| URL: | td.doubleclick.net |
| Full analysis: | https://app.any.run/tasks/5ca1e6a4-b1bc-4b61-9c9b-78d0323325f7 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | May 24, 2024, 12:46:22 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 4454EC59B0C89A89EA1D23A716455EEE |
| SHA1: | 97DE6897B56301FC7142390C5F47006DA3E3DD6D |
| SHA256: | DE33BCC3C1A162A1DC58FBB17249529F94A0D57E89B70F80A787308DF9E3F906 |
| SSDEEP: | 3:L8rGJMB0:ASY0 |
MALICIOUS
Downloads files via BITSADMIN.EXE
- cmd.exe (PID: 2612)
Drops the executable file immediately after the start
- 7za.exe (PID: 3680)
- csc.exe (PID: 368)
- mshta.exe (PID: 2780)
- aria2c.exe (PID: 2624)
- SearcherBar.exe (PID: 1372)
Bypass execution policy to execute commands
- powershell.exe (PID: 2876)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 2796)
Starts Visual C# compiler
- powershell.exe (PID: 2876)
Actions looks like stealing of personal data
- mshta.exe (PID: 2780)
ADWARE has been detected (SURICATA)
- aria2c.exe (PID: 6020)
- aria2c.exe (PID: 2624)
- aria2c.exe (PID: 6084)
SUSPICIOUS
Reads the Internet Settings
- mshta.exe (PID: 1936)
- powershell.exe (PID: 1288)
- cmd.exe (PID: 112)
- mshta.exe (PID: 2780)
- mshta.exe (PID: 3084)
- WMIC.exe (PID: 3464)
Process requests binary or script from the Internet
- mshta.exe (PID: 1936)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 2612)
- cmd.exe (PID: 2388)
- cmd.exe (PID: 2748)
- cmd.exe (PID: 2932)
- cmd.exe (PID: 2724)
- cmd.exe (PID: 2088)
- cmd.exe (PID: 3288)
- cmd.exe (PID: 3596)
- cmd.exe (PID: 3548)
- cmd.exe (PID: 3848)
- cmd.exe (PID: 2052)
- cmd.exe (PID: 1116)
- cmd.exe (PID: 2076)
- cmd.exe (PID: 188)
- cmd.exe (PID: 3444)
- cmd.exe (PID: 2340)
- cmd.exe (PID: 1028)
- cmd.exe (PID: 2872)
- cmd.exe (PID: 2896)
- cmd.exe (PID: 2736)
- cmd.exe (PID: 3140)
- cmd.exe (PID: 2880)
- cmd.exe (PID: 3428)
- cmd.exe (PID: 3568)
- cmd.exe (PID: 3892)
- cmd.exe (PID: 1136)
- cmd.exe (PID: 2344)
- cmd.exe (PID: 2156)
- cmd.exe (PID: 736)
- cmd.exe (PID: 3736)
- cmd.exe (PID: 2644)
- cmd.exe (PID: 2812)
- cmd.exe (PID: 2832)
- cmd.exe (PID: 2996)
- cmd.exe (PID: 3164)
- cmd.exe (PID: 2840)
- cmd.exe (PID: 3092)
- cmd.exe (PID: 3396)
- cmd.exe (PID: 2224)
- cmd.exe (PID: 3676)
- cmd.exe (PID: 1768)
- cmd.exe (PID: 3832)
- cmd.exe (PID: 3604)
Found strings related to reading or modifying Windows Defender settings
- mshta.exe (PID: 1936)
Query Microsoft Defender status
- mshta.exe (PID: 1936)
- cmd.exe (PID: 2380)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2380)
- cmd.exe (PID: 2796)
Cmdlet gets the status of antimalware software installed on the computer
- cmd.exe (PID: 2380)
Starts CMD.EXE for commands execution
- mshta.exe (PID: 1936)
- cmd.exe (PID: 2636)
- mshta.exe (PID: 2780)
Using PowerShell to operate with local accounts
- powershell.exe (PID: 1288)
Executable content was dropped or overwritten
- expand.exe (PID: 1652)
- 7za.exe (PID: 3680)
- csc.exe (PID: 368)
- mshta.exe (PID: 2780)
- aria2c.exe (PID: 2624)
- SearcherBar.exe (PID: 1372)
Drops 7-zip archiver for unpacking
- expand.exe (PID: 1652)
- 7za.exe (PID: 3680)
Process drops legitimate windows executable
- 7za.exe (PID: 3680)
- mshta.exe (PID: 2780)
Application launched itself
- cmd.exe (PID: 2636)
- mshta.exe (PID: 1936)
Executing commands from a ".bat" file
- mshta.exe (PID: 1936)
- cmd.exe (PID: 2636)
The executable file from the user directory is run by the CMD process
- 7za.exe (PID: 3680)
- driverpack-wget.exe (PID: 3608)
- driverpack-wget.exe (PID: 3552)
- driverpack-wget.exe (PID: 3556)
- driverpack-wget.exe (PID: 3716)
- driverpack-wget.exe (PID: 3616)
- driverpack-wget.exe (PID: 3536)
- driverpack-wget.exe (PID: 3484)
- driverpack-wget.exe (PID: 2040)
- driverpack-wget.exe (PID: 588)
- driverpack-wget.exe (PID: 2812)
- driverpack-wget.exe (PID: 2672)
- driverpack-wget.exe (PID: 112)
- driverpack-wget.exe (PID: 2588)
- driverpack-wget.exe (PID: 1128)
- driverpack-wget.exe (PID: 936)
- driverpack-wget.exe (PID: 2864)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 3380)
- driverpack-wget.exe (PID: 3060)
- driverpack-wget.exe (PID: 3148)
- driverpack-wget.exe (PID: 3768)
- driverpack-wget.exe (PID: 828)
- driverpack-wget.exe (PID: 3760)
- driverpack-wget.exe (PID: 812)
- driverpack-wget.exe (PID: 2452)
- driverpack-wget.exe (PID: 3616)
- driverpack-wget.exe (PID: 3236)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 1520)
- driverpack-wget.exe (PID: 2172)
- driverpack-wget.exe (PID: 3716)
- driverpack-wget.exe (PID: 2772)
- driverpack-wget.exe (PID: 3356)
- driverpack-wget.exe (PID: 4000)
- driverpack-wget.exe (PID: 3412)
