Malware analysis Payment pdf.shtml Malicious activity

Add for printing

File name:	Payment pdf.shtml
Full analysis:	https://app.any.run/tasks/0671efa3-1b42-410d-824f-bc6a6c3df9ac
Verdict:	Malicious activity
Analysis date:	December 03, 2024, 10:57:57
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	ims-api generic
Indicators:
MIME:	text/html
File info:	HTML document, Unicode text, UTF-8 (with BOM) text, with very long lines (65446), with CRLF line terminators
MD5:	5E4869BFE01462249DA236E048D61F44
SHA1:	2B2DA69005AE30CCC3D6D4B8AF97D9B6677B379C
SHA256:	7853135463C696CD95AF41B48AB2CE8BF64BA879DA8A4FBE0C959327CF6B791B
SSDEEP:	1536:q0ejckb/MbMPpFCm2wySzCX0W5zbnkGTrWRDDLQEYAA6:quy/uMffCX0W5zbk8rUD/bf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Possible usage of Discord/Telegram API has been detected (YARA)
  - notepad.exe (PID: 5488)
INFO
- Creates files in the program directory
  - MoUsoCoreWorker.exe (PID: 4712)
- Reads security settings of Internet Explorer
  - taskhostw.exe (PID: 848)
  - notepad.exe (PID: 5488)
- Application launched itself
  - firefox.exe (PID: 3996)
- Reads the computer name
  - PLUGScheduler.exe (PID: 556)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.txt	\|	Text - UTF-8 encoded (100)

EXIF

HTML

Title:	continue

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

129

Monitored processes

113

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

320

C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\System32\svchost.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll

376

C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost

C:\Windows\System32\svchost.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

556

"C:\Program Files\RUXIM\PLUGscheduler.exe"

C:\Program Files\RUXIM\PLUGScheduler.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Update LifeCycle Component Scheduler

Exit code:

Version:

10.0.19041.3623 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

628

"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB"

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

—

svchost.exe

User:

admin

Company:

Mozilla Foundation

Integrity Level:

MEDIUM

Exit code:

2147500037

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\default-browser-agent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

812

C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\System32\svchost.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

848

taskhostw.exe

C:\Windows\System32\taskhostw.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Host Process for Windows Tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\linkinfo.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\msiso.dll
c:\windows\system32\secur32.dll

892

C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p

C:\Windows\System32\svchost.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\umpnpmgr.dll
c:\windows\system32\msvcrt.dll

1008

C:\WINDOWS\system32\svchost.exe -k RPCSS -p

C:\Windows\System32\svchost.exe

—

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcepmap.dll
c:\windows\system32\wldp.dll

