General Info

File name

NEW ORDER.pdf

Full analysis
https://app.any.run/tasks/a0533738-f8e8-4f28-a0ab-5f4616784954
Verdict
Malicious activity
Analysis date
7/18/2019, 15:56:41
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

autoit

rat

nanocore

Indicators:

MIME:
application/pdf
File info:
PDF document, version 1.4
MD5

49da7a6a33d92497f44a67e9c87a7063

SHA1

6feb181d0a108c3eef465f31f4210074c25bcd8b

SHA256

e3cbadc9a0c8adce93cbbe76c51fd996c609632aaa4bb16e84a4bcffbdc2f4f2

SSDEEP

3072:II97HMb2D3G////pgD/9EpfhLjtGcAqFP6AUpUUInBbT:597sb2C////pC90jtGcV6AUpUUInBH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • Filname.scr (PID: 3228)
  • otd.exe (PID: 2872)
  • otd.exe (PID: 3528)
  • RegSvcs.exe (PID: 3404)
Changes the autorun value in the registry
  • otd.exe (PID: 2872)
  • RegSvcs.exe (PID: 3404)
NanoCore was detected
  • RegSvcs.exe (PID: 3404)
Executable content was dropped or overwritten
  • RegSvcs.exe (PID: 3404)
  • WScript.exe (PID: 3324)
  • Filname.scr (PID: 3228)
Application launched itself
  • otd.exe (PID: 3528)
Creates files in the user directory
  • RegSvcs.exe (PID: 3404)
Creates files in the program directory
  • AdobeARM.exe (PID: 3200)
Executes scripts
  • Filname.scr (PID: 3228)
  • WinRAR.exe (PID: 2704)
Starts application with an unusual extension
  • WScript.exe (PID: 3324)
Drop AutoIt3 executable file
  • Filname.scr (PID: 3228)
Starts Internet Explorer
  • AcroRd32.exe (PID: 2888)
Dropped object may contain Bitcoin addresses
  • Filname.scr (PID: 3228)
Application launched itself
  • AcroRd32.exe (PID: 2888)
  • RdrCEF.exe (PID: 3056)
Creates files in the user directory
  • iexplore.exe (PID: 3800)
Reads settings of System Certificates
  • iexplore.exe (PID: 3008)
Reads Internet Cache Settings
  • iexplore.exe (PID: 3800)
Changes internet zones settings
  • iexplore.exe (PID: 3008)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.pdf
|   Adobe Portable Document Format (100%)
EXIF
PDF
PDFVersion:
1.4
Linearized:
No
PageMode:
UseNone
PageCount:
1
ModifyDate:
2019:07:18 13:30:33+01:00
Creator:
Nitro Pro 8 (8. 0. 10. 7)
CreateDate:
2017:08:28 04:06:04Z
Author:
Dollars
Producer:
Nitro Pro 8 (8. 0. 10. 7)
XMP
Xpacket:
null
XMPToolkit:
3.1-701
CreateDate:
2017:08:28 04:06:04Z
CreatorTool:
Nitro Pro 8 (8. 0. 10. 7)
ModifyDate:
2017:08:28 04:06:09Z
MetadataDate:
2017:08:28 04:06:09Z
Format:
application/pdf
Creator:
Dollars
Title:
null
Description:
null
Keywords:
null
Producer:
Nitro Pro 8 (8. 0. 10. 7)
DocumentID:
uuid:6254959b-1ee2-41a2-9324-a20e60ff664f

Screenshots

Processes

Total processes
49
Monitored processes
16
Malicious processes
9
Suspicious processes
0

Behavior graph

+
start drop and start acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs iexplore.exe iexplore.exe winrar.exe no specs wscript.exe filname.scr wscript.exe no specs adobearm.exe no specs reader_sl.exe no specs otd.exe no specs otd.exe #NANOCORE regsvcs.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2888
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\NEW ORDER.pdf"
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe Acrobat Reader DC
Version
15.23.20070.215641
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\kbdus.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sspicli.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\program files\common files\adobe\arm\1.0\adobearm.exe

