File name: spybotsd-2.9.85.5.exe

Full analysis: https://app.any.run/tasks/cc44c667-fd38-4d36-8997-808dd8ef0274
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 07, 2024, 16:47:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader, crypto-regex
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: DB5F1DD85BCF9C2247532BCE86F7C691
SHA1: F46F8BEF0FC9E68B9745DDD3382C9376EF79214B
SHA256: 08D8E206D5BAA738E4D50A7956984B84FCCABDD36A0B7FE6B51B9FA74C4E623B
SSDEEP: 393216:TMWSWyOmNM5hrZl2M2G2QNSlRoh99QIM0vEhwHL+2vsSe9AqK2ua:FS9O15h2/mQI+h0L+2US932T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • spybotsd-2.9.85.5.exe (PID: 2892)
      • spybotsd-2.9.85.5.exe (PID: 1052)
      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Creates a writable file in the system directory

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Changes the autorun value in the registry

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Steals credentials from Web Browsers

      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
    • Actions look like stealing of personal data

      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Executable content was dropped or overwritten

      • spybotsd-2.9.85.5.exe (PID: 2892)
      • spybotsd-2.9.85.5.exe (PID: 1052)
      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Reads security settings of Internet Explorer

      • spybotsd-2.9.85.5.tmp (PID: 4264)
      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
    • Reads the date of Windows installation

      • spybotsd-2.9.85.5.tmp (PID: 4264)
      • SDUpdate.exe (PID: 1328)
    • Drops a system driver (possible attempt to evade defenses)

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Process requests binary or script from the Internet

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Creates or modifies Windows services

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
    • Potential Corporate Privacy Violation

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Detected use of alternative data streams (AltDS)

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Creates/Modifies COM task schedule object

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • The process creates files with name similar to system file names

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Process drops SQLite DLL files

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Checks Windows Trust Settings

      • SDUpdate.exe (PID: 1328)
    • Adds/modifies Windows certificates

      • SDUpdate.exe (PID: 1328)
    • The process verifies whether the antivirus software is installed

      • SDUpdate.exe (PID: 1328)
      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDSpybotLab.exe (PID: 2120)
    • Found regular expressions for crypto-addresses (YARA)

      • SDUpdate.exe (PID: 1328)
    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 3940)
    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 3940)
  • INFO

    • Checks supported languages

      • spybotsd-2.9.85.5.exe (PID: 2892)
      • spybotsd-2.9.85.5.tmp (PID: 4264)
      • spybotsd-2.9.85.5.exe (PID: 1052)
      • _setup64.tmp (PID: 4944)
      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
      • spybotsd-2.9.85.5.tmp (PID: 8)
      • default-browser-agent.exe (PID: 3940)
    • Reads the computer name

      • spybotsd-2.9.85.5.tmp (PID: 4264)
      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Creates files in a temporary directory

      • spybotsd-2.9.85.5.exe (PID: 2892)
      • spybotsd-2.9.85.5.exe (PID: 1052)
      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Process checks computer location settings

      • spybotsd-2.9.85.5.tmp (PID: 4264)
      • SDUpdate.exe (PID: 1328)
    • Reads the machine GUID from the registry

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
    • Reads Environment values

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
    • Checks proxy server information

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
    • Creates files in the program directory

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
    • Creates a software uninstall entry

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Reads the software policy settings

      • SDUpdate.exe (PID: 1328)
      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Creates files or folders in the user directory

      • SDUpdate.exe (PID: 1328)
    • Application launched itself

      • firefox.exe (PID: 1324)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 123904
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 2.9.85.5
ProductVersionNumber: 2.9.85.5
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Safer-Networking Ltd.
FileDescription: Spybot - Search & Destroy
FileVersion: 2.9.85.5
LegalCopyright: © 2000-2021 Safer-Networking Ltd.. All rights reserved.
OriginalFileName:
ProductName: Spybot - Search & Destroy
ProductVersion: 2.9.85.5
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 11
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Process nodes in the order shown in the graph (badges in parentheses):
  • spybotsd-2.9.85.5.exe
  • spybotsd-2.9.85.5.tmp (no specs)
  • spybotsd-2.9.85.5.exe
  • spybotsd-2.9.85.5.tmp
  • _setup64.tmp (no specs)
  • conhost.exe (no specs)
  • sdupdate.exe (THREAT)
  • sdspybotlab.exe
  • default-browser-agent.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)

Process information

Table columns: PID, CMD, Path, Indicators, Parent process (followed by user, company, integrity level, description, exit code, version and the first loaded modules).
PID 8
CMD: "C:\Users\admin\AppData\Local\Temp\is-IG2M4.tmp\spybotsd-2.9.85.5.tmp" /SL5="$802AE,64109152,866816,C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe" /SPAWNWND=$502A2 /NOTIFYWND=$B0166
Path: C:\Users\admin\AppData\Local\Temp\is-IG2M4.tmp\spybotsd-2.9.85.5.tmp
Parent process: spybotsd-2.9.85.5.exe
User: admin
Company: Safer-Networking Ltd.
Integrity Level: HIGH
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-ig2m4.tmp\spybotsd-2.9.85.5.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\comdlg32.dll

PID 1052
CMD: "C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe" /SPAWNWND=$502A2 /NOTIFYWND=$B0166
Path: C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe
Parent process: spybotsd-2.9.85.5.tmp
User: admin
Company: Safer-Networking Ltd.
Integrity Level: HIGH
Description: Spybot - Search & Destroy
Version: 2.9.85.5
Modules (images):
  c:\users\admin\desktop\spybotsd-2.9.85.5.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\comctl32.dll

PID 1324
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: default-browser-agent.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 3
Version: 123.0
Modules (images):
  c:\program files\mozilla firefox\firefox.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ucrtbase.dll
  c:\program files\mozilla firefox\vcruntime140_1.dll
  c:\program files\mozilla firefox\msvcp140.dll
  c:\program files\mozilla firefox\vcruntime140.dll
  c:\program files\mozilla firefox\mozglue.dll
  c:\windows\system32\crypt32.dll

PID 1328
CMD: "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" /autoupdate /autoclose /force
Path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Parent process: spybotsd-2.9.85.5.tmp
User: admin
Company: Safer-Networking Ltd.
Integrity Level: HIGH
Description: Update
Version: 2.9.85.116
Modules (images):
  c:\program files (x86)\spybot - search & destroy 2\sdupdate.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID 1784
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 3
Version: 123.0
Modules (images):
  c:\program files\mozilla firefox\firefox.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ucrtbase.dll
  c:\program files\mozilla firefox\mozglue.dll
  c:\windows\system32\crypt32.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\msvcp140.dll
  c:\windows\system32\vcruntime140.dll

PID 2120
CMD: "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDSpybotLab.exe" /updatedue
Path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDSpybotLab.exe
Parent process: SDUpdate.exe
User: admin
Company: Safer-Networking Ltd.
Integrity Level: HIGH
Exit code: 0
Version: 2.9.82.0
Modules (images):
  c:\program files (x86)\spybot - search & destroy 2\sdspybotlab.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID 2892
CMD: "C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe"
Path: C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe
Parent process: explorer.exe
User: admin
Company: Safer-Networking Ltd.
Integrity Level: MEDIUM
Description: Spybot - Search & Destroy
Version: 2.9.85.5
Modules (images):
  c:\users\admin\desktop\spybotsd-2.9.85.5.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\comctl32.dll

PID 3168
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: _setup64.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID 3940
CMD: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB"
Path: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Parent process: svchost.exe
User: admin
Company: Mozilla Foundation
Integrity Level: MEDIUM
Exit code: 2147500037
Version: 123.0
Modules (images):
  c:\program files\mozilla firefox\default-browser-agent.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ole32.dll