1068

C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

1076

C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

Add for printing

Total events

37 748

Read events

37 245

Write events

343

Delete events

160

Modification events


(PID) Process:	(848) taskhostw.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\TotalListOfLastBackedUpTiles_2351661338
Operation:	write	Name:	TotalListOfLastBackedUpTiles_2351661338
Value: [{"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\SnippingTool.exe", "displayName":"Snipping Tool", "sortName":"Snipping Tool", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\WINDOWS\system32\SnippingTool.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.Office.WINWORD.EXE.15", "displayName":"Word", "sortName":"Word", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "shortcutArgs":""}, {"tileId":"W~Microsoft.Office.SETLANG.EXE.15", "displayName":"Office Language Preferences", "sortName":"Office Language Preferences", "suiteName":"Microsoft Office Tools", "packageId":"", "targetPath":"C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE", "shortcutArgs":""}, {"tileId":"W~Chrome", "displayName":"Google Chrome", "sortName":"Google Chrome", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Google\Chrome\Application\chrome.exe", "shortcutArgs":""--disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints""}, {"tileId":"W~Microsoft.Windows.ControlPanel", "displayName":"Control Panel", "sortName":"Control Panel", "suiteName":"Windows System", "packageId":"", "targetPath":"::{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}", "shortcutArgs":""}, {"tileId":"W~Microsoft.Windows.Shell.RunDialog", "displayName":"Run", "sortName":"Run", "suiteName":"Windows System", "packageId":"", "targetPath":"::{2559A1F3-21D7-11D4-BDAF-00C04F60B9F0}", "shortcutArgs":""}, {"tileId":"W~308046B0AF4A39CB", "displayName":"Firefox", "sortName":"Firefox", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Mozilla Firefox\firefox.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.Office.POWERPNT.EXE.15", "displayName":"PowerPoint", "sortName":"PowerPoint", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE", "shortcutArgs":""}, {"tileId":"W~https://java.com/", "displayName":"Visit Java.com", "sortName":"Visit Java.com", "suiteName":"Java", "packageId":"", "targetPath":"https://java.com/", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\printmanagement.msc", "displayName":"Print Management", "sortName":"Print Management", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\printmanagement.msc", "shortcutArgs":""}, {"tileId":"W~Microsoft.AutoGenerated.{DAA168DE-4306-C8BC-8C11-B596240BDDED}", "displayName":"Windows Speech Recognition", "sortName":"Windows Speech Recognition", "suiteName":"Windows Ease of Access", "packageId":"", "targetPath":"C:\WINDOWS\Speech\Common\sapisvr.exe", "shortcutArgs":"-SpeechUX"}, {"tileId":"W~Microsoft.AutoGenerated.{30BD9A02-CB9A-93FD-A859-09C8803F2346}", "displayName":"VLC media player skinned", "sortName":"VLC media player skinned", "suiteName":"VideoLAN", "packageId":"", "targetPath":"C:\Program Files\VideoLAN\VLC\vlc.exe", "shortcutArgs":"-Iskins"}, {"tileId":"W~Microsoft.Windows.MediaPlayer32", "displayName":"Windows Media Player", "sortName":"Windows Media Player", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\Program Files (x86)\Windows Media Player\wmplayer.exe", "shortcutArgs":"/prefetch:1"}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\magnify.exe", "displayName":"Magnifier", "sortName":"Magnifier", "suiteName":"Windows Ease of Access", "packageId":"", "targetPath":"C:\WINDOWS\system32\magnify.exe", "shortcutArgs":""}, {"tileId":"W~FileZilla.Client.AppID", "displayName":"FileZilla", "sortName":"FileZilla", "suiteName":"FileZilla FTP Client", "packageId":"", "targetPath":"C:\Program Files\FileZilla FTP Client\filezilla.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\Java\jre1.8.0_271\bin\javacpl.exe", "displayName":"Configure Java", "sortName":"Configure Java", "suiteName":"Java", "packageId":"", "targetPath":"C:\Program Files\Java\jre1.8.0_271\bin\javacpl.