General Info

URL

https://adpop.xyz/UN3HO

Full analysis
https://app.any.run/tasks/10267052-90bd-40d1-a121-ae093f5a2596
Verdict
Malicious activity
Analysis date
6/12/2019, 13:52:30
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Connects to CnC server
  • rundll32.exe (PID: 3740)
Creates files in the program directory
  • rundll32.exe (PID: 272)
Application launched itself
  • rundll32.exe (PID: 3740)
Executable content was dropped or overwritten
  • rundll32.exe (PID: 272)
Uses RUNDLL32.EXE to load library
  • rundll32.exe (PID: 3740)
  • dllhost.exe (PID: 1724)
Low-level read access rights to disk partition
  • rundll32.exe (PID: 3740)
Executed via COM
  • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3932)
Reads Internet Cache Settings
  • dllhost.exe (PID: 1724)
Creates COM task schedule object
  • rundll32.exe (PID: 272)
Creates files in the user directory
  • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3932)
  • iexplore.exe (PID: 3416)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2976)
  • iexplore.exe (PID: 3416)
Reads internet explorer settings
  • iexplore.exe (PID: 3416)
Changes internet zones settings
  • iexplore.exe (PID: 2976)
Application launched itself
  • iexplore.exe (PID: 2976)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Screenshots

Processes

Total processes
44
Monitored processes
11
Malicious processes
1
Suspicious processes
2

Behavior graph

Process chain shown in the graph: start → iexplore.exe → iexplore.exe → flashutil32_26_0_0_131_activex.exe (no specs) → dllhost.exe → rundll32.exe → rundll32.exe → dllhost.exe (no specs) → msdtc.exe → wmiprvse.exe → dllhost.exe (no specs) → mscorsvw.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2976
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wer.dll
c:\windows\system32\mssprxy.dll

PID
3416
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2976 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\feclient.dll
c:\windows\system32\t2embed.dll
c:\windows\system32\iepeers.dll
c:\windows\system32\winspool.drv
c:\windows\system32\jscript.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\macromed\flash\flash32_26_0_0_131.ocx
c:\windows\system32\winmm.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\mscms.dll
c:\windows\system32\dinput8.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\ddrawex.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\program files\common files\adobe\acrobat\activex\acropdf.dll
c:\program files\common files\adobe\acrobat\activex\acropdfimpl.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msvcp120.dll
c:\windows\system32\msvcr120.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\wmp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\wmploc.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\dllhost.exe

PID
3932
CMD
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version
26,0,0,131
Modules
Image
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\version.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\dinput8.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

PID
1724
CMD
"C:\Windows\system32\dllhost.exe"
Path
C:\Windows\system32\dllhost.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rundll32.exe

PID
3740
CMD
InetCpl.cpl,ClearMyTracksByProcess 8
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
dllhost.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll

PID
272
CMD
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D6}
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
rundll32.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
4294967294
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\dllhost.exe
c:\windows\system32\samlib.dll

PID
2884
CMD
/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D6}
Path
C:\Windows\system32\dllhost.exe
Indicators
No indicators
Parent process
rundll32.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msdtc.exe
c:\windows\system32\shlwapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe

PID
2108
CMD
"C:\Windows\system32\msdtc.exe"
Path
C:\Windows\system32\msdtc.exe
Indicators
Parent process
dllhost.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Distributed Transaction Coordinator Service
Version
2001.12.8530.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msdtc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msdtctm.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msdtcprx.dll
c:\windows\system32\mtxclu.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\resutils.dll
c:\windows\system32\version.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\msdtclog.dll
c:\windows\system32\winmm.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\winsta.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dllhost.exe

PID
2816
CMD
"C:\Windows\system32\wbem\WmiPrvSE.exe"
Path
C:\Windows\system32\wbem\WmiPrvSE.exe
Indicators
Parent process
msdtc.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
WMI Provider Host
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\wbem\wmiprvse.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ncobjapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

