Malware analysis early-2010s-adware.7z Malicious activity

Add for printing

File name:	early-2010s-adware.7z
Full analysis:	https://app.any.run/tasks/77fb8612-545a-4bd6-b903-5f9e638a6845
Verdict:	Malicious activity
Analysis date:	February 18, 2024, 15:22:49
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	toolbar scam addons
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	C0137B76D986D63D1A96C8E4E2266E05
SHA1:	78ECA78558E3F2E23766C76B54B06DC9E99AEA85
SHA256:	F6CA92E7AFE93E719BBE70561A9216A295B92353EA5C6F87D403FB5BAB456184
SSDEEP:	98304:shBk3pQNTEvtsQdxHymmZT3IfgTdp1mJxRwFqlWv5ueaw8dS+C0S+1Fpuh5GL+SG:QfVE3sTN8M2MT0b45UESDYawSHI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 3668)
  - HPDefender.exe (PID: 968)
  - MediaBack.exe (PID: 480)
  - PricePeep.exe (PID: 3528)
  - SBInstaller.exe (PID: 3036)
  - PennyBee.exe (PID: 316)
  - Web_Bar_Setup.exe (PID: 3312)
  - smw.exe (PID: 1592)
  - PricePeep.exe (PID: 2024)
  - WinAgir.exe (PID: 3564)
  - Web_Bar_Setup.exe (PID: 548)
  - Web_Bar_Setup.tmp (PID: 2448)
  - CrossRider.exe (PID: 2256)
  - 781.exe (PID: 956)
  - wb.exe (PID: 2576)
  - wb.exe (PID: 3356)
  - Flash.exe (PID: 3952)
  - SBInstaller.exe (PID: 3984)
  - WinAgir.exe (PID: 3056)
  - PricePeep.exe (PID: 3104)
  - PricePeep.exe (PID: 3956)
  - HPDefender.exe (PID: 912)
- Changes the autorun value in the registry
  - CpuzApp.exe (PID: 3504)
  - SBInstaller.exe (PID: 3036)
  - CpuzApp.exe (PID: 3124)
- Actions looks like stealing of personal data
  - PricePeep.exe (PID: 2024)
  - smu.exe (PID: 2832)
  - smu.exe (PID: 3768)
- Connects to the CnC server
  - PricePeep.exe (PID: 2024)
  - wb.exe (PID: 3356)
  - PricePeep.exe (PID: 3104)
- Steals credentials from Web Browsers
  - smu.exe (PID: 2832)
  - smu.exe (PID: 3768)
- Changes the AppInit_DLLs value (autorun option)
  - smu.exe (PID: 3768)
- Starts CMD.EXE for self-deleting
  - smw.exe (PID: 1592)
- Creates a writable file in the system directory
  - winaux.exe (PID: 3228)
  - MediaBack.exe (PID: 480)
- Opens an HTTP connection (SCRIPT)
  - lyricsgizm.exe (PID: 896)
- Creates internet connection object (SCRIPT)
  - lyricsgizm.exe (PID: 896)
- Sends HTTP request (SCRIPT)
  - lyricsgizm.exe (PID: 896)
- Create files in the Startup directory
  - Flash.exe (PID: 3952)
SUSPICIOUS
- Executable content was dropped or overwritten
  - HPDefender.exe (PID: 968)
  - MediaBack.exe (PID: 480)
  - PricePeep.exe (PID: 3528)
  - SBInstaller.exe (PID: 3036)
  - PennyBee.exe (PID: 316)
  - Web_Bar_Setup.exe (PID: 3312)
  - smw.exe (PID: 1592)
  - PricePeep.exe (PID: 2024)
  - WinAgir.exe (PID: 3564)
  - Web_Bar_Setup.tmp (PID: 2448)
  - CrossRider.exe (PID: 2256)
  - Web_Bar_Setup.exe (PID: 548)
  - 781.exe (PID: 956)
  - wb.exe (PID: 2576)
  - wb.exe (PID: 3356)
  - Flash.exe (PID: 3952)
  - SBInstaller.exe (PID: 3984)
  - WinAgir.exe (PID: 3056)
  - PricePeep.exe (PID: 3956)
  - PricePeep.exe (PID: 3104)
  - HPDefender.exe (PID: 912)
- Malware-specific behavior (creating "System.dll" in Temp)
  - SBInstaller.exe (PID: 3036)
  - PennyBee.exe (PID: 316)
  - smw.exe (PID: 1592)
  - PricePeep.exe (PID: 2024)
  - WinAgir.exe (PID: 3564)
  - MediaBack.exe (PID: 480)
  - Flash.exe (PID: 3952)
  - SBInstaller.exe (PID: 3984)
  - WinAgir.exe (PID: 3056)
  - PricePeep.exe (PID: 3104)
- The process creates files with name similar to system file names
