File name: spybotsd-2.9.85.5.exe
Full analysis: https://app.any.run/tasks/cc44c667-fd38-4d36-8997-808dd8ef0274
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 07, 2024, 16:47:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader, crypto-regex
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: DB5F1DD85BCF9C2247532BCE86F7C691
SHA1: F46F8BEF0FC9E68B9745DDD3382C9376EF79214B
SHA256: 08D8E206D5BAA738E4D50A7956984B84FCCABDD36A0B7FE6B51B9FA74C4E623B
SSDEEP: 393216:TMWSWyOmNM5hrZl2M2G2QNSlRoh99QIM0vEhwHL+2vsSe9AqK2ua:FS9O15h2/mQI+h0L+2US932T

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • spybotsd-2.9.85.5.exe (PID: 2892)
      • spybotsd-2.9.85.5.exe (PID: 1052)
      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Creates a writable file in the system directory

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Changes the autorun value in the registry

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Actions look like stealing of personal data

      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
    • Steals credentials from Web Browsers

      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • spybotsd-2.9.85.5.tmp (PID: 4264)
      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
    • Executable content was dropped or overwritten

      • spybotsd-2.9.85.5.exe (PID: 2892)
      • spybotsd-2.9.85.5.tmp (PID: 8)
      • spybotsd-2.9.85.5.exe (PID: 1052)
    • Reads the date of Windows installation

      • spybotsd-2.9.85.5.tmp (PID: 4264)
      • SDUpdate.exe (PID: 1328)
    • Reads the Windows owner or organization settings

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Process requests binary or script from the Internet

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Potential Corporate Privacy Violation

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Process drops SQLite DLL files

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • The process creates files with name similar to system file names

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Drops a system driver (possible attempt to evade defenses)

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Creates or modifies Windows services

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
    • Detected use of alternate data streams (AltDS)

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Creates/Modifies COM task schedule object

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Checks Windows Trust Settings

      • SDUpdate.exe (PID: 1328)
    • Adds/modifies Windows certificates

      • SDUpdate.exe (PID: 1328)
    • The process verifies whether the antivirus software is installed

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDSpybotLab.exe (PID: 2120)
      • SDUpdate.exe (PID: 1328)
    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 3940)
    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 3940)
    • Found regular expressions for crypto-addresses (YARA)

      • SDUpdate.exe (PID: 1328)
  • INFO

    • Reads the computer name

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • spybotsd-2.9.85.5.tmp (PID: 4264)
      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
    • Checks supported languages

      • spybotsd-2.9.85.5.exe (PID: 1052)
      • spybotsd-2.9.85.5.tmp (PID: 8)
      • spybotsd-2.9.85.5.tmp (PID: 4264)
      • spybotsd-2.9.85.5.exe (PID: 2892)
      • SDUpdate.exe (PID: 1328)
      • _setup64.tmp (PID: 4944)
      • SDSpybotLab.exe (PID: 2120)
      • default-browser-agent.exe (PID: 3940)
    • Creates files in a temporary directory

      • spybotsd-2.9.85.5.exe (PID: 1052)
      • spybotsd-2.9.85.5.exe (PID: 2892)
      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Reads the software policy settings

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
    • Process checks computer location settings

      • spybotsd-2.9.85.5.tmp (PID: 4264)
      • SDUpdate.exe (PID: 1328)
    • Reads Environment values

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
    • Creates files in the program directory

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
    • Reads the machine GUID from the registry

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
      • SDSpybotLab.exe (PID: 2120)
    • Checks proxy server information

      • spybotsd-2.9.85.5.tmp (PID: 8)
      • SDUpdate.exe (PID: 1328)
    • Creates a software uninstall entry

      • spybotsd-2.9.85.5.tmp (PID: 8)
    • Creates files or folders in the user directory