PID
3688
CMD
"C:\Windows\system32\dllhost.exe"
Path
C:\Windows\system32\dllhost.exe
Indicators
No indicators
Parent process
msdtc.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwm.exe
c:\windows\explorer.exe
c:\windows\system32\taskeng.exe
c:\windows\system32\ctfmon.exe
c:\windows\system32\windanr.exe
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\windows\system32\audiodg.exe

PID
3124
CMD
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Indicators
Parent process
dllhost.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
.NET Runtime Optimization Service
Version
2.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll

Registry activity

Total events
580
Read events
476
Write events
102
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
2976
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{9E176481-8D08-11E9-A09E-5254004A04AF}
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307060003000C000B0034003900A603
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307060003000C000B0034003900A603
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307060003000C000B0034003A007A00
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
27
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307060003000C000B0034003A00B800
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
511
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307060003000C000B0034003A009D02
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
65
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Type
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307060003000C000B0035001200E101
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
2
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307060003000C000B00350013009900
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019061220190613
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061220190613
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019061220190613
CachePrefix
:2019061220190613:
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019061220190613
CacheLimit
8192
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019061220190613
CacheOptions
11
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019061220190613
CacheRepair
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
C8F1F66E1521D501
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
3
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307060003000C000B0035001500CC02
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA8A9780-280D-11CF-A24D-444553540000}\iexplore
Type
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA8A9780-280D-11CF-A24D-444553540000}\iexplore
Flags
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA8A9780-280D-11CF-A24D-444553540000}\iexplore
Count
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA8A9780-280D-11CF-A24D-444553540000}\iexplore
Time
E307060003000C000B00350015005803
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore
Type
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore
Flags
0
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore
Count
1
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6BF52A52-394A-11D3-B153-00C04F79FAA6}\iexplore
Time
E307060003000C000B00350016000D00
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
4
2976
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307060003000C000B00350018000101
3416
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
3416
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\ErrorReporting
LastShipAssertTime
F416D16B1521D501
3416
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019061220190613
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019061220190613
3416
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019061220190613
CachePrefix
:2019061220190613:
3416
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019061220190613
CacheLimit
8192
3416
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019061220190613
CacheOptions
11
3416
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019061220190613
CacheRepair
0
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
EnableFileTracing
0
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
EnableConsoleTracing
0
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
FileTracingMask
4294901760
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
ConsoleTracingMask
4294901760
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
MaxFileSize
1048576
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
FileDirectory
%windir%\tracing
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
EnableFileTracing
0
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
EnableConsoleTracing
0
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
FileTracingMask
4294901760
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
ConsoleTracingMask
4294901760
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
MaxFileSize
1048576
3740
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
FileDirectory
%windir%\tracing
3740
rundll32.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3740
rundll32.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3740
rundll32.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
460000000200000009000000000000000000000000000000040000000000000000C1AE731521D501000000000000000000000000020000001700000000000000FE80000000000000A179B3FF019923140B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A86491000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000004400000041535943000000000000000000000000
272
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3986a3a4-cda1-636a-f482-115417843305}\InProcServer32
ThreadModel
Apartment
272
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3986a3a4-cda1-636a-f482-115417843305}\InProcServer32
C:\Program Files\Windows Media Player\mpvis2.dll
272
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\wmplayer
StartExe
%Systemroot%\system32\verclsid.exe
272
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\wmplayer
StartParams
/S /C {3986a3a4-cda1-636a-f482-115417843305}
272
rundll32.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Accessibility
Configuration
wmplayer
272
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Session1
Configuration
wmplayer
2884
dllhost.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Intel
LogBuilds
0

Files activity

Executable files
1
Suspicious files
1
Text files
65
Unknown types
47

Dropped files

PID
Process
Filename
Type
272
rundll32.exe
C:\Program Files\Windows Media Player\mpvis2.dll
executable
MD5: a50942c6ebf0ff694bdf4617b7628c1b
SHA256: ace8685de997ad377ba539a25786fbea5923f058900b20154f64f19f3d3566a7
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49M1T1G6\today-has-been-ruff[1].jpg
image
MD5: a974cd190f789aa0577b1f20819bc8c7
SHA256: da96645d15060fb164ada0dbb21b5b122b86e71f3826c3f35d7f6cf98ccb6948
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\b4akc1uds995bvgclc4ugg8ovc[1].html
html
MD5: e7f9c534b028ca9917e714b1904f57cf
SHA256: 0079768be18cbbe0ba94c72da4532dc69403656b2e140acdf4eee7bf4e1559ed
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49M1T1G6\article[1].htm
html
MD5: e1a95d577c8babbf142523cb281e0bd2
SHA256: 543ac0447f36b87e450e177f852a7d7acd0713e8d85e7d797f522dd36fd108f8
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\article[1].php
––
MD5:  ––
SHA256:  ––
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\6bi5q5iu7ar0b3ivnava28c40s[1].html
––
MD5:  ––
SHA256:  ––
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\gvauv1sq0vp2el39ru64qhu1q0[1].js
text
MD5: e43d5fbcb85d65abd7ed21fd134ad3cd
SHA256: 1b0a9c623caa99d7c3e5f99696511e6b057c7cc3c6b0abe9f8ba9ccd21dc55ed
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\tinyjs.min[1].js
text
MD5: 22138c91d79bb0a5cd385ca4998f242f
SHA256: 3c2b483233042fcd3f11d524bb071c340e4fdab62260ba928d6ce883bf06bac3
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\encrypt.min[1].js
text
MD5: adc27e365f84269ff1ebe9d2de60faa0
SHA256: a8bc57dde6ae5555e6057623c4cfcf8f5c63185ff790f0dc1e4801b0053535f5
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\ibl30vno98onog1q349umfe064[1].html
html
MD5: 4322ace4f99adbfeca870d2991882abc
SHA256: 16e8496ca3a76d6740a15d253e2aa882c69e850311b9192751a91e55d4cee2fd
2976
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061220190613\index.dat
dat
MD5: 99de14cb65f9ee8b3061d3f3ec92f51b
SHA256: 7f04a0bacdedf1edb03ea289149ad72a1b5993bc0294f94405d9c048ba0f42d1
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\logo[1].swf
swf
MD5: b63114cb089861c2eec2c24e504507d0
SHA256: a1d0a5484e67d6edc72cd833e976afc0d48afc3cb85670089d3d61e0c139fcc2
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019061220190613\index.dat
dat
MD5: 2a617d711463ddcc453c2a646d8ac5bc
SHA256: 0520e0c3d4c2f9e7508dce12b3ae7ba71fff72b94a3eba70130637738388c47e
3416
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat
dat
MD5: 0738235a06fc4c607e2f076cecdb9af8
SHA256: 0f80eccf9a0bfc5497b50f43a6310131eb1b3602886889c2dd1c0efa198af2b0
3416
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\6C0G8IJM\38.75.136[1].xml
text
MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
3932
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
sol
MD5: 7a66a9161d9307468f19ed38130a865d
SHA256: 8135d3505d045aa9032e6516a18e408a92ead10bab8ba6cddc70e05d35f4f595
3932
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx
––
MD5:  ––
SHA256:  ––
3932
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx:Zone.Identifier
––
MD5:  ––
SHA256:  ––
3932
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
sol
MD5: 0a5d096e971ec4514b5009d249a945f4
SHA256: 4516a0a695c67fb5ece074d58db2e3b3c93a5c26d4883134556e0ae0087db48a
3932
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3932
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx
sol
MD5: 0a5d096e971ec4514b5009d249a945f4
SHA256: 4516a0a695c67fb5ece074d58db2e3b3c93a5c26d4883134556e0ae0087db48a
3932
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
sol
MD5: aa00147413be2e91a10a53d6ac051f09
SHA256: ba4dc64471b3595d0bbdcb87d043eaa89cc68e6a5d993e742c4043213867f22d
3932
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49M1T1G6\must-be-monday-animation[1].gif
image
MD5: 13f05f1c8f34c6fbbd98ed2da0262946
SHA256: eb3904f7de888cb48ddee054d6b2de64646ed9dacd4727871f7f5182b71de8ac
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\brain-transplant[1].jpg
image
MD5: 2b163d4e102fda522cf58bf966f6f9dc
