Malware analysis BatteryBarSetup-3.6.6.exe Malicious activity

Add for printing

File name:	BatteryBarSetup-3.6.6.exe
Full analysis:	https://app.any.run/tasks/125ec16f-ad7e-4a56-b80d-2d31edd1a809
Verdict:	Malicious activity
Analysis date:	July 01, 2024, 08:41:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	92CBB10DC644D331CFA47F8744AB2ED0
SHA1:	5750A8FC66C9C7B1F062D25272AE055CFE55206C
SHA256:	1054A4D1327E9E79B93F84F07144D4F55933F51A5C62F5FDA77A40469A6F5828
SSDEEP:	49152:7BgweMAa+CVmIQCubvMF7t+3jsHMqhxPsh7r3sZlAQhIrQAm0w+iRX+KQmOak8et:7B3eCsIQ3vMJsTsHMqhxPsh7r3sZlAQE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
  - csc.exe (PID: 5280)
  - csc.exe (PID: 4820)
- Changes the autorun value in the registry
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
- Creates/Modifies COM task schedule object
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
- The process creates files with name similar to system file names
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
- Executable content was dropped or overwritten
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
  - csc.exe (PID: 5280)
  - csc.exe (PID: 4820)
- Creates a software uninstall entry
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
- The process executes via Task Scheduler
  - PLUGScheduler.exe (PID: 3680)
INFO
- Create files in a temporary directory
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
  - explorer.exe (PID: 4612)
  - csc.exe (PID: 5280)
  - cvtres.exe (PID: 4860)
  - csc.exe (PID: 4820)
  - cvtres.exe (PID: 5016)
- Creates files in the program directory
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
  - PLUGScheduler.exe (PID: 3680)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4612)
- Checks supported languages
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
  - ngen.exe (PID: 5568)
  - ShowBatteryBar.exe (PID: 5184)
  - csc.exe (PID: 5280)
  - cvtres.exe (PID: 4860)
  - TextInputHost.exe (PID: 2344)
  - PLUGScheduler.exe (PID: 3680)
  - csc.exe (PID: 4820)
  - cvtres.exe (PID: 5016)
- Reads the computer name
  - BatteryBarSetup-3.6.6.exe (PID: 3840)
  - ngen.exe (PID: 5568)
  - TextInputHost.exe (PID: 2344)
  - PLUGScheduler.exe (PID: 3680)
- Creates files or folders in the user directory
  - explorer.exe (PID: 4612)
- Manual execution by a user
  - csc.exe (PID: 5280)
  - csc.exe (PID: 4820)
  - ShowBatteryBar.exe (PID: 5500)
- Reads the machine GUID from the registry
  - csc.exe (PID: 5280)
  - csc.exe (PID: 4820)
- Disables trace logs
  - explorer.exe (PID: 4612)
- Checks proxy server information
  - explorer.exe (PID: 4612)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:02:24 19:19:59+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	28672
InitializedDataSize:	445952
UninitializedDataSize:	16896
EntryPoint:	0x39e3
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

269

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2344

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Exit code:

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

2864

"C:\Users\admin\AppData\Local\Temp\BatteryBarSetup-3.6.6.exe"

C:\Users\admin\AppData\Local\Temp\BatteryBarSetup-3.6.6.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\batterybarsetup-3.6.6.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

3168

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3680

"C:\Program Files\RUXIM\PLUGscheduler.exe"

C:\Program Files\RUXIM\PLUGScheduler.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Update LifeCycle Component Scheduler

Exit code:

Version:

10.0.19041.3623 (WinBuild.160101.0800)

Modules

Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

3840

"C:\Users\admin\AppData\Local\Temp\BatteryBarSetup-3.6.6.exe"

C:\Users\admin\AppData\Local\Temp\BatteryBarSetup-3.6.6.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\batterybarsetup-3.6.6.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

4320

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4612

C:\WINDOWS\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

1073807364

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\smartscreenps.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\aepic.dll

4820

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\wuur2mdo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Visual C# Command Line Compiler

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

4848

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES414B.tmp" "c:\Users\admin\AppData\Local\Temp\CSC4BDEA9FB4364FCC9A188FDAB75A57.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

14.32.31326.0

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll

Add for printing

Total events

10 214

Read events

10 143

Write events

Delete events

Modification events


(PID) Process:	(4612) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 23004100430042006C006F006200000000000000000000000100000000002E006A007000
(PID) Process:	(4612) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000901D6
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456249F86704CD0354CAF53943DFF6B26B6
(PID) Process:	(3840) BatteryBarSetup-3.6.6.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BatteryBar
Operation:	write	Name:	DisplayName
Value: BatteryBar (remove only)
(PID) Process:	(3840) BatteryBarSetup-3.6.6.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BatteryBar
Operation:	write	Name:	DisplayIcon
Value: "C:\Program Files\BatteryBar\Uninstall.exe,0"
(PID) Process:	(3840) BatteryBarSetup-3.6.6.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BatteryBar
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\BatteryBar\Uninstall.exe"
(PID) Process:	(3840) BatteryBarSetup-3.6.6.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10149DAF-506B-4488-8376-DF24F0185196}
Operation:	write	Name:	HelpText
Value: Displays the life remaining on your battery
(PID) Process:	(3840) BatteryBarSetup-3.6.6.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10149DAF-506B-4488-8376-DF24F0185196}
Operation:	write	Name:	MenuText
Value: BatteryBar
(PID) Process:	(3840) BatteryBarSetup-3.6.6.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10149DAF-506B-4488-8376-DF24F0185196}\InProcServer32
Operation:	write	Name:	Assembly
Value: BatteryBar, Version=3.5.0.0, Culture=neutral, PublicKeyToken=0ff63241f9c0efba
(PID) Process:	(3840) BatteryBarSetup-3.6.6.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10149DAF-506B-4488-8376-DF24F0185196}\InProcServer32
Operation:	write	Name:	Class
Value: BatteryBar.BatteryBar
(PID) Process:	(3840) BatteryBarSetup-3.6.6.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10149DAF-506B-4488-8376-DF24F0185196}\InProcServer32
Operation:	write	Name:	CodeBase
Value: file:///C:/Program Files/BatteryBar/BatteryBar.dll

Add for printing

Executable files

Suspicious files

Text files

282

Unknown types

Dropped files

PID	Process	Filename		Type
3840	BatteryBarSetup-3.6.6.exe	C:\Users\admin\AppData\Local\Temp\nszDFF3.tmp\System.dll		executable
		MD5:BF712F32249029466FA86756F5546950	SHA256:7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF
3840	BatteryBarSetup-3.6.6.exe	C:\Users\admin\AppData\Local\Temp\nszDFF3.tmp\nsDialogs.dll		executable
		MD5:4CCC4A742D4423F2F0ED744FD9C81F63	SHA256:416133DD86C0DFF6B0FCAF1F46DFE97FDC85B37F90EFFB2D369164A8F7E13AE6
3840	BatteryBarSetup-3.6.6.exe	C:\Users\admin\AppData\Local\Temp\nszDFF3.tmp\modern-header.bmp		image
		MD5:9929239D5FD6557718E3EE49F5D9AC58	SHA256:6462BDC56ABA84E2ACF567B78E0787B7599490FC226C23D127F88BADDB61BDDE
3840	BatteryBarSetup-3.6.6.exe	C:\Users\admin\AppData\Local\Temp\nszDFF3.tmp\modern-wizard.bmp		image
		MD5:CC932859F82109F6BF94A4F09D843ACD	SHA256:9790D1B850329C9A50AF22EBA61DBAE897D83D1FAE620BAC9BE0B38B555497D6
3840	BatteryBarSetup-3.6.6.exe	C:\Program Files\BatteryBar\license.txt		text
		MD5:8E2DF15C3A03B6A6A47165D237B8E453	SHA256:D5A9B6455891712B8C136E935FF0AA05F336E95D59CC853D85C176758DFACED4
3840	BatteryBarSetup-3.6.6.exe	C:\Program Files\BatteryBar\BatteryBar.Utilities.dll		executable
		MD5:52E349C23D822942B78B84C24AC13E6B	SHA256:B0525E5060BF32BF04F0A1C320D20D85B2286B6A93088B06E622FAD5D821CA65
3840	BatteryBarSetup-3.6.6.exe	C:\Program Files\BatteryBar\BatteryBar.dll		executable
		MD5:12E34743719870605F861A5CD33BEE80	SHA256:3122CC12EEEE7EE367661C8DF9B467181FBE74FC854716E5DAC3ECB1B4A966A3
3840	BatteryBarSetup-3.6.6.exe	C:\Program Files\BatteryBar\changelog.txt		text
		MD5:2BC90AD2C885F103DAC560C7066172AE	SHA256:95E60DC412D90EE775267041E97025584B5D44A5D8BD1B4EB3E010BF676B6D36
3840	BatteryBarSetup-3.6.6.exe	C:\Program Files\BatteryBar\BarExplorerHook.dll		executable
		MD5:0E64DB250CAA69E2EF717696BCE651AA	SHA256:EBA91486F42D6E88588A67099597B486D2505353C21746D7C4D885BBD6870CD6
3840	BatteryBarSetup-3.6.6.exe	C:\Program Files\BatteryBar\ShowBatteryBar.exe		executable
		MD5:EB00A4E988042F2CB4855ED1ABB5B5BA	SHA256:2865C4D027DE4D835273798B0897F929B118DDE20D94C4B433BD1370BEA140D8

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4612	explorer.exe	POST	200	74.48.138.167:80	http://osirisdevelopment.com/LicenseManager/license.php	unknown	—	—	unknown
4864	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
4864	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
4452	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
6024	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
2944	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
2536	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
2536	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
—	—	POST	200	74.48.138.167:80	http://osirisdevelopment.com/LicenseManager/license.php	unknown	—	—	unknown
4656	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4656	SearchApp.exe	92.123.104.52:443	r.bing.com	Akamai International B.V.	DE	unknown
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2868	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2456	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2536	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2536	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
2536	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3040	OfficeClickToRun.exe	52.168.112.66:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4656	SearchApp.exe	92.123.104.42:443	—	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
self.events.data.microsoft.com	52.168.112.66 20.189.173.11	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.32.140 20.190.160.20 40.126.32.136 40.126.32.68 20.190.160.17 40.126.32.72 40.126.32.74 40.126.32.138 20.190.159.71 20.190.159.23 40.126.31.73 20.190.159.73 20.190.159.4 20.190.159.2 40.126.31.69 40.126.31.71	whitelisted
r.bing.com	92.123.104.5 92.123.104.4 92.123.104.11 92.123.104.66 92.123.104.67 92.123.104.9 92.123.104.7 92.123.104.6 92.123.104.8 92.123.104.57 92.123.104.52 92.123.104.58 92.123.104.43 92.123.104.51 92.123.104.59 92.123.104.46 92.123.104.54 92.123.104.50	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
osirisdevelopment.com	74.48.138.167	unknown
slscr.update.microsoft.com	13.85.23.86	whitelisted

Threats

Found threats are available for the paid subscriptions

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

BatteryBarSetup-3.6.6.exe

92CBB10DC644D331CFA47F8744AB2ED0

5750A8FC66C9C7B1F062D25272AE055CFE55206C

1054A4D1327E9E79B93F84F07144D4F55933F51A5C62F5FDA77A40469A6F5828

49152:7BgweMAa+CVmIQCubvMF7t+3jsHMqhxPsh7r3sZlAQhIrQAm0w+iRX+KQmOak8et:7B3eCsIQ3vMJsTsHMqhxPsh7r3sZlAQE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Creates/Modifies COM task schedule object

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Creates a software uninstall entry

The process executes via Task Scheduler

INFO

Create files in a temporary directory

Creates files in the program directory

Reads security settings of Internet Explorer

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Manual execution by a user

Reads the machine GUID from the registry

Disables trace logs

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings