General Info

File name

acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe

Full analysis
https://app.any.run/tasks/6a559932-639e-47c1-9806-bffeff09dc67
Verdict
Malicious activity
Threats:

Agent Tesla is a password-stealing spyware that has been around since 2014. Attackers can use the malware to spy on victims, seeing everything typed into supported programs and web browsers.

Analysis date
4/15/2019, 15:19:07
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

evasion

trojan

rat

agenttesla

opendir

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5

d18c6edb768e000117eeeea3d5fc89be

SHA1

775ceb1bd0d24df850773b5b57ea588983aa18d2

SHA256

acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a

SSDEEP

12288:lnzefKdEN7vYCiXUrTNRw8FC4UaY7HYeesMFAa+i8H6:lnzMKavYsTNRrUz7oxili8H6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe (PID: 1700)
  • SWAUpdater.exe (PID: 900)
  • SevereWeatherAlerts.exe (PID: 3140)
Application was dropped or rewritten from another process
  • SevereWeatherAlerts.exe (PID: 3140)
  • SWAUpdater.exe (PID: 2780)
  • SevereWeatherAlertsApp.exe (PID: 3212)
  • SevereWeatherAlertsApp.exe (PID: 3520)
  • SWAUpdater.exe (PID: 900)
Changes settings of System certificates
  • SevereWeatherAlerts.exe (PID: 3140)
  • SWAUpdater.exe (PID: 900)
Writes to a start menu file
  • acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe (PID: 1700)
Application launched itself
  • SevereWeatherAlertsApp.exe (PID: 3212)
Adds / modifies Windows certificates
  • SevereWeatherAlerts.exe (PID: 3140)
  • SWAUpdater.exe (PID: 900)
Checks for external IP
  • SevereWeatherAlerts.exe (PID: 3140)
Creates files in the user directory
  • acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe (PID: 1700)
Executable content was dropped or overwritten
  • acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe (PID: 1700)
Creates a software uninstall entry
  • acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe (PID: 1700)

No info indicators.

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.exe | NSIS - Nullsoft Scriptable Install System (94.8%)
.exe | Win32 Executable MS Visual C++ (generic) (3.4%)
.dll | Win32 Dynamic Link Library (generic) (0.7%)
.exe | Win32 Executable (generic) (0.5%)
.exe | Generic Win/DOS Executable (0.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2009:12:05 23:50:52+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
24064
InitializedDataSize:
164864
UninitializedDataSize:
1024
EntryPoint:
0x30fa
OSVersion:
4
ImageVersion:
6
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
1.23.0.0
ProductVersionNumber:
1.23.0.0
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Windows, Latin1
CompanyName:
Weather Notifications, LLC
FileDescription:
Application
FileVersion:
1.23.0.0
LegalCopyright:
Weather Notifications, LLC © 2013. All Rights Reserved.
ProductName:
Severe Weather Alerts
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
05-Dec-2009 22:50:52
Detected languages
English - United States
CompanyName:
Weather Notifications, LLC
FileDescription:
Application
FileVersion:
1.23.0.0
LegalCopyright:
Weather Notifications, LLC © 2013. All Rights Reserved.
ProductName:
Severe Weather Alerts
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
05-Dec-2009 22:50:52
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00005C4C 0x00005E00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.44011
.rdata 0x00007000 0x0000129C 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.04684
.data 0x00009000 0x00025C58 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.801
.ndata 0x0002F000 0x0000A000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x00039000 0x00004520 0x00004600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.87531
Resources
1, 2, 3, 4, 5, 6, 7, 102, 103, 105, 106, 107, 111

Imports
    KERNEL32.dll
    USER32.dll
    GDI32.dll
    SHELL32.dll
    ADVAPI32.dll
    COMCTL32.dll
    ole32.dll
    VERSION.dll
Exports

    No exports.