  - SBInstaller.exe (PID: 3036)
  - PennyBee.exe (PID: 316)
  - smw.exe (PID: 1592)
  - PricePeep.exe (PID: 2024)
  - WinAgir.exe (PID: 3564)
  - Web_Bar_Setup.tmp (PID: 2448)
  - wb.exe (PID: 2576)
  - wb.exe (PID: 3356)
  - smu.exe (PID: 3768)
  - MediaBack.exe (PID: 480)
  - Flash.exe (PID: 3952)
  - SBInstaller.exe (PID: 3984)
  - WinAgir.exe (PID: 3056)
  - PricePeep.exe (PID: 3104)
- Reads the Internet Settings
  - PennyBee.exe (PID: 316)
  - PricePeep.exe (PID: 2024)
  - lyricsgizm.exe (PID: 2476)
  - WinAgir.exe (PID: 3564)
  - 781.exe (PID: 956)
  - wbsvc.exe (PID: 2160)
  - smu.exe (PID: 2832)
  - wb.exe (PID: 2576)
  - smw.exe (PID: 1592)
  - Your.exe (PID: 696)
  - wbsvc.exe (PID: 1848)
  - lyricsgizm.exe (PID: 896)
  - wb.exe (PID: 3356)
  - dopeload.exe (PID: 3636)
  - Flash.exe (PID: 3952)
  - smu.exe (PID: 2732)
  - wscript.exe (PID: 2472)
  - PricePeep.exe (PID: 3104)
- Reads security settings of Internet Explorer
  - PennyBee.exe (PID: 316)
  - PricePeep.exe (PID: 2024)
  - WinAgir.exe (PID: 3564)
  - 781.exe (PID: 956)
  - wbsvc.exe (PID: 2160)
  - smu.exe (PID: 2832)
  - smu.exe (PID: 3768)
  - sma.exe (PID: 3588)
  - smw.exe (PID: 1592)
  - sma.exe (PID: 3772)
  - sma.exe (PID: 1880)
  - sma.exe (PID: 2780)
  - Your.exe (PID: 696)
  - winaux.exe (PID: 3228)
  - lyricsgizm.exe (PID: 896)
  - wbsvc.exe (PID: 1848)
  - wb.exe (PID: 3356)
  - dopeload.exe (PID: 3636)
  - Flash.exe (PID: 3952)
  - PricePeep.exe (PID: 3104)
- Application launched itself
  - PricePeep.exe (PID: 3528)
  - cmd.exe (PID: 2904)
  - cmd.exe (PID: 2372)
  - cmd.exe (PID: 3892)
  - cmd.exe (PID: 2396)
  - cmd.exe (PID: 2072)
  - PricePeep.exe (PID: 3956)
- Searches for installed software
  - PricePeep.exe (PID: 2024)
  - CrossRider.exe (PID: 2256)
  - 781.exe (PID: 956)
  - smu.exe (PID: 3768)
  - SBInstaller.exe (PID: 3036)
  - Your.exe (PID: 696)
  - PricePeep.exe (PID: 3104)
  - WinAgir.exe (PID: 3056)
- Creates a software uninstall entry
  - PricePeep.exe (PID: 2024)
  - HPDefender.exe (PID: 968)
  - PennyBee.exe (PID: 316)
  - WinAgir.exe (PID: 3564)
  - SBInstaller.exe (PID: 3036)
  - Your.exe (PID: 696)
  - smw.exe (PID: 1592)
  - MediaBack.exe (PID: 480)
  - PricePeep.exe (PID: 3104)
  - HPDefender.exe (PID: 912)
- Process drops legitimate windows executable
  - Web_Bar_Setup.tmp (PID: 2448)
- Reads the Windows owner or organization settings
  - Web_Bar_Setup.tmp (PID: 2448)
  - MediaBack.exe (PID: 480)
- Checks for Java to be installed
  - ISightHost.exe (PID: 3108)
  - ISightHost.exe (PID: 2172)
  - ISightHost.exe (PID: 2800)
- Creates/Modifies COM task schedule object
  - PricePeep.exe (PID: 2024)
  - WinAgir.exe (PID: 3564)
- Reads settings of System Certificates
  - WinAgir.exe (PID: 3564)
  - wbsvc.exe (PID: 2160)
  - wb.exe (PID: 3356)
  - Flash.exe (PID: 3952)
- Executes as Windows Service
  - winaux.exe (PID: 3228)
  - smu.exe (PID: 3768)
- Checks Windows Trust Settings
  - WinAgir.exe (PID: 3564)
  - wbsvc.exe (PID: 2160)
  - winaux.exe (PID: 3228)
  - wb.exe (PID: 3356)
  - Flash.exe (PID: 3952)
- Starts itself from another location
  - CrossRider.exe (PID: 2256)
- Drops a system driver (possible attempt to evade defenses)
  - smw.exe (PID: 1592)
- The process executes via Task Scheduler
  - lyricsgizm.exe (PID: 3068)
  - wscript.exe (PID: 2472)