SHA256: d5641705ab527f3ea898e409eb096419da74a31a9e4f54c2aee835da5786a1ac
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\bare-necessities[1].jpg
image
MD5: 1500292565d517bec8b1c52f58a69182
SHA256: 403f1dd8d92f7b1a421bd77ed64ccbea51ea6ad15b2b7a5e1abb6de98156e1cc
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\awesome[1].jpg
image
MD5: 97ea6896c5c740f1860f65b7ea9a20c3
SHA256: 6c693552165dcf3a81ccc5b3ead7bed89797e7103122104297bb39bc18638e45
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\invisible-bookshelf[1].jpg
image
MD5: aa637d8a90ad02b7145b94077cca0361
SHA256: ac12cf8770539c07756ebf3fff9504235849997004b038781e4f6a376d7e3baa
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\book-cave[1].jpg
image
MD5: 9022e17992858abbd3cec4f9fa40b58a
SHA256: 19a24bb764bb671cca6970fd15e0dc3dc894447448b4ed839fb07d46b419c6e3
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\i-have-the-same-look-when-i-get-to-sleep-in[1].jpg
image
MD5: 41db086a87a0993f9ccd9340c41dcf9c
SHA256: d7f1368b6eb534c2eb9be4cd6439096b2ec553604b49993c07ad8a1901cc2ea7
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\diet-coke-ninjas[1].jpg
image
MD5: 078cf051d66ea3af9ff799f51c947dd6
SHA256: 33571be53322e8bcf0eb880f9ec6e5426fcbbdd98f08b0c59d1a0fca8568c898
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\raphael-is-real[1].jpg
image
MD5: 0e2f16c340ae664fbd48b697845aff08
SHA256: 22bba668a2f1684e52cae1d9700c0dc7a3bf667278ffa84512a544908b2efd92
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\the-additional-sign-was-necessary[1].jpg
image
MD5: 19766e7e5c53588d9df718c44e5a4d79
SHA256: fa7efdc5884da843211cc1fbad34f9091726d806aeef6820f5eaffdea7d86c31
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49M1T1G6\must-be-monday[1].gif
image
MD5: f17517f9f2d79ba8e0fe4b6bc8e01dfb
SHA256: 61a63c9c19c836fe1dd9eaaccb1e2d48568c8a0aa8765aa14d0eb43cf22fb6b5
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49M1T1G6\nintendo-bed[1].jpg
image
MD5: be889440a6d5a8372b9caaa43c6d0c77
SHA256: 770a0d26ad5562344e0e5ebb5bd450b39635abf76564a766f08124550edaf6ad
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: 3f0326292264a28c0b632f5baa71d86d
SHA256: a3f58e7a1e766cbcb79abea928852a954233fd60b24032c5cf55cbdbc398ece5
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49M1T1G6\hate-it-when-this-happens[1].jpg
image
MD5: b3faa917467869e828a3bfeb389f41a8
SHA256: 1a49543cdb3ba3abe82b75ac5dbe15806016903fb879d88e3d246225a80d18a5
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49M1T1G6\breakfast-for-one[1].jpg
image
MD5: e2d6cfe62d14a3dda2c9ac4ae3c381b5
SHA256: d999cf19ce0cee4a0fd794632d7e78f0a635c25cc2bf2dccbedf38c185860336
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2976
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_iexplore.exe_12df8271b62395a348f102b12959f9768e2baf9_0bb23cf2\Report.wer
binary
MD5: ef5cf3556bd2f99d390d85a8d806ee03
SHA256: 607c9469d9c0bc3018bbb846b22ea016f4c86bcb9693245ab10f12b53cdf929c
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\highlight-anything-stupid[1].jpg
image
MD5: b328a9d668ac17befcb317a91fc535fe
SHA256: b5aa762dd6e3b72d01451ead401d660a3bc790c691888304f04825b39e1cbf8d
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\YFJWUNeiVSaE0fAJQq21[1].png
image
MD5: 013c4575ccbc536b56b519d8f4fd3c45
SHA256: cd3eba627948494fbe217336e41697fa7b09ceff89b32bbc4d8433878f34d619
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\5oji6nr7150jad27ld9a6lb3pg[1].js
text
MD5: 6e4193ce4cda44959fb09610f081c100
SHA256: 172ac73cda6260918510ad2f4481a7fcd90c5a86d47dd880c5bcb3596dd20a7d
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
smt
MD5: 739c1b2dbfb6211e0cf1403e609c02e4
SHA256: 4c29ee9f5e609006baf3354efa56fc502a2f907c42a8ae148c84beac6497a7ca
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\fontawesome-webfont[1].eot
eot
MD5: 7149833697a959306ec3012a8588dcfa
SHA256: e511891d3e01b0b27aed51a219ced5119e2c3d0460465af8242e9bff4cb61b77
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\font-awesome.min[1].css
text
MD5: feda974a77ea5783b8be673f142b7c88
SHA256: 0fb1bbca73646e8e2b93c82e8d8b219647b13d4b440c48e338290b9a685b8de1
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\jquery-1.11.1.min[1].js
text
MD5: 8101d596b2b8fa35fe3a634ea342d7c3
SHA256: 540bc6dec1dd4b92ea4d3fb903f69eabf6d919afd48f4e312b163c28cff0f441
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49M1T1G6\jquery.fitvid[1].js
html
MD5: 0273fc5835d0d6e99124e031f37ffddf
SHA256: ca4f29bb6efa578deb6693734c0a2c061b2211f023d146f486238fafe8a58108
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\style[1].css
text
MD5: 47e4ee34b12652e24ddf483723c4ae25
SHA256: 1b1028565d72b4ddb606fc3d16f1c6ec115a1b3454beb0e2f92f06ee8c2df581
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\ninjamediascript_devdojo_com[1].htm
html
MD5: 86cc0112b79b88a29fcc9cd962f0673a
SHA256: 1d0de11b9ee3306529504ed848bbe5c7fba579df53196c31afa0feffe48e8df6
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\ninjamediascript_devdojo_com[1].txt
––
MD5:  ––
SHA256:  ––
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\index[1].htm
html
MD5: f54f4a53749bd2012b6a33f667696330
SHA256: e6a04ec78fd5907efa93c3821faac736183733e8d4c1ae0ad24aa9a7330b6ab2
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\index[1].php
––
MD5:  ––
SHA256:  ––
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49M1T1G6\jquery.min[1].js
text
MD5: 8fc25e27d42774aeae6edbc0a18b72aa
SHA256: b294e973896f8f874e90a8eb1a8908ac790980d034c4c4bdf0fc3d37b8abf682
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\glyphicons-halflings-regular[1].eot
eot
MD5: 7ad17c6085dee9a33787bac28fb23d46
SHA256: f495f34e4f177cf0115af995bbbfeb3fcabc88502876e76fc51a4ab439bc8431
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\bootstrap.min[1].css
text
MD5: 80654acbbb82f481297071701977b791
SHA256: 1912ec9329c898b56073a8120eb94e72e0bb858b390443cbc65d18a494572215
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\respond.min[1].js
html
MD5: afc1984a3d17110449dc90cf22de0c27
SHA256: 83a8807ef669fa70d0d9375347f5552897f76c6ae8e2e6f97ef592595462d8d1
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\html5shiv[1].js
html
MD5: 0ce8f355891c26c28f057e195e97dcd5
SHA256: 8c7a9c0470563367ab00307b4fb9bb3052d0a27f0b94e63b9dc0bb8c369449cb
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\5AwPwgG3vs0U0shuvnI5p2MI5oKiZd8c[1].htm
html
MD5: fe1be065daaa3398f34a1b82b68c8454
SHA256: b48674f77f8e34c9509c7c1fd4899c9190220b0b8ea579264e959c74053fc97b
3416
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: e9fb8c22a8c282cce536f72ad73f61ed
SHA256: 845ab9be5091fb92db47490de2f055b3773fb5f380120dbdc5df959a0f939192
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\5AwPwgG3vs0U0shuvnI5p2MI5oKiZd8c[1].php
––
MD5:  ––
SHA256:  ––
3416
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: c429796e14f81f160d25fdd9a1f1620d
SHA256: 4d4088c807f86ce75740a90c11e47aea5d85aeeb1d94274847e71fca978cd012
3416
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: c0d579f7e4daf0310be130862ec57dc5
SHA256: fe13656030ff66fa556bb1561117ec2e893a852ac7905f8089b327631f1d46de
3416
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
dat
MD5: b2eb49dbc1b07791547095211f91cfa5
SHA256: f95e2df629724bd6e4a4c9e6e4075915a5c6d166f92241c0733e9649ab320092
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
dat
MD5: abc8c92ed866e3b55e5f1bffddb549ab
SHA256: 255cd5bdea6e7ad0a91e5970eaebffa91a8b92040e15d50474d17e1b051a05fd
2976
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2976
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
2976
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: 7afe506547bf5857db67a6ef681cf694
SHA256: 2a21ce1f076e1acd6a0a1c839631a13a2101c8ebab7bf579dc5b11276a9396db
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\49M1T1G6\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BTUHXNOD\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2976
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSF1IQCF\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3416
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D8J3YUYU\4kuq352ntv7jaklqc20ao0u4fs[1].swf
swf
MD5: c1754643b6a6287ca2286d587acf8862
SHA256: 93e4b0a5121a0f335de8fee085295e1a9adf4af96821e0d4bbd4ccbb86c74671

