC5E54CA236C8E1292FDC84433353A3204501D9FD1FD0C19DE
1136
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5175C1E7-2F25-D68E-D57F-3EBA1745E7B5}
cd77f991
0156D16E54050001000000400000004000000024F17122F0EF5852D429507EEB86572487BE398A41E6F87EE1AC96BABBA7B71D34289A573D2EFDBC68DE8F965AD80D81BF7B4EDE5FDB6163F5300A96058AFDDF2621069AF111A12768FFCBEDB0E6EDA2
1136
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5175C1E7-2F25-D68E-D57F-3EBA1745E7B5}
7e34172e
0119432ED70500010000001C0000001C000000A24CCFB44E47A9863FB13F54AB2B7E5B0D8B8CB5A75EAF04B5277581BD0280000A6A8F02D4C0FBCA5672B8BB
1136
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C332E1D-92EE-193A-D785-47D53FBD1B51}
cd77f991
015FA880D00500010000004000000040000000C36881097CFBF973DCD60F2DD0BE7E4854DA006F99AAB40D57C8DB9168C785B0651663A7322519178C6243323E34D49CC6163FC00C5600C6F7661A662D29A5096AF66DE6A74B947B1CFA45E7EB69D8AF
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Program Files\OneSystemCare\
0
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Program Files\OneSystemCare\setuphelper.dll
0
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Program Files\OneSystemCare\unins000.exe
0
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\ProgramData\1560344101
0
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Users\admin\AppData\Local\Temp\is-59V6B.tmp\loba.dll
0
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Users\admin\AppData\Local\Temp\is-KLO4Q.tmp\osc.bin.tmp
0
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Users\admin\AppData\Local\Temp\{54AC5269-C06B-765A-8795-DF9DEBC12163}
0
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
C:\Program Files\OneSystemCare\OneSystemCare.exe
0
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
C:\Users\admin\AppData\Local\Temp\is-59V6B.tmp\loba.dll
0
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
C:\Users\admin\AppData\Local\Temp\is-KLO4Q.tmp\osc.bin.tmp
0
3304
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
OneSystemCare.exe
0
1304
osc.bin.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Owner
180500006663BBAE1521D501
1304
osc.bin.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
SessionHash
2F1AA83B76F47E4CC2F35C18CA06DDB422F454EFC577B68238101B37868FFC61
1304
osc.bin.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
Sequence
1
1304
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2DCA429E-B0DA-8CC9-2D87-4ADE4DE75A0E}
cd77f991
01D9D4D972050001000000400000004000000041D853766B6716C04A2F113FE3F681BD0CC80F5F1D4B1F6B661573B72F5F9812F406FD0877F56FADB219CC9A42B0E9273C648625E78EF6CE2A77E20D40FD2300DBFEB4217597C8C060DF7D81BAEF2613
1304
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2DCA429E-B0DA-8CC9-2D87-4ADE4DE75A0E}
cd77f991
01238019F005000100000040000000400000008B2E3F75B280C39EEC082C53B4F4C32125BC135BEFF61492160715AAE92919AEFB535CFA628861928462545798ADD62F072BC2DB6289DB1C5056B93ED6D89E2E936AA73E0FB1C978756E9AA007DB1F1C
1304
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2DCA429E-B0DA-8CC9-2D87-4ADE4DE75A0E}
7e34172e
0105524BAA0500010000001C0000001C000000DBFB8977A96B2982D95E30C2876556350F64118C80BFE1AA1ABAC6C80B34B179A359BA9B55C4AADE82A1A2E9
1304
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C332E1D-92EE-193A-D785-47D53FBD1B51}
cd77f991
017FE6CD090500010000004000000040000000D75F9BC0E84AF206BF84FB2E0F7512A2062C5B10C14A2B1B06C0001F2B7FD848D8F6335DFBDC57E68E6B77F4CE18CB4A54828E9737A62F47D9B412A031562095E690CF354798BF93C4B44B9EA4FD78AE
1304
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2DCA429E-B0DA-8CC9-2D87-4ADE4DE75A0E}
cd77f991
014CD49FD20500010000004000000040000000531DF3D703D326412F56A013306F042ACC046F8756C6472E6D0665E9428712683A001E5D217ACFE19D66D699573C2387BDB393B33067B818128D2DCA78CB7F1BE5BC187BECBB2934A3FB1FA427FA3F8A
1304
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2DCA429E-B0DA-8CC9-2D87-4ADE4DE75A0E}
81c3e8cc
0128C4D4400500010000001C0000001C0000008A94055A449511FC653C666050F3886BD42A090F5557A02E4DCA8D61C8AE3023D2A33F57C8548F803F15C335
1304
osc.bin.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{763B720B-C28A-5678-B41C-AAFE7D773296}
cd77f991
0106A77E7C05000100000040000000400000004A775DBCB5A1B55D751FDD332A2862B797B6379138DB5BB0925BDCB3D32ECD5BB8962260AF76D729A91F6DE34F983DEE81B794144F050B6532B5C52799E40EA342683877C0E81FE2CC2E81D1765562C5
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Program Files\OneSystemCare\
0
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Program Files\OneSystemCare\setuphelper.dll
0
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Program Files\OneSystemCare\unins000.exe
0
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\ProgramData\1560344112
0
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Users\admin\AppData\Local\Temp\is-07G3S.tmp\loba.dll
0
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Users\admin\AppData\Local\Temp\is-GOI6N.tmp\osc.bin.tmp
0
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}
0
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
C:\Program Files\OneSystemCare\OneSystemCare.exe
0
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
C:\Users\admin\AppData\Local\Temp\is-07G3S.tmp\loba.dll
0
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
C:\Users\admin\AppData\Local\Temp\is-GOI6N.tmp\osc.bin.tmp
0
3428
regsvr32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
OneSystemCare.exe
0
2992
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0002
Owner
B00B000046F07BBD1521D501
2992
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0002
SessionHash
1ECB3BCE51EC8529179B9E7AAFD5F4EAD3FA7638D24F2E6D985B97CBFB73F2CC
2992
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0002
Sequence
1
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\129cd6.ipi
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\129cd7.rbs
30744862
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\129cd7.rbsLow
655086848
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F607D05DC5F63594BBF3B2461B7B7CA5
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Caphyon\Advanced Installer\LZMA\{4CF9B388-78FA-46C3-B409-196FE2CF5F20}\3.6.0\AI_ExePath
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DC709AE344971F940A612500314D7368
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\VendorId
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E58E972E9A5A30C4BAC65C0CF48B48BD
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\InstanceId
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DEB2302CB75968B4AA5F1F6D7E8D4919
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\ServiceName
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\307D253A70CB21E43A4374E451D0A397
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\Path
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9046CFD34DC49EA45866E320C474DB92
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\VendorId1
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C5E0BF6B88796ED4698E84C44FF06ABF
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\Uninstall
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF2BB7EFF73EB794C877730D308C6165
883B9FC4AF873C644B9091F62EFCF502
C:\Program Files\Jetmedia\NativeDesktopMediaService\watchdog.exe
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BF31675ED828A0D459AB9F9BF98DDA5D
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\RegisterDate
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A259754BDFFFF3E42968FEB19C2EBD54
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\VendorId2
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9ED1AE69FBB90AC4EB48676326125C43
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\VendorId3
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CE00CF65812E73D43A032920E4C893F2
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\VendorId4
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C2266F4C90F7AAF4A995C1F6CC11F75C
883B9FC4AF873C644B9091F62EFCF502
02:\Software\Jetmedia\NativeDesktopMediaService\Version
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A6C7949F95D258C47BA2032F20EA40AC
883B9FC4AF873C644B9091F62EFCF502
C:\ProgramData\Jetmedia\NativeDesktopMediaService\comdata.dat
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8639A60AF9BDE664EBC129671F855071
883B9FC4AF873C644B9091F62EFCF502
C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Program Files\Jetmedia\NativeDesktopMediaService\
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Program Files\Jetmedia\
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\ProgramData\Jetmedia\NativeDesktopMediaService\
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\ProgramData\Jetmedia\
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\{4CF9B388-78FA-46C3-B409-196FE2CF5F20}\3.6.0
AI_ExePath
C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\na.exe
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
VendorId
osc
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
InstanceId
1D26561D-6CF6-9431-8AB4-5617695F85DE
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
ServiceName
NativeDesktopMediaService
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
VendorId1
na
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
Uninstall
C:\Windows\system32\msiexec.exe /x {4CF9B388-78FA-46C3-B409-196FE2CF5F20}
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
RegisterDate
1560340543
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
Version
3.6.0
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
Path
C:\Program Files\Jetmedia\NativeDesktopMediaService\
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
VendorId2
na
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
VendorId3
na
2992
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Jetmedia\NativeDesktopMediaService
VendorId4
na
3452
MsiExec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4B52302A-33D8-F88A-CF6D-A3E95D172266}
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E120A1E-7001-ABA1-7153-7C742E8A4FED}
cd77f991
013D3DCD460500010000004000000040000000B26676FA55449C6658BBC6A2924BD162709626D3A12569347CDBCA86676D0332FB5AC2ECDDD45E838392F3AEA0CEA95970374602FF39964097334BE47F4FB788DB95EEEFECCC1F466005393A0892DF69
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E120A1E-7001-ABA1-7153-7C742E8A4FED}
cd77f991
014709E3050500010000004000000040000000CE612263E3F2689DC63FABDBAEC460334704E40855FA705364B935B24047CA30DEE7121A0698457840DC72163E2FCBB4C61B41F7E58A4BCB7B1484C3511E323541E142D431157E65323E6B8FB01CBD38
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1E120A1E-7001-ABA1-7153-7C742E8A4FED}
7e34172e
010EB5770A0500010000001C0000001C0000009244B79750B2BA00F8E4592D2EA8947F60EADF3377BD889C792236051561970B88B53093A1F3B3AFA2D7D7B9
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4B52302A-33D8-F88A-CF6D-A3E95D172266}
cd77f991
01A953F17305000100000040000000400000009C973EC890F566B643365DF085694CC01DBA83842ADDD4E0B9DFCBC94F9369ECF21E1F3294CCE9B551CF7AE21804B002322A1D9F91565115CD9AD0FA03EE2AC4A51962E76F69D039C9A3D86DB541E470
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4B52302A-33D8-F88A-CF6D-A3E95D172266}
cd77f991
01E811507105000100000040000000400000004BA2A61E7C6A070F1A5BAEF84D3B0D31840E0BEDF63786F64D6CE7FBFD3AB714CF4813A6F2AA9C0A6831A856A30CE6C765E1A938378C5BBD244F8D80645BCFCE4B9DA10A35BB757884F67B1E943819FF
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4B4CD726-7EF9-8434-4EEA-5F1DAB018183}
f6057a2d
01987FDAFF050301000000C80100008202000013097290BB77E038789F05C7C0102F8B71DF9D69714664E0C61DE7B84B4397D4CC0F1652629124F62F7FEBC588A7AC6F3BF64A46C4EBA288C7EE64CF66459CF59F713112F8ABA74206FC7EA037B16A77350224C764E9220F69E824131620CA1F2C0F708EC1AEEA0297C21E4C78AFF1CECE47307AFE950226D59AB2A9A7A516526CF33B17D155EADBB73250DC400DC376F305B7B4DD4FAECB0A3E46988ED87F6DBA29D91BF0F65422EE844ED13615E873F3A8CDB9CBFF1F154CCF45D05A6527C2BBC391399B20474032385062064765BF94FE8CF57688B986DA9244BFCBCCD51BA80A293EDEC0AAE34034ECCB0B0D1669F6D5F5F4964BFC063D806B093ABF1BAB805C404C3F73BCD4249772DBD2EB8F03D685D6C9A47EF94847FCE99917FA1E913543B4F1131B737266E26C4813F84EC095305BD7105C27887E45E128E2B8D9202B76F91AF1CBDF1426D35B395976AB4062E61F495B9A31BC97DEB1F8E44B6DC388DCAE841D18DB2D4199B59BB1C379C168C2CE378C775593D02190B6D7108BC016607CE8A299698D03EF6227D4860EABE7B63250AEDE83BABAD22884E3C63C3416E156BBAC9C7ADA425633FCB45CD6C2A5C92C5463EAC9B39DBA03587AC27DE6F65FB93AAA82FE403887FC1A0063C710BFEE1AD9849D6570
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4B52302A-33D8-F88A-CF6D-A3E95D172266}
cd77f991
01D645E1970500010000004000000040000000A87488E63A5293AE6428C4152745EC226F27381EDF8547A1AC39FBABEDDB9C66A8DB6094E8CEE3975B22A11CCEF7CB66ADEEEC88871E36C0E559BC8B54F463A2E82B9783AE74EDC71DBF576341DEC569
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4B52302A-33D8-F88A-CF6D-A3E95D172266}
cd77f991
019F1FAE050500010000004000000040000000D08810C525A15CF0B6B58AA73939B7635F8CB309318A8C49731738640F31F1348BE1A4C642B4728D4E49203FAA92A65F6D6E2927D6057B15F22AB98D76E45BFB51140C83AC3F5DEBA6D8179867E2EAD3
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6CB02112-C969-A66D-A3E9-5D172266194B}
f6057a2d
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4B52302A-33D8-F88A-CF6D-A3E95D172266}
cd77f991
010DAC3303050001000000400000004000000051DF6B5A0D53151477AF32CBF9AF78C708B5B0D49B602AE8E3F9D9169B0B82D8F376309958C4C64E2EE76A67593532BB4271A2D76B04C4F4DF0DA62910148DCB9F3BF300B4771F125CAF99E270B76CE4
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4B52302A-33D8-F88A-CF6D-A3E95D172266}
cd77f991
017F306D27050001000000400000004000000075363266FFB3B6D37E8FB364D9A1D7519073C678CA876F3CE2E2C55AA3A1DAADD806DA9E26E766B9CCA32E0A784C84C70B9182F9ADCAAF1BD83104B4CF0BB42A3E404236FFB5965ED7AF20AEA5E14AD7
3452
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4B52302A-33D8-F88A-CF6D-A3E95D172266}
80cc0950
01763436A50500010000001C0000001C000000B5D6645AD1DA0EACB60476AEBA162B2EC534712EF03F42676B08FC0AA18D4B2AEFD7087BA909F290B4E760DB
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Program Files\Jetmedia\NativeDesktopMediaService
0
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\ProgramData\1560344135
0
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\na.exe
0
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi
0
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Windows\Installer
0
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
C:\Windows\Installer\MSI9F47.tmp
0
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
C:\Windows\Installer\MSI9F47.tmp
0
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
DMService
0
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
NativeDesktopMediaService
0
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
desktop_media_service.exe
0
2788
ad04def822ec6c22e21c.MSI9F47.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes
watchdog.exe
0
2688
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\Scheduled Tasks\{711E0759-3245-49C6-A4D0-B5EE99B2ECA2}
Checker641
1
2688
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\Scheduled Tasks\{711E0759-3245-49C6-A4D0-B5EE99B2ECA2}
Checker641_ID
{B4EF14D7-7152-4DCD-96E8-6029CC863C6A}
2688
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\Windows Firewall\{4CF9B388-78FA-46C3-B409-196FE2CF5F20}
AllowExceptions
1
2688
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\Windows Firewall\{4CF9B388-78FA-46C3-B409-196FE2CF5F20}
AllowUnicastResponses
1
2688
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\Windows Firewall\{4CF9B388-78FA-46C3-B409-196FE2CF5F20}\Registered Applications
netmedia32
{99DBD9CF-3E0E-4548-9CEF-88A300A8C631}
2688
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\Windows Firewall\{4CF9B388-78FA-46C3-B409-196FE2CF5F20}\Registered Applications
tcpsvcs64
{2D1286D9-30DF-4749-9A23-1634435AE444}

Files activity

Executable files
24
Suspicious files
4
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
2552
osc.bin.exe
C:\Users\admin\AppData\Local\Temp\is-OUGEF.tmp\osc.bin.tmp
executable
MD5: c3f1e7c9dee637383437ff73a0fda80b
SHA256: 4dda0d4f88cfddf13d7e09c69aeb7b44192b9378f9093f16ba03ed5b6685bf10
3020
na.exe
C:\Users\admin\AppData\Local\Temp\MSI993C.tmp
executable
MD5: 3df1a130b263daf320aabfc98b2f0206
SHA256: db8cfaaff769fa7117372e2c051a4a5e9646a20777c1c04cbf2f9a42e4799490
3020
na.exe
C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\watchdog.exe
executable