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.AutoGenerated.{C804BBA7-FA5F-CBF7-8B55-2096E5F972CB}", "displayName":"Resource Monitor", "sortName":"Resource Monitor", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\perfmon.exe", "shortcutArgs":"/res"}, {"tileId":"W~308046B0AF4A39CB;PrivateBrowsingAUMID", "displayName":"Firefox Private Browsing", "sortName":"Firefox Private Browsing", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Mozilla Firefox\private_browsing.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\PowerShell_ISE.exe", "displayName":"Windows PowerShell ISE", "sortName":"Windows PowerShell ISE", "suiteName":"Windows PowerShell", "packageId":"", "targetPath":"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe", "displayName":"Windows PowerShell", "sortName":"Windows PowerShell", "suiteName":"Windows PowerShell", "packageId":"", "targetPath":"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.AutoGenerated.{A49227EA-5AF0-D494-A3F1-0918A278ED71}", "displayName":"PowerShell 7 (x64)", "sortName":"PowerShell 7 (x64)", "suiteName":"PowerShell", "packageId":"", "targetPath":"C:\Program Files\PowerShell\7\pwsh.exe", "shortcutArgs":"-WorkingDirectory ~"}, {"tileId":"W~https://java.com/help", "displayName":"Get Help", "sortName":"Get Help", "suiteName":"Java", "packageId":"", "targetPath":"https://java.com/help", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe", "displayName":"Paint", "sortName":"Paint", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\WINDOWS\system32\mspaint.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\msconfig.exe", "displayName":"System Configuration", "sortName":"System Configuration", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\msconfig.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.AutoGenerated.{4DEFA131-DEEE-1634-0BA3-879BF2240822}", "displayName":"Check For Updates", "sortName":"Check For Updates", "suiteName":"Java", "packageId":"", "targetPath":"C:\Program Files\Java\jre1.8.0_271\bin\javacpl.exe", "shortcutArgs":"-tab update"}, {"tileId":"W~http://www.ccleaner.com/ccleaner", "displayName":"CCleaner Homepage", "sortName":"CCleaner Homepage", "suiteName":"CCleaner", "packageId":"", "targetPath":"http://www.ccleaner.com/ccleaner", "shortcutArgs":""}, {"tileId":"W~Microsoft.AutoGenerated.{51325390-AE6A-68FC-A315-0950CC83A166}", "displayName":"VLC media player - reset preferences and cache files", "sortName":"VLC media player - reset preferences and cache files", "suiteName":"VideoLAN", "packageId":"", "targetPath":"C:\Program Files\VideoLAN\VLC\vlc.exe", "shortcutArgs":"--reset-config --reset-plugins-cache vlc://quit"}, {"tileId":"W~Microsoft.AutoGenerated.{8AA47365-B2B3-1961-69EB-F866E376B12F}", "displayName":"Performance Monitor", "sortName":"Performance Monitor", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\perfmon.msc", "shortcutArgs":"/s"}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\dfrgui.exe", "displayName":"Defragment and Optimize Drives", "sortName":"Defragment and Optimize Drives", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\dfrgui.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\psr.exe", "displayName":"Steps Recorder", "sortName":"Steps Recorder", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\WINDOWS\system32\psr.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.AutoGenerated.{923DD477-5846-686B-A659-0FCCD73851A8}", "displayName":"Task Manager", "sortName":"Task Manager", "suiteName":"Windows System", "packageId":"", "targetPath":"C:\WINDOWS\system32\taskmgr.exe", "shortcutArgs":"/7"}, {"tileId":"W~Microsoft.AutoGenerated.{8ABD94FB-E7D6-84A6-A997-C918EDDE0AE5}", "displayName":"Computer Management", "sortName":"Computer Management", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\compmgmt.msc", "shortcutArgs":"/s"}, {"tileId":"W~Microsoft.AutoGenerated.{BB044BFD-25B7-2FAA-22A8-6371A93E0456}", "displayName":"Event Viewer", "sortName":"Event Viewer", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\eventvwr.msc", "shortcutArgs":"/s"}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\narrator.exe", "displayName":"Narrator", "sortName":"Narrator", "suiteName":"Windows Ease of Access", "packageId":"", "targetPath":"C:\WINDOWS\system32\narrator.