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
43
TCP/UDP connections
23
DNS requests
7
Threats
7

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2976 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US
image
whitelisted
3416 iexplore.exe GET 302 67.198.185.101:80 http://67.198.185.101/Xa137b375cc3881a70e186ce2172c8TT.php US
––
––
unknown
3416 iexplore.exe GET 200 67.198.185.100:80 http://67.198.185.100/5AwPwgG3vs0U0shuvnI5p2MI5oKiZd8c.php US
html
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/?pop US
html
unknown
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/index.php?ad_id=PnRO6kbP34r-R5GHhnXpMg&re=PnRO6kbP34r-R5GHhnXpMg&rt=PnRO6kbP34r-R5GHhnXpMg&id=9081&zone=PnRO6kbP34r-R5GHhnXpMg&prod=PnRO6kbP34r-R5GHhnXpMg&lp=Type&st=PnRO6kbP34r-R5GHhnXpMg&e=1560340470&y=203380532409 US
html
suspicious
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/js/5oji6nr7150jad27ld9a6lb3pg.js US
text
suspicious
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/themes/simple/assets/css/style.css US
text
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/themes/simple/assets/css/font-awesome.min.css US
text
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/themes/simple/assets/js/jquery.fitvid.js US
html
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/themes/simple/assets/js/jquery-1.11.1.min.js US
text
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/themes/simple/assets/fonts/fontawesome-webfont.eot? US
eot
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/themes/December2017/YFJWUNeiVSaE0fAJQq21.png US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/February2014/highlight-anything-stupid.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/February2014/breakfast-for-one.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/February2014/hate-it-when-this-happens.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/February2014/must-be-monday-animation.gif US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/February2014/must-be-monday.gif US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/February2014/nintendo-bed.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/February2014/today-has-been-ruff.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/January2014/raphael-is-real.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/January2014/the-additional-sign-was-necessary.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/January2014/brain-transplant.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/January2014/diet-coke-ninjas.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/January2014/i-have-the-same-look-when-i-get-to-sleep-in.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/January2014/awesome.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/January2014/book-cave.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/January2014/invisible-bookshelf.jpg US
image
unknown
3416 iexplore.exe GET 200 104.25.141.116:80 http://ninjamediascript.devdojo.com/storage/posts/January2014/bare-necessities.jpg US
image
unknown
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/logo.swf US
swf
suspicious
2976 iexplore.exe GET 404 67.198.185.100:80 http://67.198.185.100/favicon.ico US
html
unknown
3416 iexplore.exe GET 302 38.75.136.186:9081 http://38.75.136.186:9081/pubs/servlet.php?fp=8932ce5f479c2fe7d2cac8ce0ab8d32c&lang=en-us&token=&id=49701&sign=e253c2ad9eae2f55bfce1bda71e77e6d&validate=83b33ccdc17c0c371027f6a6a362ec30 US
––
––
suspicious
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/views/ibl30vno98onog1q349umfe064.html US
html
suspicious
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/static/encrypt.min.js US
text
suspicious
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/static/tinyjs.min.js US
text
suspicious
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/js/gvauv1sq0vp2el39ru64qhu1q0.js US
text
suspicious
3416 iexplore.exe POST 200 38.75.136.186:9081 http://38.75.136.186:9081/views/6bi5q5iu7ar0b3ivnava28c40s.html US
text
text
suspicious
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/pubs/article.php?id=570fd54bc7d443f8c2d307d0670ea3f0 US
html
suspicious
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/views/b4akc1uds995bvgclc4ugg8ovc.html US
text
html
suspicious
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/views/4kuq352ntv7jaklqc20ao0u4fs.swf US
swf
suspicious
3416 iexplore.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/views/t8gdclo0m7hake91ro2gkgp9mc.wav US
text
wav
suspicious
1724 dllhost.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/views/r8um02db10nc6f76gfp6p639gs.jpg US
image
suspicious
3740 rundll32.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/pubs/wiki.php?id=d6beddefdfd7967bc6f80fdec5f171ea US
––
––
suspicious
3740 rundll32.exe GET 200 38.75.136.186:9081 http://38.75.136.186:9081/images/captcha.png?mod=attachment&u=bf16799d678ebed5a1efca97e747498b US
image
suspicious