PID
2388
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\NEW ORDER.pdf"
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Indicators
No indicators
Parent process
AcroRd32.exe
User
admin
Integrity Level
LOW
Version:
Company
Adobe Systems Incorporated
Description
Adobe Acrobat Reader DC
Version
15.23.20070.215641
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.dll
c:\program files\adobe\acrobat reader dc\reader\agm.dll
c:\windows\system32\msvcp120.dll
c:\windows\system32\msvcr120.dll
c:\windows\system32\version.dll
c:\program files\adobe\acrobat reader dc\reader\bib.dll
c:\program files\adobe\acrobat reader dc\reader\cooltype.dll
c:\program files\adobe\acrobat reader dc\reader\ace.dll
c:\windows\system32\profapi.dll
c:\program files\adobe\acrobat reader dc\reader\axe8sharedexpat.dll
c:\program files\adobe\acrobat reader dc\reader\plug_ins\weblink.api
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\adobe\acrobat reader dc\reader\plug_ins\escript.api
c:\windows\system32\psapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\program files\adobe\acrobat reader dc\reader\bibutils.dll
c:\program files\adobe\acrobat reader dc\reader\sqlite.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\program files\adobe\acrobat reader dc\reader\plug_ins\ia32.api
c:\windows\system32\mscms.dll
c:\windows\system32\userenv.dll
c:\program files\adobe\acrobat reader dc\reader\plug_ins\updater.api

PID
3056
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Indicators
No indicators
Parent process
AcroRd32.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe RdrCEF
Version
15.23.20053.211670
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\libcef.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\audioses.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\apphelp.dll

PID
2592
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3056.0.217419708\1543208519" --allow-no-sandbox-job /prefetch:673131151
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Indicators
No indicators
Parent process
RdrCEF.exe
User
admin
Integrity Level
LOW
Version:
Company
Adobe Systems Incorporated
Description
Adobe RdrCEF
Version
15.23.20053.211670
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\libcef.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll

PID
2720
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3056.1.953025387\1591327328" --allow-no-sandbox-job /prefetch:673131151
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Indicators
No indicators
Parent process
RdrCEF.exe
User
admin
Integrity Level
LOW
Version:
Company
Adobe Systems Incorporated
Description
Adobe RdrCEF
Version
15.23.20053.211670
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\libcef.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll

PID
3008
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
AcroRd32.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mlang.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\winshfhc.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
3800
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3008 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\wpc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\program files\winrar\winrar.exe

PID
2704
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P420A25I\Quotation[1].ace"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\program files\winrar\unacev2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\wscript.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll

PID
3324
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2704.26092\Quotation.js"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\filname.scr

PID
3228
CMD
"C:\Users\admin\AppData\Local\Temp\Filname.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\Filname.scr
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\filname.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wscript.exe
c:\windows\system32\sfc.dll

PID
2180
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\74192147\mag.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
Filname.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\linkinfo.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\wer.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\74192147\otd.exe

PID
3200
CMD
"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:15.0 /MODE:3
Path
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Indicators
No indicators
Parent process
AcroRd32.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe Reader and Acrobat Manager
Version
1.824.27.2646
Modules
Image
c:\program files\common files\adobe\arm\1.0\adobearm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wintrust.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\program files\adobe\acrobat reader dc\reader\reader_sl.exe
c:\windows\system32\normaliz.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qmgrprxy.dll
c:\windows\system32\msisip.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wshext.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\program files\common files\adobe\arm\1.0\adobearmhelper.exe

PID
3928
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
Indicators
No indicators
Parent process
AdobeARM.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Adobe Systems Incorporated
Description
Adobe Acrobat SpeedLauncher
Version
15.23.20053.211670
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\reader_sl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcp120.dll
c:\windows\system32\msvcr120.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3528
CMD
"C:\Users\admin\AppData\Local\Temp\74192147\otd.exe" nhj=qua
Path
C:\Users\admin\AppData\Local\Temp\74192147\otd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 4
Modules
Image
c:\users\admin\appdata\local\temp\74192147\otd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll

PID
2872
CMD
C:\Users\admin\AppData\Local\Temp\74192147\otd.exe C:\Users\admin\AppData\Local\Temp\74192147\LBYHC
Path
C:\Users\admin\AppData\Local\Temp\74192147\otd.exe
Indicators
Parent process
otd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
AutoIt Team
Description
AutoIt v3 Script
Version
3, 3, 14, 4
Modules
Image
c:\users\admin\appdata\local\temp\74192147\otd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
3404
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Indicators
Parent process
otd.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Services Installation Utility
Version
4.7.3062.0 built by: NET472REL1
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\f971acbc25b64dfe4d70e5b25837c780\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