Processes

Total processes
41
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

[Graph image not reproduced. Nodes: acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe, severeweatheralerts.exe, severeweatheralertsapp.exe (no specs), severeweatheralertsapp.exe, swaupdater.exe (no specs), swaupdater.exe. Edge types shown: "drop and start", "start".]
Process information

PID
1700
CMD
"C:\Users\admin\AppData\Local\Temp\acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe"
Path
C:\Users\admin\AppData\Local\Temp\acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Weather Notifications, LLC
Description
Application
Version
1.23.0.0
Modules
Image
c:\users\admin\appdata\local\temp\acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\users\admin\appdata\local\temp\nsd64c8.tmp\installoptions.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralerts.exe
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralertsapp.exe
c:\windows\system32\netutils.dll

PID
3140
CMD
"C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe" /installer 1200396 1
Path
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe
Indicators
Parent process
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Weather Notifications, LLC
Description
SevereWeatherAlerts
Version
1.21.0.0
Modules
Image
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralerts.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsec.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralertsappapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralertsapp.exe
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\users\admin\appdata\local\severeweatheralerts\swaupdater.exe
c:\windows\system32\mpr.dll

PID
3212
CMD
"C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe" /installevent=10 /distid=1200396 /tpchannelid=1
Path
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe
Indicators
No indicators
Parent process
SevereWeatherAlerts.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
SevereWeatherAlertsApp
Version
1.0.9.0
Modules
Image
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralertsapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsec.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\apphelp.dll

PID
3520
CMD
"C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe" /distid=1200396 /tpchannelid=1
Path
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe
Indicators
Parent process
SevereWeatherAlertsApp.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
SevereWeatherAlertsApp
Version
1.0.9.0
Modules
Image
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralertsapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsec.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sxs.dll
c:\windows\system32\macromed\flash\flash32_26_0_0_131.ocx

PID
2780
CMD
"C:\Users\admin\AppData\Local\SevereWeatherAlerts\SWAUpdater.exe"
Path
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SWAUpdater.exe
Indicators
No indicators
Parent process
SevereWeatherAlerts.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Weather Notifications, LLC
Description
SWAUpdater
Version
1.2.0.0
Modules
Image
c:\users\admin\appdata\local\severeweatheralerts\swaupdater.exe
c:\systemroot\system32\ntdll.dll

PID
900
CMD
"C:\Users\admin\AppData\Local\SevereWeatherAlerts\SWAUpdater.exe"
Path
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SWAUpdater.exe
Indicators
Parent process
SevereWeatherAlerts.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Weather Notifications, LLC
Description
SWAUpdater
Version
1.2.0.0
Modules
Image
c:\users\admin\appdata\local\severeweatheralerts\swaupdater.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsec.dll
c:\windows\system32\wintrust.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\users\admin\appdata\local\severeweatheralerts\icsharpcode.sharpziplib.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralerts.exe
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

Registry activity

Total events
975
Read events
879
Write events
94
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Severe Weather Alerts
DisplayName
Severe Weather Alerts
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Severe Weather Alerts
UninstallString
C:\Users\admin\AppData\Local\SevereWeatherAlerts\uninstall.exe
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Severe Weather Alerts
DisplayVersion
1.23.0.0
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Severe Weather Alerts
Publisher
Weather Notifications, LLC
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Severe Weather Alerts
URLInfoAbout
http://www.severeweatheralerts.net
3140
SevereWeatherAlerts.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
3140
SevereWeatherAlerts.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
[binary certificate blob omitted]
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E
0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
3140
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3140
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3140
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\SevereWeatherAlerts
Installed
True
3140
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\SevereWeatherAlerts
GUID
71f6d9f8-242d-4cfe-8dc0-b12af52d66cd
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
EnableFileTracing
0
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
EnableConsoleTracing
0
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
FileTracingMask
4294901760
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
ConsoleTracingMask
4294901760
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
MaxFileSize
1048576
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
FileDirectory
%windir%\tracing
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
EnableFileTracing
0
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
EnableConsoleTracing
0
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
FileTracingMask
4294901760
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
ConsoleTracingMask
4294901760
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
MaxFileSize
1048576
3140
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
FileDirectory
%windir%\tracing
3212
SevereWeatherAlertsApp.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3520
SevereWeatherAlertsApp.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
EnableFileTracing
0
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
EnableConsoleTracing
0
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
FileTracingMask
4294901760
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
ConsoleTracingMask
4294901760
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
MaxFileSize
1048576
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
FileDirectory
%windir%\tracing
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
EnableFileTracing
0
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
EnableConsoleTracing
0
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
FileTracingMask
4294901760
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
ConsoleTracingMask
4294901760
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
MaxFileSize
1048576
3520
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
FileDirectory
%windir%\tracing
900
SWAUpdater.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF0405300301
01FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASAPI32
EnableFileTracing
0
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASAPI32
EnableConsoleTracing
0
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASAPI32
FileTracingMask
4294901760
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASAPI32
ConsoleTracingMask
4294901760
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASAPI32
MaxFileSize
1048576
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASAPI32
FileDirectory
%windir%\tracing
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASMANCS
EnableFileTracing
0
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASMANCS
EnableConsoleTracing
0
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASMANCS
FileTracingMask
4294901760
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASMANCS
ConsoleTracingMask
4294901760
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASMANCS
MaxFileSize
1048576
900
SWAUpdater.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SWAUpdater_RASMANCS
FileDirectory
%windir%\tracing

