General Info

URL

https://sxh.yimg.com/jf/dyc/IEinstall/hpset_2018.06.28.01.exe

Full analysis
https://app.any.run/tasks/12a3c9cb-cf72-40a4-911c-5263758db21b
Verdict
Malicious activity
Analysis date
8/13/2019, 17:44:24
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Runs PING.EXE for delay simulation
  • cmd.exe (PID: 2964)
Loads dropped or rewritten executable
  • YSearchSetTool.exe (PID: 3572)
  • webExt_DL.exe (PID: 2800)
  • hpset_2018.06.28.01[1].exe (PID: 2160)
Application was dropped or rewritten from another process
  • YSearchSetTool.exe (PID: 3572)
  • webExt_DL.exe (PID: 2800)
  • nsADF.tmp (PID: 3400)
  • ns30E.tmp (PID: 3604)
  • hpset_2018.06.28.01[1].exe (PID: 2160)
Starts CMD.EXE for commands execution
  • wscript.exe (PID: 384)
Creates files in the user directory
  • hpset_2018.06.28.01[1].exe (PID: 2160)
  • YSearchSetTool.exe (PID: 3572)
Changes the started page of IE
  • YSearchSetTool.exe (PID: 3572)
Executes scripts
  • nsADF.tmp (PID: 3400)
Executable content was dropped or overwritten
  • webExt_DL.exe (PID: 2800)
  • hpset_2018.06.28.01[1].exe (PID: 2160)
  • iexplore.exe (PID: 2468)
  • iexplore.exe (PID: 2888)
Starts application with an unusual extension
  • hpset_2018.06.28.01[1].exe (PID: 2160)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2888)
  • iexplore.exe (PID: 2468)
Changes internet zones settings
  • iexplore.exe (PID: 2468)
Application launched itself
  • iexplore.exe (PID: 2468)


Screenshots

Processes

Total processes
45
Monitored processes
10
Malicious processes
2
Suspicious processes
2

Behavior graph

(Interactive graph not reproduced.) Nodes: iexplore.exe, iexplore.exe, hpset_2018.06.28.01[1].exe, ysearchsettool.exe, ns30e.tmp (no specs), webext_dl.exe, nsadf.tmp (no specs), wscript.exe (no specs), cmd.exe (no specs), ping.exe (no specs). Edge labels: "drop and start", "start".
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2468
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" "https://sxh.yimg.com/jf/dyc/IEinstall/hpset_2018.06.28.01.exe"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\lh043oam\hpset_2018.06.28.01[1].exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
2888
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2468 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\wpc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll

PID
2160
CMD
"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\hpset_2018.06.28.01[1].exe"
Path
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\hpset_2018.06.28.01[1].exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Yahoo! Inc.
Description
Yahoo homepage Set Setup
Version
2018.06.28.01
Modules
Image
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\lh043oam\hpset_2018.06.28.01[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\users\admin\appdata\local\temp\nsr290.tmp\system.dll
c:\windows\system32\riched20.dll
c:\users\admin\appdata\local\yahoo\yset\ysearchsettool.exe
c:\users\admin\appdata\local\temp\nsr290.tmp\nsexec.dll
c:\users\admin\appdata\local\temp\nsr290.tmp\ns30e.tmp
c:\users\admin\appdata\local\temp\nsr290.tmp\nsadf.tmp
c:\users\admin\appdata\local\temp\nsr290.tmp\inetc.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gpapi.dll

PID
3572
CMD
"C:\Users\admin\AppData\Local\Yahoo\yset\YSearchSetTool.exe" /partner=external-oo-hpbanner /yfrc_ie=yset_ie_syc_hp /yfrc_ff=yset_ff_syc_hp /yfrc_chr=yset_chr_syc_hp /ytc=yset_hpiebanner /ytchp=yset_hpiebanner /intl=us /setie /setchr /setff
Path
C:\Users\admin\AppData\Local\Yahoo\yset\YSearchSetTool.exe
Indicators
Parent process
hpset_2018.06.28.01[1].exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Yahoo Inc.
Description
YSearchSetTool
Version
2018, 06, 28, 01
Modules
Image
c:\users\admin\appdata\local\yahoo\yset\ysearchsettool.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\users\admin\appdata\local\yahoo\yset\ysearchutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll

PID
3604
CMD
"C:\Users\admin\AppData\Local\Temp\nsr290.tmp\ns30E.tmp" webExt_DL.exe
Path
C:\Users\admin\AppData\Local\Temp\nsr290.tmp\ns30E.tmp
Indicators
No indicators
Parent process
hpset_2018.06.28.01[1].exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsr290.tmp\ns30e.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\yahoo\yset\webext_dl.exe