MD5: c9042bfa9381f36d3dd0d3edaa46b7a5
SHA256: a3e402e6de4cce3a503c33856293aa78d9612a02b740306b7d85f1af4f68fc2a
2992
msiexec.exe
C:\Windows\Installer\MSI9F47.tmp
executable
MD5: aa8a0837e4d96a0567805cbf9718e7e4
SHA256: cd5c9a0059c34543c0744f21df87696f13709b9d52440c996f78b2ff6a553fcc
3020
na.exe
C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\decoder.dll
executable
MD5: 7dba3f67223e1db36ccf17c010b5cea5
SHA256: 32899d4642474607ac17534bd799e3c78182fd975ab6e9f5f0db77d52acdc09f
3696
MSI9F47.tmp
C:\Users\admin\AppData\Local\Temp\ad04def822ec6c22e21c.MSI9F47.tmp
executable
MD5: aa8a0837e4d96a0567805cbf9718e7e4
SHA256: cd5c9a0059c34543c0744f21df87696f13709b9d52440c996f78b2ff6a553fcc
1136
osc.bin.tmp
C:\Users\admin\AppData\Local\Temp\is-59V6B.tmp\_isetup\_iscrypt.dll
executable
MD5: a69559718ab506675e907fe49deb71e9
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
2992
msiexec.exe
C:\Windows\Installer\MSIACC6.tmp
executable
MD5: 3df1a130b263daf320aabfc98b2f0206
SHA256: db8cfaaff769fa7117372e2c051a4a5e9646a20777c1c04cbf2f9a42e4799490
2992
msiexec.exe
C:\Program Files\Jetmedia\NativeDesktopMediaService\watchdog.exe
executable
MD5: c9042bfa9381f36d3dd0d3edaa46b7a5
SHA256: a3e402e6de4cce3a503c33856293aa78d9612a02b740306b7d85f1af4f68fc2a
2992
msiexec.exe
C:\Windows\Installer\MSIBE7F.tmp
executable
MD5: e0dad2eb19a676ccd2ee9825f282c8d3
SHA256: 6006bb6bee1cdba3e061ddcc54ef97f9faaae3acf1eec09e4e4d2426ff69179a
1304
osc.bin.tmp
C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\na.exe
executable
MD5: 5bfe5883165dd5f10548ec858b2b7686
SHA256: adb5e86acb199bc4b0c2cd64334ef71cd12e99fb19cab90959b0e726e390bd9a
2992
msiexec.exe
C:\Program Files\Jetmedia\NativeDesktopMediaService\desktop_media_service.exe
executable
MD5: beb5101ecb76e2e955da10f9891e7b9b
SHA256: 936015742036d1583a68dd81f2a1bb1b57f56baba872a2fe8842f814a31d6791
1304
osc.bin.tmp
C:\Users\admin\AppData\Local\Temp\{8C3659E7-1E77-61D3-BC34-4EEA5F1D2B81}\pse.exe
executable
MD5: 2b5ab5dcf45a3d2d7a3e788ee3316d70
SHA256: fd06bac925e2aca12cae6cbdc194a234f2e49549e3a6f966043e62bab8a4de95
2992
msiexec.exe
C:\Windows\Installer\MSIAEBD.tmp
executable
MD5: e0dad2eb19a676ccd2ee9825f282c8d3
SHA256: 6006bb6bee1cdba3e061ddcc54ef97f9faaae3acf1eec09e4e4d2426ff69179a
2992
msiexec.exe
C:\Windows\Installer\MSIC8C7.tmp
executable
MD5: ec02fd954c6fab85acaa0efec4f6900c
SHA256: 1501d29a77df405e9fea46e1e52e4585233ff884c3d21788d6e19633c3f83212
2952
osc.bin.exe
C:\Users\admin\AppData\Local\Temp\is-KLO4Q.tmp\osc.bin.tmp
executable
MD5: c3f1e7c9dee637383437ff73a0fda80b
SHA256: 4dda0d4f88cfddf13d7e09c69aeb7b44192b9378f9093f16ba03ed5b6685bf10
3020
na.exe
C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\desktop_media_service.exe
executable
MD5: beb5101ecb76e2e955da10f9891e7b9b
SHA256: 936015742036d1583a68dd81f2a1bb1b57f56baba872a2fe8842f814a31d6791
2992
msiexec.exe
C:\Windows\Installer\MSICC47.tmp
executable
MD5: ec02fd954c6fab85acaa0efec4f6900c
SHA256: 1501d29a77df405e9fea46e1e52e4585233ff884c3d21788d6e19633c3f83212
1304
osc.bin.tmp
C:\Users\admin\AppData\Local\Temp\is-07G3S.tmp\_isetup\_iscrypt.dll
executable
MD5: a69559718ab506675e907fe49deb71e9
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
1304
osc.bin.tmp
C:\Users\admin\AppData\Local\Temp\is-07G3S.tmp\loba.dll
executable
MD5: 3bcbec70095ccce04cb2d9ab8d010b9b
SHA256: 352be005b8cc25dde7804c65eb9e8d3be262a46a38045398af4e401002ec981b
2992
msiexec.exe
C:\Windows\Installer\MSIC9A5.tmp
executable
MD5: 5685c1bfaa16699bf9662696a38b4274
SHA256: 914ac28799cd54d9966807e62708a60e45849e26bdda492d9e66d007e682d68f
3540
osc.bin.exe
C:\Users\admin\AppData\Local\Temp\is-GOI6N.tmp\osc.bin.tmp
executable
MD5: c3f1e7c9dee637383437ff73a0fda80b
SHA256: 4dda0d4f88cfddf13d7e09c69aeb7b44192b9378f9093f16ba03ed5b6685bf10
1136
osc.bin.tmp
C:\Users\admin\AppData\Local\Temp\is-59V6B.tmp\loba.dll
executable
MD5: 3bcbec70095ccce04cb2d9ab8d010b9b
SHA256: 352be005b8cc25dde7804c65eb9e8d3be262a46a38045398af4e401002ec981b
2992
msiexec.exe
C:\Windows\Installer\MSIB797.tmp
executable
MD5: e0dad2eb19a676ccd2ee9825f282c8d3
SHA256: 6006bb6bee1cdba3e061ddcc54ef97f9faaae3acf1eec09e4e4d2426ff69179a