Registry activity

Total events
2573
Read events
2384
Write events
187
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
2888
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2888
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000078000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2888
AcroRd32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
2888
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2888
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2388
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection
bLastExitNormal
0
2388
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral
bExpandRHPInViewer
1
2388
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\NoTimeOut
smailto
5900
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{F3CF93E6-A963-11E9-A9B1-5254004A04AF}
0
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
1
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E3070700040012000D00390012002601
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
1
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E3070700040012000D00390012002E01
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
1
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E3070700040012000D00390012001102
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
24
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
1
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070700040012000D00390012004102
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
128
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
1
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E3070700040012000D0039001200B302
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
141
3008
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E3070700040012000D0039001C00ED0100000000
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E3070700040012000D0039001C00EF0100000000
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NotifyDownloadComplete
yes
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019071820190719
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071820190719
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019071820190719
CachePrefix
:2019071820190719:
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019071820190719
CacheLimit
8192
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019071820190719
CacheOptions
11
3008
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019071820190719
CacheRepair
0
3008
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
3800
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019071820190719
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071820190719
3800
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019071820190719
CachePrefix
:2019071820190719:
3800
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019071820190719
CacheLimit
8192
3800
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019071820190719
CacheOptions
11
3800
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019071820190719
CacheRepair
0
3800
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2704
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P420A25I\Quotation[1].ace
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0
Count
0
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0
Name
542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B5A7E746578647871634B407E79737860644B43727A67786576656E375E7963726579726337517E7B72644B5B78604B54787963727963395E52224B472325275625225E4B4662786376637E78794C264A3976747217171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171700
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0
Size
2480476
2704
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
@C:\Windows\System32\wshext.dll,-4804
JScript Script File
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0
Name
542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B5A7E746578647871634B407E79737860644B43727A67786576656E375E7963726579726337517E7B72644B5B78604B54787963727963395E52224B472325275625225E4B4662786376637E78794C264A39767472170A1717151713170717170F175D04FB41DD1717175F1414171717FF8D0A17FF8C0A172BB70A17FAF7D160FC911817E9E8E8E80F16DB60D8E8DC6037175D040617171716171717171717371A171717371717170F8B0A175371DE60B8C8EA627B141717478B0A174F8B0A171F171717191717170F17171714171717171717171680B1607B8B0A17161717175FB70A17171517175717171717171717C343DE601717171717171717171717174F3E2114838B0A175FB70A17131717171717171717171717B6C6211466108D52078B0A1700
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2704
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3324
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3324
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3228
Filname.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3228
Filname.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2180
WScript.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
2180
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2180
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3200
AdobeARM.exe
write
HKEY_CURRENT_USER\Software\Adobe\Adobe ARM\1.0\ARM
iSpeedLauncherLogonTime
144722A0ACE1D401
3200
AdobeARM.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3200
AdobeARM.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3200
AdobeARM.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
2872
otd.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
chrome
C:\Users\admin\AppData\Local\Temp\74192147\otd.exe C:\Users\admin\AppData\Local\Temp\74192147\NHJ_QU~1
3404
RegSvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
TCP Monitor
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe

Files activity

Executable files
3
Suspicious files
4
Text files
75
Unknown types
17

Dropped files

PID
Process
Filename
Type
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\otd.exe
executable
MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
3324
WScript.exe
C:\Users\admin\AppData\Local\Temp\Filname.scr
executable
MD5: f7c6f12873e628876ef9367e7e3d4464
SHA256: 00ed4501a73ced528391efbaa79d50943747ca49260a3d2985f422dde579f48b
3404
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
executable
MD5: 0e06054beb13192588e745ee63a84173
SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
3200
AdobeARM.exe
C:\ProgramData\Adobe\ARM\ArmReport.ini
text
MD5: a5deee52b298967638b05dc479def3a9
SHA256: 932ad7d7735eabddcecd281d859df90619225c5ff6d3d5c717b4bcbae46b094d
3404
RegSvcs.exe
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
text
MD5: 84ccd71f7391ac9bef1d9ca80ea64c44
SHA256: f2c1aeae22a30087b0fa324a56b2be999227c579e6c9b6f06094b8ce4f56ed78
3528
otd.exe
C:\Users\admin\AppData\Local\Temp\74192147\LBYHC
text
MD5: 93884cab9760d21aafa5264a489402fb
SHA256: a57fabe9638162415a46e43295ca7192c8af7186c006243fffb2125261ef3903
3200
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\ArmUI.ini
text
MD5: 864c22fb9a1c0670edf01c6ed3e4fbe4
SHA256: b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\kge.dat
text
MD5: aa32d4e41abcd8241e83eb06783dddf3
SHA256: a2e98294eb486b25f85b3312c5d1fa18b17f6a8ce185a920356d9a44de210d87
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\bcv.xl
text
MD5: 9e8dece9b469898ee835906f1b074dce
SHA256: 35e1edd2c029e30aec9b55df58fcc2d603c2d3de85d43af96c2ee9608403ea90
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\ipa.mp3
text
MD5: b9c346d37a14e5c3cfa37550de65064c
SHA256: f804579525327d1f44eede23a0822b41dfb6e33cab28760a05d63eec00cfbb72
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\apb.mp3
text
MD5: b7c7324762d2f6bb45d3b8efdcdf4955
SHA256: 47a4bfb9843481b3aec183020130170eccb78266cf5d6e9732c093838ee4d597
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\dtj.ico
text
MD5: 4cdd66457f295bddb793aebd134f9bae
SHA256: 13313f77ecf88607db96f66d8a35226328ebb326982647913ba31bae62a34fa8
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\hjn.mp3
text
MD5: 0b9a6066b335f54ee019e26e67cd763c
SHA256: 43e2866437de719129e5cc730a6a6b5b3e436ee7c48850f9db40d42d257133df
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\aib.docx
text
MD5: b5b37a05e8920443da909e98e178e644
SHA256: 65f802bd0a53dc83c6ebea646cac066f66372214422b1028ed4f1d0d17c25acb
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\vik.xl
text
MD5: 2cb5d81cdc2c90827c230a5930558a0a
SHA256: c033c2e145b3d0b1254ce0fcd6f59e9bf858cf3177cc57323ff5bbb8d84cf991
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\hlg.txt
text
MD5: 9c7140e886d769330d547dba57816201
SHA256: 3833b40ef5d5a064069db7e11d703820141b5f5c96d0cad96b41a326e4a94bb6
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\jeu.mp4
text
MD5: d2a9eb58e6919c2bf97dbb7ecbb3b33e
SHA256: 7f13b7bb5f63d5ed7e396ca68b6a999d90ceccece304105726332c2ea72971b0
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\vvv.ico
text
MD5: fb8ecc79eef99fee693a39885d192cb3
SHA256: e1b22b62b843d425e157da405eacad52996e96dde6b530f790f3bc0ecffb351e
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\irt.pdf
text
MD5: 692fdc4f5dff7e69396d8c2c30d0c3ce
SHA256: 0ba8faa727539fa78ac7886857ca8bb07735b35f0a30b02b0457e3a4b0dd642f
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\lvq.icm
text
MD5: 03c05254e9e61e0056daf3acf43f0d08
SHA256: 71464fe7843dda3bdc090598ddd82fb89b2e727f7b11e78b360ce0817b7d91ee
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\jqq.pdf
text
MD5: b3ba5aa0fcf8e70ce98e73fc6756d942
SHA256: 5d587ae55dfc6ac58aefe76d655d9c2ca9b46b99dd479668f38b25e4a0376986
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\mfm.ico
text
MD5: 247e512147266f2f89d51771a85d56a6
SHA256: e1121278953041fc3d0447472293ac05e87245d0ee61b09a34edd871ee48045d
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\ibf.ppt
text
MD5: 53e02bb4a278493d3689e120300ac7ab
SHA256: 80d3b4392688933ba48daedda69152e144442a6f105d458c4f81768952f4ba35
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\ilu.ico
text
MD5: ebcb1985658d14a16e6e21ce18cae89d
SHA256: 60052d2f594c8ebc887647604c1360df0520d409adf24bb622731c841b556809
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\ise.txt
text
MD5: 6d8a7ca3e73f314d6d6f3d595680cffc
SHA256: 81d3305b34eac7aea5d60ce8af34a7f00f9f15a25cf6eb49a81b166f307af573
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\qmr.jpg
text
MD5: 365bd79e8dc1ed7e13be46c5b124b8fd
SHA256: 0a72cf86ea70dc9493019860aa483f698be75ba27406c8d2f9b4d103199a2280
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\roa.ppt
text
MD5: 07361604d6b775625feba0136933ae66
SHA256: 945ac7fb04017dbaa57db1da30430d90251b445e1b32415f24a87cc1b30e58a1
