General Info

File name

AgentTesla inside SevereWeatherAlerts

Full analysis
https://app.any.run/tasks/a7f299b3-0b84-4403-a75f-7fb45700e14e
Verdict
Malicious activity
Analysis date
4/15/2019, 15:46:47
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:

installer

evasion

trojan

rat

agenttesla

opendir

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5

d18c6edb768e000117eeeea3d5fc89be

SHA1

775ceb1bd0d24df850773b5b57ea588983aa18d2

SHA256

acbee4955a1ecf53baa95bb0e3b0c8b87fe320797d626f47041af8feec31d91a

SSDEEP

12288:lnzefKdEN7vYCiXUrTNRw8FC4UaY7HYeesMFAa+i8H6:lnzMKavYsTNRrUz7oxili8H6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
360 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (73.0.3683.86)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x64) - 14.12.25810 (14.12.25810.0)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 x64 Additional Runtime - 14.12.25810 (14.12.25810)
  • Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.12.25810 (14.12.25810)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Mozilla Firefox 65.0.2 (x64 en-US) (65.0.2)
  • Mozilla Maintenance Service (65.0.2)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • SevereWeatherAlerts.exe (PID: 2708)
  • SevereWeatherAlertsApp.exe (PID: 2896)
  • SevereWeatherAlerts.exe (PID: 1376)
  • SevereWeatherAlertsApp.exe (PID: 1464)
Loads dropped or rewritten executable
  • AgentTesla inside SevereWeatherAlerts.exe (PID: 1624)
Writes to a start menu file
  • AgentTesla inside SevereWeatherAlerts.exe (PID: 1624)
Reads the machine GUID from the registry
  • SevereWeatherAlerts.exe (PID: 2708)
  • DllHost.exe (PID: 768)
  • SevereWeatherAlerts.exe (PID: 1376)
Checks for external IP
  • SevereWeatherAlerts.exe (PID: 2708)
  • SevereWeatherAlerts.exe (PID: 1376)
Starts Internet Explorer
  • SevereWeatherAlerts.exe (PID: 2708)
Executable content was dropped or overwritten
  • AgentTesla inside SevereWeatherAlerts.exe (PID: 1624)
Creates files in the user directory
  • AgentTesla inside SevereWeatherAlerts.exe (PID: 1624)
Creates a software uninstall entry
  • AgentTesla inside SevereWeatherAlerts.exe (PID: 1624)
Application launched itself
  • SevereWeatherAlertsApp.exe (PID: 2896)
Reads Internet Cache Settings
  • iexplore.exe (PID: 1892)
Creates files in the user directory
  • IEXPLORE.EXE (PID: 2276)
Changes internet zones settings
  • iexplore.exe (PID: 1892)
Reads settings of System Certificates
  • SevereWeatherAlerts.exe (PID: 2708)
  • iexplore.exe (PID: 1892)
  • SevereWeatherAlerts.exe (PID: 1376)
Reads internet explorer settings
  • IEXPLORE.EXE (PID: 2276)
Reads the machine GUID from the registry
  • iexplore.exe (PID: 1892)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.exe
|   NSIS - Nullsoft Scriptable Install System (94.8%)
.exe
|   Win32 Executable MS Visual C++ (generic) (3.4%)
.dll
|   Win32 Dynamic Link Library (generic) (0.7%)
.exe
|   Win32 Executable (generic) (0.5%)
.exe
|   Generic Win/DOS Executable (0.2%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2009:12:05 23:50:52+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
24064
InitializedDataSize:
164864
UninitializedDataSize:
1024
EntryPoint:
0x30fa
OSVersion:
4
ImageVersion:
6
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
1.23.0.0
ProductVersionNumber:
1.23.0.0
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Windows, Latin1
CompanyName:
Weather Notifications, LLC
FileDescription:
Application
FileVersion:
1.23.0.0
LegalCopyright:
Weather Notifications, LLC © 2013. All Rights Reserved.
ProductName:
Severe Weather Alerts
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
05-Dec-2009 22:50:52
Detected languages
English - United States
CompanyName:
Weather Notifications, LLC
FileDescription:
Application
FileVersion:
1.23.0.0
LegalCopyright:
Weather Notifications, LLC © 2013. All Rights Reserved.
ProductName:
Severe Weather Alerts
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
05-Dec-2009 22:50:52
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00005C4C 0x00005E00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.44011
.rdata 0x00007000 0x0000129C 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.04684
.data 0x00009000 0x00025C58 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.801
.ndata 0x0002F000 0x0000A000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x00039000 0x00004520 0x00004600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.87531
Resources
1

2

3

4

5

6

7

102

103

105

106

107

111

Imports
    KERNEL32.dll

    USER32.dll

    GDI32.dll

    SHELL32.dll

    ADVAPI32.dll

    COMCTL32.dll

    ole32.dll

    VERSION.dll

Exports

    No exports.

Processes

Total processes
43
Monitored processes
8
Malicious processes
1
Suspicious processes
2

Behavior graph

Graph nodes (process tree as extracted from the interactive graph; "drop and start" / "start" are edge labels, "no specs" means no indicator was attached to that node):
  • agenttesla inside severeweatheralerts.exe (drop and start)
  • severeweatheralerts.exe (start)
  • severeweatheralertsapp.exe (no specs)
  • severeweatheralertsapp.exe
  • severeweatheralerts.exe
  • iexplore.exe
  • iexplore.exe
  • RemoteProxyFactory32 Class (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
1624
CMD
"C:\Users\admin\Desktop\AgentTesla inside SevereWeatherAlerts.exe"
Path
C:\Users\admin\Desktop\AgentTesla inside SevereWeatherAlerts.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Weather Notifications, LLC
Description
Application
Version
1.23.0.0
Modules
Image
c:\users\admin\desktop\agenttesla inside severeweatheralerts.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\shfolder.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\riched20.dll
c:\windows\syswow64\uxtheme.dll
c:\users\admin\appdata\local\temp\nsq3c89.tmp\installoptions.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shdocvw.dll
c:\windows\syswow64\linkinfo.dll
c:\windows\syswow64\ntshrui.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\cscapi.dll
c:\windows\syswow64\slc.dll
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralerts.exe
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralertsapp.exe
c:\windows\syswow64\netutils.dll