      • SDUpdate.exe (PID: 1328)
    • Application launched itself

      • firefox.exe (PID: 1324)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

ProductVersion: 2.9.85.5
ProductName: Spybot - Search & Destroy
OriginalFileName:
LegalCopyright: © 2000-2021 Safer-Networking Ltd.. All rights reserved.
FileVersion: 2.9.85.5
FileDescription: Spybot - Search & Destroy
CompanyName: Safer-Networking Ltd.
Comments: This installation was built with Inno Setup.
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.9.85.5
FileVersionNumber: 2.9.85.5
Subsystem: Windows GUI
SubsystemVersion: 6.1
ImageVersion: 6
OSVersion: 6.1
EntryPoint: 0xb5eec
UninitializedDataSize: -
InitializedDataSize: 123904
CodeSize: 741888
LinkerVersion: 2.25
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
TimeStamp: 2023:02:15 14:54:16+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 120
Monitored processes: 11
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Process nodes in the order shown in the graph ("no specs" marks a process without indicators; "THREAT" is the badge attached to the flagged process):
  • start
  • spybotsd-2.9.85.5.exe
  • spybotsd-2.9.85.5.tmp (no specs)
  • spybotsd-2.9.85.5.exe
  • spybotsd-2.9.85.5.tmp
  • _setup64.tmp (no specs)
  • conhost.exe (no specs)
  • sdupdate.exe (THREAT)
  • sdspybotlab.exe
  • default-browser-agent.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 2892
CMD: "C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe"
Path: C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe
Parent process: explorer.exe
User: admin
Company: Safer-Networking Ltd.
Integrity Level: MEDIUM
Description: Spybot - Search & Destroy
Version: 2.9.85.5
Modules
Images
c:\users\admin\desktop\spybotsd-2.9.85.5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 4264
CMD: "C:\Users\admin\AppData\Local\Temp\is-R70PU.tmp\spybotsd-2.9.85.5.tmp" /SL5="$B0166,64109152,866816,C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-R70PU.tmp\spybotsd-2.9.85.5.tmp
Parent process: spybotsd-2.9.85.5.exe
User: admin
Company: Safer-Networking Ltd.
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-r70pu.tmp\spybotsd-2.9.85.5.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 1052
CMD: "C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe" /SPAWNWND=$502A2 /NOTIFYWND=$B0166
Path: C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe
Parent process: spybotsd-2.9.85.5.tmp
User: admin
Company: Safer-Networking Ltd.
Integrity Level: HIGH
Description: Spybot - Search & Destroy
Version: 2.9.85.5
Modules
Images
c:\users\admin\desktop\spybotsd-2.9.85.5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 8
CMD: "C:\Users\admin\AppData\Local\Temp\is-IG2M4.tmp\spybotsd-2.9.85.5.tmp" /SL5="$802AE,64109152,866816,C:\Users\admin\Desktop\spybotsd-2.9.85.5.exe" /SPAWNWND=$502A2 /NOTIFYWND=$B0166
Path: C:\Users\admin\AppData\Local\Temp\is-IG2M4.tmp\spybotsd-2.9.85.5.tmp
Parent process: spybotsd-2.9.85.5.exe
User: admin
Company: Safer-Networking Ltd.
Integrity Level: HIGH
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ig2m4.tmp\spybotsd-2.9.85.5.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 4944
CMD: helper 105 0xA44
Path: C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\_isetup\_setup64.tmp
Parent process: spybotsd-2.9.85.5.tmp
User: admin
Integrity Level: HIGH
Modules
Images
c:\users\admin\appdata\local\temp\is-hp4h9.tmp\_isetup\_setup64.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3168
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: _setup64.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1328
CMD: "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" /autoupdate /autoclose /force
Path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Parent process: spybotsd-2.9.85.5.tmp
User: admin
Company: Safer-Networking Ltd.
Integrity Level: HIGH
Description: Update
Version: 2.9.85.116
Modules
Images
c:\program files (x86)\spybot - search & destroy 2\sdupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2120
CMD: "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDSpybotLab.exe" /updatedue
Path: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDSpybotLab.exe
Parent process: SDUpdate.exe
User: admin
Company: Safer-Networking Ltd.
Integrity Level: HIGH
Exit code: 0
Version: 2.9.82.0
Modules
Images
c:\program files (x86)\spybot - search & destroy 2\sdspybotlab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3940
CMD: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB"
Path: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Parent process: svchost.exe
User: admin
Company: Mozilla Foundation
Integrity Level: MEDIUM
Exit code: 2147500037
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\default-browser-agent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 1324
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: default-browser-agent.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 3
Version: 123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
Total events: 14 600
Read events: 14 322
Write events: 276
Delete events: 2