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\ttc.bmp
text
MD5: 178a2224824767eadae682cb3ad9184d
SHA256: e2dac12b6654045783f772b5c82f4774554d32b15c08db282904c09fcf29bc4c
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\shf.pdf
text
MD5: e606fbbe28dcd1cc040abcc3e6b18809
SHA256: ccdec19f1b42f2afad0425be971c25a8c24f2554efff6a9e75dd89265b65028a
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\nsb.jpg
text
MD5: f43efc4dc87595e225b8f7e8a69fe98b
SHA256: 22d065b552f639be7da7d27fc5e19b023b47bc6b763f0a4d4ec27b01753a8781
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\evd.xl
text
MD5: 1ddb72a85fcdc37cbe80dc410d916b1e
SHA256: f1d878154282e86a2ab74aa026d3eab888d46fb0e8ca470bacd3559ba33c11a7
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\gpe.mp4
text
MD5: d0c25425a8b010c401919388d5fc1706
SHA256: 95c6843ce6a67b5c30df3ea7b84e8414f4f43a6cdaff3060fce8eb32acebccef
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\uep.mp4
text
MD5: e015bcf987563d7f87a656da716b5202
SHA256: 255f6b0fb573332161d821ddbcb248cfacc4b6907eacf1ad62f763741df006ec
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\wab.pdf
text
MD5: 2ccb523f25f3e7b7b0f090bc6e0bc300
SHA256: fca524b1d28376e472185e7914cb434bd7da3f7622add4941cf04258717a670b
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\abt.ppt
text
MD5: 75b8ee91b9d79a713c3ed49bfd8d138c
SHA256: b9b83cbba3991ec98356cc56aaf2937b78d08599368811e88eaeb68882f014be
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\sho.ico
text
MD5: bc34b9c0f287e4a3d271b4750985ed1a
SHA256: e6d5f9dfd03cf723700e30268dd0c5f9707c0381c0b6d409a86893d8489238e3
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\qsl.mp3
text
MD5: cd122c1d64ce53372eaf05c4ea45c3d1
SHA256: 7281f52f2440f40ff5dc5755b5224c292482e1c37ea6864ec4e95b03a1f062ab
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\vga.bmp
text
MD5: 2809d99ce6a83228cd57017d9287b15d
SHA256: efa9c9565d9f405b9846110799a4ea0568ea372537fcefeb06fc91a0663c88d7
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\xak.xl
text
MD5: 02a9cc3882dc6b94763945daf90f2dde
SHA256: ed80ba23f7c309748260d6e73b49648caa1f7a2d587c3a6e4627be4ee68dc4a7
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\hvk.mp4
text
MD5: 6997c7cc6e6c7cf78bbcaca8e2add6f1
SHA256: 3c6ec93514df14b463d79bf3061e8a34b8ce75c3811c08b7bfbf6be72a16255f
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\wxs.mp4
text
MD5: 542446136067de898f6e2cf4a56926ef
SHA256: 2f1c1eb8ecf1ab5c0af955f66116bebaf17e3be23518e98ed3d243b5fda9b649
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\auq.ico
text
MD5: bf0990ff0424d476ad999aeab590eee6
SHA256: 1d57258d3bd24c910d3f9c5c0a158a9b235d046e3a81c23e53fec2309cd99377
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\fjf.docx
text
MD5: 9a679aa98bd92d92cf37692c453c5067
SHA256: ab16b434ac2945a4e9e80f8695688b0ce32ba29b0e41608593cabb1847ef40b5
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\spg.ico
text
MD5: 4ad901999c16cae168920c75cc7305b6
SHA256: 02a0b847f9f20c6aca80d861a03500b5ffda823b4dd87f1eb60750af1f4d2af2
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\qkf.ppt
text
MD5: 31ab8718b2c52c22dcda28be81d7952f
SHA256: 963139b4a4eb17ff3ef60408e793f70787a834138956abdd2390793cb3ac689c
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\pse.mp4
text
MD5: 21081c11e557e33e0f8296ab64e7f447
SHA256: 8122ce127fc601128a48ebf4e706338dd1d5784f5d8344db69673919f0d0f819
2388
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: 71289f8f8d3000638a846f994c51e52b
SHA256: a67239b25ef289bb16b95feb12a1d0a77fef6772cd26901970bce3116d81fcb9
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\mag.vbs
text
MD5: 9a06768552605481f5feba40efb1bf9b
SHA256: d266954d3d83032cf2d9443f00b46462097b18afd638e42ef4bab863a7d5c4a3
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\nhj=qua
text
MD5: 006751efeca978ddbf8d98f5db8fa30a
SHA256: 33d94e46f66444ad87e6bbf932c471bc42e3aa5fd65380fb4d695e63e265c9de
3228
Filname.scr
C:\Users\admin\AppData\Local\Temp\74192147\nhv.mp3
text
MD5: 382ca91da264216d956bddf7fdff04fd
SHA256: b694c2cf12c8f3a30e67e1c37c5f4f1ce2b7892963e7f6129bb4127201c68137
3200
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\Tmp4800.tmp
––
MD5:  ––
SHA256:  ––
2704
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIa2704.26092\Quotation.js
text
MD5: 14bd1034f8e411fd5c77e93ce9e636f2
SHA256: 0faa36880750bd124542e5dcbb0312be9b6ff3ef996bb058c15581063b7f4a3b
3008
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F3CF93E6-A963-11E9-A9B1-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
3008
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFF3E4118FCE5EECFC.TMP
––
MD5:  ––
SHA256:  ––
3800
iexplore.exe
C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log
text
MD5: e7e3c581949b804f5ccda6417e36f6e3
SHA256: 4d27ba32f1bedefc66173e9e999e5ed3b3cef3c79ab2ebcfce01d6e8571c6d51
3008