- driverpack-wget.exe (PID: 3728)
- driverpack-wget.exe (PID: 3300)
- driverpack-wget.exe (PID: 3512)
- driverpack-wget.exe (PID: 1248)
- driverpack-wget.exe (PID: 3060)
- driverpack-wget.exe (PID: 3052)
- driverpack-wget.exe (PID: 2520)
- driverpack-wget.exe (PID: 3788)
- driverpack-wget.exe (PID: 3860)
- driverpack-wget.exe (PID: 3596)
- driverpack-wget.exe (PID: 3264)
- driverpack-wget.exe (PID: 2356)
- driverpack-wget.exe (PID: 3672)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 2020)
- driverpack-wget.exe (PID: 2056)
- driverpack-wget.exe (PID: 3216)
- driverpack-wget.exe (PID: 3752)
- driverpack-wget.exe (PID: 4068)
- driverpack-wget.exe (PID: 1380)
- driverpack-wget.exe (PID: 2996)
- driverpack-wget.exe (PID: 3624)
- driverpack-wget.exe (PID: 2076)
- driverpack-wget.exe (PID: 3620)
- driverpack-wget.exe (PID: 2840)
- driverpack-wget.exe (PID: 3152)
- driverpack-wget.exe (PID: 3380)
- driverpack-wget.exe (PID: 1844)
- driverpack-wget.exe (PID: 3660)
- driverpack-wget.exe (PID: 3948)
- driverpack-wget.exe (PID: 3472)
- driverpack-wget.exe (PID: 2188)
- driverpack-wget.exe (PID: 1996)
- driverpack-wget.exe (PID: 3360)
- driverpack-wget.exe (PID: 2052)
- driverpack-wget.exe (PID: 864)
- driverpack-wget.exe (PID: 3348)
- driverpack-wget.exe (PID: 2408)
- driverpack-wget.exe (PID: 1576)
- driverpack-wget.exe (PID: 2480)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 524)
- driverpack-wget.exe (PID: 3768)
- driverpack-wget.exe (PID: 3080)
- driverpack-wget.exe (PID: 3384)
- driverpack-wget.exe (PID: 2168)
- driverpack-wget.exe (PID: 1520)
- driverpack-wget.exe (PID: 524)
- driverpack-wget.exe (PID: 3544)
- driverpack-wget.exe (PID: 2204)
- driverpack-wget.exe (PID: 1380)
- driverpack-wget.exe (PID: 1620)
- driverpack-wget.exe (PID: 2624)
- driverpack-wget.exe (PID: 3368)
- driverpack-wget.exe (PID: 3224)
- driverpack-wget.exe (PID: 3764)
- driverpack-wget.exe (PID: 3624)
- driverpack-wget.exe (PID: 3676)
- driverpack-wget.exe (PID: 3312)
- driverpack-wget.exe (PID: 2624)
- driverpack-wget.exe (PID: 3532)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 2124)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 3736)
- driverpack-wget.exe (PID: 600)
- driverpack-wget.exe (PID: 4124)
- driverpack-wget.exe (PID: 4680)
- driverpack-wget.exe (PID: 4708)
- driverpack-wget.exe (PID: 4720)
- driverpack-wget.exe (PID: 4728)
- driverpack-wget.exe (PID: 4760)
- driverpack-wget.exe (PID: 5336)
- driverpack-wget.exe (PID: 5328)
- driverpack-wget.exe (PID: 5392)
- aria2c.exe (PID: 6060)
- aria2c.exe (PID: 6020)
- aria2c.exe (PID: 6084)
- aria2c.exe (PID: 6100)
- driverpack-wget.exe (PID: 2328)
- aria2c.exe (PID: 2624)
- driverpack-wget.exe (PID: 1248)
- driverpack-wget.exe (PID: 4140)
- driverpack-wget.exe (PID: 4196)
- driverpack-wget.exe (PID: 4156)
- driverpack-wget.exe (PID: 4900)
- driverpack-wget.exe (PID: 4868)
- driverpack-wget.exe (PID: 4936)
- driverpack-wget.exe (PID: 4764)
- driverpack-wget.exe (PID: 4792)
- driverpack-wget.exe (PID: 5480)
- driverpack-wget.exe (PID: 4708)
- driverpack-wget.exe (PID: 5976)
- driverpack-wget.exe (PID: 5816)
- driverpack-wget.exe (PID: 6016)
- driverpack-wget.exe (PID: 4376)
- driverpack-wget.exe (PID: 4896)
- driverpack-wget.exe (PID: 5292)
- driverpack-wget.exe (PID: 5720)
- driverpack-wget.exe (PID: 5316)
- driverpack-wget.exe (PID: 5924)
- aria2c.exe (PID: 4348)
- aria2c.exe (PID: 3516)
- SearcherBar.exe (PID: 1372)
- driverpack-wget.exe (PID: 4732)
- driverpack-wget.exe (PID: 4524)
- driverpack-wget.exe (PID: 4840)
- driverpack-wget.exe (PID: 5936)
- driverpack-wget.exe (PID: 6068)
- driverpack-wget.exe (PID: 5572)
Executing commands from ".cmd" file
- mshta.exe (PID: 2780)
The process hides Powershell's copyright startup banner
- cmd.exe (PID: 2796)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 2796)
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 2796)
Get information on the list of running processes
- cmd.exe (PID: 2796)
The process hide an interactive prompt from the user
- cmd.exe (PID: 2796)
Uses RUNDLL32.EXE to load library
- mshta.exe (PID: 2780)
Adds/modifies Windows certificates
- mshta.exe (PID: 2780)
Uses .NET C# to load dll
- powershell.exe (PID: 2876)
Changes internet zones settings
- mshta.exe (PID: 2780)
Uses NETSH.EXE to add a firewall rule or allowed programs
- cmd.exe (PID: 3284)
Uses NETSH.EXE to delete a firewall rule or allowed programs
- cmd.exe (PID: 3028)
Starts application with an unusual extension
- cmd.exe (PID: 1868)
Uses NETSH.EXE to obtain data on the network
- cmd.exe (PID: 1868)
Starts SC.EXE for service management