PID 4264
CMD: "C:\Users\admin\AppData\Local\Temp\is-R70PU.tmp\spybotsd-2.9.85.5.tmp" /SL5="$B0166,64109152,866816,C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-R70PU.tmp\spybotsd-2.9.85.5.tmp
Parent process: spybotsd-2.9.85.5.exe
User: admin
Company: Safer-Networking Ltd.
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-r70pu.tmp\spybotsd-2.9.85.5.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\comdlg32.dll

Total events: 14 600
Read events: 14 322
Write events: 276
Delete events: 2

Modification events

Process: (8) spybotsd-2.9.85.5.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 08000000D6B42F668DD0DA01

Process: (8) spybotsd-2.9.85.5.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 8FFD2956F8EFE178EB56C58CBB55D2A7ACAFC6A10CC513022103AEC94201A725

Process: (8) spybotsd-2.9.85.5.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

Process: (8) spybotsd-2.9.85.5.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Operation: write
Name: Enabled
Value:

Process: (8) spybotsd-2.9.85.5.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Operation: write
Name: DisabledByDefault
Value: 0

Process: (8) spybotsd-2.9.85.5.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Operation: write
Name: Server
Value:

Process: (8) spybotsd-2.9.85.5.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Operation: write
Name: DefaultSecureProtocols
Value: 2048

Process: (8) spybotsd-2.9.85.5.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (8) spybotsd-2.9.85.5.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (8) spybotsd-2.9.85.5.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Executable files: 190
Suspicious files: 134
Text files: 21
Unknown types: 4

Dropped files

PID 8, spybotsd-2.9.85.5.tmp: C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\_isetup\_setup64.tmp (executable)
  MD5: E4211D6D009757C078A9FAC7FF4F03D4
  SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID 8, spybotsd-2.9.85.5.tmp: C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\SDTasks.dll (executable)
  MD5: A29521D7CB3CF93F6C28238A44328AED
  SHA256: 377BBF40F4979BA6EBC77DFBA25E63DDBC57DA55A49A3E1E66944378DC86BB0E

PID 8, spybotsd-2.9.85.5.tmp: C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\idp.dll (executable)
  MD5: 55C310C0319260D798757557AB3BF636
  SHA256: 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED

PID 1052, spybotsd-2.9.85.5.exe: C:\Users\admin\AppData\Local\Temp\is-IG2M4.tmp\spybotsd-2.9.85.5.tmp (executable)
  MD5: D9CF57C7EBE21CB690106D34DB668607
  SHA256: 142E1A5E2494669927C82844DB6DB6D451F26B819469A5B3F0BF408ADB0037CC

PID 8, spybotsd-2.9.85.5.tmp: C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\inno-imgconvert.dll (executable)
  MD5: C6D7B183C8737095B6EF0961878B7DA5
  SHA256: CCCD543F453AC1459E7824A15B0F711A16846459D0325CFF3AB3B298830BFF42

PID 2892, spybotsd-2.9.85.5.exe: C:\Users\admin\AppData\Local\Temp\is-R70PU.tmp\spybotsd-2.9.85.5.tmp (executable)
  MD5: D9CF57C7EBE21CB690106D34DB668607
  SHA256: 142E1A5E2494669927C82844DB6DB6D451F26B819469A5B3F0BF408ADB0037CC

PID 8, spybotsd-2.9.85.5.tmp: C:\Program Files (x86)\Spybot - Search & Destroy 2\is-E0U13.tmp (executable)
  MD5: D9CF57C7EBE21CB690106D34DB668607
  SHA256: 142E1A5E2494669927C82844DB6DB6D451F26B819469A5B3F0BF408ADB0037CC

PID 8, spybotsd-2.9.85.5.tmp: C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\WorkSans-Regular.ttf (binary)
  MD5: 2291C47BC482691E572457B01328A926
  SHA256: A3EF374A1B2613ED6EAEB86408EBB1928BFA1B73A1F18CADCBD8760995A304C2