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.Windows.Explorer", "displayName":"File Explorer", "sortName":"File Explorer", "suiteName":"Windows System", "packageId":"", "targetPath":"::{52205FD8-5DFB-447D-801A-D0B52F2E83E1}", "shortcutArgs":""}, {"tileId":"W~Microsoft.AutoGenerated.{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}", "displayName":"Local Security Policy", "sortName":"Local Security Policy", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\secpol.msc", "shortcutArgs":"/s"}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\odbcad32.exe", "displayName":"ODBC Data Sources (64-bit)", "sortName":"ODBC Data Sources (64-bit)", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\odbcad32.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WFS.exe", "displayName":"Windows Fax and Scan", "sortName":"Windows Fax and Scan", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\WINDOWS\system32\WFS.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\VideoLAN\VLC\Documentation.url", "displayName":"Documentation", "sortName":"Documentation", "suiteName":"VideoLAN", "packageId":"", "targetPath":"C:\Program Files\VideoLAN\VLC\Documentation.url", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\WinRAR\WinRAR.chm", "displayName":"WinRAR help", "sortName":"WinRAR help", "suiteName":"WinRAR", "packageId":"", "targetPath":"C:\Program Files\WinRAR\WinRAR.chm", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", "displayName":"Command Prompt", "sortName":"Command Prompt", "suiteName":"Windows System", "packageId":"", "targetPath":"C:\WINDOWS\system32\cmd.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\iscsicpl.exe", "displayName":"iSCSI Initiator", "sortName":"iSCSI Initiator", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\iscsicpl.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.AutoGenerated.{BE31758D-4968-0391-4AA3-C6BB88B115C9}", "displayName":"About Java", "sortName":"About Java", "suiteName":"Java", "packageId":"", "targetPath":"C:\Program Files\Java\jre1.8.0_271\bin\javacpl.exe", "shortcutArgs":"-tab about"}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\comexp.msc", "displayName":"Component Services", "sortName":"Component Services", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\comexp.msc", "shortcutArgs":""}, {"tileId":"W~Microsoft.AutoGenerated.{C1C6F8AC-40A3-0F5C-146F-65A9DC70BBB4}", "displayName":"Task Scheduler", "sortName":"Task Scheduler", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\taskschd.msc", "shortcutArgs":"/s"}, {"tileId":"W~Microsoft.InternetExplorer.Default", "displayName":"Internet Explorer", "sortName":"Internet Explorer", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\Program Files\Internet Explorer\iexplore.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe", "displayName":"Notepad", "sortName":"Notepad", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\WINDOWS\system32\notepad.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.Office.MSPUB.EXE.15", "displayName":"Publisher", "sortName":"Publisher", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Microsoft Office\root\Office16\MSPUB.EXE", "shortcutArgs":""}, {"tileId":"W~Microsoft.Office.EXCEL.EXE.15", "displayName":"Excel", "sortName":"Excel", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "shortcutArgs":""}, {"tileId":"W~Microsoft.Office.MSACCESS.EXE.15", "displayName":"Access", "sortName":"Access", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE", "shortcutArgs":""}, {"tileId":"W~Microsoft.Windows.Computer", "displayName":"This PC", "sortName":"This PC", "suiteName":"Windows System", "packageId":"", "targetPath":"::{20D04FE0-3AEA-1069-A2D8-08002B30309D}", "shortcutArgs":""}, {"tileId":"W~Microsoft.Office.ONENOTE.EXE.15", "displayName":"OneNote", "sortName":"OneNote", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE", "shortcutArgs":""}, {"tileId":"W~Microsoft.Office.OUTLOOK.EXE.15", "displayName":"Outlook", "sortName":"Outlook", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\services.msc", "displayName":"Services", "sortName":"Services", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\services.msc", "shortcutArgs":""}, {"tileId":"W~Microsoft.SkyDrive.Desktop", "displayName":"OneDrive", "sortName":"OneDrive", "suiteName":"", "packageId":"", "targetPath":"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\msinfo32.exe", "displayName":"System Information", "sortName":"System Information", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\msinfo32.