Files activity

Executable files
8
Suspicious files
18
Text files
29
Unknown types
7

Dropped files

PID
Process
Filename
Type
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\Temp\nsd64C8.tmp\InstallOptions.dll
executable
MD5: 325b008aec81e5aaa57096f05d4212b5
SHA256: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsBrowser.exe
executable
MD5: 65c5ac31bc867c0ac16a05002b78b110
SHA256: d77797ea67a8ba795f9d98df39d667f50ef457970a0ae20964215c6d1ff60781
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe
executable
MD5: 5dad6355a4e6272cb3dc132f2618a1d1
SHA256: 6c876a1878736cdce407e1c82fd8f055d0db0b240a0f1c31d7fca77470aaac89
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsAppAPI.dll
executable
MD5: 63740795e7fbdaac2255497c3c239635
SHA256: c0a194aede1ef5bb65955cbe2614acbd88893ca5a05a6a1a50a9d7022e89db18
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\ICSharpCode.SharpZipLib.dll
executable
MD5: 17d67afb3452b3b78a679fa9f4caefd8
SHA256: 68dae50cca679f6ca5c9e4f4225e34d738d34098701dde463f2304415845dd8b
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SWAUpdater.exe
executable
MD5: b71e1957c2899a44f8dda1891aa8cc66
SHA256: ce8cc5436bda31440b86e414f29fc13bd7a5bea381ec4f00e0a31e5fbed94cb1
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe
executable
MD5: 74b457db24e9a1677e0d841686f11c95
SHA256: 68c6e2521e232c72da81215a25218bc11758c37010c67dfb52c8478e3a3682a9
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\uninstall.exe
executable
MD5: 3f83b9eac72673ed46c6186f1d09e60f
SHA256: 6865be77c74c8f82cb54e79be66c6a60a95182571885587c0266a45f2158c2bc
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat~RF1102db.TMP
binary
MD5: 59e8636c7d226b1a7cec61f9355a5ed1
SHA256: a419640af320103f921a9b0004f342cb78ab7d65a8e62b6e603bc40fae2fcb70
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat.tmp
––
MD5:  ––
SHA256:  ––
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat~RF10c2e4.TMP
binary
MD5: a73945c9424e7616cdcd2a8cfee9943c
SHA256: cc663066ee7867fe876fa15fa926714adb1fe687d3d7274d91f86a2b9052001c
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat
binary
MD5: a73945c9424e7616cdcd2a8cfee9943c
SHA256: cc663066ee7867fe876fa15fa926714adb1fe687d3d7274d91f86a2b9052001c
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat
binary
MD5: e57f08b71fd1039522394de22d7b4261
SHA256: 720874084aaaffc957ec1334737507592b13df5889c37158291ca0749b1d10db
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat~RF10c16d.TMP
binary
MD5: e57f08b71fd1039522394de22d7b4261
SHA256: 720874084aaaffc957ec1334737507592b13df5889c37158291ca0749b1d10db
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp0.dat~RF10bfd7.TMP
binary
MD5: 3eee006d94bed6dbaaaf20978503a394
SHA256: e65410183cf58bf1afcfe2d71873d377c04113682db2162bdb72840486d4a8ce
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp0.dat
binary
MD5: 3eee006d94bed6dbaaaf20978503a394
SHA256: e65410183cf58bf1afcfe2d71873d377c04113682db2162bdb72840486d4a8ce
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp0.dat.tmp
––
MD5:  ––
SHA256:  ––
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat~RF10be22.TMP
binary
MD5: cc4a6695b377b018fa49387e12d0ce59
SHA256: 95be4073feb90e88716ef82ff1ab81e8b604ffa6ee161132d7152d9c853f144d
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat
binary
MD5: cc4a6695b377b018fa49387e12d0ce59
SHA256: 95be4073feb90e88716ef82ff1ab81e8b604ffa6ee161132d7152d9c853f144d
3140
SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Weather_Notifications,_LL\SevereWeatherAlerts.exe_Url_iizmzxlnptgxiue03na3heyuw1pdjbls\1.21.0.0\user.config
xml
MD5: f6a0034e9c25dc1ee4631cde1475944a
SHA256: babe03f3c6ec954b33ee394e25b11aed005a29efc58d34d47a062c811ba7a349