- cmd.exe (PID: 3536)
Executes as Windows Service
- VSSVC.exe (PID: 1128)
Uses WMIC.EXE to obtain system information
- cmd.exe (PID: 1372)
Searches for installed software
- dllhost.exe (PID: 1836)
Potential Corporate Privacy Violation
- mshta.exe (PID: 2780)
- aria2c.exe (PID: 6020)
- aria2c.exe (PID: 6060)
- aria2c.exe (PID: 6084)
- aria2c.exe (PID: 6100)
- aria2c.exe (PID: 2624)
Access to an unwanted program domain was detected
- aria2c.exe (PID: 6084)
- aria2c.exe (PID: 6020)
INFO
Application launched itself
- iexplore.exe (PID: 4004)
Manual execution by a user
- wmpnscfg.exe (PID: 1772)
Checks supported languages
- wmpnscfg.exe (PID: 1772)
- 7za.exe (PID: 3680)
- csc.exe (PID: 368)
- cvtres.exe (PID: 3140)
- driverpack-wget.exe (PID: 3608)
- driverpack-wget.exe (PID: 3556)
- driverpack-wget.exe (PID: 3552)
- driverpack-wget.exe (PID: 3716)
- driverpack-wget.exe (PID: 3616)
- driverpack-wget.exe (PID: 2040)
- driverpack-wget.exe (PID: 3536)
- driverpack-wget.exe (PID: 588)
- driverpack-wget.exe (PID: 3484)
- driverpack-wget.exe (PID: 2672)
- driverpack-wget.exe (PID: 2812)
- driverpack-wget.exe (PID: 112)
- driverpack-wget.exe (PID: 936)
- driverpack-wget.exe (PID: 2588)
- driverpack-wget.exe (PID: 1128)
- driverpack-wget.exe (PID: 2864)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 3380)
- driverpack-wget.exe (PID: 3060)
- driverpack-wget.exe (PID: 3760)
- driverpack-wget.exe (PID: 3148)
- driverpack-wget.exe (PID: 3768)
- driverpack-wget.exe (PID: 828)
- driverpack-wget.exe (PID: 812)
- driverpack-wget.exe (PID: 3236)
- driverpack-wget.exe (PID: 3616)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 1520)
- driverpack-wget.exe (PID: 2172)
- driverpack-wget.exe (PID: 2452)
- driverpack-wget.exe (PID: 2772)
- driverpack-wget.exe (PID: 3356)
- driverpack-wget.exe (PID: 3716)
- driverpack-wget.exe (PID: 3412)
- driverpack-wget.exe (PID: 3728)
- driverpack-wget.exe (PID: 3300)
- driverpack-wget.exe (PID: 2076)
- driverpack-wget.exe (PID: 4000)
- driverpack-wget.exe (PID: 3512)
- driverpack-wget.exe (PID: 1248)
- driverpack-wget.exe (PID: 3052)
- driverpack-wget.exe (PID: 2520)
- driverpack-wget.exe (PID: 3060)
- driverpack-wget.exe (PID: 3788)
- driverpack-wget.exe (PID: 3596)
- driverpack-wget.exe (PID: 3860)
- driverpack-wget.exe (PID: 2356)
- driverpack-wget.exe (PID: 3264)
- driverpack-wget.exe (PID: 3672)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 2020)
- driverpack-wget.exe (PID: 2056)
- driverpack-wget.exe (PID: 3216)
- driverpack-wget.exe (PID: 3752)
- driverpack-wget.exe (PID: 4068)
- driverpack-wget.exe (PID: 1380)
- driverpack-wget.exe (PID: 3624)
- driverpack-wget.exe (PID: 2996)
- driverpack-wget.exe (PID: 3620)
- driverpack-wget.exe (PID: 2840)
- driverpack-wget.exe (PID: 3948)
- driverpack-wget.exe (PID: 3152)
- driverpack-wget.exe (PID: 3380)
- driverpack-wget.exe (PID: 3660)
- driverpack-wget.exe (PID: 1844)
- driverpack-wget.exe (PID: 2188)
- driverpack-wget.exe (PID: 3472)
- driverpack-wget.exe (PID: 1996)
- driverpack-wget.exe (PID: 2408)
- driverpack-wget.exe (PID: 3360)
- driverpack-wget.exe (PID: 2052)
- driverpack-wget.exe (PID: 3348)
- driverpack-wget.exe (PID: 1576)
- driverpack-wget.exe (PID: 864)
- driverpack-wget.exe (PID: 2480)
- driverpack-wget.exe (PID: 3080)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 524)
- driverpack-wget.exe (PID: 3768)
- driverpack-7za.exe (PID: 3412)
- chcp.com (PID: 3108)
- driverpack-wget.exe (PID: 2168)
- driverpack-wget.exe (PID: 524)
- driverpack-wget.exe (PID: 3384)
- driverpack-wget.exe (PID: 1520)
- driverpack-wget.exe (PID: 3544)
- driverpack-wget.exe (PID: 2204)
- driverpack-wget.exe (PID: 1380)
- driverpack-wget.exe (PID: 1620)
- driverpack-wget.exe (PID: 3368)
- driverpack-wget.exe (PID: 2624)
- driverpack-wget.exe (PID: 3676)
- driverpack-wget.exe (PID: 3312)
- driverpack-wget.exe (PID: 3224)
- driverpack-wget.exe (PID: 3764)
- driverpack-wget.exe (PID: 3624)
- driverpack-wget.exe (PID: 2624)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 3532)
- driverpack-wget.exe (PID: 2124)
- driverpack-wget.exe (PID: 600)
- driverpack-wget.exe (PID: 3736)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 4680)
- driverpack-wget.exe (PID: 4728)
- driverpack-wget.exe (PID: 4708)
- driverpack-wget.exe (PID: 4124)
- driverpack-wget.exe (PID: 4720)
- driverpack-wget.exe (PID: 4760)
- driverpack-wget.exe (PID: 5392)
- aria2c.exe (PID: 6020)
- driverpack-wget.exe (PID: 5328)
- driverpack-wget.exe (PID: 5336)
- aria2c.exe (PID: 6084)
- driverpack-wget.exe (PID: 2328)
- driverpack-wget.exe (PID: 4140)
- driverpack-wget.exe (PID: 4196)