Modification events

PID 8, spybotsd-2.9.85.5.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Operation: write | Name: Owner | Value: 08000000D6B42F668DD0DA01
PID 8, spybotsd-2.9.85.5.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Operation: write | Name: SessionHash | Value: 8FFD2956F8EFE178EB56C58CBB55D2A7ACAFC6A10CC513022103AEC94201A725
PID 8, spybotsd-2.9.85.5.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Operation: write | Name: Sequence | Value: 1
PID 8, spybotsd-2.9.85.5.tmp | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | Operation: write | Name: Enabled | Value:
PID 8, spybotsd-2.9.85.5.tmp | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | Operation: write | Name: DisabledByDefault | Value: 0
PID 8, spybotsd-2.9.85.5.tmp | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | Operation: write | Name: Server | Value:
PID 8, spybotsd-2.9.85.5.tmp | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp | Operation: write | Name: DefaultSecureProtocols | Value: 2048
PID 8, spybotsd-2.9.85.5.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 8, spybotsd-2.9.85.5.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 8, spybotsd-2.9.85.5.tmp | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
Executable files: 190
Suspicious files: 134
Text files: 21
Unknown types: 4

Dropped files

PID | Process | Filename | Type
8 | spybotsd-2.9.85.5.tmp | C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\spybot-offer.json | binary
  MD5: C93A11F71D6A5C254E8C455A3EA44126
  SHA256: 4EDABA3ACC103A1487734F43F452F41BE9A27C3133C9106E24871146333A717D
8 | spybotsd-2.9.85.5.tmp | C:\Program Files (x86)\Spybot - Search & Destroy 2\is-GOM7U.tmp | executable
  MD5: A29521D7CB3CF93F6C28238A44328AED
  SHA256: 377BBF40F4979BA6EBC77DFBA25E63DDBC57DA55A49A3E1E66944378DC86BB0E
2892 | spybotsd-2.9.85.5.exe | C:\Users\admin\AppData\Local\Temp\is-R70PU.tmp\spybotsd-2.9.85.5.tmp | executable
  MD5: D9CF57C7EBE21CB690106D34DB668607
  SHA256: 142E1A5E2494669927C82844DB6DB6D451F26B819469A5B3F0BF408ADB0037CC
8 | spybotsd-2.9.85.5.tmp | C:\Program Files (x86)\Spybot - Search & Destroy 2\is-E0U13.tmp | executable
  MD5: D9CF57C7EBE21CB690106D34DB668607
  SHA256: 142E1A5E2494669927C82844DB6DB6D451F26B819469A5B3F0BF408ADB0037CC
8 | spybotsd-2.9.85.5.tmp | C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\inno-imgconvert.dll | executable
  MD5: C6D7B183C8737095B6EF0961878B7DA5
  SHA256: CCCD543F453AC1459E7824A15B0F711A16846459D0325CFF3AB3B298830BFF42
8 | spybotsd-2.9.85.5.tmp | C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTasks.dll | executable
  MD5: A29521D7CB3CF93F6C28238A44328AED
  SHA256: 377BBF40F4979BA6EBC77DFBA25E63DDBC57DA55A49A3E1E66944378DC86BB0E
8 | spybotsd-2.9.85.5.tmp | C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\SDTasks.dll | executable
  MD5: A29521D7CB3CF93F6C28238A44328AED
  SHA256: 377BBF40F4979BA6EBC77DFBA25E63DDBC57DA55A49A3E1E66944378DC86BB0E
8 | spybotsd-2.9.85.5.tmp | C:\Program Files (x86)\Spybot - Search & Destroy 2\is-9S7D8.tmp | executable
  MD5: 98F2272A7D1BA8E3155FBEA167BCC613
  SHA256: 29DCE15201D8216AD847275ED8476699CD23ED48109F5362DA321094D1327FEF
8 | spybotsd-2.9.85.5.tmp | C:\Users\admin\AppData\Local\Temp\is-HP4H9.tmp\WorkSans-Regular.ttf | binary
  MD5: 2291C47BC482691E572457B01328A926
  SHA256: A3EF374A1B2613ED6EAEB86408EBB1928BFA1B73A1F18CADCBD8760995A304C2
8 | spybotsd-2.9.85.5.tmp | C:\Program Files (x86)\Spybot - Search & Destroy 2\fonts\is-ENN3F.tmp | ttf
  MD5: 2291C47BC482691E572457B01328A926
  SHA256: A3EF374A1B2613ED6EAEB86408EBB1928BFA1B73A1F18CADCBD8760995A304C2
HTTP(S) requests: 56
TCP/UDP connections: 67
DNS requests: 26
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN / Type / Size / Reputation (as extracted; "-" marks a cell the report left blank)
- | - | GET | 200 | 95.216.205.152:443 | https://offers.safer-networking.org/event.php?type=checkresponse&offer_product=Opera%20Browser&distributor_product=spybot_v2 | unknown
- | - | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
1968 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
1968 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown, unknown
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown, unknown
- | - | GET | 200 | 95.216.205.152:443 | https://offers.safer-networking.org/event.php?type=check&offer_product=Opera%20Browser&distributor_product=spybot_v2 | unknown
8 | spybotsd-2.9.85.5.tmp | HEAD | 200 | 5.161.140.23:80 | http://updates4.safer-networking.org/spybot1/spybotsd_includes.exe | unknown, unknown
- | - | GET | 200 | 95.216.205.152:443 | https://offers.safer-networking.org/event.php?type=present&offer_product=Opera%20Browser&distributor_product=spybot_v2 | unknown
8 | spybotsd-2.9.85.5.tmp | GET | 302 | 15.235.53.196:80 | http://www.safer-networking.org/updallocator.php | unknown, unknown
8 | spybotsd-2.9.85.5.tmp | HEAD | 302 | 15.235.53.196:80 | http://www.safer-networking.org/updallocator.php | unknown, unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a cell the report left blank)
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1968 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
- | - | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1968 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
8 | spybotsd-2.9.85.5.tmp | 95.216.205.152:443 | offers.safer-networking.org | Hetzner Online GmbH | FI | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
offers.safer-networking.org | 95.216.205.152 | unknown
www.safer-networking.org | 15.235.53.196 | whitelisted
updates4.safer-networking.org | 5.161.140.23 | unknown
updates3.safer-networking.org | 95.217.7.90 | unknown
self.events.data.microsoft.com | 20.189.173.8 | whitelisted
oneocsp.microsoft.com | 204.79.197.203 | whitelisted
www.bing.com | 104.126.37.176, 104.126.37.138, 104.126.37.179, 104.126.37.137, 104.126.37.177, 104.126.37.136, 104.126.37.178, 104.126.37.128, 104.126.37.185 | whitelisted

Threats

PID | Process | Class | Message ("-" marks a cell the report left blank)
- | - | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
- | - | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
- | - | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
- | - | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
- | - | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
8 | spybotsd-2.9.85.5.tmp | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
8 | spybotsd-2.9.85.5.tmp | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
8 | spybotsd-2.9.85.5.tmp | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
8 | spybotsd-2.9.85.5.tmp | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
8 | spybotsd-2.9.85.5.tmp | A Network Trojan was detected | ET MALWARE Brute Ratel Fake User-Agent
Process | Message
SDUpdate.exe | C:\Program Files (x86)\Spybot - Search & Destroy 2\SDLicense.dll: GetCodeSignatureIssuerPE: -1
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,
SDUpdate.exe | TMemoryMappedFileBase: Handle created,