PID
2800
CMD
webExt_DL.exe
Path
C:\Users\admin\AppData\Local\Yahoo\yset\webExt_DL.exe
Indicators
Parent process
ns30E.tmp
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\yahoo\yset\webext_dl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\riched20.dll
c:\users\admin\appdata\local\temp\nsd4f2.tmp\inetc.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gpapi.dll

PID
3400
CMD
"C:\Users\admin\AppData\Local\Temp\nsr290.tmp\nsADF.tmp" wscript.exe invisible.vbs checksets.bat
Path
C:\Users\admin\AppData\Local\Temp\nsr290.tmp\nsADF.tmp
Indicators
No indicators
Parent process
hpset_2018.06.28.01[1].exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsr290.tmp\nsadf.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wscript.exe
c:\windows\system32\apphelp.dll

PID
384
CMD
wscript.exe invisible.vbs checksets.bat
Path
C:\Windows\system32\wscript.exe
Indicators
No indicators
Parent process
nsADF.tmp
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sspicli.dll

PID
2964
CMD
cmd /c ""C:\Users\admin\AppData\Local\Yahoo\yset\checksets.bat" "
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
wscript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll

PID
340
CMD
PING 127.0.0.1 -n 1800
Path
C:\Windows\system32\PING.EXE
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
TCP/IP Ping Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll

Registry activity

Total events
1660
Read events
1485
Write events
173
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
2468
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{43170D4D-BDE1-11E9-9885-5254004A04AF}
0
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
2
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307080002000D000F002C0029002702
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
2
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307080002000D000F002C0029003602
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
2
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307080002000D000F002C0029000103
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
11
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
2
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307080002000D000F002C0029005003
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
83
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
2
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307080002000D000F002C002A003300
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
31
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307080002000D000F002D000800CF0000000000
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NotifyDownloadComplete
yes
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePrefix
:2019081320190814:
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheLimit
8192
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheOptions
11
2468
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheRepair
0
2888
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
2888
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019081320190814
2888
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CachePrefix
:2019081320190814:
2888
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheLimit
8192
2888
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheOptions
11
2888
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheRepair
0
2160
hpset_2018.06.28.01[1].exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
clientID
{1943C9D6-E3D3-994B-9A6F-3ED15AEA8101}
2160
hpset_2018.06.28.01[1].exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
firstRun
1
2160
hpset_2018.06.28.01[1].exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
INSTDIR
C:\Users\admin\AppData\Local\Yahoo\yset
2160
hpset_2018.06.28.01[1].exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
checkSetParams
/partner=external-oo-hpbanner /yfrc_ie=yset_ie_syc_hp /yfrc_ff=yset_ff_syc_hp /yfrc_chr=yset_chr_syc_hp /ytc=yset_hpiebanner /ytchp=yset_hpiebanner /intl=us
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASAPI32
EnableFileTracing
0
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASAPI32
EnableConsoleTracing
0
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASAPI32
FileTracingMask
4294901760
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASAPI32
ConsoleTracingMask
4294901760
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASAPI32
MaxFileSize
1048576
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASAPI32
FileDirectory
%windir%\tracing
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASMANCS
EnableFileTracing
0
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASMANCS
EnableConsoleTracing
0
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASMANCS
FileTracingMask
4294901760
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASMANCS
ConsoleTracingMask
4294901760
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASMANCS
MaxFileSize
1048576
2160
hpset_2018.06.28.01[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hpset_2018_RASMANCS
FileDirectory
%windir%\tracing
2160
hpset_2018.06.28.01[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2160
hpset_2018.06.28.01[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000095000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2160
hpset_2018.06.28.01[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2160
hpset_2018.06.28.01[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2160
hpset_2018.06.28.01[1].exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
checkSetParams
/partner=external-oo-hpbanner /yfrc_ie=yset_ie_syc_hp /yfrc_ff=yset_ff_syc_hp /yfrc_chr=yset_chr_syc_hp /ytc=yset_hpiebanner /ytchp=yset_hpiebanner /intl=us
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
intl
us
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
origSP_ie
http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{479C7EAC-7AB0-460A-AD2D-14CC88C2FEFB}
DisplayName
Yahoo Search
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{479C7EAC-7AB0-460A-AD2D-14CC88C2FEFB}
URL
https://search.yahoo.com/search?p={searchTerms}&intl=us&fr=yset_ie_syc_hp&type=yset_hpiebanner
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{479C7EAC-7AB0-460A-AD2D-14CC88C2FEFB}
OSDFileURL
file:///C:/Users/admin/AppData/Roaming/Yahoo/search.xml
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{479C7EAC-7AB0-460A-AD2D-14CC88C2FEFB}
FaviconURL
https://search.yahoo.com/favicon.ico
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASAPI32
EnableFileTracing
0
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASAPI32
EnableConsoleTracing
0
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASAPI32
FileTracingMask
4294901760
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASAPI32
ConsoleTracingMask
4294901760
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASAPI32
MaxFileSize
1048576
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASAPI32
FileDirectory
%windir%\tracing
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASMANCS
EnableFileTracing
0
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASMANCS
EnableConsoleTracing
0
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASMANCS
FileTracingMask
4294901760
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASMANCS
ConsoleTracingMask
4294901760
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASMANCS
MaxFileSize
1048576
3572
YSearchSetTool.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YSearchSetTool_RASMANCS
FileDirectory
%windir%\tracing
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3572
YSearchSetTool.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
origSP_chr
https://www.google.com/
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\jfcjhdijahefmfgcceakfkkialaekpfl
update_url
https://clients2.google.com/service/update2/crx
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
chromeExtID
jfcjhdijahefmfgcceakfkkialaekpfl
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
origSP_ff
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{479C7EAC-7AB0-460A-AD2D-14CC88C2FEFB}
FaviconPath
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{479C7EAC-7AB0-460A-AD2D-14CC88C2FEFB}.ico
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Start Page
https://www.yahoo.com/?fr=yset_ie_syc_hp&type=yset_hpiebanner
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NewTabPageShow
1
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
pendingExtActivates
chr;ff;
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
pendingExtActivateParams
"C:\Users\admin\AppData\Local\Yahoo\yset\YSearchSetTool.exe" /partner=external-oo-hpbanner /yfrc_ie=yset_ie_syc_hp /yfrc_ff=yset_ff_syc_hp /yfrc_chr=yset_chr_syc_hp /ytc=yset_hpiebanner /ytchp=yset_hpiebanner /intl=us /setie /setchr /setff
3572
YSearchSetTool.exe
write
HKEY_CURRENT_USER\Software\Yahoo\ss
successfulSets
chr;ff;ie;
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASAPI32
EnableFileTracing
0
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASAPI32
EnableConsoleTracing
0
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASAPI32
FileTracingMask
4294901760
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASAPI32
ConsoleTracingMask
4294901760
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASAPI32
MaxFileSize
1048576
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASAPI32
FileDirectory
%windir%\tracing
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASMANCS
EnableFileTracing
0
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASMANCS
EnableConsoleTracing
0
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASMANCS
FileTracingMask
4294901760
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASMANCS
ConsoleTracingMask
4294901760
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASMANCS
MaxFileSize
1048576
2800
webExt_DL.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\webExt_DL_RASMANCS
FileDirectory
%windir%\tracing
2800
webExt_DL.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2800
webExt_DL.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000094000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2800
webExt_DL.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2800
webExt_DL.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2800
webExt_DL.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2800
webExt_DL.exe
write
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions
C:\Users\admin\AppData\Local\Yahoo\yset\[email protected]
2800
webExt_DL.exe
write
HKEY_CURRENT_USER\Software\Mozilla\ManagedStorage\[email protected]
C:\Users\admin\AppData\Local\Yahoo\yset\[email protected]
384
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
384
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1