2992
msiexec.exe
C:\Windows\Installer\MSIAE7D.tmp
––
MD5:  ––
SHA256:  ––
3020
na.exe
C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\MSIAE3E.tmp
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF6275A9313894D5E4.TMP
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\129cd6.ipi
binary
MD5: e5d895eb4ddeebce13c709fdd7d63359
SHA256: 56984c3f3bea9bbbaa879d206a6105d00394d553ea5955162c841cc8c5d4aa6a
2992
msiexec.exe
C:\Windows\Installer\MSIC806.tmp
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\MSI9EF8.tmp
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\MSI9E1D.tmp
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\129cd4.msi
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\MSIC827.tmp
––
MD5:  ––
SHA256:  ––
3020
na.exe
C:\Users\admin\AppData\Local\Temp\MSI9831.tmp
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\MSIBE30.tmp
––
MD5:  ––
SHA256:  ––
3020
na.exe
C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\holder0.aiph
gmc
MD5: 451a89a284ed267d2634dfde456250b4
SHA256: 3debc58abfe65d7fbe40c999df252c694932a05d7f8f6b8434c19f4ca16ba644
2992
msiexec.exe
C:\Windows\Installer\MSIC847.tmp
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\MSIC877.tmp
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\MSIC897.tmp
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\MSIC906.tmp
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\MSIC7F6.tmp
binary
MD5: aa49d4e0434103e62b7d7dc771f59462
SHA256: c471a0484fcaaaa4246b7d3011a5088fb57b8f5834e3394a3848fbfeb1366257
2992
msiexec.exe
C:\Windows\Installer\MSICACE.tmp
––
MD5:  ––
SHA256:  ––
3020
na.exe
C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\CommonAppDataFolder\Jetmedia\NativeDesktopMediaService\comdata.dat
binary
MD5: c8d6aad43a712b9ad8fb7d8224684df9
SHA256: 7ede55588d9d67748c4d4bdbfb72862d14d6e4511ff4eba6f66aaf1d530686a8
2992
msiexec.exe
C:\ProgramData\Jetmedia\NativeDesktopMediaService\comdata.dat
binary
MD5: c8d6aad43a712b9ad8fb7d8224684df9
SHA256: 7ede55588d9d67748c4d4bdbfb72862d14d6e4511ff4eba6f66aaf1d530686a8
2992
msiexec.exe
C:\Windows\Installer\MSICBD9.tmp
––
MD5:  ––
SHA256:  ––
2992
msiexec.exe
C:\Windows\Installer\MSID1F6.tmp
––
MD5:  ––
SHA256:  ––

Network activity

HTTP(S) requests
11
TCP/UDP connections
11
DNS requests
9
Threats
13

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
1136 osc.bin.tmp POST 200 104.31.93.189:80 http://tm1.onesystemhost.info/ US
text
text
malicious
1304 osc.bin.tmp POST 200 104.31.93.189:80 http://tm1.onesystemhost.info/ US
text
text
malicious
1304 osc.bin.tmp POST 200 104.31.93.189:80 http://ins1.onesystemhost.info/ US
text
text
malicious
1304 osc.bin.tmp POST 200 104.31.93.189:80 http://ins2.onesystemhost.info/ US
text
text
malicious
–– –– HEAD 503 81.171.17.144:80 http://credicalls.info/?ch=lqr53onF31_iuISojSfure3CWMYz5C2jEhr5LQG7LuNgfJtjQ-EVkddeHuRUjTxsR7JNxOE5uWZBlARIMEj0Z4t5SqN3UTc4ttgpkdSjTxTEgPfUMcAr95_yNX325H_ixb0KuzPVLscBYEcM&ac=jA7nv7VFLcggp7PJPHn8oRFlRaoQxix72JiRoO0GgRxq7FermxYbXkGSX9QYu2w8bSNOnOp7svLp_LocPWys_scJWe-k4TI21moU-AZuRQzqP7nW1srLKALjWqnQMWUEK9W8m1KG39t8lSNim_5a6naR7v--x-vH9uwUYuLhAaV5weZHc7gZpT-Y8027RDwwwI0yyi8wLzIAk1r4831FtRqfKbiBXF_kjvxpnNRv9MeeVDQ7KBjWIiuecNRp1Br_61bWaWf9eh0ZlZjCzM1NomQ0-6cIiLBdBqTp3R1uPTC7UqlenjxSF1gof3Mph_dN7HbNj7YndrL2YMTFaw1vXDKP-XqbOuezIA0YsVo579Jo66M3qVszGHdXUk03LcJ55XZWWYt9byf8Zao2JbxdlLtLeZMuQC1iPkbzCzHcIDP_KDjw7iRjDC3RjtVr6FudSp_mcY364oSDY-NwVycaREOLINsgHzbtVbGS0vuygEfD7beXGS-WdrNF-n80A_5ZJpdM2wWlVclXkLoFI-y9OCAd8ZBFQaQijhZGcZQQ9MBWbSdpBw7l1jYtXbKfZPAPONrXuQxtQQ63YIW3MqjRpTYsqRyvImShK0rR7sZ6CAX1IdH8-jAVMgQA-f2t_NCxd87sK1eu7t2kpQjoBQmxKmNaPBO4YHLQbXVY52g_iXXCFhq5RfjsgadBSARPXDhoE6rRjhN3cDXYmxwTFGu042maYMH8lku-BBeJula4u5UdFhAZkh0YJC5MD0p3wNZ0LGN2CI6T4YLIMLdQ-Z4bwlWRL6hs9ZiLsIonDAKjhZzYLKfOtkG9lreHk0WTDfJ64HwVRyJSvSYOb_154w6Vxu1nyeS_3mKS2dQu0iPzPEt_dRxNqvU03b9YQZQ5F3MHnSsHCzMwCvdjtFy75VeORcE0MlG7qxhvzzpnPZopYJpgNlEm03XANcCN5DUwsdvCiojIf0A3QekT34gwYD1Z4ZaOZ9zkmbyU7ndR1agbmJt8GAIclyGv85TarW0BQHGl9wZDdqp2gA4J4sx1o4dEeXLfo8wD_EA_Fq2EX5S2OyVkUuWvmydrbaUtjRBdFNtRcoALp06o0AmEdwiUgicu8egPv68fZDusWYC1De3mf2qHGMnCB0ymna_LiTm_p_6g751dch1QlLQzUkjdkodhrGc45gd4NyNqqPAWavFCspKwIepA71Z9bHB9ZQP2cOF6EuMhtPM62WLVMPbanoMp_h7sfZ6DDVslzVeiWz5hgaXxKel8xBomMIcO4WFyKFGlIhkrcXB3hh_pirOVchrkU-S6&tr=iOmkb8rNdSdZy8sGjnMmtLzezvYsjzg5CjwMlvpelJZuNesD00Dh7hR-6g8a10PBhwbwkirSh1AtE0GfrvbXq1iPP-SQz0wFWTZ2cSe8esWOm4gU3UCo2yH2xuNnP2ovUAQvnZLhLOggqkmydAjbq23hZPoObVVQ4DWQ41NnWzcN4juoW4pCCWG1UuQPzyJ3wOre73LzVNOEUIEbr1KtkUIDM2Zhwy4-F3YX3gAFaUnp1jtomM8jyypq0T9C5SUqQZP9bQroXPgsN9M6Is7vWoL2angvt5FZDM6FfX6hSFavdEcoDecM36HRCdNsBRsOyOHDS7Nx NL
