General Info

File name

FAT#Q5VHKWX03 .msi

Full analysis
https://app.any.run/tasks/bdb4c7b5-68c9-46a6-9d35-53a7312ddbc8
Verdict
Malicious activity
Analysis date
9/11/2019, 00:49:14
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

generated-doc

Indicators:

MIME:
application/x-msi
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {9F4AD185-A744-443F-8238-BAAB0691AFF0}, Number of Words: 10, Subject: Windows Installer, Author: Windows Installer, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install Windows Installer.
MD5

fa8b0b867b1c0d30ace0e3e63bb35c0e

SHA1

403882f86d074bc30700fbde0a5ce9c0f1371628

SHA256

e7d224387b5a531f45592def4030f6c7b4ebc3e1be373223460e93ce3b2a15a0

SSDEEP

3072:rm2kc9/3DaYIA5wgz88ereWn/7w05g0546PMcB3RUN46ILJ9+ZB5yOanYG:rmC3DaYIA08er1nzTv4XrPG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • SMCSvMoOg.pif (PID: 2672)
Loads dropped or rewritten executable
  • SMCSvMoOg.pif (PID: 2672)
  • SearchProtocolHost.exe (PID: 980)
Changes the autorun value in the registry
  • reg.exe (PID: 2960)
Executable content was dropped or overwritten
  • MsiExec.exe (PID: 3356)
  • msiexec.exe (PID: 2244)
Starts CMD.EXE for commands execution
  • MsiExec.exe (PID: 3356)
Creates files in the user directory
  • cmd.exe (PID: 3372)
Starts Internet Explorer
  • cmd.exe (PID: 3372)
Uses REG.EXE to modify Windows registry
  • cmd.exe (PID: 2352)
Application launched itself
  • iexplore.exe (PID: 3120)
  • msiexec.exe (PID: 2244)
Creates files in the program directory
  • MsiExec.exe (PID: 3356)
Changes internet zones settings
  • iexplore.exe (PID: 3120)
Creates files in the user directory
  • iexplore.exe (PID: 3752)
Reads settings of System Certificates
  • iexplore.exe (PID: 3120)
Starts application with an unusual extension
  • MsiExec.exe (PID: 3356)
Loads dropped or rewritten executable
  • MsiExec.exe (PID: 3356)
Reads internet explorer settings
  • iexplore.exe (PID: 3752)
Reads Internet Cache Settings
  • iexplore.exe (PID: 3752)


Static information

TRiD
.msi
|   Microsoft Windows Installer (88.6%)
.mst
|   Windows SDK Setup Transform Script (10%)
.msi
|   Microsoft Installer (100%)
EXIF
FlashPix
Title:
Installation Database
Keywords:
Installer, MSI, Database
LastPrinted:
2009:12:11 11:47:44
CreateDate:
2009:12:11 11:47:44
ModifyDate:
2009:12:11 11:47:44
Pages:
200
Security:
None
CodePage:
Windows Latin 1 (Western European)
RevisionNumber:
{9F4AD185-A744-443F-8238-BAAB0691AFF0}
Words:
10
Subject:
Windows Installer
Author:
Windows Installer
LastModifiedBy:
null
Software:
Advanced Installer 12.2.1 build 64247
Template:
;1033
Comments:
This installer database contains the logic and data required to install Windows Installer.

Processes

Total processes
43
Monitored processes
10
Malicious processes
1
Suspicious processes
2

Behavior graph

Graph nodes: drop and start → msiexec.exe (no specs), msiexec.exe, msiexec.exe, cmd.exe (no specs), iexplore.exe, iexplore.exe, searchprotocolhost.exe (no specs), cmd.exe (no specs), reg.exe, smcsvmoog.pif (no specs)
Process information

PID
980
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\version.dll
c:\users\admin\documents\ad9a435e-dda5-83cd-588ab17311b1\106e5ad18d45175374212\{c49249f5-b9a4-f7f9da622bb}\common\imgengine.dll
c:\users\admin\documents\ad9a435e-dda5-83cd-588ab17311b1\106e5ad18d45175374212\{c49249f5-b9a4-f7f9da622bb}\common\sptdintf.dll
c:\users\admin\documents\ad9a435e-dda5-83cd-588ab17311b1\106e5ad18d45175374212\{c49249f5-b9a4-f7f9da622bb}\common\name.exe
c:\windows\system32\acppage.dll

PID
2868
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\FAT#Q5VHKWX03 .msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll

PID
2244
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devrtl.dll

PID
3356
CMD
C:\Windows\system32\MsiExec.exe -Embedding D9AA18CE5753176E17A18C7DE9DC85B2
Path
C:\Windows\system32\MsiExec.exe
Indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msib163.tmp
c:\windows\system32\comdlg32.dll
c:\windows\installer\msib1f0.tmp
c:\windows\system32\jscript.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\scrrun.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\zipfldr.dll
c:\program files\internet explorer\ieproxy.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\winshfhc.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\users\admin\documents\ad9a435e-dda5-83cd-588ab17311b1\106e5ad18d45175374212\{c49249f5-b9a4-f7f9da622bb}\common\name.exe

PID
3372
CMD
"C:\Windows\System32\cmd.exe" /C start /MIN http://google.com.br/
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll

PID
3120
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mlang.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
3752
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3120 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\feclient.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\msimg32.dll

PID
2352
CMD
"C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 69_SMCSvMoOg /t reg_sz /d "C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
MsiExec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2960
CMD
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 69_SMCSvMoOg /t reg_sz /d "C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif"
Path
C:\Windows\system32\reg.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2672
CMD
"C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif"
Path
C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif
Indicators
No indicators
Parent process
MsiExec.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Disc Soft Ltd
Description
Disc Soft Bus Service Pro
Version
8.2.1.0709
Modules
Image
c:\users\admin\documents\ad9a435e-dda5-83cd-588ab17311b1\106e5ad18d45175374212\{c49249f5-b9a4-f7f9da622bb}\common\smcsvmoog.pif
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\documents\ad9a435e-dda5-83cd-588ab17311b1\106e5ad18d45175374212\{c49249f5-b9a4-f7f9da622bb}\common\imgengine.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\magnification.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\users\admin\documents\ad9a435e-dda5-83cd-588ab17311b1\106e5ad18d45175374212\{c49249f5-b9a4-f7f9da622bb}\common\sptdintf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\newdev.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\colorui.dll
c:\windows\system32\mscms.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\compstui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\inetres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\idndl.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll

Registry activity

Total events
1522
Read events
1411
Write events
103
Delete events
8

Modification events

PID
Process
Operation
Key
Name
Value
980
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
980
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
@C:\Windows\System32\acppage.dll,-6005
Shortcut to MS-DOS Program
2244
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72\52C64B7E
2244
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72
2244
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
2244
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
2244
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
2244
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
2244
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Owner
C4080000B8F759052A68D501
2244
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
1DBF95B4C41C855285E0DC4C7A90D5EDB78D5D192920D81702375F9749324BCB
2244
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
2244
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\16b08a.ipi
2244
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
2244
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\16b08b.rbs
30763058
2244
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\16b08b.rbsLow
2118948832
2244
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\A47C0D8A5EA3AE746A335C0C4C492441
550BC03062AD0E84C987E289896502A1
01:\Software\Windows Installer\Windows Installer\Version
2244
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Windows Installer\Windows Installer
Version
1.0.0
2244
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Windows Installer\Windows Installer
Path
C:\Users\admin\AppData\Roaming\Windows Installer\Windows Installer\
3356
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3356
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3356
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307090002000A001600320002006C0000000000
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
EnableFileTracing
0
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
EnableConsoleTracing
0
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
FileTracingMask
4294901760
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
ConsoleTracingMask
4294901760
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
MaxFileSize
1048576
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
FileDirectory
%windir%\tracing
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
EnableFileTracing
0
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
EnableConsoleTracing
0
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
FileTracingMask
4294901760
3356
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
ConsoleTracingMask
4294901760
3356
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
––
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
MaxFileSize
1048576
3356
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
FileDirectory
%windir%\tracing
3120
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{43FE7825-D41D-11E9-B86F-5254004A04AF}
0
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
2
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307090002000A001600310026003202
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
2
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307090002000A001600310026003202
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C00000000000000010000000083FFFF0083FFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
––
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
2
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307090002000A001600310026000C03
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
11
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
2
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307090002000A001600310026002C03
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
48
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
2
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307090002000A001600310026008903
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
44
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019091020190911
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019091020190911
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019091020190911
CachePrefix
:2019091020190911:
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019091020190911
CacheLimit
8192
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019091020190911
CacheOptions
11
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019091020190911
CacheRepair
0
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
3C29D4072A68D501
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
968BD6072A68D501
3120
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
3752
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
3752
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019091020190911
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019091020190911
3752
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019091020190911
CachePrefix
:2019091020190911:
3752
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019091020190911
CacheLimit
8192
3752
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019091020190911
CacheOptions
11
3752
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019091020190911
CacheRepair
0
2960
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
69_SMCSvMoOg
C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif
2672
SMCSvMoOg.pif
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
SMCSvMoOg.pif
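The one registry write that matters for persistence is the reg.exe event near the end of the table: a value named 69_SMCSvMoOg under HKEY_CURRENT_USER\...\CurrentVersion\Run pointing at SMCSvMoOg.pif in the user's Documents folder. Windows launches .pif files as programs (the MuiCache write earlier in the table even records "Shortcut to MS-DOS Program"), and reg.exe rather than the installer did the writing. The script below is an added detection example, not part of the ANY.RUN report: it scores write events against a small set of rules (autorun key, user-writable target, non-standard executable extension, living-off-the-land writer) over three rows constructed from the table above. The rule set, the regular expressions and the threshold are assumptions of this script; the autostart key list is deliberately short.

```python
"""Flag autorun persistence in registry modification events.

Added example, not code from the ANY.RUN report. SAMPLE_EVENTS is constructed
from three rows of the report's "Modification events" table; the rules below
are assumptions of this script.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    pid: int
    process: str
    operation: str
    key: str
    name: str
    value: str


# Constructed sample: rows copied from the report's table.
SAMPLE_EVENTS = [
    RegEvent(2960, "reg.exe", "write",
             r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
             "69_SMCSvMoOg",
             r"C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif"),
    RegEvent(3120, "iexplore.exe", "write",
             r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
             "CompatibilityFlags", "0"),
    RegEvent(2672, "SMCSvMoOg.pif", "write",
             r"HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication",
             "Name", "SMCSvMoOg.pif"),
]

# Autostart keys, suffix match. Assumption: a real rule set would carry the
# full autostart-location list (services, Winlogon, shell extensions, ...).
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)$"
    r"|\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$",
    re.IGNORECASE,
)
# Locations a standard user can write to without elevation.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\|programdata\\|windows\\temp\\)", re.IGNORECASE)
# Extensions Windows executes but installers rarely register as autoruns.
ODD_EXT_RE = re.compile(
    r"\.(pif|scr|com|cmd|bat|vbs|vbe|js|jse|hta|wsf)\b", re.IGNORECASE)
# Writers that indicate a script or command line set the value, not an MSI.
LOLBIN_WRITERS = {"reg.exe", "cmd.exe", "powershell.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}


def score_event(ev: RegEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Only writes to autorun keys score at all."""
    if ev.operation != "write" or not AUTORUN_KEY_RE.search(ev.key):
        return 0, []
    score, reasons = 1, ["write to autorun key"]
    if USER_WRITABLE_RE.match(ev.value):
        score += 1
        reasons.append("command points into a user-writable directory")
    if ODD_EXT_RE.search(ev.value):
        score += 1
        reasons.append("autorun target has a non-standard executable extension")
    if ev.process.lower() in LOLBIN_WRITERS:
        score += 1
        reasons.append(f"written by {ev.process} rather than an installer")
    return score, reasons


def find_persistence(events, threshold: int = 2):
    """Events scoring at or above threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((score, ev, reasons))
    hits.sort(key=lambda h: -h[0])
    return hits


if __name__ == "__main__":
    for score, ev, reasons in find_persistence(SAMPLE_EVENTS):
        print(f"[{score}] pid {ev.pid} {ev.process}: {ev.key}\\{ev.name} = {ev.value}")
        for r in reasons:
            print("     -", r)
```

The threshold of 2 keeps an ordinary installer writing its own Program Files path to Run from alerting while still catching the case above, which scores on all four rules. Tune the extension and writer lists for your environment rather than lowering the threshold.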

Files activity

Executable files
5
Suspicious files
56
Text files
14
Unknown types
7

Dropped files

PID
Process
Filename
Type
2244
msiexec.exe
C:\Windows\Installer\16b088.msi
executable
MD5: fa8b0b867b1c0d30ace0e3e63bb35c0e
SHA256: e7d224387b5a531f45592def4030f6c7b4ebc3e1be373223460e93ce3b2a15a0
3356
MsiExec.exe
C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\sptdintf.dll
executable
MD5: 3862c98f3676f3fd8bf4759db17cf273
SHA256: 1c7d5e42ff3bc5e1a0ecd01fa68633dc67515b3a06e660fcd2d22d6ea436a6f1
3356
MsiExec.exe
C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\Name.exe
executable
MD5: e75f64e6c8346c6392bd2e87d934dae7
SHA256: ee38171c75dbb5c3cde877ec28d8cca9eec2ca3277eea9250e03bd90b1125d6f
2244
msiexec.exe
C:\Windows\Installer\MSIB163.tmp
executable
MD5: 9f1e5d66c2889018daef4aef604eebc4
SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
3356
MsiExec.exe
C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif
executable
MD5: e75f64e6c8346c6392bd2e87d934dae7
SHA256: ee38171c75dbb5c3cde877ec28d8cca9eec2ca3277eea9250e03bd90b1125d6f
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv22.1.tv
binary
MD5: e4dc50922bb02b187fdf1327c0e4d422
SHA256: 8ce4c6edbabdcd0e97e46839ec856a9e98d1710e8cb111f91d9f94262ebab120
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv0.3.tv
binary
MD5: 90ce1a29083db68602ec8eab672051a9
SHA256: 05834e1d178537d5afdab2d74ca48c63fe2f32d46d0797cae766f0353d18a8f1
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv9.1.tv
binary
MD5: 25627620023d84e5138ae258e362c23b
SHA256: be85abaf064f3ed63b9723da0277bcf9dbcca1c72ce1778b6f6d52a527e9f53f
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv9.0.tv
binary
MD5: dd48380c7b0ed951ec265e79ca09ffca
SHA256: 68d473c158ca23ae38bbea57e7f83dba35bddfe8dfd4269d93bdea53dec93a14
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv8.1.tv
binary
MD5: 2c57bf09e2715566afa5ef9521fe4adf
SHA256: d72023d5aac32ada0fbb02a00758fc4bfe1a8e0ffb8da53ae0fca2ed8987d7f1
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv8.0.tv
binary
MD5: 8a74fe0691fc2593f9a9fd6ebf8f8020
SHA256: 047359d01c6173c7ad01fd2181eace381d4791ed3ec22db315898222c792ecf4
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv7.1.tv
binary
MD5: d33ff533425c603ba71ecf2a26187518
SHA256: 48d5c24e101387fe1102b69823be31607da6bbd13484f75e4d10c258d36e50bb
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv7.0.tv
binary
MD5: d7ba5f0bb3c285d96ef78c01a1169062
SHA256: 4211cbcb08db68e56f1566f9e06a038e97c7fa87f75f8a8aa5d5fe437c454bd3
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv6.1.tv
binary
MD5: 9576e398e186bfbfdd48200437202325
SHA256: 5e082d4f186fdb5c8b26b4c11d3cbc50ee62cd6462efe99681a8ab82a0946883
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv6.0.tv
binary
MD5: 493faaea5d6a5127464d4867fd565623
SHA256: bb274c1a9c2848a9119d9618f1f5b3e21b83fb0490525584760c5ec9391bad22
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv5.1.tv
binary
MD5: 6f317f56375eeee344dbf2e8cfbff08c
SHA256: 93d33ac49f57e25cd9758b075c5ce9f2fcb8fdecea5bedbe19a7eb73740bc877
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv5.0.tv
binary
MD5: 1d7d0672f42ee2e8aafe00ef449e3052
SHA256: c0018ba94a7fef1702952e318f05cce8f55c09cab8979e6b0ca6d9a46e040ce8
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv4.1.tv
binary
MD5: bb040b9ba4c67801db1fe3c5241d9df1
SHA256: 0fa86b43101bb16d1ffff590208809d2b2eb11ee0c624a028837b8b04ce198af
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv4.0.tv
binary
MD5: e09a370fda398aaa1556c60b486a70cf
SHA256: e42d3d2b3d86d19193c94ce1c358433d6b11ecee62996aebb7f62080eaedf813
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv3.2.tv
binary
MD5: fa34a7a8b81f5caa5d0944aed8bc4e3f
SHA256: 6789fe7fc5a21b6e005369f949c9bd12ed41624bab4b498ce97bbd2849498130
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv3.1.tv
binary
MD5: c591f6dc94c2e438b1ba2c07434a942a
SHA256: bac97df647d37d0f461b2e0e047879e92e1eaa08958abcc771281cefcac242d5
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv3.0.tv
binary
MD5: 0b49e4a88a843652437a99f10777a8fb
SHA256: 2cb4c1a1889a84bee9ac041c2e19cf0dad1c65bda490379dd7f507bd2d13643a
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv21.1.tv
binary
MD5: 8d9064008636bee50bc044c998fc91ed
SHA256: 71576f4afc7d842a4a8148b47dff0fc819b11bd715a6ebfe14b0b36570449647
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv21.0.tv
binary
MD5: 997a266a742c5af8d9e695a0ac7d8786
SHA256: be5c1efe5ed74dba0d948146c7781316d5f6d886b0ea18f67c3a470c3a4186f6
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv20.1.tv
binary
MD5: c67a8259d09e9e5a042186e5e7f370c1
SHA256: 4d23f6ad2187a86388b057d92b872b2d7aff1d7eee891873434706b635a409dd
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv20.0.tv
binary
MD5: 097b4069b355ee4b16854ca68aa68801
SHA256: d1bbf4bc8f45cbaf012593091fc9909b4bf4ff7929f4f9a6ea4dd8f76bf14f8e
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv2.6.tv
binary
MD5: c8ae47103b7ed9a6b36cbc4d7d2ecceb
SHA256: cf44b53e7b508f80c851d8cc5fc8d28045a7a1c3c27aa3b45946b0d6ecef9438
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv2.5.tv
binary
MD5: 93c0d755ea62b0e59721ae6d6893df9a
SHA256: 8dea08f3e2d96d1f2a19cdaf5c6001f6c77b730cf3cb7821596faf5ea27dd41b
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv2.4.tv
binary
MD5: c72fe56bae4703a7b8812fe991917ca5
SHA256: cb9a459d8b058fa1deb2f7b59d9a5d27bc3736afa36844a436ecdfb9edb77aec
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv2.3.tv
binary
MD5: 42c8345f0d1cb75effecb329d5e879d4
SHA256: 3faa4a107bc9fda18c06f200169b1d752f06c2ec8748d08f27b35ea1d5ef0b52
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv2.2.tv
binary
MD5: f1011e289b66f1859d4c094d332736ec
SHA256: 07c7eddc642b7c329833cacce4b60b391862c0f3f05c09f448ff271867ada4cd
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv2.1.tv
binary
MD5: 0990c58aa8b54939bd18c41fc331137f
SHA256: d033da1fce7dcbd1655829c9685db0be2ca5bab6e9d30572e69ba276ce43fa77
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv19.1.tv
binary
MD5: bd3f15eb900e69b09eee4560fc6ce4ce
SHA256: cf4c0d08aca6293a2dd127d07218e72b48b1ab1626e84676689f35832ced4bc4
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv19.0.tv
binary
MD5: d44b49e73edab812b5e303b94d8f674b
SHA256: 7207cac67231d379c58f1d6cbc94bc036cb548c0d3458423fdcce13f69851da1
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv18.1.tv
binary
MD5: 8f1202e7167e73ade0d3ef234d1b9097
SHA256: ab597ba338e05bf179526e1bfe9c46f2f5aee69ca54e08b154b590573409279d
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv18.0.tv
binary
MD5: 3732c44dad736406a4aea62b8dd0a0f0
SHA256: 767a6c0c29d0e4f2d1229d8898428b37c2230de58d80f314c71fe81893112358
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv17.1.tv
binary
MD5: e3c20cba66af2dfa0dcc3cbdfae0c16f
SHA256: 59be5f397f5f17efebd0e4b25945e7984dfd9e4904aec4718246c9dc77c1b806
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv17.0.tv
binary
MD5: 2b3ef01b81d1ee3a3528402d0f284fc4
SHA256: 8d41fd4a8d015d5fb28a7ded2ddd2dc542314d2d233a65210f78e1c4e72c6f7c
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv16.1.tv
binary
MD5: 3d669565cf26b045123f8f6010587315
SHA256: 626f4a2a98871b4545981ca0cf5c3b96393f17d79c2974eb775d402ea50bfa16
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv16.0.tv
binary
MD5: 8ac14c59ab5eaf66a85cb47fed90732f
SHA256: 2124e1f8098d73103d5a32d3f024e6bb00ddb8ed65aaeb466e3c18dd5f0f94d1
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv15.1.tv
binary
MD5: 7244345461c51e903f64ee1ef7aa1a4c
SHA256: a8241d71e3ecd9eb7b3001a699d41d4d8eb3b3ea3b3e20b94a60ac7ea690271c
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv15.0.tv
binary
MD5: 306a6573870993efd447eade8a540248
SHA256: e6857a193ba144c1af78e5916fc1321e99c4e0e90af999cc1cbcbe35943912ca
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv14.1.tv
binary
MD5: 09bcac0a7e8812f1a38d7be9ecac5212
SHA256: 3f7741bebc45669c2808a52ce54b5dd92acb914f9a91b314720381d92ff6fc45
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv14.0.tv
binary
MD5: 38e1baa9b6e36ca4e8a5ae18a15b10a3
SHA256: 147b9d8d1585d831318a950aa8534b6f0156d651d457bda1c652feed9f91d628
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv13.1.tv
binary
MD5: 95d39987afb0ef4bf0b5d8fb444204ba
SHA256: e1ab7c09d7a21f62f08eec464f412fa69abe464ba4efbe1664f6841f48a20e83
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv13.0.tv
binary
MD5: 8899f669075a774ed9d8873dd62cae32
SHA256: 5d3763c7eb8463844bc4c9701caf31422f569c241301b7446d58c42086b399e1
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv12.1.tv
binary
MD5: d21618ea3a5dc65693d452e4a359063a
SHA256: 9dccbbacbc88ec288167aa40eccb42698f44c4e2f74a07d5e7f177df3289f201
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv12.0.tv
binary
MD5: 8c355ff3a6118b2c5e2dbb984a50729e
SHA256: a191713cb8625c9873b1c5eb14dde1327b2386ac8f40f55c2b74263e666132fc
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv11.1.tv
binary
MD5: f39529da3bfc95960d408922f719ea4d
SHA256: 40e7181130a68e2d1fa58c562a6c4b2e73795169471330d94fe2b1f5f061efa9
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv11.0.tv
binary
MD5: 2e1b6a79de1f473df30bc21bec3362bf
SHA256: f42e9351829ed3271cc92b8176e7f16b5b098c65f6d82eb3bdeaa795a95a099b
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv10.1.tv
binary
MD5: d226a91ef35bff67bbaa566c63e564a6
SHA256: 7847bbd41158f37b1d7d84ed60bc3b1d4fbe892d9c785d34106f0e5f902c3e59
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv10.0.tv
binary
MD5: 3111b78d59564de628ad06ed1b67276e
SHA256: ea50f12bf3633312698a89c0674fab96a11bca1dac2fb66a0564cf7d41ff2a9d
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv1.2.tv
binary
MD5: d636272732d27407560255a2b6123e7f
SHA256: 283a0c030952f3888dc244ea88741b4cfc7fcd7294355e2bc305068039ac282b
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv1.1.tv
binary
MD5: 14c4807e646aefb4d2aa41744dd85ae7
SHA256: eb54fdbc2193e1d5d1bf2c576b08c5ce6bfb8ffd35a9e2e6858c2744c51d4286
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv0.2.tv
binary
MD5: 241b6720cd26fadb4ca23a40c39b36f1
SHA256: e1026a3bbf1195a1f124800f0a09ebffbe6c74c84144ecc271fe2b3746e89343
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv0.1.tv
binary
MD5: a8bf1df28cebbf949c1fac88514e7469
SHA256: 3ea929ae8b11253a8d3993f8662fbcab7b60c04a030e4be51a545fafea05677e
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv0.0.tv
binary
MD5: 2f8bd322ffcd09509356e1fc30082469
SHA256: 95b4195df307b4a7674a5f3c45be6e4e51bf51ce8db9418bfd2632518fad6f55
2244
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DFAF307ADE0DAE9E20.TMP
––
MD5:  ––
SHA256:  ––
2244
msiexec.exe
C:\Config.Msi\16b08b.rbs
––
MD5:  ––
SHA256:  ––
2244
msiexec.exe
C:\Windows\Installer\MSIB23F.tmp
––
MD5:  ––
SHA256:  ––
3356
MsiExec.exe
C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\JFrame.zip
compressed
MD5: 34abed3304f3e8d8d9876c5484cb1fa0
SHA256: 7cda9e16841b5ab44175c63d742e19b438d91040e23edaf0f31ae318db81029f
3356
MsiExec.exe
C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\imgengine.dll
––
MD5:  ––
SHA256:  ––
3356
MsiExec.exe
C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.zip
compressed
MD5: 2a5699e093ae3c6c872189e70a801ccc
SHA256: c346373e2f89585ba3cebb8351113146899a9c307ecd4e3e68624bd4a4dc5385
3120
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
image
MD5: f3418a443e7d841097c714d69ec4bcb8
SHA256: 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
3120
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019091020190911\index.dat
dat
MD5: aa9e4ad16bd0cb4c1f0576932b86308d
SHA256: 10507f603b88f7e5ef69177496ba6acc2fd139bf89126f1e315b6c18917824c9
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019091020190911\index.dat
dat
MD5: b6be7c2c98048b69d852511e76890ac8
SHA256: ecb9c06adcc8c5734872044696b18ca120f304489a976b2a9874fcc2c8a961af
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VJYTIH3P\rs=ACT90oEAQ02c65-qkzxWZg0Y5eIlsBa4PQ[1]
text
MD5: 2c85bf5eef772dd030c34baa5a5a4754
SHA256: 014901271c8bdcaedc67899350c3433012f6e8b7b5cb0105937225ca333d8568
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HMNBJV0X\nav_logo229[1].png
image
MD5: 1b12cab0347f8728af450fe2457e79c3
SHA256: ca858453ce21cabdf9911c6fa3291aa630df344244bc183a4d5ae9972e59f675
3752
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: d9ec60c86c48d0fd65691da73ede3987
SHA256: 6987432e23183e3e231b13c063ad0866c37848bff9574dbba19f1f1f08531fce
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XHIIXIT7\tia[1].png
image
MD5: 201e50d8dd7a30c0a918213686ca43b7
SHA256: c532312eea8020a0370685b222a02b11becd58cd394b509029dff5956127dd81
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\31BLIDRQ\googlelogo_white_background_color_272x92dp[1].png
image
MD5: b593548ac0f25135c059a0aae302ab4d
SHA256: 44fc041cb8145b4ef97007f85bdb9abdb9a50d744e258b0c4bb01f1d196bf105
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
smt
MD5: 60272cba5ad84466b761ccb17bc51037
SHA256: ed2a144c57ac894562da29c3ed8df7a741f5a07e4c053cd366417c3574ec4cae
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VJYTIH3P\google_com_br[1].txt
––
MD5:  ––
SHA256:  ––
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VJYTIH3P\google_com_br[1].htm
html
MD5: 09bbc79eeebe9267e45551e56d84409d
SHA256: 1d3ffa9ab685691446ff412d8385bbe3ea013e49a8fa57ff733f14e6899af8e5
3752
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3752
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
text
MD5: fd6d6ff85caedd4c2f26054e5f12e192
SHA256: 1f51b5718b2c018c897ec671d144c1f396a8e41acc3742944b43615d814d1316
3752
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
dat
MD5: 3e759210110fb89e9d58050191c4f1bc
SHA256: 0a256f572ad83710652de6faa5499c77910cdd57433967e90f0a95aa0b518444
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
dat
MD5: ceaede0658c2d03bfca8341800b8c6d3
SHA256: b99e0a9a7a50ceb96aae3682cbed27f4ae6f1f2360182f659d457d3afe5c2d47
3120
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
3120
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
3120
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\31BLIDRQ\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XHIIXIT7\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HMNBJV0X\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VJYTIH3P\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3752
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: 4fda34c5cccf9beb42c97c8bbb4ef8fd
SHA256: d711c0a29d84d02aaa832f9f099e59e8387549b330163849648270c0f3c53dbc
3372
cmd.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
3356
MsiExec.exe
C:\ProgramData\5f42d86f-3ff6-4bda-98b4-6da987b.tmp.node
text
MD5: a067f5ec97ba51b576825b69bc855e58
SHA256: cf3e339d25c3c023c9417ffc5d8e73f1da828b18feecaf14fdb9c24d04e49ba0
2244
msiexec.exe
C:\Windows\Installer\16b08a.ipi
binary
MD5: 656daff477026d333bf8a8bbfe6e00e2
SHA256: dd2dfba452e94f5c4c0f8f237231b752b66c8bf7cb5051775e3c8ea4d7430c03
2244
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DFFCF4595C875F6F17.TMP
––
MD5:  ––
SHA256:  ––
2244
msiexec.exe
C:\Windows\Installer\MSIB1F0.tmp
––
MD5:  ––
SHA256:  ––
3356
MsiExec.exe
C:\Users\Public\Documents\JFrame\rolloutfile.tv22.0.tv
binary
MD5: a3a29ac4993591d3982a8f22170a3a18
SHA256: 8dededf02f300f8043712438b9b1344c0aee7f17f385c24417c38135e9f5f761
2244
msiexec.exe
C:\Windows\Installer\16b08a.ipi
––
MD5:  ––
SHA256:  ––


Network activity

HTTP(S) requests
5
TCP/UDP connections
10
DNS requests
5
Threats
1

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3356 MsiExec.exe GET 200 52.95.164.60:80 http://0909-app-brasil-mais-poder.s3-sa-east-1.amazonaws.com/NEWWWWWWWWWWWWWWZIP%20%285%29.zip US compressed shared
3120 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US image whitelisted
3752 iexplore.exe GET 301 172.217.21.227:80 http://google.com.br/ US html whitelisted
3752 iexplore.exe GET 302 172.217.23.131:80 http://www.google.com.br/ US html whitelisted
3356 MsiExec.exe GET 200 77.222.62.31:80 http://zfwbfurusa.temp.swtest.ru/001/ RU –– –– malicious


Connections

PID Process IP ASN CN Reputation
3356 MsiExec.exe 52.95.164.60:80 US shared
3752 iexplore.exe 172.217.21.227:80 Google Inc. US whitelisted
3120 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
3752 iexplore.exe 172.217.23.131:80 Google Inc. US whitelisted
3752 iexplore.exe 172.217.23.131:443 Google Inc. US whitelisted
3120 iexplore.exe 172.217.23.131:443 Google Inc. US whitelisted
3356 MsiExec.exe 77.222.62.31:80 SpaceWeb Ltd RU malicious

DNS requests

Domain IP Reputation
0909-app-brasil-mais-poder.s3-sa-east-1.amazonaws.com 52.95.164.60 shared
www.bing.com 204.79.197.200, 13.107.21.200 whitelisted
google.com.br 172.217.21.227 whitelisted
www.google.com.br 172.217.23.131 whitelisted
zfwbfurusa.temp.swtest.ru 77.222.62.31 unknown

Threats

PID Process Class Message
3356 MsiExec.exe Misc activity SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)

Debug output strings

No debug info.