Files activity

Executable files
13
Suspicious files
3
Text files
16
Unknown types
4

Dropped files

PID
Process
Filename
Type
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Yahoo\yset\YSearchSetTool.exe
executable
MD5: 8cf6891b39f55057e958766fcba08f89
SHA256: 3c9971115278e434f0f7d1c0234988ac1ffba2bd5ede32985cea3de135dff773
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Temp\nsr290.tmp\nsADF.tmp
executable
MD5: 37707a29bd8efbeb912019737bb2b584
SHA256: 4751809ef6fd3ced738392e7c5df6d4e3938d85711daa0b52b045b5092913c27
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Temp\nsr290.tmp\nsExec.dll
executable
MD5: b5a1f9dc73e2944a388a61411bdd8c70
SHA256: 288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Yahoo\yset\ypanel.exe
executable
MD5: aaa84f9e858c4bfad3e86807094c030d
SHA256: 41a0c48ac1097c843dca9577c66aca095adbaf2615e40c7dc48c5ac745a8aee7
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Temp\nsr290.tmp\ns30E.tmp
executable
MD5: 37707a29bd8efbeb912019737bb2b584
SHA256: 4751809ef6fd3ced738392e7c5df6d4e3938d85711daa0b52b045b5092913c27
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Temp\nsr290.tmp\System.dll
executable
MD5: 3f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA256: fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
2468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\hpset_2018.06.28.01[1].exe
executable
MD5: 159905dc2c40959349fe72ba2c729b80
SHA256: b3f9edc6d66ebede32029914970e7f657a3084cce1c8776c9e20878ee62f7e84
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Temp\nsr290.tmp\inetc.dll
executable
MD5: 92ec4dd8c0ddd8c4305ae1684ab65fb0
SHA256: 5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
2888
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BGMW763A\hpset_2018.06.28.01[1].exe
executable
MD5: 159905dc2c40959349fe72ba2c729b80
SHA256: b3f9edc6d66ebede32029914970e7f657a3084cce1c8776c9e20878ee62f7e84
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Yahoo\yset\webExt_DL.exe
executable
MD5: b359a583fc4f5cb0ebbe03495d5449de
SHA256: 2b078c508999c9321d9b0155d283d7ef695e560ece8ce55e5863d3cf72ae6b4a
2800
webExt_DL.exe
C:\Users\admin\AppData\Local\Temp\nsd4F2.tmp\inetc.dll
executable
MD5: 92ec4dd8c0ddd8c4305ae1684ab65fb0
SHA256: 5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Yahoo\yset\unset.exe
executable
MD5: 123c7afac8985a90a25e58c7bb4dd301
SHA256: 63fa11cc14cafce8fa7e746e5807b7cacb4b0a515facc13d1bfe1a041558c28f
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Yahoo\yset\YSearchUtil.dll
executable
MD5: 9356f12a9fafb0cfc91213ae727f7b9c
SHA256: eb654863fd6230e2470e66b933675e153e007dab33df8204bf39aaca69b6c928
3572
YSearchSetTool.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 7a7d5df861cd131448965687f580eda2
SHA256: 8a847efa6d541f82603de5bf56565a9ca4340272fa78a88fc108ef15057a32fa
2800
webExt_DL.exe
C:\Users\admin\AppData\Local\Yahoo\yset\[email protected]
text
MD5: de2d7d3f5a543c716052bea2c41a7123
SHA256: ff5d7a6caeb3a17f006eca16ebb6ab612a59af9ee6c2e5c6283aaac54af82625
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: 4c1a2a6356f5f1f7c0118aefd1eaea01
SHA256: cc86efaa22c1d42b19180bc541a9659ed065347c4ab25467a7b8eb0340510b18
2468
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF8D11705F7F83544E.TMP
––
MD5:  ––
SHA256:  ––
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Yahoo\yset\invisible.vbs
text
MD5: c578d9653b22800c3eb6b6a51219bbb8
SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
2468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{43170D4D-BDE1-11E9-9885-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
2888
iexplore.exe
C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log
text
MD5: 0ae99a49abbebd83c1deaf45befada54
SHA256: a1e36d83fc27b4c8ba86974a527834fa1af67d75874930506c481f93b3d56264
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Yahoo\yset\checksets.bat
text
MD5: 53136b74d9ae0821c34cf0f0ea545032
SHA256: 2081d047667212399fc1369dc47c3a1e19f896ec68428b6fa48c3a52d3c0c044
2888
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: c478186d1c42081d6d5e0c6aa7294739
SHA256: ae43e933de8da5702a110c44768ae21a00a0988a65798ba1e84e8dafde28f6f8
2800
webExt_DL.exe
C:\Users\admin\AppData\Local\Yahoo\yset\[email protected]
compressed
MD5: 932ff4ba098232adf882e69f4a4052ec
SHA256: 0c70ff6c1117af5d8670ae411a52c6997a26a071da813a015661df8fa2130db7
2800
webExt_DL.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\yahoo_homepage-1.5.2-fx[1].xpi
compressed
MD5: 932ff4ba098232adf882e69f4a4052ec
SHA256: 0c70ff6c1117af5d8670ae411a52c6997a26a071da813a015661df8fa2130db7
3572
YSearchSetTool.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
image
MD5: 9796ed786d95606d51be9dab54fb5350
SHA256: 74368197cb53191e522e3a73aab974d53eae8e38da694a1ed2cfa06f39176e58
2468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: 91a3b7e17be9e6fc99a456b894a54084
SHA256: b623b7803ccfbc3edb8fe867b4c188445f62f51a54bb2ae78abcae3369520455
2888
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: db0c388b771e510ed150d4b789b431aa
SHA256: 64171b7d85c8ee45f47b814cb6f3c9dbdea586bc6cc9496d15ba78de7eafdd43
2468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BGMW763A\hpset_2018.06.28.01[1].exe:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
2888
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
dat
MD5: 0a03aea096715712c871e9f59acdd40e
SHA256: 1114507a3d5f782f6e8b273f5ce9c8e5df153c91f83cde1f9ee22e292bbce538
2468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\hpset_2018.06.28.01[1].exe:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3572
YSearchSetTool.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{479C7EAC-7AB0-460A-AD2D-14CC88C2FEFB}.ico
image
MD5: 9796ed786d95606d51be9dab54fb5350
SHA256: 74368197cb53191e522e3a73aab974d53eae8e38da694a1ed2cfa06f39176e58
3572
YSearchSetTool.exe
C:\Users\admin\AppData\Roaming\Yahoo\search.xml
xml
MD5: a2bbc5e38683fe0c241cb0cab4402b02
SHA256: 54e4c649c3016841550aef5c1c485d459eeb47f3789ef1118214fb947d961ed8
2468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{43170D4E-BDE1-11E9-9885-5254004A04AF}.dat
binary
MD5: 7db310cc0dc3f219bc41e2b4784829f9
SHA256: b6977f95b49e58ddb6a6387f404fbf17b467ccda21be56cebe9f2e0dae30003d
2468
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF12EFF939F84585FE.TMP
––
MD5:  ––
SHA256:  ––
2468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2468
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
––
MD5:  ––
SHA256:  ––
2468
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
2888
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BGMW763A\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2888
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\85R7SK7Z\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2888
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RUNAIZ4K\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2888
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AUI2F8VJ\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2160
hpset_2018.06.28.01[1].exe
C:\Users\admin\AppData\Local\Temp\nsr290.tmp\nsbD13.tmp.htm
––
MD5:  ––
SHA256:  ––