––
––
malicious
–– –– HEAD 503 81.171.17.144:80 http://areasons.info/?ch=lqr53onF31_iuISojSfure3CWMYz5C2jEhr5LQG7LuNgfJtjQ-EVkddeHuRUjTxsR7JNxOE5uWZBlARIMEj0Z4t5SqN3UTc4ttgpkdSjTxTEgPfUMcAr95_yNX325H_ixb0KuzPVLscBYEcM&ac=jA7nv7VFLcggp7PJPHn8oRFlRaoQxix72JiRoO0GgRxq7FermxYbXkGSX9QYu2w8bSNOnOp7svLp_LocPWys_scJWe-k4TI21moU-AZuRQzqP7nW1srLKALjWqnQMWUEK9W8m1KG39t8lSNim_5a6naR7v--x-vH9uwUYuLhAaV5weZHc7gZpT-Y8027RDwwwI0yyi8wLzIAk1r4831FtRqfKbiBXF_kjvxpnNRv9MeeVDQ7KBjWIiuecNRp1Br_61bWaWf9eh0ZlZjCzM1NomQ0-6cIiLBdBqTp3R1uPTC7UqlenjxSF1gof3Mph_dN7HbNj7YndrL2YMTFaw1vXDKP-XqbOuezIA0YsVo579Jo66M3qVszGHdXUk03LcJ55XZWWYt9byf8Zao2JbxdlLtLeZMuQC1iPkbzCzHcIDP_KDjw7iRjDC3RjtVr6FudSp_mcY364oSDY-NwVycaREOLINsgHzbtVbGS0vuygEfD7beXGS-WdrNF-n80A_5ZJpdM2wWlVclXkLoFI-y9OCAd8ZBFQaQijhZGcZQQ9MBWbSdpBw7l1jYtXbKfZPAPONrXuQxtQQ63YIW3MqjRpTYsqRyvImShK0rR7sZ6CAX1IdH8-jAVMgQA-f2t_NCxd87sK1eu7t2kpQjoBQmxKmNaPBO4YHLQbXVY52g_iXXCFhq5RfjsgadBSARPXDhoE6rRjhN3cDXYmxwTFGu042maYMH8lku-BBeJula4u5UdFhAZkh0YJC5MD0p3wNZ0LGN2CI6T4YLIMLdQ-Z4bwlWRL6hs9ZiLsIonDAKjhZzYLKfOtkG9lreHk0WTDfJ64HwVRyJSvSYOb_154w6Vxu1nyeS_3mKS2dQu0iPzPEt_dRxNqvU03b9YQZQ5F3MHnSsHCzMwCvdjtFy75VeORcE0MlG7qxhvzzpnPZopYJpgNlEm03XANcCN5DUwsdvCiojIf0A3QekT34gwYD1Z4ZaOZ9zkmbyU7ndR1agbmJt8GAIclyGv85TarW0BQHGl9wZDdqp2gA4J4sx1o4dEeXLfo8wD_EA_Fq2EX5S2OyVkUuWvmydrbaUtjRBdFNtRcoALp06o0AmEdwiUgicu8egPv68fZDusWYC1De3mf2qHGMnCB0ymna_LiTm_p_6g751dch1QlLQzUkjdkodhrGc45gd4NyNqqPAWavFCspKwIepA71Z9bHB9ZQP2cOF6EuMhtPM62WLVMPbanoMp_h7sfZ6DDVslzVeiWz5hgaXxKel8xBomMIcO4WFyKFGlIhkrcXB3hh_pirOVchrkU-S6&tr=iOmkb8rNdSdZy8sGjnMmtLzezvYsjzg5CjwMlvpelJZuNesD00Dh7hR-6g8a10PBhwbwkirSh1AtE0GfrvbXq1iPP-SQz0wFWTZ2cSe8esWOm4gU3UCo2yH2xuNnP2ovUAQvnZLhLOggqkmydAjbq23hZPoObVVQ4DWQ41NnWzcN4juoW4pCCWG1UuQPzyJ3wOre73LzVNOEUIEbr1KtkUIDM2Zhwy4-F3YX3gAFaUnp1jtomM8jyypq0T9C5SUqQZP9bQroXPgsN9M6Is7vWoL2angvt5FZDM6FfX6hSFavdEcoDecM36HRCdNsBRsOyOHDS7Nx NL
––
––
malicious
1304 osc.bin.tmp GET 200 81.171.17.143:80 http://inwindon.club/?ch=mMdwspvdIvc1ZukXb06H8IZIOCnM-CQVn16kWF1hyTt1-1floPfuMg7BQsJaETpM8Ya2NX5i-ijal2m2k8ovkcvHs2rCkMCS2C66dSHdU7XCYj6liURShky77z2XC3QUVv9WOMIvHkP8aHhV&tr=h5oAlne2Knti1-MOe6pns8U16Z5JsTs2S2qxR57XolaUVTM4QrAkRDHUnqQoHpYB5mpgIx0-uUOwi2GE2eOeumPOoQX78iFxgj-7ZzteL8QN07kmB7RNyo-ZhTam8rVcS-8X9LO_QENEfrt22_V1S4MQGDpeDkJoRXzTuQMmHkTG6NXJM5Phyp_l2_cDZ7a-Shk4fBSNCvgftrioZgazk2HMNpK7BkixbX7GmNJtT8RVghn3y5KtNTeZbKNBsF0wyL4_1kNjOEAFeH1e1R7w3JOeBp-nvPqVfo8s4pdxfYFvTMCNDX3VNE4jJyKKY6gMX6-UQ4Io&tf=lo21TZ4GpH5yuXXf0uT0aPQinlHMNqi6MqMOeKl7vYDFJhXaUf23wO218tJkMTX1U0-F_RzE4Npej8g_uKJZrqKi6haVd9hRj7f1EFJstwyR9JDQeSbf26Mx2-hOkUws2uc_Jbnd-oK9UbABRzdO_OF-2rJvbEPleI-OtvmowzJQ5A7GuW218q71pSwk79DWDv7C13ogywoDvBc2f3euhX_raH10YEcM&av=PzQ4N2af2oUktOwktJcdUxtngIytbFaf7MUd7rgHADZudXGCcGaquYXPujrcv0dUEfD5jLOy59zPtSRuI7chRGNcHCFUJs871YyAkxhmBpOlwI3NIWuiI1zHb8dpJ6kNmCzd69IcqiAWY4TaRuY4xZ_8wz8FvA3Z5MaJgwQQ&sp=sTb_ejdtHhkWJCAbuYzvtqY_paV0cBvU3-DNPVzgsm9CrskqHClYeFajDf-gPwaCZ9GOJM_mjTmYyaiZ3q6lXwPW6veryUoaLdIwekuHrKIGw0a0aWusjTWwk591ynblP_-xAQij9Mq_7onCwefIHNiE-xkEAsKL0m9JkEOlbiM-liYjn45_9p3yjyRj4Thput0WkzDUmZ_L&ac=&fl=pse.xa NL
binary
suspicious