- Starts application with an unusual extension
  - smw.exe (PID: 1592)
- Starts CMD.EXE for commands execution
  - ns9564.tmp (PID: 3416)
  - nsA66D.tmp (PID: 3348)
  - nsABAD.tmp (PID: 2792)
  - smw.exe (PID: 1592)
  - nsAE3F.tmp (PID: 2160)
  - cmd.exe (PID: 2904)
  - cmd.exe (PID: 2072)
  - cmd.exe (PID: 3892)
  - cmd.exe (PID: 2396)
  - cmd.exe (PID: 2372)
- Starts SC.EXE for service management
  - smw.exe (PID: 1592)
- Checks whether a specific file exists (SCRIPT)
  - smp.exe (PID: 2036)
  - smp.exe (PID: 2712)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - smp.exe (PID: 2036)
  - smp.exe (PID: 2712)
- Changes Internet Explorer settings (feature browser emulation)
  - Your.exe (PID: 696)
  - wb.exe (PID: 3356)
- Reads Internet Explorer settings
  - Your.exe (PID: 696)
  - wb.exe (PID: 3356)
  - lyricsgizm.exe (PID: 896)
- Creates a Folder object (SCRIPT)
  - smp.exe (PID: 2712)
- Reads the date of Windows installation
  - smp.exe (PID: 2712)
- Reads Microsoft Outlook installation path
  - Your.exe (PID: 696)
  - lyricsgizm.exe (PID: 896)
  - wb.exe (PID: 3356)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 2396)
- Process requests binary or script from the Internet
  - Your.exe (PID: 696)
  - Flash.exe (PID: 3952)
- Detected use of alternative data streams (AltDS)
  - smu.exe (PID: 3768)
- Changes the title of the Internet Explorer window
  - Flash.exe (PID: 3952)
  - iexplore.exe (PID: 2876)
- Changes the Home page of Internet Explorer
  - Flash.exe (PID: 3952)
- Accesses command line arguments (SCRIPT)
  - wscript.exe (PID: 2472)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 2472)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3668)
- Manual execution by a user
  - explorer.exe (PID: 3732)
  - Flash.exe (PID: 3980)
  - MediaBack.exe (PID: 1784)
  - HPDefender.exe (PID: 968)
  - PennyBee.exe (PID: 3556)
  - installer.exe (PID: 2384)
  - MediaBack.exe (PID: 480)
  - PennyBee.exe (PID: 316)
  - PricePeep.exe (PID: 3528)
  - installer.exe (PID: 844)
  - Flash.exe (PID: 2592)
  - SBInstaller.exe (PID: 3036)
  - smw.exe (PID: 2348)
  - Web_Bar_Setup.exe (PID: 3312)
  - smw.exe (PID: 1592)
  - whkim.exe (PID: 2984)
  - WinAgir.exe (PID: 3132)
  - WinAgir.exe (PID: 3564)
  - CrossRider.exe (PID: 3936)
  - CrossRider.exe (PID: 2256)
  - installer.exe (PID: 2532)
  - Flash.exe (PID: 3156)
  - installer.exe (PID: 3080)
  - Flash.exe (PID: 3952)
  - SBInstaller.exe (PID: 3984)
  - WinAgir.exe (PID: 3548)
  - WinAgir.exe (PID: 3056)
  - PricePeep.exe (PID: 3956)
  - HPDefender.exe (PID: 912)
  - installer.exe (PID: 3444)
  - installer.exe (PID: 2496)
- Checks supported languages
  - HPDefender.exe (PID: 968)
  - installer.exe (PID: 844)
  - MediaBack.exe (PID: 480)
  - Flash.exe (PID: 3980)
  - PennyBee.exe (PID: 316)
  - PricePeep.exe (PID: 3528)
  - SBInstaller.exe (PID: 3036)
  - CpuzApp.exe (PID: 3504)
  - smw.exe (PID: 1592)
  - Web_Bar_Setup.exe (PID: 3312)
  - whkim.exe (PID: 2984)
  - PricePeep.exe (PID: 2024)
  - Web_Bar_Setup.tmp (PID: 3900)
  - WinAgir.exe (PID: 3564)
  - Web_Bar_Setup.exe (PID: 548)
  - Web_Bar_Setup.tmp (PID: 2448)
  - ISightHost.exe (PID: 3108)
  - java.exe (PID: 2104)
  - CpuzApp.exe (PID: 3296)
  - lyricsgizm.exe (PID: 2476)
  - winaux.exe (PID: 2940)
  - winaux.exe (PID: 3156)
  - java.exe (PID: 3052)
  - winaux.exe (PID: 3932)