PID 8, spybotsd-2.9.85.5.tmp: C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\PrivacyPolicy.rtf (text)
  MD5: 66BA720645C0DE1109D101E908624E07
  SHA256: 1C649F1239410A2DB86E8AA203A428820C266CF96BF3FA423EF4F06CA9DC4E14

PID 8, spybotsd-2.9.85.5.tmp: C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\setup-signatures.exe (executable)
  MD5: 037938525C7FD43563D0DF699FF5274E
  SHA256: 1C23B3DBB875822C8AF3EF76DB17CE49A6D3768DE95F25F1AC935B9344491ED2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 56
TCP/UDP connections: 67
DNS requests: 26
Threats: 12

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN / Type / Size / Reputation (empty cells were lost in extraction and are shown as "-"; trailing "unknown" values are kept in the order they appeared)

1968 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
- | - | GET | 200 | 95.216.205.152:443 | https://offers.safer-networking.org/event.php?type=checkresponse&offer_product=Opera%20Browser&distributor_product=spybot_v2 | unknown
- | - | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
- | - | GET | 200 | 95.216.205.152:443 | https://offers.safer-networking.org/event.php?type=present&offer_product=Opera%20Browser&distributor_product=spybot_v2 | unknown
8 | spybotsd-2.9.85.5.tmp | HEAD | 200 | 5.161.140.23:80 | http://updates4.safer-networking.org/spybot1/spybotsd_includes.exe | unknown | unknown
- | - | GET | 200 | 95.216.205.152:443 | https://offers.safer-networking.org/event.php?type=check&offer_product=Opera%20Browser&distributor_product=spybot_v2 | unknown
- | - | GET | 200 | 95.216.205.152:443 | https://offers.safer-networking.org/event.php?type=present&offer_product=Opera%20Browser&distributor_product=spybot_v2 | unknown
8 | spybotsd-2.9.85.5.tmp | HEAD | 200 | 95.217.7.90:80 | http://updates3.safer-networking.org/spybot1/spybotsd_includes.exe | unknown | unknown
8 | spybotsd-2.9.85.5.tmp | GET | 200 | 5.161.140.23:80 | http://updates4.safer-networking.org/spybot1/spybotsd_includes.exe | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (empty cells shown as "-")

- | - | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1968 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
- | - | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1968 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
8 | spybotsd-2.9.85.5.tmp | 95.216.205.152:443 | offers.safer-networking.org | Hetzner Online GmbH | FI | unknown

DNS requests

Columns: Domain | IP | Reputation

crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
offers.safer-networking.org | 95.216.205.152 | unknown
www.safer-networking.org | 15.235.53.196 | whitelisted
updates4.safer-networking.org | 5.161.140.23 | unknown
updates3.safer-networking.org | 95.217.7.90 | unknown
self.events.data.microsoft.com | 20.189.173.8 | whitelisted
oneocsp.microsoft.com | 204.79.197.203 | whitelisted
www.bing.com | 104.126.37.176, 104.126.37.138, 104.126.37.179, 104.126.37.137, 104.126.37.177, 104.126.37.136, 104.126.37.178, 104.126.37.128, 104.126.37.185 | whitelisted

Threats

Columns: PID | Process | Class | Message (empty cells shown as "-")

- | - | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
- | - | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
- | - | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
- | - | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
- | - | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
8 | spybotsd-2.9.85.5.tmp | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
8 | spybotsd-2.9.85.5.tmp | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
8 | spybotsd-2.9.85.5.tmp | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
8 | spybotsd-2.9.85.5.tmp | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
8 | spybotsd-2.9.85.5.tmp | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
Columns: Process | Message

SDUpdate.exe | C:\Program Files (x86)\Spybot - Search & Destroy 2\SDLicense.dll: GetCodeSignatureIssuerPE: -1
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,