1304 osc.bin.tmp GET 200 81.171.17.143:80 http://inwindon.club/?ch=j5jv72yOlKFbt9bxlv-yw_r6ubPill_iZebpDcHl_vfqJG8qsfZ5ohWrH3d3i09BAbcCvRQkHtuEduxw2Hhrc7-tj6pAQIE1NgQKsrR_q1NLAK2e4V5O15KqHmjWn7Nq6sEFBUXOh9pFU-S6&tr=cX1a2QPvz-n2ZJ9xzJEHByIk_V8m35sSxGcPFj6b_gWMLeYPyfcHtJ2L-yboiWRKgttIsgem8cAm7eeDGMF83b3I1RzzlUZbbg074dTG4WHSKYjGq_Rz7P0rCZnePhHIuYZ7AnO0jAdM5acZwubZ4dfuuVJvnOR7RM--Qtn0YisuscXc5vemeaCtGqmY8VMxeEFbq8-4s6HE5vOLaii4VdvoDtcNVt1a2A584pP7GqDnlNCNaWb0AJaG3_NEbawI4xltEA3R88j-VBu60aLjtG14hMF8xe7kG7p_MtXTOTIiQNixzfjCcgxOw9JkhLR0GCTUGpv7&tf=01iIgCvxYrCWDMFuPdiLo5Kk5TpHE_-DV0IffJhVRzXJtDxEB6n_Nl_Mg5KGk0ldOrF1AgPzTWQMzWl5y2adzg1dhWZF1ojxxmvD_6uo1k4wU18V5LQSPogtDhgxM4-IH9PsaLoklGuj9N6HklhuvMZBTYwUOGDMx9xzTbo4uGMcFo3BUCEE3ImE4DjyfUoz0jy7NJcj5jZ4CPRLXFim9DbszG7jgQww&av=8kYuWNtOVUAy5NHl1TjoOT3tmlLNrIy_z0RIWVzYomHWihDQ54tCFyuiGOBm1QVLeFNVNTQjD1U0A3wuNfzk5UFaA2WtQHq9J5C6Eb2KE8imSz__CT2U2MhmRe1trdkpl5p10HEkKzKwjN7lsVNT-MrVaCS5AgSfaxUtwoY4&sp=x37hp8rBo050VPgTYlhLGwKxrL5qzW2Ciay3iuPQhDyOshXam73QdrutgkuiSeFefKAPPEL2HCcn8JfyNQiS3j59msmEdiQq1-sVTLSMpW-20prpYfVj9JNZ-P2Yu-AG8JUyOx2EfOKPip-S9qkbVGf4RazprX2WBwvlo8GGXjPHtxyD3CV2p2CS735K9FIE_94MOQtlwoY4&ac=ntEefs1HrJWuuYzm-VNz8J94R9jc19aUSMhlOTJoxCCiTqxbyX_jbqrjLV-N6n412GjJwQsYkt9W9PeFYsoGVFAUtM5Ji-hMgFSnHA2-4WxwcrFDvV1PWpalYObFiRbRu-QlDW2OPcEAgt9DIhih9yPPdsD96w-8Hu5tuDDJpC8w50T-GifT5NuW5MBUKnUqqta2K9ECf_KcH4eWdV5FYfZIUBj5penU-4JGzoq2vjz4DuLASUk11_t9u4YlqdRVtQafhjhCRePfRvhtSkcFXMaHmC5yLJfW7BS_1OCSWwWSzIssXtV6-6v7AR46egMKcfeENCvKRzmy21QXfdLG_4Vvn9W0AMvPQ0toSUJf7prJSFtA1bE6zKJR45_Yv64qLmhH5Wxr1aEEzBdl0nOhbTdTw3BaD_NEXGMjdGh-J9PqNYZ1H7px9xzY3yPcPeTSJkAzvF5j9Bxx9kPEadjXJxKvjWvYdSgLM_Pg8hls9B_L7QvlhHPRqT9bKR4wCKwd59oBQOoucGTQNCqFP9BsSPjsScs6rZS-jp4uTFQ8jmXUTK2D53dgaLS6stO5pDjkNHGpp9-Xms4XmIAnqdzZSwN3QJ_qHx-pW2Zzhszkv2njz6faJAiOiTkA3RL0JgPGjfDQzmXHLpaR5SZ4EIR1IcNeYMVWn5xZlMDVlMNg7b1Binc761GAP-NmYNLj4gCNut_-Okp7_fGD9kWbX6reZosY2DkmzWNEsMnBwKszjA5GFNohVfz33AQwalM0ZRB6m3N5CnBdV0NWfUwCjfNI_8kOXSy9aj0mfzLv11fOaWl5OSYk_9D0AL_rf8PMqUFAde1v25DqGrsyc
JG2A_a55gIYTlncBgvZU9kRxx51aizJovykJznK1CAJCe8XdCMVSBQja9Eb238tgfG0f_wba42KIsaA0QuUH0Vl_INVN0d_ucL6GQ4oK2yZJ7tbTVO5zk1-2S4qiuGMFsM0knDsm604oHqHAhD9tDuOy8g1tcY8aHcYkNppeoW2QoXvRNanEBexsfI2E-W7ohWV_GPKj8VgJNVLANZavsU8T6v_6TARlnAMihJGb4WLgE5ev-7kKS2WV6fQ_rd0hQ9Q_k0jyNHK9VVKqMV66Dv86BJYu4-Rk4Bg5vrUW4LoxeoeJra1b6oTsYfpl3bobDu67yI-_rii5D-xqNaBNKyIEIbL3sN5iD4prkxIgF1W1WfWkaefvIjG0Ny2FIQmF7Gdv0sjyrFeRO_Lztt-5R0u7Q1gEONoBnqE31GWByW-kpGrDgm9-rhQLjqeWQUCbEIPpn9l5LeihSt8cKme&fl=na.xa NL
binary
suspicious
3452 MsiExec.exe POST 200 104.27.140.75:80 http://tm1.eventincoandhar.info/ US
text
text
malicious
3452 MsiExec.exe POST 200 199.217.118.146:40000 http://krsewiq.com:40000/tickets US
prg
––
––
malicious
3452 MsiExec.exe POST 200 104.27.140.75:80 http://ins1.eventincoandhar.info/ US
text
text
malicious

Connections

PID Process IP ASN CN Reputation
1136 osc.bin.tmp 104.31.93.189:80 Cloudflare Inc US suspicious
1304 osc.bin.tmp 104.31.93.189:80 Cloudflare Inc US suspicious
–– –– 81.171.17.144:80 LeaseWeb Netherlands B.V. NL malicious
–– –– 81.171.17.143:80 LeaseWeb Netherlands B.V. NL suspicious
1304 osc.bin.tmp 81.171.17.143:80 LeaseWeb Netherlands B.V. NL suspicious
3452 MsiExec.exe 104.27.140.75:80 Cloudflare Inc US malicious
3452 MsiExec.exe 199.217.118.146:40000 server4you Inc. US malicious
–– –– 104.27.140.75:80 Cloudflare Inc US malicious

DNS requests

Domain IP Reputation
tm1.onesystemhost.info 104.31.93.189
104.31.92.189
malicious
ins1.onesystemhost.info 104.31.93.189
104.31.92.189
malicious
ins2.onesystemhost.info 104.31.93.189
104.31.92.189
malicious
credicalls.info 81.171.17.144
unknown
areasons.info 81.171.17.144
unknown
inwindon.club 81.171.17.143
suspicious
tm1.eventincoandhar.info 104.27.140.75
104.27.141.75
malicious
krsewiq.com 199.217.118.146
malicious
ins1.eventincoandhar.info 104.27.140.75
104.27.141.75
malicious

Threats

PID Process Class Message
1136 osc.bin.tmp Misc activity ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
1304 osc.bin.tmp Misc activity ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
1304 osc.bin.tmp Misc activity ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
1304 osc.bin.tmp Misc activity ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
3452 MsiExec.exe Misc activity ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
3452 MsiExec.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Jetmedia.A
3452 MsiExec.exe Misc activity ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer

6 ETPRO signatures available at the full report

Debug output strings

No debug info.