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.Skype.SkypeDesktop", "displayName":"Skype", "sortName":"Skype", "suiteName":"Skype", "packageId":"", "targetPath":"C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe", "shortcutArgs":""}, {"tileId":"W~Microsoft.Windows.AdministrativeTools", "displayName":"Windows Administrative Tools", "sortName":"Windows Administrative Tools", "suiteName":"Windows System", "packageId":"", "targetPath":"C:\WINDOWS\system32\control.exe", "shortcutArgs":"/name Microsoft.AdministrativeTools"}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WF.msc", "displayName":"Windows Defender Firewall with Advanced Security", "sortName":"Windows Defender Firewall with Advanced Security", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\WF.msc", "shortcutArgs":""}, {"tileId":"W~Microsoft.Windows.RemoteDesktop", "displayName":"Remote Desktop Connection", "sortName":"Remote Desktop Connection", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\WINDOWS\system32\mstsc.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\osk.exe", "displayName":"On-Screen Keyboard", "sortName":"On-Screen Keyboard", "suiteName":"Windows Ease of Access", "packageId":"", "targetPath":"C:\WINDOWS\system32\osk.exe", "shortcutArgs":""}, {"tileId":"W~MSEdge", "displayName":"Microsoft Edge", "sortName":"Microsoft Edge", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\charmap.exe", "displayName":"Character Map", "sortName":"Character Map", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\WINDOWS\system32\charmap.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cleanmgr.exe", "displayName":"Disk Cleanup", "sortName":"Disk Cleanup", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\cleanmgr.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\quickassist.exe", "displayName":"Quick Assist", "sortName":"Quick Assist", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\WINDOWS\system32\quickassist.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\MdSched.exe", "displayName":"Windows Memory Diagnostic", "sortName":"Windows Memory Diagnostic", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\MdSched.exe", "shortcutArgs":""}, {"tileId":"W~{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\RecoveryDrive.exe", "displayName":"Recovery Drive", "sortName":"Recovery Drive", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\system32\RecoveryDrive.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\Adobe\Acrobat DC\Acrobat\Acrobat.exe", "displayName":"Adobe Acrobat", "sortName":"Adobe Acrobat", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\CCleaner\CCleaner64.exe", "displayName":"CCleaner", "sortName":"CCleaner", "suiteName":"CCleaner", "packageId":"", "targetPath":"C:\Program Files\CCleaner\CCleaner64.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\Microsoft Shared\Ink\mip.exe", "displayName":"Math Input Panel", "sortName":"Math Input Panel", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\Program Files\Common Files\Microsoft Shared\Ink\mip.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\FileZilla FTP Client\uninstall.exe", "displayName":"Uninstall", "sortName":"Uninstall", "suiteName":"FileZilla FTP Client", "packageId":"", "targetPath":"C:\Program Files\FileZilla FTP Client\uninstall.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\Notepad++\notepad++.exe", "displayName":"Notepad++", "sortName":"Notepad++", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\Notepad++\notepad++.