Connections

PID Process IP ASN CN Reputation
2976 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
3416 iexplore.exe 67.198.185.98:443 Krypt Technologies US suspicious
3416 iexplore.exe 67.198.185.101:80 Krypt Technologies US unknown
3416 iexplore.exe 67.198.185.100:80 Krypt Technologies US unknown
3416 iexplore.exe 23.111.8.154:443 netDNA US unknown
3416 iexplore.exe 38.75.136.186:9081 Cogent Communications US suspicious
3416 iexplore.exe 104.25.141.116:80 Cloudflare Inc US unknown
2976 iexplore.exe 67.198.185.100:80 Krypt Technologies US unknown
1724 dllhost.exe 38.75.136.186:9081 Cogent Communications US suspicious
3740 rundll32.exe 38.75.136.186:9081 Cogent Communications US suspicious
3740 rundll32.exe 38.75.136.174:1108 Cogent Communications US malicious
2108 msdtc.exe 23.244.62.48:443 Enzu Inc US unknown
2816 WmiPrvSE.exe 23.244.33.47:17555 Enzu Inc US unknown

DNS requests

Domain IP(s) Reputation
www.bing.com 204.79.197.200, 13.107.21.200 whitelisted
adpop.xyz 67.198.185.98 suspicious
oss.maxcdn.com 23.111.8.154 whitelisted
ninjamediascript.devdojo.com 104.25.141.116, 104.25.142.116 unknown
bbs.favcom.space 38.75.136.174, 38.75.137.200 malicious
news.onetouchauthentication.club 23.244.62.48, 23.244.62.52, 23.244.62.51 malicious
r.twotouchauthentication.online 23.244.33.47 unknown

Threats

PID Process Class Message
3416 iexplore.exe Potentially Bad Traffic ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
3416 iexplore.exe A Network Trojan was detected ET CURRENT_EVENTS Possible Underminer EK Landing
3416 iexplore.exe Potential Corporate Privacy Violation ET POLICY Outdated Flash Version M1
3416 iexplore.exe A Network Trojan was detected ET CURRENT_EVENTS Underminer EK IE Exploit
3740 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Encrypted Hidden Bee binary payload
3740 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Encrypted Hidden Bee binary payload

1 ETPRO signatures available at the full report

Debug output strings

No debug info.