  - winaux.exe (PID: 3944)
  - winaux.exe (PID: 3228)
  - CrossRider.exe (PID: 2256)
  - 781.exe (PID: 956)
  - lyricsgizm.exe (PID: 3068)
  - wbsvc.exe (PID: 2160)
  - smu.exe (PID: 2832)
  - ns9564.tmp (PID: 3416)
  - wb.exe (PID: 2576)
  - ISightHost.exe (PID: 2172)
  - java.exe (PID: 1840)
  - java.exe (PID: 2468)
  - smu.exe (PID: 3768)
  - sma.exe (PID: 3588)
  - sma.exe (PID: 3772)
  - smp.exe (PID: 2036)
  - nsA66D.tmp (PID: 3348)
  - sma.exe (PID: 1880)
  - sma.exe (PID: 2780)
  - Your.exe (PID: 696)
  - nsABAD.tmp (PID: 2792)
  - smp.exe (PID: 2712)
  - nsAE3F.tmp (PID: 2160)
  - smp.exe (PID: 1644)
  - smi32.exe (PID: 2660)
  - smi32.exe (PID: 2500)
  - wb.exe (PID: 3356)
  - wbsvc.exe (PID: 1848)
  - lyricsgizm.exe (PID: 896)
  - java.exe (PID: 3936)
  - java.exe (PID: 912)
  - ISightHost.exe (PID: 2800)
  - dopeload.exe (PID: 3636)
  - winaspi32.exe (PID: 2072)
  - dopewars.exe (PID: 2640)
  - dopewars.exe (PID: 3496)
  - installer.exe (PID: 3080)
  - Flash.exe (PID: 3952)
  - SBInstaller.exe (PID: 3984)
  - smu.exe (PID: 2732)
  - WinAgir.exe (PID: 3056)
  - PricePeep.exe (PID: 3104)
  - PricePeep.exe (PID: 3956)
  - HPDefender.exe (PID: 912)
  - CpuzApp.exe (PID: 3124)
  - installer.exe (PID: 2496)
  - CpuzApp.exe (PID: 980)
  - smi32.exe (PID: 2172)
  - smi32.exe (PID: 3464)
  - smi32.exe (PID: 2544)
- Reads the computer name
  - Flash.exe (PID: 3980)
  - HPDefender.exe (PID: 968)
  - PennyBee.exe (PID: 316)
  - PricePeep.exe (PID: 3528)
  - SBInstaller.exe (PID: 3036)
  - CpuzApp.exe (PID: 3504)
  - smw.exe (PID: 1592)
  - PricePeep.exe (PID: 2024)
  - Web_Bar_Setup.tmp (PID: 3900)
  - WinAgir.exe (PID: 3564)
  - Web_Bar_Setup.tmp (PID: 2448)
  - ISightHost.exe (PID: 3108)
  - CpuzApp.exe (PID: 3296)
  - lyricsgizm.exe (PID: 2476)
  - winaux.exe (PID: 2940)
  - winaux.exe (PID: 3932)
  - winaux.exe (PID: 3944)
  - winaux.exe (PID: 3228)
  - winaux.exe (PID: 3156)
  - CrossRider.exe (PID: 2256)
  - 781.exe (PID: 956)
  - lyricsgizm.exe (PID: 3068)
  - wbsvc.exe (PID: 2160)
  - smu.exe (PID: 2832)
  - wb.exe (PID: 2576)
  - ISightHost.exe (PID: 2172)
  - smu.exe (PID: 3768)
  - sma.exe (PID: 3588)
  - sma.exe (PID: 1880)
  - sma.exe (PID: 2780)
  - sma.exe (PID: 3772)
  - smp.exe (PID: 2036)
  - smp.exe (PID: 2712)
  - Your.exe (PID: 696)
  - smp.exe (PID: 1644)
  - lyricsgizm.exe (PID: 896)
  - wbsvc.exe (PID: 1848)
  - wb.exe (PID: 3356)
  - ISightHost.exe (PID: 2800)
  - MediaBack.exe (PID: 480)
  - dopeload.exe (PID: 3636)
  - dopewars.exe (PID: 2640)
  - Flash.exe (PID: 3952)
  - SBInstaller.exe (PID: 3984)
  - smu.exe (PID: 2732)
  - WinAgir.exe (PID: 3056)
  - PricePeep.exe (PID: 3104)
  - PricePeep.exe (PID: 3956)
  - HPDefender.exe (PID: 912)
  - CpuzApp.exe (PID: 3124)
  - CpuzApp.exe (PID: 980)
- Create files in a temporary directory
  - MediaBack.exe (PID: 480)
  - HPDefender.exe (PID: 968)
  - PennyBee.exe (PID: 316)
  - PricePeep.exe (PID: 3528)
  - SBInstaller.exe (PID: 3036)
  - Web_Bar_Setup.exe (PID: 3312)
  - PricePeep.exe (PID: 2024)
  - smw.exe (PID: 1592)
  - Web_Bar_Setup.exe (PID: 548)
  - WinAgir.exe (PID: 3564)
  - Web_Bar_Setup.tmp (PID: 2448)
  - ISightHost.exe (PID: 3108)
  - java.exe (PID: 2104)
  - java.exe (PID: 3052)
  - CrossRider.exe (PID: 2256)
  - 781.exe (PID: 956)
  - java.exe (PID: 2468)
  - java.exe (PID: 1840)
  - wb.exe (PID: 2576)