- aria2c.exe (PID: 6100)
- aria2c.exe (PID: 6060)
- aria2c.exe (PID: 2624)
- driverpack-wget.exe (PID: 4156)
- driverpack-wget.exe (PID: 1248)
- driverpack-wget.exe (PID: 4868)
- driverpack-wget.exe (PID: 4900)
- driverpack-wget.exe (PID: 4764)
- driverpack-wget.exe (PID: 4792)
- driverpack-wget.exe (PID: 4936)
- driverpack-wget.exe (PID: 5480)
- driverpack-wget.exe (PID: 5292)
Reads the computer name
- wmpnscfg.exe (PID: 1772)
- 7za.exe (PID: 3680)
- driverpack-wget.exe (PID: 3608)
- driverpack-wget.exe (PID: 3552)
- driverpack-wget.exe (PID: 3556)
- driverpack-wget.exe (PID: 3716)
- driverpack-wget.exe (PID: 3616)
- driverpack-wget.exe (PID: 2040)
- driverpack-wget.exe (PID: 2672)
- driverpack-wget.exe (PID: 112)
- driverpack-wget.exe (PID: 2812)
- driverpack-wget.exe (PID: 588)
- driverpack-wget.exe (PID: 3484)
- driverpack-wget.exe (PID: 3536)
- driverpack-wget.exe (PID: 2588)
- driverpack-wget.exe (PID: 936)
- driverpack-wget.exe (PID: 1128)
- driverpack-wget.exe (PID: 2864)
- driverpack-wget.exe (PID: 3060)
- driverpack-wget.exe (PID: 3760)
- driverpack-wget.exe (PID: 3148)
- driverpack-wget.exe (PID: 3380)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 3768)
- driverpack-wget.exe (PID: 828)
- driverpack-wget.exe (PID: 812)
- driverpack-wget.exe (PID: 3236)
- driverpack-wget.exe (PID: 3616)
- driverpack-wget.exe (PID: 2452)
- driverpack-wget.exe (PID: 1520)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 2172)
- driverpack-wget.exe (PID: 3716)
- driverpack-wget.exe (PID: 2772)
- driverpack-wget.exe (PID: 3356)
- driverpack-wget.exe (PID: 4000)
- driverpack-wget.exe (PID: 3728)
- driverpack-wget.exe (PID: 3412)
- driverpack-wget.exe (PID: 3300)
- driverpack-wget.exe (PID: 1248)
- driverpack-wget.exe (PID: 2076)
- driverpack-wget.exe (PID: 3512)
- driverpack-wget.exe (PID: 2520)
- driverpack-wget.exe (PID: 3052)
- driverpack-wget.exe (PID: 3788)
- driverpack-wget.exe (PID: 3596)
- driverpack-wget.exe (PID: 3860)
- driverpack-wget.exe (PID: 3264)
- driverpack-wget.exe (PID: 2356)
- driverpack-wget.exe (PID: 3672)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 2020)
- driverpack-wget.exe (PID: 2056)
- driverpack-wget.exe (PID: 3752)
- driverpack-wget.exe (PID: 1380)
- driverpack-wget.exe (PID: 4068)
- driverpack-wget.exe (PID: 3216)
- driverpack-wget.exe (PID: 3624)
- driverpack-wget.exe (PID: 3620)
- driverpack-wget.exe (PID: 2840)
- driverpack-wget.exe (PID: 2996)
- driverpack-wget.exe (PID: 3060)
- driverpack-wget.exe (PID: 3948)
- driverpack-wget.exe (PID: 3152)
- driverpack-wget.exe (PID: 3380)
- driverpack-wget.exe (PID: 3660)
- driverpack-wget.exe (PID: 1844)
- driverpack-wget.exe (PID: 3472)
- driverpack-wget.exe (PID: 2188)
- driverpack-wget.exe (PID: 1996)
- driverpack-wget.exe (PID: 2408)
- driverpack-wget.exe (PID: 3360)
- driverpack-wget.exe (PID: 2052)
- driverpack-wget.exe (PID: 864)
- driverpack-wget.exe (PID: 1576)
- driverpack-wget.exe (PID: 3348)
- driverpack-wget.exe (PID: 2480)
- driverpack-wget.exe (PID: 3768)
- driverpack-wget.exe (PID: 524)
- driverpack-wget.exe (PID: 3252)
- driverpack-7za.exe (PID: 3412)
- driverpack-wget.exe (PID: 3080)
- driverpack-wget.exe (PID: 3544)
- driverpack-wget.exe (PID: 2168)
- driverpack-wget.exe (PID: 524)
- driverpack-wget.exe (PID: 2204)
- driverpack-wget.exe (PID: 3384)
- driverpack-wget.exe (PID: 1520)
- driverpack-wget.exe (PID: 1380)
- driverpack-wget.exe (PID: 1620)
- driverpack-wget.exe (PID: 2624)
- driverpack-wget.exe (PID: 3368)
- driverpack-wget.exe (PID: 3676)
- driverpack-wget.exe (PID: 3624)
- driverpack-wget.exe (PID: 3312)
- driverpack-wget.exe (PID: 3224)
- driverpack-wget.exe (PID: 3764)
- driverpack-wget.exe (PID: 2624)
- driverpack-wget.exe (PID: 3532)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 2124)
- driverpack-wget.exe (PID: 3736)
- driverpack-wget.exe (PID: 600)
- driverpack-wget.exe (PID: 4124)
- driverpack-wget.exe (PID: 4680)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 4728)
- driverpack-wget.exe (PID: 4720)
- driverpack-wget.exe (PID: 4708)
- driverpack-wget.exe (PID: 4760)
- driverpack-wget.exe (PID: 5328)
- driverpack-wget.exe (PID: 5336)
- driverpack-wget.exe (PID: 5392)
- aria2c.exe (PID: 6020)
- aria2c.exe (PID: 6100)
- aria2c.exe (PID: 6084)
- aria2c.exe (PID: 6060)
- driverpack-wget.exe (PID: 4140)
- driverpack-wget.exe (PID: 2328)
- driverpack-wget.exe (PID: 4196)
- aria2c.exe (PID: 2624)
- driverpack-wget.exe (PID: 1248)
- driverpack-wget.exe (PID: 4156)
- driverpack-wget.exe (PID: 4868)
- driverpack-wget.exe (PID: 4900)
- driverpack-wget.exe (PID: 4936)