PID
1376
CMD
"C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe" /installer 1200396 1
Path
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe
Indicators
Parent process
AgentTesla inside SevereWeatherAlerts.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Weather Notifications, LLC
Description
SevereWeatherAlerts
Version
1.21.0.0
Modules
Image
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralerts.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorsec.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.drawing\1deaddfc41ab5efdec9a9b9faa759ada\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.windows.forms\e339f1036b8eb2c6be74704608908927\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuration\a2571a4e32a586b52463d88a83702aed\system.configuration.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.xml\e0542eb82c5f716397d316d5c88f7ae5\system.xml.ni.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\security.dll
c:\windows\system32\schannel.dll

PID
2896
CMD
"C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe" /installevent=10 /distid=1200396 /tpchannelid=1
Path
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe
Indicators
No indicators
Parent process
SevereWeatherAlerts.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
SevereWeatherAlertsApp
Version
1.0.9.0
Modules
Image
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralertsapp.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsec.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\syswow64\riched20.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\imagehlp.dll
c:\windows\syswow64\ncrypt.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\gpapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\ad92dab7f418877d6a1e0358ce35658a\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\ce3c98f2bf220ef17b0cf4233cac6ceb\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\367e5b8a038ac76eba17528bb7b3688e\system.windows.forms.ni.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_5c0be957a009922e\gdiplus.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\00c2b464e52d4e82c04d61592a12a89d\system.management.ni.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\wbem\wmiutils.dll
c:\windows\syswow64\wbemcomn.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\syswow64\wbem\wbemsvc.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\ntdsapi.dll
c:\windows\syswow64\apphelp.dll

PID
1464
CMD
"C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe" /distid=1200396 /tpchannelid=1
Path
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe
Indicators
Parent process
SevereWeatherAlertsApp.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
SevereWeatherAlertsApp
Version
1.0.9.0
Modules
Image
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralertsapp.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsec.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\syswow64\riched20.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\imagehlp.dll
c:\windows\syswow64\ncrypt.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\gpapi.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\ad92dab7f418877d6a1e0358ce35658a\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\ce3c98f2bf220ef17b0cf4233cac6ceb\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\367e5b8a038ac76eba17528bb7b3688e\system.windows.forms.ni.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_5c0be957a009922e\gdiplus.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\00c2b464e52d4e82c04d61592a12a89d\system.management.ni.dll
c:\windows\syswow64\clbcatq.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\wbem\wmiutils.dll
c:\windows\syswow64\wbemcomn.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\syswow64\wbem\wbemsvc.dll
c:\windows\syswow64\wbem\fastprox.dll
c:\windows\syswow64\ntdsapi.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\dhcpcsvc6.dll
c:\windows\syswow64\dhcpcsvc.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\wship6.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\ad8dd536906e94c4bc9cb9b82285580b\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\77c1dc46ea139bf5e1eaa9b87ef03c7a\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\511c39d1efa06d262a6b2f47e2726c73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\rasapi32.dll
c:\windows\syswow64\rasman.dll
c:\windows\syswow64\rtutils.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\credssp.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\macromed\flash\flash32_27_0_0_187.ocx
c:\windows\assembly\nativeimages_v2.0.50727_32\accessibility\7685e267329cb2e8965ed24d23d22727\accessibility.ni.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\syswow64\oleacc.dll
c:\program files (x86)\internet explorer\ieproxy.dll

PID
2708
CMD
"C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe"
Path
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Weather Notifications, LLC
Description
SevereWeatherAlerts
Version
1.21.0.0
Modules
Image
c:\users\admin\appdata\local\severeweatheralerts\severeweatheralerts.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorsec.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.drawing\1deaddfc41ab5efdec9a9b9faa759ada\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.windows.forms\e339f1036b8eb2c6be74704608908927\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.xml\e0542eb82c5f716397d316d5c88f7ae5\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuration\a2571a4e32a586b52463d88a83702aed\system.configuration.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\program files\internet explorer\ieproxy.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

PID
1892
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.spc.noaa.gov/products/outlook/day1otlk.html
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
SevereWeatherAlerts.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieui.dll
c:\windows\system32\propsys.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx
c:\windows\system32\wshqos.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll

PID
2276
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1892 CREDAT:267521 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\mshtml.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\d2d1.dll
c:\windows\syswow64\dwrite.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\credssp.dll
c:\windows\syswow64\schannel.dll
c:\windows\syswow64\ncrypt.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\oleacc.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll
c:\windows\syswow64\macromed\flash\flash32_27_0_0_187.ocx
c:\windows\syswow64\powrprof.dll
c:\windows\syswow64\winmm.dll

PID
768
CMD
C:\Windows\system32\DllHost.exe /Processid:{53362C64-A296-4F2D-A2F8-FD984D08340B}
Path
C:\Windows\system32\DllHost.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\sxs.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll

Registry activity

Total events
1439
Read events
1305
Write events
134
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
1624
AgentTesla inside SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe
1624
AgentTesla inside SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Severe Weather Alerts
DisplayName
Severe Weather Alerts
1624
AgentTesla inside SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Severe Weather Alerts
UninstallString
C:\Users\admin\AppData\Local\SevereWeatherAlerts\uninstall.exe
1624
AgentTesla inside SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Severe Weather Alerts
DisplayVersion
1.23.0.0
1624
AgentTesla inside SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Severe Weather Alerts
Publisher
Weather Notifications, LLC
1624
AgentTesla inside SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Severe Weather Alerts
URLInfoAbout
http://www.severeweatheralerts.net
1376
SevereWeatherAlerts.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
LanguageList
en-US
1376
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1376
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1376
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1376
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1376
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\SevereWeatherAlerts
Installed
True
1376
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\SevereWeatherAlerts
GUID
447fe70d-0943-4562-9581-73c7bebb0276
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
EnableFileTracing
0
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
EnableConsoleTracing
0
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
FileTracingMask
4294901760
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
ConsoleTracingMask
4294901760
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
MaxFileSize
1048576
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASAPI32
FileDirectory
%windir%\tracing
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
EnableFileTracing
0
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
EnableConsoleTracing
0
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
FileTracingMask
4294901760
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
ConsoleTracingMask
4294901760
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
MaxFileSize
1048576
1376
SevereWeatherAlerts.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SevereWeatherAlerts_RASMANCS
FileDirectory
%windir%\tracing
2896
SevereWeatherAlertsApp.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
LanguageList
en-US
1464
SevereWeatherAlertsApp.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
LanguageList
en-US
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing
EnableConsoleTracing
0
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
EnableFileTracing
0
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
EnableConsoleTracing
0
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
FileTracingMask
4294901760
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
ConsoleTracingMask
4294901760
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
MaxFileSize
1048576
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASAPI32
FileDirectory
%windir%\tracing
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
EnableFileTracing
0
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
EnableConsoleTracing
0
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
FileTracingMask
4294901760
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
ConsoleTracingMask
4294901760
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
MaxFileSize
1048576
1464
SevereWeatherAlertsApp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\SevereWeatherAlertsApp_RASMANCS
FileDirectory
%windir%\tracing
2708
SevereWeatherAlerts.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
LanguageList
en-US
2708
SevereWeatherAlerts.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
0100000000000000CCE4341D92F3D401
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPDaysSinceLastAutoMigration
2
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchLowDateTime
491878208
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchHighDateTime
30733202
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateLowDateTime
792193208
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateHighDateTime
30733202
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000077000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{5AEAFA0F-5F85-11E9-8447-5254004AAD21}
0
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
2206B81D92F3D401
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
Active
0
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307040001000F000D0031003B00A503
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
3
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
BackupDefaultSearchScope
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
ChangeNotice
0
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
01000000D08C9DDF0115D1118C7A00C04FC297EB010000002A83B6021EF2C7499630A24288AB3789000000000200000000001066000000010000200000004AE7FF0833EAB4335B2C101F6666A30810A492732E0C01574C3C0C26EA90659A000000000E8000000002000020000000C2B783AC3F376FAB3DB7D3071CB88E0D67FE945D372755867D85996A1624C7D710000000F7EC405076F04B22422186009268376D4000000056E22F71DF04971D6FA1A744E2D1D7F9559E2367CE03A221185941C75AFA22FECAAA1D565DD8F74220E99362753CC26FE457AC8C771B8EC7F21A8EE44C8790C4
1892
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\65\52C64B7E
LanguageList
en-US
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
4
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307040001000F000D0032000900A103
1892
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
4
2276
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
CachePrefix
2276
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
CachePrefix
Cookie:
2276
IEXPLORE.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\History
CachePrefix
Visited:

Files activity

Executable files
8
Suspicious files
15
Text files
76
Unknown types
3

Dropped files

PID
Process
Filename
Type
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsBrowser.exe
executable
MD5: 65c5ac31bc867c0ac16a05002b78b110
SHA256: d77797ea67a8ba795f9d98df39d667f50ef457970a0ae20964215c6d1ff60781
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\uninstall.exe
executable
MD5: 3f83b9eac72673ed46c6186f1d09e60f
SHA256: 6865be77c74c8f82cb54e79be66c6a60a95182571885587c0266a45f2158c2bc
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SWAUpdater.exe
executable
MD5: b71e1957c2899a44f8dda1891aa8cc66
SHA256: ce8cc5436bda31440b86e414f29fc13bd7a5bea381ec4f00e0a31e5fbed94cb1
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp.exe
executable
MD5: 5dad6355a4e6272cb3dc132f2618a1d1
SHA256: 6c876a1878736cdce407e1c82fd8f055d0db0b240a0f1c31d7fca77470aaac89
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\ICSharpCode.SharpZipLib.dll
executable
MD5: 17d67afb3452b3b78a679fa9f4caefd8
SHA256: 68dae50cca679f6ca5c9e4f4225e34d738d34098701dde463f2304415845dd8b
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe
executable
MD5: 74b457db24e9a1677e0d841686f11c95
SHA256: 68c6e2521e232c72da81215a25218bc11758c37010c67dfb52c8478e3a3682a9
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Temp\nsq3C89.tmp\InstallOptions.dll
executable
MD5: 325b008aec81e5aaa57096f05d4212b5
SHA256: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsAppAPI.dll
executable
MD5: 63740795e7fbdaac2255497c3c239635
SHA256: c0a194aede1ef5bb65955cbe2614acbd88893ca5a05a6a1a50a9d7022e89db18
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\twitter-bird-light-bgs[1].png
image
MD5: cd6d0c602b50d7a3d9768c4ca22888e3
SHA256: 2fa680869e21afb52ff3f38ee3b43db0620a3405a0d36e31c3c430f685cc4d16
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\sayt_loader_libs[1].js
text
MD5: 2b713bf6ffe468fc4d6bbbd8a6eaf405
SHA256: 8f0815511a7201e39ae464d1afbdf047b6c1a5761247c35c979a65e05c7ee071
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\sayt[1].css
text
MD5: 33ee9678e110a74fc5c9dce6e35e5cf5
SHA256: ad1af8375b6c6ceff0b6688cedcf42f3463e12878368e929aa00fd961d89947f
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\sayt_loader[1].js
text
MD5: 95887020126f04bd7a546d500bd4aa57
SHA256: 2ef28c0a0e397177ad07d15aad886046ac78931496f60127abc94748bd6b0351
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\remote.loader[1].htm
html
MD5: 19424a1eaf321a60f34a62869fc4dd2c
SHA256: da063d86dafb6b2b4254d9c3d0c2b789f4b70591590a5342e40eba36a0d08c04
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8G5XVSP7.txt
text
MD5: bb7e40d0d55ec027b0db4e98e45c2dd0
SHA256: be4fae406ff57738232fef85b3e8f83ffb0f7382bf03ce0c7132731a35a612c8
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\MYHE2Y68.txt
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\QHZCNITI.txt
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\TNIBFVN3.txt
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\F24B3HW5.txt
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PPGLZJRG.txt
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\Z7QF8UN0.txt
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\ga[1].js
text
MD5: e9372f0ebbcf71f851e3d321ef2a8e5a
SHA256: 1259ea99bd76596239bfd3102c679eb0a5052578dc526b0452f4d42f8bcdd45f
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\G2NNI06Z.txt
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\03DH6E2N.txt
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\A7H05KTC.txt
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\SRXM7FRL.txt
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\analytics[1].js
text
MD5: 0ea40a4cb2873a89cbe597eaea860826
SHA256: 3e552578c7d450b023f2cd9d28f830be4335c3acc6c4ab6dadda0769f09e5f22
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\jquery.min[1].js
text
MD5: 3576a6e73c9dccdbbc4a2cf8ff544ad7
SHA256: 61c6caebd23921741fb5ffe6603f16634fca9840c2bf56ac8201e9264d6daccf
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\utctime[1].js
text
MD5: c11c084fba13678fc8ba1d42c7ee751e
SHA256: 56a034dab67dc151a5ac8bf599222b3c06f1793baedd182be8865d8534b76981
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\noaaleft[1].jpg
image
MD5: f90a568cc687a3230f7e60c38cbad570
SHA256: 00ca959f72b7d87684647c7af72873a68f8e9bf5bc10fa7b486a54c6118ccccd
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\cwa[1].gif
image
MD5: 4a8f440f4336e37fe4fead1d8b56b103
SHA256: 5e48a4a246ac02507efa64bbee6c75d95bac0d500c9e1848e57628f71631a579
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\interstate[1].gif
image
MD5: 4a49901ed7de95c9bf89e83241e5b6cd
SHA256: 23dfd26934c176a0a3bf3f7bbea4b415795323d4813fa77e332a9060910b8bed
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\Federated-Analytics-min[1].js
text
MD5: 3ed7e5a73685640b212673c1480b4811
SHA256: d49b3e7a798bf1ef6f0a17853c85833d630b4652ae26c817e2dd558bacfd9c2a
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\fema_regions[1].png
image
MD5: d3c88716396c648eb5afff5e4c17353d
SHA256: e5a897ad7bccbecffe5bb4eacb8a133d015c4a21c6a9b3ad26ff8d9ec09c14ee
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\nwsexit-spc-min[1].js
html
MD5: 49149b4584336198b7e99a24ca89c946
SHA256: 225feeeefa228990b0eab2262070fc32b27aa7de3798bb561225cd999c8b7dc9
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\artcc[1].gif
image
MD5: b76f1a3cb2ab9b0caf3d40123443b8eb
SHA256: 5b9bfb2eeb561fe9083b75a8799b3b013762285e0ebb8d1fc8edb3d2f6d0fea0
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\cities[1].gif
image
MD5: 1b0f8c3149b13d47ae953bf63920fa54
SHA256: 5aa83c916ae8cd40730de5f7c184b1ddfeef720dd241edf5588ba0db37dd0f5e
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\county[1].gif
image
MD5: 545af6b84fa965b920434ee6fd9bdc84
SHA256: 10478beadf01e5a508bff0af2b83c9e51150957ea249f330ead43cfcbd563ee7
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\population[1].gif
image
MD5: 810986a2082720758e400a49d88f5685
SHA256: 256e1f4315336247dc9cf91da5077e148d1859891e8f540e6a198f35553054cc
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\ncep_bkgrnd[1].jpg
image
MD5: 35bd52a7650f0f09e51005e98148bd30
SHA256: c66ce8700201c6d2ef3bc33496ff5776bc58c7bccc7a7cfdabc3e28c498c1691
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\shp_icon[1].jpg
image
MD5: 624a6af5099490d5cc3881fff9f0fbde
SHA256: 81920ea508c20e7fb597f554968270f675fb32204d9d0a44419771c2bc10fb18
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\usagov_logo_color_110w_30h[1].gif
image
MD5: 1faa154b539b90cc97e02326ec47b175
SHA256: ababf24686bdb7f73babd5ea29991f7470903c1d6625bf5d5d2568fc6887a989
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\KML_icon[1].jpg
image
MD5: bbeef5d95e85eec7c410bc2e9edf5f3a
SHA256: f2a3010be252e0c6ec303b23d783967babd119dcb11cf4b7b94d30234c5ce756
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\map_background[1].gif
image
MD5: 5f421ef550dcf7131964416dfed2e4e2
SHA256: 964695adaeb5f5b8d2e66ad3308d24dd490992d8fe55164850aa90a31f06b096
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\xml2[1].gif
image
MD5: d18cb336a0878a46cb0794cae9680634
SHA256: 3bdc5df8ed2754addc6450368e03ff18d8bf22e989700c2d11edc0039de23064
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\navbarleft[1].jpg
image
MD5: 425205d99461559255d2fd2cfe6be17a
SHA256: 9abefee03f10f8145f98d4c09109e063766c674e4e04cfd5d0a37d965db9ac0b
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\navbkgrnd[1].gif
image
MD5: 689faf1cd2336a35be12e6ae6190402c
SHA256: 50400c833a82d4f44a036b24463feb516ca33266feb064ecaea2506c9c520138
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Temp\nsq3C89.tmp\modern-wizard.bmp
image
MD5: cbe40fd2b1ec96daedc65da172d90022
SHA256: 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\navbarendcap[1].jpg
image
MD5: e11ad73b4484136f8ec16ffa0e1158b1
SHA256: c8e631145db80a03046109580ef4c849ead8d9cc7a759439a83d74ed0ec9e72d
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\Universal-Federated-Analytics-Min[1].js
text
MD5: 7571c624d83d2126a02d544d50a914b3
SHA256: c84b740502772a2e24349189e0f58823c604679d4e0d1d7cffd16ffe76b4d7a0
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\facebook_logo[1].gif
image
MD5: a3d4104a52a333919619e529a7d0371b
SHA256: 0f54b83d82bb1d8af7d297231c21b7d418f4ffe25ffa330a58b084de4bbf2cc6
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\spc[1].jpg
image
MD5: 49fef654254693f0fb72bf1103d99575
SHA256: 5f4f978f791a417c7af261249902050beabfaab7dc1cb7f7106bd6cdbc7108bc
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\nwsright[1].jpg
image
MD5: 7e26ece9ea10e4547860e0cd8e69c5d4
SHA256: 4c9b5f8e10608e0215f9759ef8f71dff8c62858e20fc23343c88ee777994e033
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\noaa_nws_title[1].jpg
image
MD5: e4fc5c9a7d33137babb0e19bada4f0ff
SHA256: 9fd29510734626a3fd4799d44af10b537505ded607a14540c52ce45c71222fe5
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\topbanner[1].jpg
image
MD5: c3a2e21a9c60753715f30cf98992eb89
SHA256: b2fc4f4f8687599e450e0b5c33bd19c0d72885a89ba40c65083aa42c37ad9dcf
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\skipgraphic[1].gif
image
MD5: 32a33e3728134a9b16bb1d9e2461cbfb
SHA256: a6d226933c37dfc8b00da58efb6654f6b15d287c9d05a8997419f1c36a1d4af1
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\1024_navbar[1].gif
image
MD5: 1ccd53446eed4c477ea6dbb43536d063
SHA256: ce1abcb19649933385950cd1378bee79765570a4c828e69eb4254623fa43d8cc
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\lastMod[1].js
text
MD5: 7ff93ad9fbd32a220860e3fbc50e2ab3
SHA256: 30e84380f2bfa7fb7129149df88651c746f72042a5c59fbcb9b105f2e5ee6429
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\main[1].css
text
MD5: 54befecb86cf834a9fe043f9577f8150
SHA256: d896e2dd13d2f483f91b45551d30ac78aa4d3e88b32b2e92fa04b1227c169bcf
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\spccwi[1].css
text
MD5: 4e358c75dee0792f792a2b7a8d84cacd
SHA256: a7f641e427bdffcfecada2be2cf98f74245e7f4216011879dea4dd994b83ead4
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\day1otlk[1].htm
html
MD5: 0ffb523bd94c3e710d566d34837c4815
SHA256: 51979ae233339795e07c5b549e3384e8aa2690f91b2c3f722c48b4852ef0abb7
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\day1otlk[1].htm
html
MD5: e4e384d6672787c1bb2a9b500114f1f5
SHA256: 80785f5520097dde3b28c617171415cd690cbf1e0353a5f3e348c83a4656ea0f
1464
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat~RF1c0e5f.TMP
binary
MD5: 4f7f1be7ff89ba757b68d3e7c0785ec6
SHA256: 4e10610445422c1fdd864126a602bcac19b283298ab68474522a867df6fdf3e4
1464
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat
binary
MD5: 4f7f1be7ff89ba757b68d3e7c0785ec6
SHA256: 4e10610445422c1fdd864126a602bcac19b283298ab68474522a867df6fdf3e4
1464
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat.tmp
––
MD5:  ––
SHA256:  ––
1464
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat~RF1c0dd2.TMP
binary
MD5: 4f7f1be7ff89ba757b68d3e7c0785ec6
SHA256: 4e10610445422c1fdd864126a602bcac19b283298ab68474522a867df6fdf3e4
1464
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat~RF1c0dc3.TMP
binary
MD5: 4f7f1be7ff89ba757b68d3e7c0785ec6
SHA256: 4e10610445422c1fdd864126a602bcac19b283298ab68474522a867df6fdf3e4
1464
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp0.dat~RF1b686b.TMP
binary
MD5: 802a24a3cd48382e1754cbc34276a4fd
SHA256: 0ce141f81eaa6267165c106f918f9aa8af001e73e1a5aa3b316c00b6fa21c470
1464
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp0.dat
binary
MD5: 802a24a3cd48382e1754cbc34276a4fd
SHA256: 0ce141f81eaa6267165c106f918f9aa8af001e73e1a5aa3b316c00b6fa21c470
1464
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp0.dat.tmp
––
MD5:  ––
SHA256:  ––
1464
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat
binary
MD5: cc4a6695b377b018fa49387e12d0ce59
SHA256: 95be4073feb90e88716ef82ff1ab81e8b604ffa6ee161132d7152d9c853f144d
1464
SevereWeatherAlertsApp.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\mod.SevereWeatherAlertsApp0.dat~RF1b67af.TMP
binary
MD5: cc4a6695b377b018fa49387e12d0ce59
SHA256: 95be4073feb90e88716ef82ff1ab81e8b604ffa6ee161132d7152d9c853f144d
1376
SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Weather_Notifications,_LL\SevereWeatherAlerts.exe_Url_iizmzxlnptgxiue03na3heyuw1pdjbls\1.21.0.0\user.config
xml
MD5: f6a0034e9c25dc1ee4631cde1475944a
SHA256: babe03f3c6ec954b33ee394e25b11aed005a29efc58d34d47a062c811ba7a349
1376
SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Weather_Notifications,_LL\SevereWeatherAlerts.exe_Url_iizmzxlnptgxiue03na3heyuw1pdjbls\1.21.0.0\4ahefssw.newcfg
––
MD5:  ––
SHA256:  ––
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Temp\nsq3C89.tmp\ioSpecial.ini
––
MD5:  ––
SHA256:  ––
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Temp\nsq3C89.tmp\ioSpecial.ini
text
MD5: eba6d9870c6fc8159718ec28b2a29532
SHA256: 95a43fadb2db570025e51c1b1b2bb4663c25f9b12ad427c3bc18bfcfb3eccadd
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Severe Weather Alerts App.lnk
lnk
MD5: 6d33a379bb13796537b54004b55abcfc
SHA256: 787e622b9e4db6b20d354d7ab093fda0e77c27e84e568ba91332c01b3e33a963
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Severe Weather Alerts.lnk
lnk
MD5: 2d917a949681d46a5a8383f3191feb5a
SHA256: 3f1b5e653b4954894c2358c1a86a71a2437df946512991d0ba4c4378099885de
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Severe Weather Alerts\Severe Weather Alerts.lnk
lnk
MD5: cdf435acbdfbe3711d2bcebb2b0bf92d
SHA256: 643d6fc985e674d409c2ef0c29d159a29319cf210b26da550b40f12cee99f2eb
1892
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\toi5kkc\imagestore.dat
binary
MD5: 2f7e2b8ea8f4b0bd0976cf4632f3b632
SHA256: ecdbd6241075060d39e684f69d798abe0d372ec8973ea1148ed0716fa7bbe7d3
1892
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
1892
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\favicon[1].ico
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlertsApp0.dat
binary
MD5: 457b73f64501b3489678d555eb7f46b3
SHA256: d363745224c59cc861a4d50b75ff0aed0b7138b2c1f5e11bfa7800ac4dc38625
1892
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico
––
MD5:  ––
SHA256:  ––
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\impacts[1].css
text
MD5: 5a465894e7fbf36b61f71f65b76359e6
SHA256: 222a663700f0d837019ff94c2e59e9ddcb3292e463266b56bdb2dc52d7fe54da
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\ui-bg_flat_75_ffffff_40x100-39ab7ccd9f4e82579da78a9241265df288d8eb65dbbd7cf48aed2d0129887df5[1].png
image
MD5: 8692e6efddf882acbff144c38ea7dfdf
SHA256: 39ab7ccd9f4e82579da78a9241265df288d8eb65dbbd7cf48aed2d0129887df5
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\ac1_1300_SItable[1].htm
html
MD5: 2765f5b893b271b961c7c9b2233827d3
SHA256: 71055dfda07d6227ab6ddc2627a365a7a0425528bc102f5fca39df48d81a68ad
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\SevereWeatherAlerts\SevereWeatherAlerts.exe.config
xml
MD5: 2cafca792cf6d92685107db827c44b00
SHA256: 373da9a0d703d45a914366b89077519e8883256ac5fe18b47161bae6a19a5021
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Temp\nsq3C89.tmp\ioSpecial.ini
text
MD5: 58c2fab3fa04807a2ddd465a3765a7a2
SHA256: fe6bf3fd252641d2f82ab030a98d14a134435e3729a04cec8d2f10c9d2602755
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Temp\nsq3C89.tmp\ioSpecial.ini
text
MD5: a5dff58c04b5e45d83e719ad793061da
SHA256: 5c42e14c7c8ee178666eb8b1cdee724063e8f98df1a44b575da6cf27a7c59e94
2276
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\day1otlk_1300[1].gif
image
MD5: fe0dd069fcc55565c7c9a90c11d02392
SHA256: 7f65ffba6c53cc849d06be6d245412666a507d377701af652192be4bf23e276f
1624
AgentTesla inside SevereWeatherAlerts.exe
C:\Users\admin\AppData\Local\Temp\nsq3C89.tmp\ioSpecial.ini
text
MD5: f1c8baf01c9718a019b076fd221b3212
SHA256: c42e80d2f11501e1dbb2c8f05f7df1a1bf1b9f12374fe138582fd86272f91564
1892
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico
image
MD5: 672bbd94428bb45eb2839c7eca976ef3
SHA256: be594b48336e2545d169dcb07629b83581c9ca79003d53d24bbf4675a54f4cab


Network activity

HTTP(S) requests: 75
TCP/UDP connections: 53
DNS requests: 25
Threats: 9

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
1376 SevereWeatherAlerts.exe GET 200 131.186.113.70:80 http://checkip.dyndns.org/ US html shared
1464 SevereWeatherAlertsApp.exe GET 200 5.79.68.107:80 http://survey-smiles.com/ NL html malicious
1376 SevereWeatherAlerts.exe GET 200 104.16.38.47:80 http://geoip.maxmind.com/b?l=9sm8C3xEMxTs&i=62.212.86.130 US text shared
2708 SevereWeatherAlerts.exe GET 200 13.32.219.221:443 https://www.spc.noaa.gov/products/outlook/archive/2019/KWNSPTSDY1_201904151300.txt US text shared
2708 SevereWeatherAlerts.exe GET 200 131.186.113.70:80 http://checkip.dyndns.org/ US html shared
2708 SevereWeatherAlerts.exe GET 200 104.16.37.47:80 http://geoip.maxmind.com/b?l=9sm8C3xEMxTs&i=62.212.86.130 US text shared
2708 SevereWeatherAlerts.exe GET 200 172.217.22.106:80 http://maps.googleapis.com/maps/api/geocode/xml?address=United%20States&sensor=false US xml whitelisted
2708 SevereWeatherAlerts.exe GET 301 13.32.219.221:80 http://www.spc.noaa.gov/products/outlook/archive/2019/KWNSPTSDY1_201904151300.txt US html shared
2708 SevereWeatherAlerts.exe GET 410 13.32.219.119:443 https://earthquake.usgs.gov/earthquakes/feed/v0.1/summary/2.5_day.csv US html whitelisted
2708 SevereWeatherAlerts.exe GET 200 13.32.219.221:443 https://www.spc.noaa.gov/products/outlook/archive/2019/day1otlk_20190415_1300.gif US image shared
2708 SevereWeatherAlerts.exe GET 301 13.32.219.119:80 http://earthquake.usgs.gov/earthquakes/feed/v0.1/summary/2.5_day.csv US html whitelisted
2708 SevereWeatherAlerts.exe GET 301 13.32.219.221:80 http://www.spc.noaa.gov/products/outlook/archive/2019/day1otlk_20190415_1300.gif US html shared
1376 SevereWeatherAlerts.exe GET 200 13.32.219.221:443 https://www.spc.noaa.gov/products/outlook/archive/2019/KWNSPTSDY1_201904151300.txt US text shared
1376 SevereWeatherAlerts.exe GET 301 13.32.219.221:80 http://www.spc.noaa.gov/products/outlook/archive/2019/KWNSPTSDY1_201904151300.txt US html shared
1376 SevereWeatherAlerts.exe GET 410 13.32.219.70:443 https://earthquake.usgs.gov/earthquakes/feed/v0.1/summary/2.5_day.csv US html whitelisted
1376 SevereWeatherAlerts.exe GET 301 13.32.219.70:80 http://earthquake.usgs.gov/earthquakes/feed/v0.1/summary/2.5_day.csv US html whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/day1otlk.html US html whitelisted
2276 IEXPLORE.EXE GET 301 13.32.219.133:80 http://www.spc.noaa.gov/products/outlook/day1otlk.html US html whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/spccwi.css US text whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/main.css US text whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/lastMod.js US text whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/1024_navbar.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/topbanner.jpg US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/skipgraphic.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/noaa_nws_title.jpg US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/nwsright.jpg US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/spc.jpg US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/navbkgrnd.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/navbarleft.jpg US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=DOC&subagency=NOAA&pua=UA-52727918-1&dclink=true US text whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/navbarendcap.jpg US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/facebook_logo.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/twitter-bird-light-bgs.png US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/xml2.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/usagov_logo_color_110w_30h.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/ncep_bkgrnd.jpg US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/shp_icon.jpg US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/KML_icon.jpg US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/imgs/map_background.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/imgs/population.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/imgs/county.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/imgs/cwa.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/imgs/interstate.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/imgs/cities.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/imgs/artcc.gif US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/imgs/fema_regions.png US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/GA/Federated-Analytics-min.js?agency=DOC&subagency=NOAA&pua=UA-52727918-1 US text whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/js/nwsexit-spc-min.js US html whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/nwscwi/noaaleft.jpg US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/utctime.js US text whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/js/jquery.min.js US text whitelisted
2276 IEXPLORE.EXE GET 301 52.201.195.38:443 https://search.usa.gov/javascripts/remote.loader.js US html whitelisted
2276 IEXPLORE.EXE GET 200 216.58.207.78:443 https://www.google-analytics.com/analytics.js US text whitelisted
2276 IEXPLORE.EXE GET 200 172.217.21.232:443 https://ssl.google-analytics.com/ga.js US text whitelisted