  - ISightHost.exe (PID: 2172)
  - ISightHost.exe (PID: 2800)
  - java.exe (PID: 912)
  - wb.exe (PID: 3356)
  - java.exe (PID: 3936)
  - dopeload.exe (PID: 3636)
  - winaspi32.exe (PID: 2072)
  - Flash.exe (PID: 3952)
  - SBInstaller.exe (PID: 3984)
  - WinAgir.exe (PID: 3056)
  - PricePeep.exe (PID: 3956)
  - PricePeep.exe (PID: 3104)
  - HPDefender.exe (PID: 912)
- Process checks whether UAC notifications are on
  - PricePeep.exe (PID: 3528)
  - PricePeep.exe (PID: 3956)
- Reads the machine GUID from the registry
  - SBInstaller.exe (PID: 3036)
  - PennyBee.exe (PID: 316)
  - PricePeep.exe (PID: 2024)
  - Web_Bar_Setup.tmp (PID: 2448)
  - ISightHost.exe (PID: 3108)
  - lyricsgizm.exe (PID: 2476)
  - WinAgir.exe (PID: 3564)
  - 781.exe (PID: 956)
  - wbsvc.exe (PID: 2160)
  - lyricsgizm.exe (PID: 3068)
  - smu.exe (PID: 2832)
  - wb.exe (PID: 2576)
  - ISightHost.exe (PID: 2172)
  - smu.exe (PID: 3768)
  - sma.exe (PID: 3588)
  - sma.exe (PID: 1880)
  - sma.exe (PID: 2780)
  - sma.exe (PID: 3772)
  - smp.exe (PID: 2036)
  - smp.exe (PID: 2712)
  - Your.exe (PID: 696)
  - smp.exe (PID: 1644)
  - winaux.exe (PID: 3228)
  - wb.exe (PID: 3356)
  - lyricsgizm.exe (PID: 896)
  - ISightHost.exe (PID: 2800)
  - winaspi32.exe (PID: 2072)
  - dopeload.exe (PID: 3636)
  - SBInstaller.exe (PID: 3984)
  - Flash.exe (PID: 3952)
  - smu.exe (PID: 2732)
  - PricePeep.exe (PID: 3104)
- Creates files or folders in the user directory
  - HPDefender.exe (PID: 968)
  - PricePeep.exe (PID: 2024)
  - PennyBee.exe (PID: 316)
  - WinAgir.exe (PID: 3564)
  - 781.exe (PID: 956)
  - wb.exe (PID: 2576)
  - SBInstaller.exe (PID: 3036)
  - Your.exe (PID: 696)
  - smp.exe (PID: 2712)
  - wb.exe (PID: 3356)
  - lyricsgizm.exe (PID: 896)
  - Flash.exe (PID: 3952)
  - PricePeep.exe (PID: 3104)
- Creates files in the program directory
  - PennyBee.exe (PID: 316)
  - java.exe (PID: 2104)
  - PricePeep.exe (PID: 2024)
  - WinAgir.exe (PID: 3564)
  - smw.exe (PID: 1592)
  - Web_Bar_Setup.tmp (PID: 2448)
  - wbsvc.exe (PID: 2160)
  - smu.exe (PID: 2832)
  - wb.exe (PID: 2576)
  - smp.exe (PID: 2712)
  - MediaBack.exe (PID: 480)
  - dopewars.exe (PID: 2640)
  - Flash.exe (PID: 3952)
- Checks proxy server information
  - PennyBee.exe (PID: 316)
  - PricePeep.exe (PID: 2024)
  - lyricsgizm.exe (PID: 2476)
  - WinAgir.exe (PID: 3564)
  - 781.exe (PID: 956)
  - lyricsgizm.exe (PID: 3068)
  - smu.exe (PID: 2832)
  - smu.exe (PID: 3768)
  - sma.exe (PID: 3588)
  - sma.exe (PID: 3772)
  - sma.exe (PID: 1880)
  - sma.exe (PID: 2780)
  - Your.exe (PID: 696)
  - winaux.exe (PID: 3228)
  - lyricsgizm.exe (PID: 896)
  - wb.exe (PID: 3356)
  - Flash.exe (PID: 3952)
  - smu.exe (PID: 2732)
  - PricePeep.exe (PID: 3104)
- Reads the software policy settings
  - WinAgir.exe (PID: 3564)
  - wbsvc.exe (PID: 2160)
  - winaux.exe (PID: 3228)
  - wb.exe (PID: 3356)
  - Flash.exe (PID: 3952)
- Creates a software uninstall entry
  - Web_Bar_Setup.tmp (PID: 2448)
- Reads Environment values
  - wb.exe (PID: 2576)
  - smw.exe (PID: 1592)
  - smp.exe (PID: 2036)
  - Your.exe (PID: 696)
  - smp.exe (PID: 2712)
  - lyricsgizm.exe (PID: 896)
  - wb.exe (PID: 3356)
- Reads product name
  - Your.exe (PID: 696)
- Application launched itself
  - msedge.exe (PID: 3760)
  - iexplore.exe (PID: 2876)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