3140
SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Weather_Notifications,_LL\SevereWeatherAlerts.exe_Url_iizmzxlnptgxiue03na3heyuw1pdjbls\1.21.0.0\lviqbgj4.newcfg
––
MD5:  ––
SHA256:  ––
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\Temp\nsd64C8.tmp\ioSpecial.ini
––
MD5:  ––
SHA256:  ––
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\Temp\nsd64C8.tmp\ioSpecial.ini
text
MD5: c98ada3a1c0f2d33d01f2fd14637ae17
SHA256: 94c091ed2fd2b31b520882f5b40f00c9ae1e69ba5e928443eb9f7cfbdeb75588
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Severe Weather Alerts App.lnk
lnk
MD5: 9ee76b357cdc8a645d57f5b5729ee53d
SHA256: a1798a5d3cb104df235b4e71ac642f669e8253b4c1ac3c929992de81a1dcbf7d
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Severe Weather Alerts\Severe Weather Alerts.lnk
lnk
MD5: 10b50be243d3946348e07d2561631f29
SHA256: 4a5f43f15b6527f5bc0114b6557b8caa806c1f5139a2143846959952beeb64ad
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Severe Weather Alerts.lnk
lnk
MD5: afc557e9fca0887cd6bedbbc7f058603
SHA256: e6a141d74495cffb692ca215b52cb078324b8cd2f58dbfeb55ef6a374acb925c
900
SWAUpdater.exe
C:\Users\Administrator\NTUSER.DAT.LOG1
log
MD5: ca74a1aaeaad0ff7c0b1819eaf8de740
SHA256: 2df6390db07952c8e3ce085ac80c7ba6363860d4aeac96aea60ac8d117816774
900
SWAUpdater.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
log
MD5: 6f36ec370bf50b21f6d3c9a1d3024916
SHA256: 9c50232461ea94eb5329cf528e8b07397aa56a57f6ea54d85e5ec68217a33dd5
900
SWAUpdater.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
hiv
MD5: b5b7e862db01388db56bac0408a9fc77
SHA256: 54936a727e11cb90188823d8e56b692fc13263f1255fb73d95923a101fdb3b92
3140
SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Weather_Notifications,_LL\SevereWeatherAlerts.exe_Url_iizmzxlnptgxiue03na3heyuw1pdjbls\1.21.0.0\user.config
xml
MD5: 5e40c8556cd93a62d125aa2bb38df927
SHA256: f88e93b9b4ea518dd5843618a69a027facb5e3cd6b874b4221a0ff4653a193bd
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp0.dat
binary
MD5: 457b73f64501b3489678d555eb7f46b3
SHA256: d363745224c59cc861a4d50b75ff0aed0b7138b2c1f5e11bfa7800ac4dc38625
3140
SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Weather_Notifications,_LL\SevereWeatherAlerts.exe_Url_iizmzxlnptgxiue03na3heyuw1pdjbls\1.21.0.0\s6ftinfu.newcfg
––
MD5:  ––
SHA256:  ––
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat~RF1102eb.TMP
binary
MD5: 59e8636c7d226b1a7cec61f9355a5ed1
SHA256: a419640af320103f921a9b0004f342cb78ab7d65a8e62b6e603bc40fae2fcb70
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe.config
xml
MD5: 2cafca792cf6d92685107db827c44b00
SHA256: 373da9a0d703d45a914366b89077519e8883256ac5fe18b47161bae6a19a5021
3520
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat
binary
MD5: 59e8636c7d226b1a7cec61f9355a5ed1
SHA256: a419640af320103f921a9b0004f342cb78ab7d65a8e62b6e603bc40fae2fcb70
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\Temp\nsd64C8.tmp\ioSpecial.ini
text
MD5: 9ce84bf9e02668453f22d5c6a7a5e4a1
SHA256: eb1959f15e6bab74800e98671e98ed211dd6b7bde3868e1ab427685d498e4855
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\Temp\nsd64C8.tmp\ioSpecial.ini
text
MD5: 34c06e13176eb1a1a00a7fcd35fbee7d
SHA256: 372b84da5b159aafed23085a07b267b890b87b091ece5ac4082f86658384872d
1700
acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a.exe
C:\Users\admin\AppData\Local\Temp\nsd64C8.tmp\modern-wizard.bmp
image
MD5: cbe40fd2b1ec96daedc65da172d90022
SHA256: 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
900
SWAUpdater.exe
C:\Users\Administrator\NTUSER.DAT
hiv
MD5: 664d2c2e2fefe47fb35e6732ba12df08
SHA256: a478c39855d2dd7aff2aa44ad99970f2b085712840bd88ac94e011263173da40