Network activity

HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
8
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2468 iexplore.exe GET 200 13.107.21.200:80 http://www.bing.com/favicon.ico US image whitelisted


Connections

PID Process IP ASN CN Reputation
2888 iexplore.exe 87.248.116.12:443 Yahoo! UK Services Limited GB shared
2468 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
2468 iexplore.exe 13.107.21.200:80 Microsoft Corporation US whitelisted
2888 iexplore.exe 87.248.116.11:443 Yahoo! UK Services Limited GB shared
3572 YSearchSetTool.exe 188.125.72.139:443 CH unknown
2800 webExt_DL.exe 52.42.149.107:443 Amazon.com, Inc. US unknown
3572 YSearchSetTool.exe 212.82.100.137:443 Yahoo! UK Services Limited CH shared
2800 webExt_DL.exe 99.86.4.60:443 AT&T Services, Inc. US suspicious
2160 hpset_2018.06.28.01[1].exe 188.125.72.139:443 CH unknown

DNS requests

Domain IP Reputation
sxh.yimg.com 87.248.116.12, 87.248.116.11 whitelisted
www.bing.com 204.79.197.200, 13.107.21.200 whitelisted
dns.msftncsi.com 131.107.255.255 whitelisted
geo.yahoo.com 188.125.72.139 whitelisted
addons.mozilla.org 52.42.149.107, 35.167.70.13, 52.24.202.223, 34.216.10.43, 52.35.252.165, 52.27.79.31 whitelisted
search.yahoo.com 212.82.100.137 whitelisted
addons.cdn.mozilla.net 99.86.4.60 whitelisted

Threats

No threats detected.

Debug output strings

Process Message
YSearchSetTool.exe 8-13-2019 16:45:10.629[3572,4056]: SUCCESS: CYSearchSetIE::prvSetYahooNewTab succeeded in setting new tab page to Yahoo because of search set fail
YSearchSetTool.exe 8-13-2019 16:45:10.629[3572,4056]: SUCCESS: CYSearchSetIE::prvSetYahooNewTab succeeded in setting new tab page to Yahoo because of search set fail
YSearchSetTool.exe 8-13-2019 16:45:10.629[3572,4056]: SUCCESS: CYSearchSetIE::prvSetYahooNewTab succeeded in setting new tab page to Yahoo because of search set fail
YSearchSetTool.exe 8-13-2019 16:45:10.629[3572,4056]: SUCCESS: CYSearchSetIE::prvSetYahooNewTab succeeded in setting new tab page to Yahoo because of search set fail
YSearchSetTool.exe 8-13-2019 16:45:10.629[3572,4056]: SUCCESS: CYSearchSetIE::prvSetYahooNewTab succeeded in setting new tab page to Yahoo because of search set fail