210

Monitored processes

116

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

316

"C:\Users\admin\Desktop\PennyBee.exe"

C:\Users\admin\Desktop\PennyBee.exe

explorer.exe

User:

admin

Company:

lyricsgizm

Integrity Level:

HIGH

Description:

Main Installer

Exit code:

Version:

3.0.0.0

Modules

Images
c:\users\admin\desktop\pennybee.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

480

"C:\Users\admin\Desktop\MediaBack.exe"

C:\Users\admin\Desktop\MediaBack.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\mediaback.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

548

"C:\Users\admin\Desktop\Web_Bar_Setup.exe" /SPAWNWND=$20278 /NOTIFYWND=$801EE

C:\Users\admin\Desktop\Web_Bar_Setup.exe

Web_Bar_Setup.tmp

User:

admin

Company:

Web Bar Media

Integrity Level:

HIGH

Description:

Web Bar Setup

Exit code:

Version:

Modules

Images
c:\users\admin\desktop\web_bar_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

572

"C:\Program Files\Microsoft\Edge\Application\109.0.1518.115\BHO\ie_to_edge_stub.exe" --create-cache-container=0

C:\Program Files\Microsoft\Edge\Application\109.0.1518.115\BHO\ie_to_edge_stub.exe

—

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

IEToEdge BHO

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\109.0.1518.115\bho\ie_to_edge_stub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll

696

"C:\Users\admin\AppData\Local\Your\Your.exe" /firstrun

C:\Users\admin\AppData\Local\Your\Your.exe

SBInstaller.exe

User:

admin

Company:

Springtech LTD

Integrity Level:

MEDIUM

Description:

Desktop web search

Exit code:

Version:

2.29.0.24

Modules

Images
c:\users\admin\appdata\local\your\your.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

844

"C:\Users\admin\Desktop\installer.exe"

C:\Users\admin\Desktop\installer.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

Installer

Exit code:

4294967295

Version:

1.0.0.1

Modules

Images
c:\users\admin\desktop\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll

896

C:\ProgramData\lyricsgizm\lyricsgizm.exe

PennyBee.exe

User:

admin

Company:

Video Song Gizmos Agent

Integrity Level:

HIGH

Exit code:

Version:

1.1.0.12

Modules

Images
c:\programdata\lyricsgizm\lyricsgizm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

912

"C:\Program Files\Java\jre1.8.0_271\bin\java.exe" -version

C:\Program Files\Java\jre1.8.0_271\bin\java.exe

—

ISightHost.exe

User:

admin

Company:

Oracle Corporation

Integrity Level:

MEDIUM

Description:

Java(TM) Platform SE binary

Exit code:

Version:

8.0.2710.9

Modules

Images
c:\program files\java\jre1.8.0_271\bin\java.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

912

"C:\Users\admin\Desktop\HPDefender.exe"

C:\Users\admin\Desktop\HPDefender.exe

explorer.exe

User:

admin

Company:

so near with their lips

Integrity Level:

MEDIUM

Description:

together. Villanous thoughts

Exit code:

Version:

15.21.597.6931

Modules

Images
c:\users\admin\desktop\hpdefender.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

956

"C:\Users\admin\AppData\Local\Temp\\781.exe" /asru

C:\Users\admin\AppData\Local\Temp\781.exe

CrossRider.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Version:

106.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\781.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\userenv.dll

Add for printing

Total events

184 663

Read events

181 031

Write events

3 005

Delete events

627

Modification events


(PID) Process:	(3668) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3668) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3668) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3668) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(3668) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:	(3668) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:	(3668) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\early-2010s-adware.7z
(PID) Process:	(3668) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3668) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3668) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120

Add for printing

Executable files

122

Suspicious files

137

Text files

256

Unknown types

Dropped files

PID	Process	Filename		Type
3668	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\early-2010s-adware\Flash.exe		executable
		MD5:D1BAFC44D0D9E573758172F45694DBA1	SHA256:A2BA2E085F7475517068AE95927A3762455AF72323B50834D2E9EA26ABE416AA
3668	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\early-2010s-adware\CrossRider.exe		executable
		MD5:C359B1996E911B652B42011BD6BBFD87	SHA256:0CAE1EF0A97EAE1E8F061E9015FCDE96B48E7F8491FD70534B5E373B87EB4B4C
3668	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\early-2010s-adware\PricePeep.exe		executable
		MD5:115E8A3579B3435C12B22E566BB0E123	SHA256:7E1DA0C43606EF23B71CADE66246FC53458D363DDD86D31EE6F55569585FC901
3668	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\early-2010s-adware\SBInstaller.exe		executable
		MD5:E127C25BCD4354189EE7B517E621DEF0	SHA256:4CB1350ABF27A77D6867D9E658AF8A49E23508F0F58AC463E7EE12E2BA81DE16
3668	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\early-2010s-adware\installer.exe		executable
		MD5:E9C54F04632871BF5D429964B53CA1E1	SHA256:ECD061BB175898879DDE68CA11AD1EA9FA6D52E334CC3A78AC70DC37A1AE8E5F
3668	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\early-2010s-adware\MediaBack.exe		executable
		MD5:FB2410A9A356327D16650B3B97F61DAA	SHA256:2348AE8EF84FF79518BE22686D58987909924662843958340F33169E26FCB081
3668	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\early-2010s-adware\whkim.exe		executable
		MD5:2BCE4A069AB5B4CA54C1B97B2E79049E	SHA256:D4BAEFEA68D19D86A1DB175693EAB4D60798380117CCECCDFF8258E547D02050
3668	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\early-2010s-adware\smw.exe		executable
		MD5:5F146F30856087B52E39BE7072A125FE	SHA256:E0410A686B08042A01B81D2EB53E938DAC59D2F049766BD5AEF8B1CB66B96062
968	HPDefender.exe	C:\Users\admin\AppData\Local\Temp\nsu15E3.tmp\nsProcess.dll		executable
		MD5:F0438A894F3A7E01A4AAE8D1B5DD0289	SHA256:30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
3668	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\early-2010s-adware\PennyBee.exe		executable
		MD5:CE82328636D917085664F07AE6767EF5	SHA256:A304949D56D4664B807A02D60243122DD59804F1AE0BBD49AFD02B189CA1DDDC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