Network activity

HTTP(S) requests
15
TCP/UDP connections
26
DNS requests
16
Threats
5

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3140 SevereWeatherAlerts.exe GET 200 216.146.43.71:80 http://checkip.dyndns.org/ US
html
shared
3140 SevereWeatherAlerts.exe GET 200 104.16.37.47:80 http://geoip.maxmind.com/b?l=9sm8C3xEMxTs&i=62.212.86.130 US
text
shared
3140 SevereWeatherAlerts.exe GET 200 172.217.21.202:80 http://maps.googleapis.com/maps/api/geocode/xml?address=United%20States&sensor=false US
xml
whitelisted
3140 SevereWeatherAlerts.exe GET 301 13.32.219.90:80 http://www.spc.noaa.gov/products/outlook/archive/2019/KWNSPTSDY1_201904151300.txt US
html
suspicious
3520 SevereWeatherAlertsApp.exe GET 200 5.79.68.107:80 http://survey-smiles.com/ NL
html
whitelisted
3520 SevereWeatherAlertsApp.exe GET 200 5.79.68.107:80 http://survey-smiles.com/ NL
html
whitelisted
3520 SevereWeatherAlertsApp.exe GET 200 5.79.68.107:80 http://survey-smiles.com/ NL
html
whitelisted
3520 SevereWeatherAlertsApp.exe GET 200 5.79.68.107:80 http://survey-smiles.com/ NL
html
whitelisted
3520 SevereWeatherAlertsApp.exe GET 200 5.79.68.107:80 http://survey-smiles.com/ NL
html
whitelisted
3520 SevereWeatherAlertsApp.exe GET 200 5.79.68.107:80 http://survey-smiles.com/ NL
html
whitelisted
3140 SevereWeatherAlerts.exe GET 301 13.32.219.37:80 http://earthquake.usgs.gov/earthquakes/feed/v0.1/summary/2.5_day.csv US
html
whitelisted
900 SWAUpdater.exe GET 200 5.79.68.109:80 http://updates.severeweatheralerts.net/severeweatheralerts/version.php?id=71f6d9f8-242d-4cfe-8dc0-b12af52d66cd&version=1.21.0.0 NL
html
malicious
3520 SevereWeatherAlertsApp.exe POST 302 207.244.65.58:80 http://severeweatheralerts02.severeweatheralerts.net/te.aspx?ver=1.0.9.0&pkg_ver=1.0.9.0&rnd=25 US
text
text
malicious
3520 SevereWeatherAlertsApp.exe GET 200 5.79.68.107:80 http://survey-smiles.com/ NL
html
whitelisted
3520 SevereWeatherAlertsApp.exe POST –– 207.244.65.58:80 http://severeweatheralerts02.severeweatheralerts.net/config.aspx?ver=1.0.9.0&pkg_ver=1.0.9.0&rnd=16 US
text
––
––
malicious


Connections

PID Process IP ASN CN Reputation
3140 SevereWeatherAlerts.exe 216.146.43.71:80 Dynamic Network Services, Inc. US shared
3140 SevereWeatherAlerts.exe 104.16.37.47:80 Cloudflare Inc US shared
3140 SevereWeatherAlerts.exe 172.217.21.202:80 Google Inc. US whitelisted
3140 SevereWeatherAlerts.exe 13.32.219.90:80 Amazon.com, Inc. US unknown
3140 SevereWeatherAlerts.exe 13.32.219.90:443 Amazon.com, Inc. US unknown
3520 SevereWeatherAlertsApp.exe 207.244.65.58:80 Leaseweb USA, Inc. US malicious
3520 SevereWeatherAlertsApp.exe 5.79.68.107:80 LeaseWeb Netherlands B.V. NL suspicious
–– –– 207.244.65.58:80 Leaseweb USA, Inc. US malicious
3140 SevereWeatherAlerts.exe 13.32.219.133:443 Amazon.com, Inc. US unknown
3140 SevereWeatherAlerts.exe 13.32.219.155:443 Amazon.com, Inc. US unknown
3140 SevereWeatherAlerts.exe 13.32.219.221:443 Amazon.com, Inc. US unknown
3140 SevereWeatherAlerts.exe 13.32.219.37:80 Amazon.com, Inc. US unknown
3140 SevereWeatherAlerts.exe 13.32.219.37:443 Amazon.com, Inc. US unknown
900 SWAUpdater.exe 5.79.68.109:80 LeaseWeb Netherlands B.V. NL malicious
–– –– 5.79.68.107:80 LeaseWeb Netherlands B.V. NL suspicious

DNS requests

Domain IP Reputation
checkip.dyndns.org 216.146.43.71
131.186.113.70
216.146.43.70
shared
geoip.maxmind.com 104.16.37.47
104.16.38.47
unknown
maps.googleapis.com 172.217.21.202
216.58.205.234
172.217.21.234
172.217.18.10
172.217.23.138
216.58.207.42
216.58.207.74
172.217.16.170
172.217.16.138
172.217.22.42
172.217.22.106
172.217.16.202
172.217.23.170
whitelisted
www.spc.noaa.gov 13.32.219.90
13.32.219.133
13.32.219.155
13.32.219.221
suspicious
severeweatheralerts02.severeweatheralerts.net 207.244.65.58
unknown
survey-smiles.com 5.79.68.107
whitelisted
dns.msftncsi.com 131.107.255.255
whitelisted
earthquake.usgs.gov 13.32.219.37
13.32.219.70
13.32.219.132
13.32.219.119
whitelisted
updates.severeweatheralerts.net 5.79.68.109
unknown

Threats

PID Process Class Message
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
3140 SevereWeatherAlerts.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup - checkip.dyndns.org
3140 SevereWeatherAlerts.exe A Network Trojan was detected MALWARE [PTsecurity] TR/Spy.Gen IP Check checkip.dyndns.org (AgentTesla)
3140 SevereWeatherAlerts.exe Potentially Bad Traffic ET POLICY DynDNS CheckIp External IP Address Server Response

1 ETPRO signature available in the full report

Debug output strings

Process Message
SevereWeatherAlertsApp.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
SevereWeatherAlertsApp.exe *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144