- driverpack-wget.exe (PID: 4764)
- driverpack-wget.exe (PID: 4792)
- driverpack-wget.exe (PID: 5480)
- driverpack-wget.exe (PID: 5292)
Modifies the phishing filter of IE
- iexplore.exe (PID: 4004)
The process uses the downloaded file
- iexplore.exe (PID: 4004)
- mshta.exe (PID: 1936)
Reads Internet Explorer settings
- mshta.exe (PID: 1936)
- mshta.exe (PID: 2780)
- mshta.exe (PID: 3084)
Checks proxy server information
- mshta.exe (PID: 1936)
- mshta.exe (PID: 2780)
- mshta.exe (PID: 3084)
Uses BITSADMIN.EXE
- cmd.exe (PID: 2388)
- cmd.exe (PID: 2088)
- cmd.exe (PID: 2724)
- cmd.exe (PID: 2748)
- cmd.exe (PID: 2932)
- cmd.exe (PID: 3596)
- cmd.exe (PID: 3848)
- cmd.exe (PID: 3288)
- cmd.exe (PID: 3548)
- cmd.exe (PID: 1116)
- cmd.exe (PID: 2052)
- cmd.exe (PID: 188)
- cmd.exe (PID: 2076)
- cmd.exe (PID: 2340)
- cmd.exe (PID: 3444)
- cmd.exe (PID: 2896)
- cmd.exe (PID: 1028)
- cmd.exe (PID: 2872)
- cmd.exe (PID: 2736)
- cmd.exe (PID: 3140)
- cmd.exe (PID: 2880)
- cmd.exe (PID: 3428)
- cmd.exe (PID: 3568)
- cmd.exe (PID: 3892)
- cmd.exe (PID: 2156)
- cmd.exe (PID: 2344)
- cmd.exe (PID: 736)
- cmd.exe (PID: 1136)
- cmd.exe (PID: 3736)
- cmd.exe (PID: 3164)
- cmd.exe (PID: 2644)
- cmd.exe (PID: 2832)
- cmd.exe (PID: 2996)
- cmd.exe (PID: 2812)
- cmd.exe (PID: 2840)
- cmd.exe (PID: 3092)
- cmd.exe (PID: 3396)
- cmd.exe (PID: 2224)
- cmd.exe (PID: 3676)
- cmd.exe (PID: 3604)
- cmd.exe (PID: 1768)
- cmd.exe (PID: 3832)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 1288)
Drops the executable file immediately after the start
- expand.exe (PID: 1652)
Create files in a temporary directory
- expand.exe (PID: 1652)
- 7za.exe (PID: 3680)
- csc.exe (PID: 368)
- cvtres.exe (PID: 3140)
- driverpack-wget.exe (PID: 3556)
- driverpack-wget.exe (PID: 3608)
- driverpack-wget.exe (PID: 3716)
- driverpack-wget.exe (PID: 3552)
- driverpack-wget.exe (PID: 3484)
- driverpack-wget.exe (PID: 2812)
- driverpack-wget.exe (PID: 3616)
- driverpack-wget.exe (PID: 588)
- driverpack-wget.exe (PID: 2040)
- driverpack-wget.exe (PID: 112)
- driverpack-wget.exe (PID: 2672)
- driverpack-wget.exe (PID: 3536)
- driverpack-wget.exe (PID: 2588)
- driverpack-wget.exe (PID: 1128)
- driverpack-wget.exe (PID: 936)
- driverpack-wget.exe (PID: 3760)
- driverpack-wget.exe (PID: 3148)
- driverpack-wget.exe (PID: 2864)
- driverpack-wget.exe (PID: 828)
- driverpack-wget.exe (PID: 812)
- driverpack-wget.exe (PID: 3768)
- driverpack-wget.exe (PID: 3236)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 3616)
- driverpack-wget.exe (PID: 2452)
- driverpack-wget.exe (PID: 1520)
- driverpack-wget.exe (PID: 2172)
- driverpack-wget.exe (PID: 2772)
- driverpack-wget.exe (PID: 3356)
- driverpack-wget.exe (PID: 3716)
- driverpack-wget.exe (PID: 4000)
- driverpack-wget.exe (PID: 3596)
- driverpack-wget.exe (PID: 3860)
- driverpack-wget.exe (PID: 3788)
- driverpack-wget.exe (PID: 2356)
- driverpack-wget.exe (PID: 3264)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 3672)
- driverpack-wget.exe (PID: 2056)
- driverpack-wget.exe (PID: 2020)
- driverpack-wget.exe (PID: 3216)
- driverpack-wget.exe (PID: 3752)
- driverpack-wget.exe (PID: 4068)
- driverpack-wget.exe (PID: 1380)
- driverpack-wget.exe (PID: 3620)
- driverpack-wget.exe (PID: 3624)
- driverpack-wget.exe (PID: 2840)
- driverpack-wget.exe (PID: 3948)
- driverpack-wget.exe (PID: 3152)
- driverpack-wget.exe (PID: 3380)
- driverpack-wget.exe (PID: 3660)
- driverpack-wget.exe (PID: 1844)
- driverpack-wget.exe (PID: 2188)
- driverpack-wget.exe (PID: 3472)
- driverpack-wget.exe (PID: 3360)
- driverpack-wget.exe (PID: 1996)
- driverpack-wget.exe (PID: 2408)
- driverpack-wget.exe (PID: 864)
- driverpack-wget.exe (PID: 2052)
- driverpack-wget.exe (PID: 3348)
- driverpack-wget.exe (PID: 1576)
- driverpack-wget.exe (PID: 2480)
- driverpack-wget.exe (PID: 524)
- driverpack-wget.exe (PID: 3080)
- driverpack-wget.exe (PID: 3768)
- driverpack-wget.exe (PID: 2996)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 3544)
- driverpack-wget.exe (PID: 3384)
- driverpack-wget.exe (PID: 2168)
- driverpack-wget.exe (PID: 1520)
- driverpack-wget.exe (PID: 524)
- driverpack-wget.exe (PID: 2204)
- driverpack-wget.exe (PID: 1380)
- driverpack-wget.exe (PID: 1620)
- driverpack-wget.exe (PID: 3368)
- driverpack-wget.exe (PID: 2624)
- driverpack-wget.exe (PID: 3676)
- driverpack-wget.exe (PID: 3624)
- driverpack-wget.exe (PID: 3312)
- driverpack-wget.exe (PID: 3764)
- driverpack-wget.exe (PID: 3224)
- driverpack-wget.exe (PID: 3532)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 2624)
- driverpack-wget.exe (PID: 2124)
- driverpack-wget.exe (PID: 3736)