185

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2024	PricePeep.exe	GET	302	77.247.179.84:80	http://rpt.myshopres.com/reporter/JSReport.aspx?distributorid=50001&channelid=1&builddate=1337842865&clientversion=2.1.0.12&reportid=1009&browser=all&status=started	unknown	text	11 b	unknown
2024	PricePeep.exe	GET	200	15.197.204.56:80	http://ww1.myshopres.com/	unknown	html	524 b	unknown
2024	PricePeep.exe	GET	200	77.247.179.84:80	http://rpt.myshopres.com/reporter/JSReport.aspx?distributorid=50001&channelid=1&builddate=1337842865&clientversion=2.1.0.12&reportid=1009&browser=all&status=completedSuccessfully	unknown	html	631 b	unknown
3564	WinAgir.exe	GET	301	199.36.158.100:80	http://www.pluginsoft.co.kr/config/auto_config.txt	unknown	—	—	unknown
3564	WinAgir.exe	GET	200	172.217.18.3:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	binary	1.41 Kb	unknown
3564	WinAgir.exe	GET	200	172.217.18.3:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIAjrICMzZli2TN25s%3D	unknown	binary	724 b	unknown
3564	WinAgir.exe	GET	200	172.217.18.3:80	http://ocsp.pki.goog/s/gts1d4/qJZQFfzliN8/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSMBFDqU0NJQdZdEGU3bkhj0FoRrQQUJeIYDrJXkZQq5dRdhpCD3lOzuJICEQC0buZPqCMjDRJuu2GSFUg7	unknown	binary	472 b	unknown
956	781.exe	GET	302	93.115.28.104:80	http://ipgeoapi.com/	unknown	text	11 b	unknown
956	781.exe	GET	200	199.59.243.225:80	http://survey-smiles.com/	unknown	html	1.03 Kb	unknown
2832	smu.exe	GET	—	65.9.94.22:80	http://d1y2jryd6u59ns.cloudfront.net/p.ashx?e=XJYuqQQo69e7kz6lYX7QXuq66llvd8hKb1U7tDd0IfY6IGChvSsxGS23k0nQgAJlcKvrcZtT0LiCG4Fts5sDzA7ZyYfqFDOIxm8eLhHOQtq81bLQaw2AZJ+Yd948cnJ5bmvo3dCzdSQdFBY7drduOgXfW+Af7YyuLhu0b45kiT9oVCXmex/z8Ny8pKBoXpEXs+IILilpWF3MlW9RFqOnilTs7tVSauzs	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
2024	PricePeep.exe	77.247.179.84:80	rpt.myshopres.com	NForce Entertainment B.V.	NL	unknown
2024	PricePeep.exe	15.197.204.56:80	ww1.myshopres.com	AMAZON-02	US	unknown
3564	WinAgir.exe	199.36.158.100:80	www.pluginsoft.co.kr	FASTLY	US	unknown
3564	WinAgir.exe	199.36.158.100:443	www.pluginsoft.co.kr	FASTLY	US	unknown
3564	WinAgir.exe	184.24.77.201:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown
3564	WinAgir.exe	172.217.18.3:80	ocsp.pki.goog	GOOGLE	US	whitelisted
956	781.exe	93.115.28.104:80	ipgeoapi.com	UAB Cherry Servers	LT	unknown

DNS requests

Domain	IP	Reputation
ws.xcodelib.net	—	unknown
rpt.myshopres.com	77.247.179.84	unknown
ww1.myshopres.com	15.197.204.56 3.33.243.145	unknown
tracking.instnode.com	—	unknown
www.pluginsoft.co.kr	199.36.158.100	unknown
ctldl.windowsupdate.com	184.24.77.201 184.24.77.193 184.24.77.174 184.24.77.202 184.24.77.209 184.24.77.206 184.24.77.173 184.24.77.197 184.24.77.205 184.24.77.184 184.24.77.192 184.24.77.186 184.24.77.187	whitelisted
ocsp.pki.goog	172.217.18.3	whitelisted
pluginsoft.co.kr	199.36.158.100	unknown
ipgeoapi.com	93.115.28.104	unknown
survey-smiles.com	199.59.243.225	whitelisted

Threats

PID	Process	Class	Message
2024	PricePeep.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2024	PricePeep.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2024	PricePeep.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
1880	sma.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Windows NT Version 5.0
2780	sma.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Windows NT Version 5.0
3952	Flash.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
3104	PricePeep.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
3104	PricePeep.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
3356	wb.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] Received IP address from server as result of HTTP request

