General Info

File name

temp.vbs

Full analysis
https://app.any.run/tasks/cffc1599-4892-4b13-85a9-7719eb1e24db
Verdict
Malicious activity
Analysis date
7/11/2019, 16:34:30
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

loader

netsupport

unwanted

Indicators:

MIME:
text/plain
File info:
UTF-8 Unicode text, with CRLF line terminators
MD5

b4a5edcf8bbd2415f41e412cc72da63c

SHA1

63e1419bf665ff621e2c7f149a32cc84ddd71728

SHA256

590ab0dae68ce55e1551b1227ade50b16eae76059a49b3eeae05ad4c793ae791

SSDEEP

192:UsVJ7dgJYI34bNx/gsY49gQm/729g32bjeikHIBkVKokCxo4kIWRkFn7vvvtvrve:5VJ76J734pxTfeikHIBkVKokio4kIWR/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • client32.exe (PID: 3776)
Application was dropped or rewritten from another process
  • client32.exe (PID: 3776)
  • WinSupport.exe (PID: 2596)
  • KB24115436.exe (PID: 2460)
  • temp50.exe (PID: 3016)
Downloads executable files from the Internet
  • WScript.exe (PID: 3028)
Downloads executable files from IP
  • WScript.exe (PID: 3028)
Writes to a start menu file
  • WinSupport.exe (PID: 2596)
Connects to CnC server
  • client32.exe (PID: 3776)
Executable content was dropped or overwritten
  • WScript.exe (PID: 3028)
  • temp50.exe (PID: 3016)
  • KB24115436.exe (PID: 2460)
  • WinSupport.exe (PID: 2596)
Creates files in the user directory
  • KB24115436.exe (PID: 2460)
  • WinSupport.exe (PID: 2596)
Reads Internet Cache Settings
  • client32.exe (PID: 3776)
Uses ATTRIB.EXE to modify file attributes
  • temp50.exe (PID: 3016)
Connects to server without host name
  • client32.exe (PID: 3776)
Drops NetSupport executable file
  • WinSupport.exe (PID: 2596)


Processes

Total processes
43
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

(Graph image not reproduced.) Nodes: wscript.exe, temp50.exe, attrib.exe (no specs), kb24115436.exe, winsupport.exe, client32.exe. Edge labels, in the order shown: download and start, start, drop and start, drop and start, drop and start.

Process information


PID
3028
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\temp.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\temp50.exe

PID
3016
CMD
"C:\Users\admin\AppData\Local\Temp\temp50.exe"
Path
C:\Users\admin\AppData\Local\Temp\temp50.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Piriform Ltd
Description
CCleaner
Version
4, 11, 00, 4619
Modules
Image
c:\users\admin\appdata\local\temp\temp50.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\temp\kb24115436.exe

PID
3492
CMD
attrib +h +s C:\Temp
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
temp50.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2460
CMD
"C:\Temp\KB24115436.exe"
Path
C:\Temp\KB24115436.exe
Indicators
Parent process
temp50.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Qihoo 360 Technology Co. Ltd.
Description
360 Total Security
Version
10,0,0,1160
Modules
Image
c:\temp\kb24115436.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport.exe
c:\windows\system32\sfc.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
2596
CMD
"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe" -pjf74idD
Path
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe
Indicators
Parent process
KB24115436.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\codeintegrity\winsupport.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\client32.exe
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sfc.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll
c:\windows\system32\netutils.dll

PID
3776
CMD
"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe"
Path
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe
Indicators
Parent process
WinSupport.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
NetSupport Ltd
Description
NetSupport Client Application
Version
V12.10
Modules
Image
c:\users\admin\appdata\roaming\codeintegrity\winsupport\client32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\pcicl32.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\shfolder.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\pcichek.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\msvcr100.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\pcicapi.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\dbghelp.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\cryptpak.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\tcctl32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\htctl32.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\pcihooks.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\users\admin\appdata\roaming\codeintegrity\winsupport\pciinv.dll
c:\windows\system32\msimg32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\msi.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\program files\ccleaner\ccleaner.exe
c:\program files\google\chrome\application\chrome.exe
c:\program files\dvd maker\dvdmaker.exe
c:\windows\system32\linkinfo.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\devobj.dll
c:\program files\filezilla ftp client\filezilla.exe
c:\program files\mozilla firefox\firefox.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\java\jre1.8.0_92\bin\javaws.exe
c:\program files\windows journal\journal.exe
c:\program files\common files\microsoft shared\ink\mip.exe
c:\program files\windows media player\wmplayer.exe
c:\program files\microsoft office\office14\outlook.exe
c:\program files\opera\opera.exe
c:\windows\system32\ie4uinit.exe
c:\program files\microsoft office\office14\msaccess.exe
c:\program files\common files\microsoft shared\office14\msoxmled.exe
c:\program files\microsoft\skype for desktop\skype.exe
c:\program files\microsoft office\office14\mspub.exe
c:\program files\notepad++\notepad++.exe
c:\program files\videolan\vlc\vlc.exe
c:\program files\microsoft office\office14\ois.exe
c:\program files\microsoft office\office14\onenote.exe
c:\program files\microsoft office\office14\powerpnt.exe
c:\program files\windows sidebar\sidebar.exe
c:\program files\common files\microsoft shared\ink\tabtip.exe
c:\program files\windows mail\wab.exe
c:\program files\windows mail\wabmig.exe
c:\program files\winrar\winrar.exe
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\program files\common files\microsoft shared\ink\shapecollector.exe
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\program files\filezilla ftp client\uninstall.exe
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\program files\java\jre1.8.0_92\bin\javacpl.exe
c:\program files\common files\microsoft shared\office14\office setup controller\promo.exe
c:\windows\system32\tapi32.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\dxdiagn.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\d3d10.dll
c:\windows\system32\d3d10core.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dsound.dll

Registry activity

Total events
2779
Read events
2717
Write events
62
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableFileTracing
0
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableConsoleTracing
0
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileTracingMask
4294901760
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
ConsoleTracingMask
4294901760
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
MaxFileSize
1048576
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileDirectory
%windir%\tracing
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableFileTracing
0
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableConsoleTracing
0
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileTracingMask
4294901760
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
ConsoleTracingMask
4294901760
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
MaxFileSize
1048576
3028
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileDirectory
%windir%\tracing
3028
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3028
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
(binary value not shown in this copy of the report)
3028
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3028
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3016
temp50.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
2460
KB24115436.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2460
KB24115436.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2596
WinSupport.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2596
WinSupport.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
EnableFileTracing
0
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
EnableConsoleTracing
0
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
FileTracingMask
4294901760
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
ConsoleTracingMask
4294901760
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
MaxFileSize
1048576
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASAPI32
FileDirectory
%windir%\tracing
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
EnableFileTracing
0
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
EnableConsoleTracing
0
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
FileTracingMask
4294901760
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
ConsoleTracingMask
4294901760
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
MaxFileSize
1048576
3776
client32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\client32_RASMANCS
FileDirectory
%windir%\tracing
3776
client32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3776
client32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
(binary value not shown in this copy of the report)
3776
client32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3776
client32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3776
client32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3776
client32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
@"%windir%\System32\ie4uinit.exe",-738
Start Internet Explorer without ActiveX controls or browser extensions.
3776
client32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111
Performs object-based (command-line) functions

Files activity

Executable files
49
Suspicious files
8
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
3028
WScript.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\1[1].jpg
executable
MD5: b4c837b395483e5f430d00000b1d4c31
SHA256: 3f47f2175f27c02c36e7aa9fd485ef30bb03531e3c0f5d176f727e46b3a80c72
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\Nbctl32.dll
executable
MD5: 96d283f596f720c7bdce0564030fd242
SHA256: 8ed968d09ae10f2aebc75d8b4d93e214ed3b38ff3af4e4f6ffbe52577c6bd281
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCIinv.dll
executable
MD5: 4a92f7d4924fda20d6a60096c59c282b
SHA256: 443dfc6205d85b1c32bb38aa9734a5e18bbbc8526c869552331b2d81b9b0c032
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\HTCTL32.DLL
executable
MD5: 2d3b207c8a48148296156e5725426c7f
SHA256: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCIMON.DLL
executable
MD5: 49549e31838886d755af38995b0c263d
SHA256: 47271356af5597a6704c654c5bc42a05a7cca9fde928b99f121ddc86bec71aa5
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCIHOOKS.DLL
executable
MD5: 3eedd8357b86b6a2f90188063e33d797
SHA256: 574eda2b8561364445e38f59ba93fb12210d07e1f80347bf67abb2a87e6891e9
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcimonhook.dll
executable
MD5: 8c72f88ae953a8fbb33e885b7334e3d1
SHA256: 14dce1aeeea19bd346fc2e320e8b50449a48eb1e455e5faf8a29166b1d61c21f
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\IPCTL32.DLL
executable
MD5: 67184a4406f5ecb71c21583987038708
SHA256: e70cb83658b4fb9f7266ccf528219c835f0efbe5e06872d4f5fad8cd496b71f2
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcisys.sys
executable
MD5: 4b5f06667db76849628ddf0027d3bcf4
SHA256: 0adfd29f255a071706ef207d720bd206458168d535758216222925c3b3d89c95
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\CryptPak.dll
executable
MD5: 92fd46bd92d218ee3f1e800c1c5daef8
SHA256: 7e6616f762ab9f9850090d1c89507d2851222cfa1ff66982f84ac214c6fde570
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nsmexec.exe
executable
MD5: eb0e2ecaa54f94233735c0c353166362
SHA256: 2634a91c1a844f53598f83ba0f3381dfb062a3986391454a70ffcecd8d581590
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBBR32.DLL
executable
MD5: d91b5be1c3426035eab693dec962fbf7
SHA256: 80ee52d07ff8ccb745c6cb67b44523b6d38a3a3086a826c890080b79415f5124
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\gdihook5.dll
executable
MD5: 367a4e8f632f0f1d05b8ab9922dab331
SHA256: 8423c1be72387638c0143b8bc0edc91a9f4ad7262af8baec1c2464ec45be98a0
2596
WinSupport.exe
C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcigina.dll executable MD5: bbcecda514b5e4070bee6a1aeb86d99d SHA256: b312cfc8995e1ea1654639618c931b9c8aaf791be87337949343e3fa0825c312
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCIMSG.DLL executable MD5: 9d941b1a72abaa8cde01720eac699f2c SHA256: 43b95c63be137a64329b346027a647959779d28074870972548f30dcd73c4370
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\msvcr100.dll executable MD5: 0e37fbfa79d349d672456923ec5fbbe3 SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\DBI.EXE executable MD5: 5d64121ab6415ec11effbd6d6761d46a SHA256: 689facaf0e03034c42be4a4473e806bcd5272a40d7cf4e8b09083fff8744f278
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pciconn.exe executable MD5: 00ad420e7d2d2bd5e889aaad47eac553 SHA256: 378a03b6dbf7bd00bf0545378e10ab4b8fbd8d8f3f8273ca1adfc592f5a8e368
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pscrinst.dll executable MD5: 4725834d0416c9cbd376ff01f94f90f9 SHA256: 7e69de5b431e68536124f70815726773d4b8400d6999b1f5d891e44a67ccbab4
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA0.DLL executable MD5: 00d5990a151db3d1d59bb4e1f0e7a04f SHA256: 109dce2fc3d0a99c8086595a4a33286c4c3bf4283a28068f88ab581cf2ec8c1f
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\gdihook5.sys executable MD5: 85ed5e4fa9a8b4776fa82b8bef5f2791 SHA256: 044f4a62b98a132de1f752fb33d654640d09221e74ebe1c062e6a276d22e5b69
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCICL32.DLL executable MD5: 00587238d16012152c2e951a087f2cc9 SHA256: 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\shfolder.dll executable MD5: c9e2eebb7bd947fb6499c7637cedd16d SHA256: 24083daed66232a64c5219eb134bd8fab914c37aeb3c31376b3cea19b4259d18
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA6.DLL executable MD5: 20a6e4318b4e0b342f0b93255c418c82 SHA256: 1a553ac404a36dfaa372ac6f0de0987ed1bb17bf6e927092bb4130e9dd4b1133
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\clhook4.dll executable MD5: 6f787b2a2930ef76c468ee410adc86a3 SHA256: 47e7c7c11b8a8fab19f4f30c2f023b741e6057190b80a928e48d37af0e08ad16
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCICHEK.DLL executable MD5: a0b9388c5f18e27266a31f8c5765b263 SHA256: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\remcmdstub.exe executable MD5: 2a77875b08d4d2bb7b654db33a88f16c SHA256: 8ad9c598c1fde52dd2bfced5f953ca0d013b0c65feb5ded73585cfc420c95a95
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA4.DLL executable MD5: ffadb11ce73295fea7b4585a3bd927a9 SHA256: b6f85fff5bad3b6a1b75b5a4b3b34ef3db132c8be024894c175ac196b6c57be0
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe executable MD5: 8d9709ff7d9c83bd376e01912c734f0a SHA256: 49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcicfgui.exe executable MD5: f44ebf7a82367c7b2d0702ad89bde583 SHA256: a1712260440eb8840da37854c374c7f4f6542c6ec16df61784428efbab658830
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\TCBR32.DLL executable MD5: b2a48c7fce59592ee7ad50472987ec9f SHA256: 5eff3856b5e15826e2eed7c22e5fd8ca411b03c38b28672e003947414f515678
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA3.DLL executable MD5: 881ffb9fa34ce6b7f5239a4241609774 SHA256: 9298eb3fadb19786be826159dd2103a84927b8f4dc3613e159724e19a47e398b
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\AudioCapture.dll executable MD5: 771e97f76e213ed2d2b0b7c6639e1c68 SHA256: 8af1dd14b521d96d711b0ec5e1651d961b5f0d6ac18fbee3ef66e065e9766f72
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA1.DLL executable MD5: 591d271da2b308cc83f06a3fc3cd0cc5 SHA256: 41ed0449f1d00fdcf0ed749437bd273610fffcaa34d7f51aab7542677c8e4a6c
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\VolumeControlWXP.DLL executable MD5: 489ec38ad9fac51a445fd706da4737cb SHA256: 15e8e30d4d997a1b3e09c87a833be8f8c05b7754398709fea6a08f5b04f83b43
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA2.DLL executable MD5: 739ee44735a13414649cf9d8aec2effb SHA256: 7d5c2a71d6551df029de3aeca5b620171ca560800b9bab8942164e198cf2d469
2460 KB24115436.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe executable MD5: 94cc7202ee76e7d650414ede964ebd9b SHA256: 195e3d2424ab364edce6f54ccc3d21641cc6b3323ce01358951e98a064d8e85d
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA5.DLL executable MD5: 3d227920379218138db4bfe1bd6c3da2 SHA256: 903ebcbc1eda6d1308f19531f9c5f5a8cf620dcc7a68da4d40d56d111a12df20
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\TCCTL32.DLL executable MD5: eab603d12705752e3d268d86dff74ed4 SHA256: 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NBCTLA7.DLL executable MD5: ab45c36683663336434f96d2ac97c65a SHA256: d6ed416b516b9b1002d84ce344039c86b3bbcceffb36fdf70e063ff6b85bdb90
3016 temp50.exe C:\Temp\KB24115436.exe executable MD5: 29b47d1f3d4417b4e50e5b1c0005298b SHA256: aacadf7b3bfc2ac8a9a342e5372c77218efa9c67602c3a15441094170a5f52d4
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\pcicapi.dll executable MD5: dcde2248d19c778a41aa165866dd52d0 SHA256: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\WdfCoInstaller01005.dll executable MD5: f9cf2db8b99dc50eab538c4d860ac1a4 SHA256: 865864a32aee78e588764f37847522fdb0bd1940ecd73b3c49d8f68b4d5bad71
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nskbfltr.sys executable MD5: 21864538f3a0992152d0d889837df58b SHA256: 8bd445ee6ddb44e88fe8b650111997004c86bdcfd9e6b16e063c67b32eb8e66b
3028 WScript.exe C:\Users\admin\AppData\Local\Temp\temp50.exe executable MD5: b4c837b395483e5f430d00000b1d4c31 SHA256: 3f47f2175f27c02c36e7aa9fd485ef30bb03531e3c0f5d176f727e46b3a80c72
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NSToast.exe executable MD5: a1ed96625d5714c5700290aa952b1986 SHA256: d4becbba58d0a594f96e3670abc907a60dfdc5f90ebe843626012a44506bd3a9
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nspscr.sys executable MD5: 8822efbbf1cf663bd3b70510adff15d5 SHA256: 50401bc698658360de5eb23c38648e06f81235c98612a1eaac9f65718d72e200
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\IPBR32.DLL executable MD5: 7597d4434eda66a2d118279cca71881e SHA256: 46aab21e20c6d2b2bef9baf26ea746186f5a5894cae04a2c0ed56160ef6874ee
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCIVDD.DLL executable MD5: 93bd1d145701c19394cce7b54e241631 SHA256: 19c56caee0519fd60c353fcf6ece8344fa09a652a0a3c88840aab94d6a0ecf43
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lnk lnk MD5: b8c580892f9293d65ce9b035dda40bea SHA256: a173b06445d1a92863c1d2208b73ab125fb7211e69a8b0c611c1ef438668d318
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nspscr.inf binary MD5: 967d9bd8558dca9df7f4fdd6f3284db5 SHA256: 914ea51fd68d4b872f9a1c9ca002081418e36a8cceae92772fb458625d823bfb
3776 client32.exe C:\Users\admin\AppData\Local\NetSupport\NetSupport Manager\USER-PC_HF.bin binary MD5: 8399b4121cb52137e16dd11c75b9e978 SHA256: 08b2170ce78d992790b64497f3a03f3ae324fa5c4c1a2a5ce2f660a9b3456f1c
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\gdihook5.INF binary MD5: 703c7774b981e5d02e058340a27a5b75 SHA256: 4cfca868959f4e1b85bfd6b8a970ae06c0810d9c341f260df3ab8479089500e9
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.ini text MD5: 182318fa51db5daa7008f8ed91f3fda9 SHA256: 00c60d416c139f841e1be8a1f5469c7747a62a78ccac4aff82b4b9ee4b2bef33
3776 client32.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\loca[1].htm binary MD5: c0cb5f0fcf239ab3d9c1fcd31fff1efc SHA256: d03502c43d74a30b936740a9517dc4ea2b2ad7168caa0a774cefe793ce0b33e7
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\Control.kbd binary MD5: 4d9e1c4b8a78f4c8d6ce5235d42c8f1e SHA256: 6d098726cbcdb392bc3a43d4d218072f5cadd4b82d83ada87bce65f7642af602
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\nskbfltr.inf binary MD5: 26e28c01461f7e65c402bdf09923d435 SHA256: d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368
3776 client32.exe C:\Users\admin\AppData\Local\NetSupport\NetSupport Manager\USER-PC_SW.bin binary MD5: e8229ffc59e23d1e19ed2e741944e2d5 SHA256: 43386dad0855378cab839741bb7968490f97b5452372be13f9ce07127d2d3bd7
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NSM.ini text MD5: 88b1dab8f4fd1ae879685995c90bd902 SHA256: 60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92
3776 client32.exe C:\Users\admin\AppData\Local\NetSupport\NetSupport Manager\USER-PC_HW.bin binary MD5: 868746aa93df1a0c3aa80a2666a6c154 SHA256: 2efc17218f295f1a0e29af1565a5cb4f00aed7498b6fac5ef55822d7e1b9c78b
2596 WinSupport.exe C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NSM.LIC text MD5: 7067af414215ee4c50bfcd3ea43c84f0 SHA256: 2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12


Network activity

HTTP(S) requests: 22
TCP/UDP connections: 6
DNS requests: 5
Threats: 33

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3028 WScript.exe GET 200 45.12.215.157:80 http://45.12.215.157/images/1.jpg unknown executable suspicious
3776 client32.exe POST 200 5.45.73.63:4151 http://5.45.73.63/fakeurl.htm NL text binary suspicious
3776 client32.exe POST 200 5.45.73.63:4151 http://5.45.73.63/fakeurl.htm NL binary binary suspicious
3776 client32.exe POST –– 5.45.73.63:4151 http://5.45.73.63/fakeurl.htm NL binary –– –– suspicious
3776 client32.exe GET 200 195.171.92.116:80 http://geo.netsupportsoftware.com/location/loca.asp GB binary malicious
3028 WScript.exe GET 404 45.12.215.157:80 http://45.12.215.157/images/2.jpg unknown html suspicious
3776 client32.exe POST –– 5.45.73.63:4151 http://5.45.73.63/fakeurl.htm NL binary –– –– suspicious
3028 WScript.exe GET 404 45.12.215.157:80 http://45.12.215.157/images/2.jpg unknown html suspicious
3028 WScript.exe GET 404 45.12.215.157:80 http://45.12.215.157/images/3.jpg unknown html suspicious
3028 WScript.exe GET 404 45.12.215.157:80 http://45.12.215.157/images/2.jpg unknown html suspicious
3028 WScript.exe GET 404 45.12.215.157:80 http://45.12.215.157/images/3.jpg unknown html suspicious
3028 WScript.exe GET 404 45.12.215.157:80 http://45.12.215.157/images/4.jpg unknown html suspicious
3028 WScript.exe GET 404 45.12.215.157:80 http://45.12.215.157/images/2.jpg unknown html suspicious
3028 WScript.exe GET 404 45.12.215.157:80 http://45.12.215.157/images/3.jpg unknown html suspicious
3028 WScript.exe GET 404 45.12.215.157:80 http://45.12.215.157/images/4.jpg unknown html suspicious
3028 WScript.exe GET 404 45.12.215.157:80 http://45.12.215.157/images/5.jpg unknown html suspicious
3776 client32.exe POST –– 5.45.73.63:4151 http://5.45.73.63/fakeurl.htm NL binary –– –– suspicious
3776 client32.exe POST 200 5.45.73.63:4151 http://5.45.73.63/fakeurl.htm NL text binary suspicious
3776 client32.exe POST 200 5.45.73.63:4151 http://5.45.73.63/fakeurl.htm NL binary binary suspicious
3776 client32.exe POST –– 5.45.73.63:4151 http://5.45.73.63/fakeurl.htm NL binary –– –– suspicious
3776 client32.exe POST –– 5.45.73.63:4151 http://5.45.73.63/fakeurl.htm NL binary –– –– suspicious
3776 client32.exe POST –– 5.45.73.63:4151 http://5.45.73.63/fakeurl.htm NL binary –– –– suspicious


Connections

PID Process IP ASN CN Reputation
3028 WScript.exe 45.12.215.157:80 –– suspicious
3016 temp50.exe 185.212.130.9:443 Virtual Trade Ltd NL malicious
3776 client32.exe 5.45.73.63:4151 Serverius Holding B.V. NL suspicious
3776 client32.exe 195.171.92.116:80 British Telecommunications PLC GB unknown

DNS requests

Domain IP Reputation
avheaven.icu 185.212.130.9 malicious
geo.netsupportsoftware.com 195.171.92.116, 62.172.138.35 malicious
dns.msftncsi.com 131.107.255.255 whitelisted

Threats

PID Process Class Message
3028 WScript.exe A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3028 WScript.exe A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3028 WScript.exe A Network Trojan was detected ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3028 WScript.exe A Network Trojan was detected ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3028 WScript.exe Potentially Bad Traffic ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3028 WScript.exe Misc activity SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
–– –– Potentially Bad Traffic ET INFO DNS Query for Suspicious .icu Domain
3016 temp50.exe Potentially Bad Traffic ET INFO Suspicious Domain (*.icu) in TLS SNI
3016 temp50.exe Potentially Bad Traffic ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
3776 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
3776 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
3776 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
3776 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
3776 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
3776 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
3776 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
3776 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin
3776 client32.exe A Network Trojan was detected SUSPICIOUS [PTsecurity] NetSupport Remote Admin

15 ETPRO signatures available at the full report
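The tables above show a recognisable chain: WScript.exe fetches a PE served as /images/1.jpg from a bare IP, the intermediate droppers stage a complete NetSupport Manager client under %AppData%\Roaming\CodeIntegrity\WinSupport, a .lnk lands in the user's Startup folder, and client32.exe then POSTs to /fakeurl.htm on 5.45.73.63:4151 and geolocates itself via geo.netsupportsoftware.com. The hunt script below is an added example written for this page; it is not ANY.RUN output and not NetSupport code. It runs four checks over file-drop and HTTP records constructed from the report (plus one constructed benign record, a client installed under Program Files, to show the rule ignores a vendor-path install). The expected install prefixes, the minimum-component threshold, the 80/443 port list and the benign record are the example's assumptions, not vendor facts.

```python
"""Hunt checks for the NetSupport RAT staging pattern seen in this report.

Sample events are constructed from the report's tables; the rules, paths
and thresholds are the example author's assumptions, not ANY.RUN or
NetSupport vendor logic.
"""
import ipaddress
import ntpath
from urllib.parse import urlparse

# NetSupport Manager client components named in the dropped-file list above.
NETSUPPORT_COMPONENTS = {
    "client32.exe", "client32.ini", "nsm.lic", "nsm.ini",
    "pcicl32.dll", "pcichek.dll", "pcicapi.dll", "remcmdstub.exe",
}
# Where a legitimately installed client is expected to live (assumption).
EXPECTED_INSTALL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

# Constructed file-drop events (pid, process, path, type) taken from the report,
# plus one constructed benign record: a client installed under Program Files.
FILE_EVENTS = [
    (3028, "WScript.exe", r"C:\Users\admin\AppData\Local\Temp\temp50.exe", "executable"),
    (3016, "temp50.exe", r"C:\Temp\KB24115436.exe", "executable"),
    (2460, "KB24115436.exe", r"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe", "executable"),
    (2596, "WinSupport.exe", r"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe", "executable"),
    (2596, "WinSupport.exe", r"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.ini", "text"),
    (2596, "WinSupport.exe", r"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\NSM.LIC", "text"),
    (2596, "WinSupport.exe", r"C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport\PCICL32.DLL", "executable"),
    (2596, "WinSupport.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lnk", "lnk"),
    (4242, "setup.exe", r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe", "executable"),
]

# Constructed HTTP events (pid, process, method, host:port, url, response type).
HTTP_EVENTS = [
    (3028, "WScript.exe", "GET", "45.12.215.157:80", "http://45.12.215.157/images/1.jpg", "executable"),
    (3028, "WScript.exe", "GET", "45.12.215.157:80", "http://45.12.215.157/images/2.jpg", "html"),
    (3776, "client32.exe", "POST", "5.45.73.63:4151", "http://5.45.73.63/fakeurl.htm", "binary"),
    (3776, "client32.exe", "GET", "195.171.92.116:80", "http://geo.netsupportsoftware.com/location/loca.asp", "binary"),
]


def is_bare_ip(host):
    """True when the host part is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def find_offpath_netsupport(events):
    """Group NetSupport client components by the (pid, process) that wrote them,
    skipping the expected install prefixes; require client32.exe plus at least
    two more components so a single stray DLL does not fire."""
    hits = {}
    for pid, proc, path, _ in events:
        low = path.lower()
        name = ntpath.basename(low)
        if name in NETSUPPORT_COMPONENTS and not low.startswith(EXPECTED_INSTALL_PREFIXES):
            hits.setdefault((pid, proc), set()).add(name)
    return {k: sorted(v) for k, v in hits.items() if "client32.exe" in v and len(v) >= 3}


def find_startup_lnk(events, pids):
    """Startup-folder .lnk files written by a process that also staged the client."""
    return [path for pid, _, path, ftype in events
            if pid in pids and ftype == "lnk" and STARTUP_FRAGMENT in path.lower()]


def find_masqueraded_pe_downloads(events):
    """GET from a bare-IP host where the URL ends like an image but the body is a PE."""
    out = []
    for _, proc, method, _, url, rtype in events:
        u = urlparse(url)
        if (method == "GET" and is_bare_ip(u.hostname)
                and u.path.lower().endswith(IMAGE_EXTS) and rtype == "executable"):
            out.append((proc, url))
    return out


def find_gateway_beacons(events):
    """POST to /fakeurl.htm (the gateway path client32.exe used in this report)
    on a bare IP over a port other than 80/443."""
    out = []
    for _, proc, method, hostport, url, _ in events:
        host, _, port = hostport.rpartition(":")
        if (method == "POST" and urlparse(url).path.lower() == "/fakeurl.htm"
                and is_bare_ip(host) and port not in ("80", "443")):
            out.append((proc, hostport))
    return out


def triage(file_events, http_events):
    """Run all four checks and return their findings keyed by check name."""
    staged = find_offpath_netsupport(file_events)
    pids = {pid for pid, _ in staged}
    return {
        "staged_netsupport": staged,
        "startup_lnk": find_startup_lnk(file_events, pids),
        "masqueraded_pe": find_masqueraded_pe_downloads(http_events),
        "gateway_beacons": find_gateway_beacons(http_events),
    }


if __name__ == "__main__":
    for check, findings in triage(FILE_EVENTS, HTTP_EVENTS).items():
        print(f"{check}: {findings}")
```

Run stand-alone, the script reports the four-component NetSupport set written by PID 2596, the Startup desktop.ini.lnk, the image-named PE pulled by WScript.exe and the client32.exe beacon to 5.45.73.63:4151, while the Program Files install is ignored. In a real hunt, replace the constructed lists with Sysmon FileCreate (event ID 11) records and proxy or Zeek HTTP logs; the checks themselves need no change.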

Debug output strings

No debug info.