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\PCHealthCheck\PCHealthCheck.exe", "displayName":"PC Health Check", "sortName":"PC Health Check", "suiteName":"", "packageId":"", "targetPath":"C:\Program Files\PCHealthCheck\PCHealthCheck.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\VideoLAN\VLC\NEWS.txt", "displayName":"Release Notes", "sortName":"Release Notes", "suiteName":"VideoLAN", "packageId":"", "targetPath":"C:\Program Files\VideoLAN\VLC\NEWS.txt", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\VideoLAN\VLC\VideoLAN Website.url", "displayName":"VideoLAN Website", "sortName":"VideoLAN Website", "suiteName":"VideoLAN", "packageId":"", "targetPath":"C:\Program Files\VideoLAN\VLC\VideoLAN Website.url", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\VideoLAN\VLC\vlc.exe", "displayName":"VLC media player", "sortName":"VLC media player", "suiteName":"VideoLAN", "packageId":"", "targetPath":"C:\Program Files\VideoLAN\VLC\vlc.exe", "shortcutArgs":""}, {"tileId":"W~{F38BF404-1D43-42F2-9305-67DE0B28FC23}\regedit.exe", "displayName":"Registry Editor", "sortName":"Registry Editor", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\regedit.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\Windows NT\Accessories\wordpad.exe", "displayName":"WordPad", "sortName":"WordPad", "suiteName":"Windows Accessories", "packageId":"", "targetPath":"C:\Program Files\Windows NT\Accessories\wordpad.exe", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\WinRAR\Rar.txt", "displayName":"Console RAR manual", "sortName":"Console RAR manual", "suiteName":"WinRAR", "packageId":"", "targetPath":"C:\Program Files\WinRAR\Rar.txt", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\WinRAR\WhatsNew.txt", "displayName":"What is new in the latest version", "sortName":"What is new in the latest version", "suiteName":"WinRAR", "packageId":"", "targetPath":"C:\Program Files\WinRAR\WhatsNew.txt", "shortcutArgs":""}, {"tileId":"W~{6D809377-6AF0-444B-8957-A3773F02200E}\WinRAR\WinRAR.exe", "displayName":"WinRAR", "sortName":"WinRAR", "suiteName":"WinRAR", "packageId":"", "targetPath":"C:\Program Files\WinRAR\WinRAR.exe", "shortcutArgs":""}, {"tileId":"W~{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\odbcad32.exe", "displayName":"ODBC Data Sources (32-bit)", "sortName":"ODBC Data Sources (32-bit)", "suiteName":"Windows Administrative Tools", "packageId":"", "targetPath":"C:\WINDOWS\syswow64\odbcad32.exe", "shortcutArgs":""}, {"tileId":"W~{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WindowsPowerShell\v1.0\powershell.exe", "displayName":"Windows PowerShell (x86)", "sortName":"Windows PowerShell (x86)", "suiteName":"Windows PowerShell", "packageId":"", "targetPath":"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe", "shortcutArgs":""}, {"tileId":"W~{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\WindowsPowerShell\v1.0\PowerShell_ISE.exe", "displayName":"Windows PowerShell ISE (x86)", "sortName":"Windows PowerShell ISE (x86)", "suiteName":"Windows PowerShell", "packageId":"", "targetPath":"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\PowerShell_ISE.exe", "shortcutArgs":""}]
(PID) Process:	(848) taskhostw.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\TotalListOfLastBackedUpCompatInfos_2351661344
Operation:	write	Name:	TotalListOfLastBackedUpCompatInfos_2351661344
Value: []
(PID) Process:	(556) PLUGScheduler.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\RUXIM
Operation:	write	Name:	ExecutionCount
Value: 6
(PID) Process:	(556) PLUGScheduler.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\RUXIM
Operation:	write	Name:	LastExecutionResult
Value: 0
(PID) Process:	(556) PLUGScheduler.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\RUXIM
Operation:	write	Name:	LastExecutionExitCode
Value: 0
(PID) Process:	(556) PLUGScheduler.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\RUXIM
Operation:	write	Name:	LastExecutionTime
Value: C81199387245DB01
(PID) Process:	(4712) MoUsoCoreWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator
Operation:	delete value	Name:	EnhancedShutdownEnabled
Value:
(PID) Process:	(4712) MoUsoCoreWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\Orchestrator
Operation:	write	Name:	ShutdownFlyoutOptions