7 ETPRO signatures available at the full report

Add for printing

Process	Message
lyricsgizm.exe	02/18/24 15:24:25 (6843) -~- ProccesId: 2476, ThreadId: 884 -~- OnInitDialog -~- Starting agent process cmdline: "C:\ProgramData\lyricsgizm\lyricsgizm.exe" /InstallOn=0 /closebr=0 /active=24 /update=24 /interval=2880 /pubId=1001 /affId=10010047 /appId=111 /uId={541629DA-2F3B-4262-9DA4-5C952A5A1B35} /version=3.0.0.0 /Override=false /Firstime=1 /IEhome=0 /IEsearch=0 /FFhome=0 /FFsearch=0 /CHhome=0 /CHsearch=0 /FFaddon= /CHaddon= /AutoSP= /regAppName=lyricsgizm /curSID=S-1-5-21-1302019708-1500728564-335382590-1000 /logf=C:\Users\admin\AppData\Local\Temp\lyricsgizm_installer_{541629DA-2F3B-4262-9DA4-5C952A5A1B35}_1708269855.txt /chPol=0 /mac=12A9866C77DE /tst=None
lyricsgizm.exe	02/18/24 15:24:25 (6843) -~- ProccesId: 2476, ThreadId: 884 -~- OnInitDialog -~- First time running
lyricsgizm.exe	02/18/24 15:24:25 (6843) -~- ProccesId: 2476, ThreadId: 884 -~- FirstTimeStat -~- Install starting, sending stats
lyricsgizm.exe	02/18/24 15:24:25 (6859) -~- ProccesId: 2476, ThreadId: 884 -~- SendStats -~- ws.xcodelib.net/ytlyrics/bho/report.php?type=install&sch=4&affId=10010047&pubId=1001&appId=111&agver=1.1.0.12&fferr=scss&chrerr=scss&guid={541629DA-2F3B-4262-9DA4-5C952A5A1B35}&override=false&affIdLast=none&os=6.1&manu=&ff=115.0.2 (x86 en-US)&ch=109.0.5414.120&ie=11.0.9600.19596&mac=12A9866C77DE&newagnt=0&sltm=0&wktm=27&ltm=18_02_15_24_25&tst=none&x=112
lyricsgizm.exe	02/18/24 15:24:41 (22765) -~- ProccesId: 2476, ThreadId: 884 -~- SendStats -~- Error 12007 encountered at: Error 0x2ee7 at Failed HttpSendRequest
lyricsgizm.exe	02/18/24 15:24:41 (22765) -~- ProccesId: 2476, ThreadId: 884 -~- UpdateRegistryFromArguments -~- Updating registry
lyricsgizm.exe	02/18/24 15:24:41 (22765) -~- ProccesId: 2476, ThreadId: 884 -~- StartWorkerTasks -~- Starting tasks
lyricsgizm.exe	02/18/24 15:24:45 (26906) -~- ProccesId: 2476, ThreadId: 884 -~- EndInstallStat -~- Install finished, sending stats
lyricsgizm.exe	02/18/24 15:24:45 (26906) -~- ProccesId: 2476, ThreadId: 884 -~- SetTaskComment -~- Comment is: {"regs":{"ffErr":""}}
lyricsgizm.exe	02/18/24 15:24:45 (26906) -~- ProccesId: 2476, ThreadId: 884 -~- SetTaskComment -~- Comment is: {"regs":{"chromeErr":"","ffErr":""}}

General Info

early-2010s-adware.7z

C0137B76D986D63D1A96C8E4E2266E05

78ECA78558E3F2E23766C76B54B06DC9E99AEA85

F6CA92E7AFE93E719BBE70561A9216A295B92353EA5C6F87D403FB5BAB456184

98304:shBk3pQNTEvtsQdxHymmZT3IfgTdp1mJxRwFqlWv5ueaw8dS+C0S+1Fpuh5GL+SG:QfVE3sTN8M2MT0b45UESDYawSHI

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

Actions looks like stealing of personal data

Connects to the CnC server

Steals credentials from Web Browsers

Changes the AppInit_DLLs value (autorun option)

Starts CMD.EXE for self-deleting

Creates a writable file in the system directory

Opens an HTTP connection (SCRIPT)

Creates internet connection object (SCRIPT)

Sends HTTP request (SCRIPT)

Create files in the Startup directory

SUSPICIOUS

Executable content was dropped or overwritten

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Reads the Internet Settings

Reads security settings of Internet Explorer

Application launched itself

Searches for installed software

Creates a software uninstall entry

Process drops legitimate windows executable

Reads the Windows owner or organization settings

Checks for Java to be installed

Creates/Modifies COM task schedule object

Reads settings of System Certificates

Executes as Windows Service

Checks Windows Trust Settings

Starts itself from another location

Drops a system driver (possible attempt to evade defenses)

The process executes via Task Scheduler

Starts application with an unusual extension

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Checks whether a specific file exists (SCRIPT)

Creates FileSystem object to access computer's file system (SCRIPT)

Changes Internet Explorer settings (feature browser emulation)

Reads Internet Explorer settings

Creates a Folder object (SCRIPT)

Reads the date of Windows installation

Reads Microsoft Outlook installation path

Uses TIMEOUT.EXE to delay execution

Process requests binary or script from the Internet

Detected use of alternative data streams (AltDS)

Changes the title of the Internet Explorer window

Changes the Home page of Internet Explorer

Accesses command line arguments (SCRIPT)

Runs shell command (SCRIPT)

INFO

Executable content was dropped or overwritten

Manual execution by a user

Checks supported languages

Reads the computer name

Create files in a temporary directory

Process checks whether UAC notifications are on

Reads the machine GUID from the registry

Creates files or folders in the user directory

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Creates a software uninstall entry

Reads Environment values

Reads product name

Application launched itself

Malware configuration

Static information

TRiD

Video and screenshots

Processes