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071820190719\index.dat
dat
MD5: 5d4ae7548a91d7db07fcdfbf73246a73
SHA256: 39e1567d4f42c679c493db1e565eef1f332350d80b0c5e5d2305f8172bcbe5c0
3800
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071820190719\index.dat
dat
MD5: 3ef513b7374ea5087febbe9c0c364d87
SHA256: 623a3e2d2dc433096c54436c18484826ddf155ea1846559f1367994f068e6d6f
3008
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P420A25I\Quotation[1].ace:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3800
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P420A25I\Quotation[1].ace
compressed
MD5: b0f2a7c228d235c7710bf4ebb9c6d457
SHA256: 8cd98d9eebe48b7b9225c825e2345f056a82d189e9372e13740dc0f778d9aae4
2388
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: 02f123db2ceaa7472bd4d3922630fa1f
SHA256: 2ba4e4ee82e50630a70602235bf9fcf7dbc3280e1cd5df3f728161cf35e0e8c1
2388
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
––
MD5:  ––
SHA256:  ––
2388
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1y6663s_1ob0ca7_1uc.tmp
––
MD5:  ––
SHA256:  ––
2388
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R14ipnns_1ob0ca5_1uc.tmp
––
MD5:  ––
SHA256:  ––
2388
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1eloapb_1ob0ca6_1uc.tmp
––
MD5:  ––
SHA256:  ––
2388
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Riahcoy_1ob0ca3_1uc.tmp
––
MD5:  ––
SHA256:  ––
2388
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rxwpijx_1ob0ca4_1uc.tmp
––
MD5:  ––
SHA256:  ––
2388
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: 85fba1ded6ba3fe4efd7c178afee77dc
SHA256: cdbddf454a0b3877fd898bece5933ac2d6477c5775e06451f375676f59d58314
3008
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{F3CF93E7-A963-11E9-A9B1-5254004A04AF}.dat
binary
MD5: ccc9eb54208f4b4701d30791fbc7084b
SHA256: d860f4bf25b485e6f003ed864bf4d389fd609a13139e2b4bff574179bafab7f8
3008
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF52C4D5815F83F54F.TMP
––
MD5:  ––
SHA256:  ––
3800
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
dat
MD5: b4af44c2ec1f5d7879a5520e7aefcf9f
SHA256: 70cb6a3d8c21bb83139d744f1a16f50f0b75a8e8395caa954bbc77cee8d14c53
3800
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: 6484b3df3ebcb591958ac84d827a4d75
SHA256: 6b41754809358a9f4af3309ed0a21e0679ed6a8c794230560d31dc90902af45e
3800
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected]box[2].txt
text
MD5: c8f90ec80ce18141dd7695ffcc21e555
SHA256: 87e8d06a6ede612b035585a78172f112475d5470f3fe9e29b2a45bb175f0d055
3800
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3800
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
dat
MD5: 95369ddacd3b82e626ef0abb1ca2e399
SHA256: 57e891a7e96d67cdefa186d1127880452df5a909f4200d35e8f48f40f352e703
3800
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3008
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
3008
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
3008
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3800
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: eb0860b0253fa46c1bc0daebf11f775e
SHA256: cbf09e889919e2c57893e1e68315a81fbdea1c0f014c09a87ef853cb371fa22f
3800
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9GE3TVSV\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3800
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3U49FD5F\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3800
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XYJTW95G\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3800
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P420A25I\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3008
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3800
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3800
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2388
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: b93b145fe0eb9ccadf3b49905c4a0ae2
SHA256: 8928b58dc44f172b2bea427a12bc8aa05e44873e6425a6fe6f302964c5a59822
2388
AcroRd32.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin
binary
MD5: fe9a7263e69aeba538268e2863e44f0b
SHA256: 94c6c73b8ea579c601ce95c1c2143f881fd36a0696716f9dc5fb13824170198b
2388
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
binary
MD5: b1980aa2b0ba01eec9c01eb89eb2af88
SHA256: e5d300e866fd9d44c9d771d42e2e7d194b87ed01492021f5595b9857d8578650
2388
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: 26a8885ce9b1e03aac7d6ae6e1343801
SHA256: 37dd44e1ab880b4baefc5abf97b1e24444fe8a3d880a245199ae16e7a520c5a8
2388
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: 0b8bdbb076b08e5036ed7e9d59564860
SHA256: 60e1fe70c2c455f22d9be3e19cab4ff36c4d12d92b5058ee5ce71a8c8373e3eb
3200
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\Tmp4821.tmp
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
6
TCP/UDP connections
12
DNS requests
9
Threats
1

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3008 iexplore.exe GET 200 13.107.21.200:80 http://www.bing.com/favicon.ico US
image
whitelisted
2888 AcroRd32.exe GET 304 2.16.186.33:80 http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip unknown
––
––
whitelisted
2888 AcroRd32.exe GET 304 2.16.186.33:80 http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip unknown
––
––
whitelisted
2888 AcroRd32.exe GET 304 2.16.186.33:80 http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip unknown
––
––
whitelisted
2888 AcroRd32.exe GET 304 2.16.186.33:80 http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip unknown
––
––
whitelisted
2888 AcroRd32.exe GET 304 2.16.186.33:80 http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip unknown
––
––
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3008 iexplore.exe 13.107.21.200:80 Microsoft Corporation US whitelisted
3800 iexplore.exe 162.125.66.1:443 Dropbox, Inc. DE shared
3800 iexplore.exe 162.125.66.6:443 Dropbox, Inc. DE shared
2888 AcroRd32.exe 2.16.186.33:80 Akamai International B.V. –– whitelisted
–– –– 2.18.233.74:443 Akamai International B.V. –– whitelisted
–– –– 2.16.186.33:80 Akamai International B.V. –– whitelisted
3404 RegSvcs.exe 79.134.225.35:19864 Andreas Fink trading as Fink Telecom Services CH malicious
–– –– 104.111.214.232:443 Akamai International B.V. NL whitelisted
3404 RegSvcs.exe 105.112.96.202:19864 NG unknown

DNS requests

Domain IP Reputation
www.bing.com 13.107.21.200
204.79.197.200
whitelisted
www.dropbox.com 162.125.66.1
shared
uca4e0bc8bf025e06f76afff9046.dl.dropboxusercontent.com 162.125.66.6
suspicious
acroipm2.adobe.com 2.16.186.33
2.16.186.32
whitelisted
armmf.adobe.com 2.18.233.74
whitelisted
xeliteme.us 79.134.225.35
malicious
ardownload2.adobe.com 104.111.214.232
whitelisted
tats2lou.ddns.net 105.112.96.202
malicious

Threats

PID Process Class Message
3800 iexplore.exe Potential Corporate Privacy Violation SUSPICIOUS [PTsecurity] Dropbox SSL Payload Request

Debug output strings

No debug info.