2276 IEXPLORE.EXE GET 200 216.58.207.78:443 https://www.google-analytics.com/collect?v=1&_v=j73&aip=1&a=18875010&t=pageview&_s=1&dl=https%3A%2F%2Fwww.spc.noaa.gov%2Fproducts%2Foutlook%2Fday1otlk.html&dp=%2Fproducts%2Foutlook%2Fday1otlk.html&ul=en-us&de=windows-1252&dt=Storm%20Prediction%20Center%20Apr%2015%2C%202019%201300%20UTC%20Day%201%20Convective%20Outlook&sd=24-bit&sr=1280x720&vp=1264x621&je=1&fl=27.0%20r0&_u=YGBAgQQ~&jid=1436721123&gjid=996847746&cid=1043085586.1555336203&tid=UA-33523145-1&_gid=1417990034.1555336203&cd1=DOC&cd2=DOC%20-%20spc.noaa.gov&cd3=20171207%20v4.0%20-%20Universal%20Analytics&cd4=unspecified%3Aspc.noaa.gov&cd5=unspecified%3Aspc.noaa.gov&cd6=https%3A%2F%2Fdap.digitalgov.gov%2FUniversal-Federated-Analytics-Min.js&cd7=https%3A&z=902122228 US image whitelisted
2276 IEXPLORE.EXE GET 200 216.58.207.78:443 https://www.google-analytics.com/collect?v=1&_v=j73&aip=1&a=18875010&t=pageview&_s=1&dl=https%3A%2F%2Fwww.spc.noaa.gov%2Fproducts%2Foutlook%2Fday1otlk.html&dp=%2Fproducts%2Foutlook%2Fday1otlk.html&ul=en-us&de=windows-1252&dt=Storm%20Prediction%20Center%20Apr%2015%2C%202019%201300%20UTC%20Day%201%20Convective%20Outlook&sd=24-bit&sr=1280x720&vp=1264x621&je=1&fl=27.0%20r0&_u=YGDAgQQ~&jid=629177883&gjid=422223383&cid=1043085586.1555336203&tid=UA-52727918-1&_gid=1417990034.1555336203&z=1055798166 US image whitelisted
2276 IEXPLORE.EXE GET 200 172.217.21.232:443 https://ssl.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=1&utmn=143019669&utmhn=www.spc.noaa.gov&utme=8(33!Agency*Sub-Agency*Code%20Ver)9(33!DOC*DOC%20-%20NOAA*v1.76%20140514%20%3A%20Fix%20for%20extra%20sub-domain%20cookie%20in%20cross-sub-domain%20tracking)&utmcs=windows-1252&utmsr=1280x720&utmvp=1264x621&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=27.0%20r0&utmdt=Storm%20Prediction%20Center%20Apr%2015%2C%202019%201300%20UTC%20Day%201%20Convective%20Outlook&utmhid=18875010&utmr=-&utmp=%2Fproducts%2Foutlook%2Fday1otlk.html&utmht=1555336203459&utmac=UA-33523145-1&utmcc=__utma%3D259181128.1043085586.1555336203.1555336203.1555336203.1%3B%2B__utmz%3D259181128.1555336203.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=988232903&utmredir=1&utmmt=1&utmu=qRSgAAAAMAAAAAAAAAABAQAE~ US image whitelisted
2276 IEXPLORE.EXE GET 302 172.217.21.232:443 https://ssl.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=2&utmn=1975673783&utmhn=www.spc.noaa.gov&utme=8(33!Agency*Sub-Agency*Code%20Ver)9(33!DOC*DOC%20-%20NOAA*v1.76%20140514%20%3A%20Fix%20for%20extra%20sub-domain%20cookie%20in%20cross-sub-domain%20tracking)&utmcs=windows-1252&utmsr=1280x720&utmvp=1264x621&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=27.0%20r0&utmdt=Storm%20Prediction%20Center%20Apr%2015%2C%202019%201300%20UTC%20Day%201%20Convective%20Outlook&utmhid=18875010&utmr=-&utmp=%2Fproducts%2Foutlook%2Fday1otlk.html&utmht=1555336203465&utmac=UA-52727918-1&utmcc=__utma%3D259181128.1043085586.1555336203.1555336203.1555336203.1%3B%2B__utmz%3D259181128.1555336203.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&aip=1&utmjid=1853558101&utmredir=1&utmmt=1&utmu=qRSgAAAAMAAAAAAAAAABAQAE~ US html whitelisted
2276 IEXPLORE.EXE GET 200 52.201.195.38:443 https://search.usa.gov/assets/sayt_loader.js US text whitelisted
2276 IEXPLORE.EXE GET 200 52.201.195.38:443 https://search.usa.gov/assets/sayt.css US text whitelisted
2276 IEXPLORE.EXE GET 200 52.201.195.38:443 https://search.usa.gov/assets/sayt_loader_libs.js US text whitelisted
2276 IEXPLORE.EXE GET 302 74.125.133.155:443 https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j73&tid=UA-52727918-1&cid=1043085586.1555336203&jid=629177883&gjid=422223383&_gid=1417990034.1555336203&_u=YGDAgQQ~&z=361679757 US html whitelisted
2276 IEXPLORE.EXE GET 200 74.125.133.155:443 https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j73&tid=UA-33523145-1&cid=1043085586.1555336203&jid=1436721123&gjid=996847746&_gid=1417990034.1555336203&_u=YGBAgQQ~&z=743206526 US image whitelisted
2276 IEXPLORE.EXE GET 302 74.125.133.155:443 https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-52727918-1&cid=1043085586.1555336203&jid=1853558101&_v=5.7.2&z=1975673783 US html whitelisted
2276 IEXPLORE.EXE GET 302 172.217.17.68:443 https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-52727918-1&cid=1043085586.1555336203&jid=629177883&_v=j73&z=361679757 US –– –– whitelisted
2276 IEXPLORE.EXE GET 302 172.217.17.68:443 https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-52727918-1&cid=1043085586.1555336203&jid=1853558101&_v=5.7.2&z=1975673783 US –– –– whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/day1otlk_1300.gif?1555336204408 US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/products/outlook/ac1_1300_SItable.html US html whitelisted
2276 IEXPLORE.EXE GET 200 52.201.195.38:443 https://search.usa.gov/assets/legacy/sayt/ui-bg_flat_75_ffffff_40x100-39ab7ccd9f4e82579da78a9241265df288d8eb65dbbd7cf48aed2d0129887df5.png US image whitelisted
2276 IEXPLORE.EXE GET 200 13.32.219.133:443 https://www.spc.noaa.gov/misc/impacts.css US text whitelisted
2276 IEXPLORE.EXE GET 200 216.58.207.35:443 https://www.google.nl/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-52727918-1&cid=1043085586.1555336203&jid=629177883&_v=j73&z=361679757&slf_rd=1&random=2726392942 US image whitelisted
2276 IEXPLORE.EXE GET 200 216.58.207.35:443 https://www.google.nl/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-52727918-1&cid=1043085586.1555336203&jid=1853558101&_v=5.7.2&z=1975673783&slf_rd=1&random=2116259366 US image whitelisted
1892 iexplore.exe GET 200 13.107.21.200:443 https://www.bing.com/favicon.ico US image whitelisted
1892 iexplore.exe GET 200 13.107.21.200:443 https://www.bing.com/favicon.ico US image whitelisted
1892 iexplore.exe GET 200 13.32.219.133:443 https://www.spc.noaa.gov/favicon.ico US image whitelisted


Connections

PID Process IP ASN CN Reputation
1376 SevereWeatherAlerts.exe 131.186.113.70:80 US suspicious
1464 SevereWeatherAlertsApp.exe 5.79.68.109:80 LeaseWeb Netherlands B.V. NL malicious
1464 SevereWeatherAlertsApp.exe 5.79.68.107:80 LeaseWeb Netherlands B.V. NL unknown
1376 SevereWeatherAlerts.exe 104.16.38.47:80 Cloudflare Inc US shared
1376 SevereWeatherAlerts.exe 172.217.22.106:80 Google Inc. US whitelisted
1376 SevereWeatherAlerts.exe 172.217.18.106:80 Google Inc. US whitelisted
1376 SevereWeatherAlerts.exe 172.217.23.170:80 Google Inc. US whitelisted
2708 SevereWeatherAlerts.exe 131.186.113.70:80 US suspicious
2708 SevereWeatherAlerts.exe 104.16.37.47:80 Cloudflare Inc US shared
2708 SevereWeatherAlerts.exe 172.217.22.106:80 Google Inc. US whitelisted
2708 SevereWeatherAlerts.exe 13.32.219.221:80 Amazon.com, Inc. US unknown
2708 SevereWeatherAlerts.exe 13.32.219.221:443 Amazon.com, Inc. US unknown
2708 SevereWeatherAlerts.exe 13.32.219.119:80 Amazon.com, Inc. US unknown
2708 SevereWeatherAlerts.exe 13.32.219.119:443 Amazon.com, Inc. US unknown
1376 SevereWeatherAlerts.exe 172.217.21.202:80 Google Inc. US whitelisted
1376 SevereWeatherAlerts.exe 216.58.205.234:80 Google Inc. US whitelisted
1376 SevereWeatherAlerts.exe 13.32.219.221:80 Amazon.com, Inc. US unknown
1376 SevereWeatherAlerts.exe 13.32.219.221:443 Amazon.com, Inc. US unknown
1376 SevereWeatherAlerts.exe 13.32.219.70:80 Amazon.com, Inc. US unknown
1376 SevereWeatherAlerts.exe 13.32.219.70:443 Amazon.com, Inc. US unknown
2276 IEXPLORE.EXE 13.32.219.133:80 Amazon.com, Inc. US unknown
2276 IEXPLORE.EXE 13.32.219.133:443 Amazon.com, Inc. US unknown
2276 IEXPLORE.EXE 52.201.195.38:443 Amazon.com, Inc. US unknown
2276 IEXPLORE.EXE 216.58.207.78:443 Google Inc. US whitelisted
2276 IEXPLORE.EXE 172.217.21.232:443 Google Inc. US whitelisted
2276 IEXPLORE.EXE 74.125.133.155:443 Google Inc. US whitelisted
2276 IEXPLORE.EXE 172.217.17.68:443 Google Inc. US whitelisted
1892 iexplore.exe 13.107.21.200:443 Microsoft Corporation US whitelisted
2276 IEXPLORE.EXE 216.58.207.35:443 Google Inc. US whitelisted
1892 iexplore.exe 13.32.219.133:443 Amazon.com, Inc. US unknown

DNS requests

Domain IP Reputation
checkip.dyndns.org 131.186.113.70, 216.146.43.70, 216.146.43.71 shared
severeweatheralerts02.severeweatheralerts.net 5.79.68.109 unknown
survey-smiles.com 5.79.68.107 malicious
geoip.maxmind.com 104.16.38.47, 104.16.37.47 unknown
maps.googleapis.com 172.217.22.106, 172.217.18.106, 172.217.23.170, 172.217.21.202, 216.58.205.234, 172.217.21.234, 172.217.22.10, 172.217.18.170, 172.217.16.138 whitelisted
dns.msftncsi.com 131.107.255.255 whitelisted
www.spc.noaa.gov 13.32.219.221, 13.32.219.90, 13.32.219.133, 13.32.219.155 unknown
earthquake.usgs.gov 13.32.219.119, 13.32.219.132, 13.32.219.37, 13.32.219.70 unknown
dap.digitalgov.gov 13.32.219.133, 13.32.219.236, 13.32.219.37, 13.32.219.53 whitelisted
search.usa.gov 52.201.195.38, 34.200.177.191, 54.152.204.18 whitelisted
ssl.google-analytics.com 172.217.21.232 whitelisted
www.google-analytics.com 216.58.207.78 whitelisted
api.bing.com 13.107.5.80 whitelisted
www.bing.com 13.107.21.200, 204.79.197.200 whitelisted
stats.g.doubleclick.net 74.125.133.155, 74.125.133.154, 74.125.133.157, 74.125.133.156 whitelisted
www.google.com 172.217.17.68 whitelisted
www.google.nl 216.58.207.35 whitelisted

Threats

PID Process Class Message
–– –– Misc activity ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
1376 SevereWeatherAlerts.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup - checkip.dyndns.org
1376 SevereWeatherAlerts.exe A Network Trojan was detected MALWARE [PTsecurity] TR/Spy.Gen IP Check checkip.dyndns.org (AgentTesla)
1376 SevereWeatherAlerts.exe Potentially Bad Traffic ET POLICY DynDNS CheckIp External IP Address Server Response
2708 SevereWeatherAlerts.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup - checkip.dyndns.org
2708 SevereWeatherAlerts.exe A Network Trojan was detected MALWARE [PTsecurity] TR/Spy.Gen IP Check checkip.dyndns.org (AgentTesla)
2708 SevereWeatherAlerts.exe Potentially Bad Traffic ET POLICY DynDNS CheckIp External IP Address Server Response

2 ETPRO signatures available at the full report

Debug output strings

Process Message
–– base\diagnosis\diagtrack\engine\heartbeat.cpp(199)\diagtrack.dll!000007FEFA4EDA84: (caller: 000007FEFA4ED257) ReturnHr[PreRelease](60) tid(514) 80070510 The requested file operation failed because the storage policy blocks that type of file. For more information, contact your system administrator.