- driverpack-wget.exe (PID: 600)
- driverpack-wget.exe (PID: 4124)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 4728)
- driverpack-wget.exe (PID: 4720)
- driverpack-wget.exe (PID: 4680)
- driverpack-wget.exe (PID: 4760)
- driverpack-wget.exe (PID: 4708)
- driverpack-wget.exe (PID: 5328)
- driverpack-wget.exe (PID: 5336)
- driverpack-wget.exe (PID: 5392)
- driverpack-wget.exe (PID: 4140)
- driverpack-wget.exe (PID: 1248)
- driverpack-wget.exe (PID: 2328)
- driverpack-wget.exe (PID: 4156)
- driverpack-wget.exe (PID: 4196)
- driverpack-wget.exe (PID: 4900)
- driverpack-wget.exe (PID: 4868)
- driverpack-wget.exe (PID: 4936)
- driverpack-wget.exe (PID: 4792)
- driverpack-wget.exe (PID: 4764)
- driverpack-wget.exe (PID: 5480)
- driverpack-wget.exe (PID: 5292)
Reads the machine GUID from the registry
- csc.exe (PID: 368)
- cvtres.exe (PID: 3140)
- aria2c.exe (PID: 6100)
- aria2c.exe (PID: 6084)
- aria2c.exe (PID: 6020)
- aria2c.exe (PID: 6060)
- aria2c.exe (PID: 2624)
Creates files or folders in the user directory
- driverpack-wget.exe (PID: 3608)
- driverpack-wget.exe (PID: 3556)
- driverpack-wget.exe (PID: 3716)
- driverpack-wget.exe (PID: 3552)
- driverpack-wget.exe (PID: 2040)
- driverpack-wget.exe (PID: 3484)
- driverpack-wget.exe (PID: 3616)
- driverpack-wget.exe (PID: 2812)
- driverpack-wget.exe (PID: 588)
- driverpack-wget.exe (PID: 2672)
- driverpack-wget.exe (PID: 3536)
- driverpack-wget.exe (PID: 112)
- driverpack-wget.exe (PID: 2588)
- driverpack-wget.exe (PID: 936)
- driverpack-wget.exe (PID: 1128)
- driverpack-wget.exe (PID: 2864)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 3060)
- driverpack-wget.exe (PID: 3380)
- driverpack-wget.exe (PID: 3760)
- driverpack-wget.exe (PID: 3768)
- driverpack-wget.exe (PID: 3148)
- driverpack-wget.exe (PID: 828)
- driverpack-wget.exe (PID: 812)
- driverpack-wget.exe (PID: 3236)
- driverpack-wget.exe (PID: 2452)
- driverpack-wget.exe (PID: 1520)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 3616)
- driverpack-wget.exe (PID: 2172)
- driverpack-wget.exe (PID: 2772)
- driverpack-wget.exe (PID: 3716)
- driverpack-wget.exe (PID: 3356)
- driverpack-wget.exe (PID: 4000)
- driverpack-wget.exe (PID: 3728)
- driverpack-wget.exe (PID: 3412)
- driverpack-wget.exe (PID: 3300)
- driverpack-wget.exe (PID: 2076)
- driverpack-wget.exe (PID: 3512)
- driverpack-wget.exe (PID: 1248)
- driverpack-wget.exe (PID: 3060)
- driverpack-wget.exe (PID: 2520)
- driverpack-wget.exe (PID: 3788)
- driverpack-wget.exe (PID: 3596)
- driverpack-wget.exe (PID: 3860)
- driverpack-wget.exe (PID: 3264)
- driverpack-wget.exe (PID: 2356)
- driverpack-wget.exe (PID: 3672)
- driverpack-wget.exe (PID: 2508)
- driverpack-wget.exe (PID: 2020)
- driverpack-wget.exe (PID: 2056)
- driverpack-wget.exe (PID: 3216)
- driverpack-wget.exe (PID: 3752)
- driverpack-wget.exe (PID: 1380)
- driverpack-wget.exe (PID: 4068)
- driverpack-wget.exe (PID: 3624)
- driverpack-wget.exe (PID: 3620)
- driverpack-wget.exe (PID: 2840)
- driverpack-wget.exe (PID: 2996)
- driverpack-wget.exe (PID: 3052)
- driverpack-wget.exe (PID: 3152)
- driverpack-wget.exe (PID: 3380)
- driverpack-wget.exe (PID: 3660)
- driverpack-wget.exe (PID: 1844)
- driverpack-wget.exe (PID: 2188)
- driverpack-wget.exe (PID: 3472)
- driverpack-wget.exe (PID: 2408)
- driverpack-wget.exe (PID: 3360)
- driverpack-wget.exe (PID: 1996)
- driverpack-wget.exe (PID: 2480)
- driverpack-wget.exe (PID: 1576)
- driverpack-wget.exe (PID: 864)
- driverpack-wget.exe (PID: 3348)
- driverpack-wget.exe (PID: 2052)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 3768)
- driverpack-wget.exe (PID: 524)
- driverpack-7za.exe (PID: 3412)
- driverpack-wget.exe (PID: 3080)
- driverpack-wget.exe (PID: 3544)
- driverpack-wget.exe (PID: 2168)
- driverpack-wget.exe (PID: 524)
- driverpack-wget.exe (PID: 3384)
- driverpack-wget.exe (PID: 3948)
- driverpack-wget.exe (PID: 1520)
- driverpack-wget.exe (PID: 2204)
- driverpack-wget.exe (PID: 1380)
- driverpack-wget.exe (PID: 2624)
- driverpack-wget.exe (PID: 1620)
- driverpack-wget.exe (PID: 3368)
- driverpack-wget.exe (PID: 3624)
- driverpack-wget.exe (PID: 3676)
- driverpack-wget.exe (PID: 3312)
- driverpack-wget.exe (PID: 3224)
- driverpack-wget.exe (PID: 2624)
- driverpack-wget.exe (PID: 3532)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 3764)
- driverpack-wget.exe (PID: 2124)
- driverpack-wget.exe (PID: 3736)
- driverpack-wget.exe (PID: 600)
- driverpack-wget.exe (PID: 4124)
- driverpack-wget.exe (PID: 4680)
- driverpack-wget.exe (PID: 4728)
- driverpack-wget.exe (PID: 3252)
- driverpack-wget.exe (PID: 4720)
- driverpack-wget.exe (PID: 4708)
- driverpack-wget.exe (PID: 4760)
- driverpack-wget.exe (PID: 5336)
- driverpack-wget.exe (PID: 5392)
- driverpack-wget.exe (PID: 5328)
- driverpack-wget.exe (PID: 4140)
- driverpack-wget.exe (PID: 4196)
- driverpack-wget.exe (PID: 2328)
- aria2c.exe (PID: 6084)
- driverpack-wget.exe (PID: 1248)
- driverpack-wget.exe (PID: 4156)
- aria2c.exe (PID: 6020)
- driverpack-wget.exe (PID: 4868)
- driverpack-wget.exe (PID: 4900)
- aria2c.exe (PID: 6100)
- aria2c.exe (PID: 6060)
- aria2c.exe (PID: 2624)
- driverpack-wget.exe (PID: 4764)
- driverpack-wget.exe (PID: 4792)
- driverpack-wget.exe (PID: 4936)
- driverpack-wget.exe (PID: 5292)
- driverpack-wget.exe (PID: 5480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
743
Monitored processes
497
Malicious processes
13
Suspicious processes
11
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 112 | C:\Windows\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\start.bat" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 112 | "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-3.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_54891.log" | C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\Tools\driverpack-wget.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 188 | "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-51109 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; > "C:\Users\admin\AppData\Local\Temp\dwnl_51109\log_bits_info.txt" | C:\Windows\System32\cmd.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 304 | findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 304 | bitsadmin /info dwnl-task-51109 | C:\Windows\System32\bitsadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 1 Version: 7.5.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 368 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\x50bpf1k\x50bpf1k.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.8.3761.0 built by: NET48REL1 Modules
| |||||||||||||||
| 368 | "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-1.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_26502.log" & echo DONE > "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_finished_26502.txt"" | C:\Windows\System32\cmd.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 444 | "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/REVIEWS-2.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_65850.log" & echo DONE > "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_finished_65850.txt"" | C:\Windows\System32\cmd.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 524 | "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-9.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_99236.log" | C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\Tools\driverpack-wget.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 524 | "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-5.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_87855.log" | C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\Tools\driverpack-wget.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
112 558
Read events
110 920
Write events
1 561
Delete events
77
Modification events
| (PID) Process: | (4004) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
| (PID) Process: | (4004) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
| (PID) Process: | (4004) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 31108568 | |||
| (PID) Process: | (4004) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
| (PID) Process: | (4004) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 31108568 | |||
| (PID) Process: | (4004) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (4004) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (4004) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (4004) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (4004) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
Executable files
16
Suspicious files
399
Text files
971
Unknown types
105
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4056 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\robot[1].png | image | |
MD5:4C9ACF280B47CEF7DEF3FC91A34C7FFE | SHA256:5F9FC5B3FBDDF0E72C5C56CDCFC81C6E10C617D70B1B93FBE1E4679A8797BFF7 | |||
| 4056 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\googlelogo_color_150x54dp[1].png | image | |
MD5:9D73B3AA30BCE9D8F166DE5178AE4338 | SHA256:DBEF5E5530003B7233E944856C23D1437902A2D3568CDFD2BEAF2166E9CA9139 | |||
| 4004 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 | |||
| 4004 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico | image | |
MD5:DA597791BE3B6E732F0BC8B20E38EE62 | SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 | |||
| 4004 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der | |
MD5:BA208409D758D248B5C43BE99023D903 | SHA256:90052B1F97E33E41422EE5BDF739A18A7C66B30C282EA309314B68BBC7C093C1 | |||
| 4004 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC814.tmp | xml | |
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10 | SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9 | |||
| 4004 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary | |
MD5:DBB107627111484FA0A3668340D7DD13 | SHA256:ADA8A15B455069C56E26A1190AF564022792844D712C339B9A22B07E53B9A58C | |||
| 4004 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\urlblockindex[1].bin | binary | |
MD5:FA518E3DFAE8CA3A0E495460FD60C791 | SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7 | |||
| 4004 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text | |
MD5:E1C23F828A4AD0212C3C05CCAD98D5CD | SHA256:3310260469F9DF5EF0E17353C5327A7EFE50939F99BC35CD020237B67AA7514E | |||
| 4056 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\Z18ACTV2.txt | text | |
MD5:7E58A189655EA6C17AD0718076E18350 | SHA256:7AF13690F313457BA6BE35669946D818305653C2DE6AB606FE6D56F5967BA51C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1 069
TCP/UDP connections
464
DNS requests
96
Threats
613
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1664 | iexplore.exe | GET | 200 | 216.58.206.35:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | — | — | unknown |
1664 | iexplore.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gsgccr3dvtlsca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQoKOHJRQbCE%2B3DXqwFiztBxLYdhwQUDZjAc3%2Brvb3ZR0tJrQpKDKw%2Bx3wCDCsO3G8HMLCIpE1A1Q%3D%3D | unknown | — | — | unknown |
1664 | iexplore.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D | unknown | — | — | unknown |
1664 | iexplore.exe | GET | 200 | 216.58.206.35:80 | http://c.pki.goog/r/r1.crl | unknown | — | — | unknown |
1664 | iexplore.exe | GET | 200 | 216.58.206.35:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD52znXgmjnXwogfY0LOz7q | unknown | — | — | unknown |
1664 | iexplore.exe | GET | 200 | 216.58.206.35:80 | http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDcoc6fqZ4zlBD%2FfhdqltwL | unknown | — | — | unknown |
1664 | iexplore.exe | GET | 200 | 108.138.2.195:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | unknown | — | — | unknown |
1664 | iexplore.exe | GET | 200 | 18.245.39.64:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D | unknown | — | — | unknown |
1664 | iexplore.exe | GET | 200 | 18.245.39.64:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | unknown | — | — | unknown |
1664 | iexplore.exe | GET | 200 | 18.245.65.219:80 | http://ocsp.r2m03.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQqHI%2BsdmapawQncL1rpCEZZ8gTSAQUVdkYX9IczAHhWLS%2Bq9lVQgHXLgICEA%2BQ1WVbKcfycBRhHia5aYo%3D | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4056 | iexplore.exe | 172.217.16.194:80 | td.doubleclick.net | GOOGLE | US | whitelisted |
4056 | iexplore.exe | 172.217.18.100:80 | www.google.com | GOOGLE | US | whitelisted |
4004 | iexplore.exe | 2.22.228.122:443 | www.bing.com | Akamai International B.V. | GB | unknown |
4004 | iexplore.exe | 88.221.87.138:80 | ctldl.windowsupdate.com | Akamai International B.V. | GB | unknown |
4004 | iexplore.exe | 88.221.87.139:80 | ctldl.windowsupdate.com | Akamai International B.V. | GB | unknown |
4004 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4004 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted |
4056 | iexplore.exe | 13.107.5.80:443 | api.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
td.doubleclick.net |
| unknown |
www.google.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
static.driverpack.io |
| unknown |
ocsp2.globalsign.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell |
— | — | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell |
— | — | Potentially Bad Traffic | ET HUNTING PowerShell DownloadFile Command Common In Powershell Stagers |
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query |
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su) |
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query |
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su) |
2780 | mshta.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
2780 | mshta.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
2780 | mshta.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
7 ETPRO signatures available at the full report