Value: 0
(PID) Process:	(1340) svchost.exe	Key:	\REGISTRY\A\{b0a375f5-0cd9-ad5b-d87d-a32f1041b3a5}\Root\InventoryDevicePnp
Operation:	write	Name:	WritePermissionsCheck
Value: 1
(PID) Process:	(1340) svchost.exe	Key:	\REGISTRY\A\{b0a375f5-0cd9-ad5b-d87d-a32f1041b3a5}\Root\InventoryDevicePnp\PermissionsCheckTestKey
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4712	MoUsoCoreWorker.exe	C:\ProgramData\USOPrivate\UpdateStore\store.db-journal		binary
		MD5:15917B2BA7D9C139B08A6BD9BD08F0AA	SHA256:BAD669E1977C5F7D6F7E20666BD2F46D4F25FBF6FB30F8474D4E2721A776FBEE
1276	svchost.exe	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work		xml
		MD5:C6086D02F8CE044F5FA07A98303DC7EB	SHA256:8901D9C9AEA465DA4EA7AA874610A90B8CF0A71EBA0E321CF9675FCEEE0B54A0
1276	svchost.exe	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler		xml
		MD5:1E0FD17505DF7FDD52708C59FCD5284C	SHA256:B374CE865F05A467798DE01B77F9AEEA861325CF274390D4C06753E77CDA564D
5828	MusNotificationUx.exe	C:\ProgramData\USOShared\Logs\User\NotificationUx.14e1d969-b327-4c1b-b5ca-7cba870f7eea.1.etl		etl
		MD5:9E83C6B050334057DD2ED4A80FF0D2DD	SHA256:FD02C8F880CCD955FEB0BD964DC6840463467FF79C3133466AE63289BD7385D4
2632	svchost.exe	C:\Windows\Logs\waasmediccapsule\WaasRemediation.002.etl		etl
		MD5:DEDECFD6DDECAA969F2F735761A8363F	SHA256:6D554FD45C5A4651BA508028AF27C5AE6501E3A2E10CFF9A8A925DCB74A68702
2632	svchost.exe	C:\Windows\Logs\waasmediccapsule\WaasRemediation.003.etl		etl
		MD5:A83C439448C1E67E6FFC948FEF1FCE18	SHA256:9FAA75F166CFDD869D3549B76139DDDDDB6A50790A5C6CC81B2084A432D7D60F
1768	svchost.exe	C:\Windows\Prefetch\WAASMEDICAGENT.EXE-ED0D7511.pf		binary
		MD5:A05C7EA60D829FFF35884B6931D484DC	SHA256:0E675225AF6332AF90E2D904545149DAF8D057BCB25D853BA77080DBA4582E91
1768	svchost.exe	C:\Windows\Prefetch\SVCHOST.EXE-2E4E3AC7.pf		binary
		MD5:EE6F219D010D05661D2BB686DDAF401F	SHA256:B9E756B2B1D00B30554B4FC023CAA8BD155E6F1F5B0D827F31F2E741A24578F2
5064	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D		binary
		MD5:AC32355AE5EC000A31597675B8AA72E4	SHA256:FD86829CA90668E48E359E138F6D40C1F12A9F0D98E59E34FD705E91AE2D65B6
1176	svchost.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		binary
		MD5:9BED3D5F0739D7B1162DEE3F8A14185D	SHA256:CE0B7555B922EC9A29B3BBCBD1931131455C254541CFFE5D3D17934FBD5E83F1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6936	SIHClient.exe	GET	200	23.215.121.133:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6936	SIHClient.exe	GET	200	23.215.121.133:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6180	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.49.150.241:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.19.96.88:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1076	svchost.exe	23.32.186.57:443	go.microsoft.com	AKAMAI-AS	BR	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1176	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.49.150.241 51.104.136.2	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.9	whitelisted
www.microsoft.com	2.23.181.156 23.215.121.133	whitelisted
google.com	172.217.18.110	whitelisted
www.bing.com	2.19.96.88 2.19.96.80 2.19.96.90 2.19.96.81 2.19.96.82 2.19.96.89 2.19.96.83 2.19.96.96 2.19.96.91	whitelisted
go.microsoft.com	23.32.186.57	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.75 40.126.31.69 20.190.159.68 20.190.159.64 20.190.159.73 20.190.159.0 40.126.31.71 40.126.31.73	whitelisted
arc.msn.com	20.199.58.43	whitelisted
fd.api.iris.microsoft.com	20.103.156.88	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Payment pdf.shtml

5E4869BFE01462249DA236E048D61F44

2B2DA69005AE30CCC3D6D4B8AF97D9B6677B379C

7853135463C696CD95AF41B48AB2CE8BF64BA879DA8A4FBE0C959327CF6B791B

1536:q0ejckb/MbMPpFCm2wySzCX0W5zbnkGTrWRDDLQEYAA6:quy/uMffCX0W5zbk8rUD/bf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Possible usage of Discord/Telegram API has been detected (YARA)

INFO

Creates files in the program directory

Reads security settings of Internet Explorer

Application launched itself

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

HTML

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings