File name:

savsetupg_direct-sysweb_hp_menu.exe

Full analysis: https://app.any.run/tasks/efc9d6b4-6e01-4204-9092-b2dad01b1561
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: May 03, 2025, 01:40:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
adware
delphi
inno
installer
loader
auto-sch
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:

1E0497CE4F1056DCFFBABE9ADF2040E7

SHA1:

04710E5C680DB6C39BD47069662C35A4C2713054

SHA256:

28B6CEB118FD2E4A990C3A027F074E13633D61C29B663E8284D954561003B2DA

SSDEEP:

393216:tB38aq0rGzdq1auTZa8p44nsMerr8KnhLad+GWFN:tB3Fq0Yd/t8p444rr84aYN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 2240)
      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)
      • net.exe (PID: 1328)
      • net.exe (PID: 872)
      • net.exe (PID: 5228)
      • endpoint-protection-installer.tmp (PID: 2504)
      • net.exe (PID: 924)
      • net.exe (PID: 6564)
      • net.exe (PID: 1096)
      • net.exe (PID: 5576)
      • net.exe (PID: 4740)
      • net.exe (PID: 6108)
      • net.exe (PID: 3900)
      • net.exe (PID: 3620)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 7052)
      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)

    • Executable content was dropped or overwritten

      • savsetupg_direct-sysweb_hp_menu.exe (PID: 6264)
      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)
      • endpoint-protection-installer.exe (PID: 720)
      • endpoint-protection-installer.tmp (PID: 2504)

    • There is functionality for taking screenshot (YARA)

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)

    • Adds/modifies Windows certificates

      • certutil.exe (PID: 4180)
      • certutil.exe (PID: 4528)

    • Windows service management via SC.EXE

      • sc.exe (PID: 2416)
      • sc.exe (PID: 6964)
      • sc.exe (PID: 6752)
      • sc.exe (PID: 5072)
      • sc.exe (PID: 3304)
      • sc.exe (PID: 6392)
      • sc.exe (PID: 6828)
      • sc.exe (PID: 5188)
      • sc.exe (PID: 3012)
      • sc.exe (PID: 3396)
      • sc.exe (PID: 6652)
      • sc.exe (PID: 2240)
      • sc.exe (PID: 4152)
      • sc.exe (PID: 5044)

    • Stops a currently running service

      • sc.exe (PID: 6300)
      • sc.exe (PID: 1300)
      • sc.exe (PID: 4608)

    • Uses TASKKILL.EXE to kill process

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)
      • cmd.exe (PID: 1300)

    • Process drops legitimate windows executable

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)

    • Drops a system driver (possible attempt to evade defenses)

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)
      • endpoint-protection-installer.tmp (PID: 2504)

    • Starts CMD.EXE for commands execution

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)

    • Reads the Windows owner or organization settings

      • endpoint-protection-installer.tmp (PID: 2504)

    • Starts SC.EXE for service management

      • endpoint-protection-installer.tmp (PID: 2504)

  • INFO

    • Checks supported languages

      • savsetupg_direct-sysweb_hp_menu.exe (PID: 6264)
      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 7052)
      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)
      • endpoint-protection-installer.exe (PID: 720)
      • endpoint-protection-installer.tmp (PID: 2504)

    • Process checks computer location settings

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 7052)
      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)

    • Create files in a temporary directory

      • savsetupg_direct-sysweb_hp_menu.exe (PID: 6264)
      • endpoint-protection-installer.exe (PID: 720)
      • endpoint-protection-installer.tmp (PID: 2504)

    • Reads the computer name

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 7052)
      • endpoint-protection-installer.tmp (PID: 2504)

    • Detects InnoSetup installer (YARA)

      • savsetupg_direct-sysweb_hp_menu.exe (PID: 6872)
      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)
      • savsetupg_direct-sysweb_hp_menu.exe (PID: 6264)
      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 7052)
      • endpoint-protection-installer.exe (PID: 720)
      • endpoint-protection-installer.tmp (PID: 2504)

    • Creates files in the program directory

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)
      • endpoint-protection-installer.tmp (PID: 2504)

    • Compiled with Borland Delphi (YARA)

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 7052)
      • savsetupg_direct-sysweb_hp_menu.exe (PID: 6264)
      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)
      • savsetupg_direct-sysweb_hp_menu.exe (PID: 6872)
      • endpoint-protection-installer.tmp (PID: 2504)
      • endpoint-protection-installer.exe (PID: 720)

    • The sample compiled with english language support

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)
      • endpoint-protection-installer.tmp (PID: 2504)

    • Uses Task Scheduler to autorun other applications (AUTOMATE)

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)

    • SQLite executable

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)

    • Creates files or folders in the user directory

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)

    • Creates a software uninstall entry

      • savsetupg_direct-sysweb_hp_menu.tmp (PID: 6372)

    • Reads the machine GUID from the registry

      • endpoint-protection-installer.tmp (PID: 2504)

    • Checks proxy server information

      • endpoint-protection-installer.tmp (PID: 2504)
      • slui.exe (PID: 3332)

    • Manual execution by a user

      • sysav.exe (PID: 5392)

    • Reads the software policy settings

      • slui.exe (PID: 3332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 14:54:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 465920
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.1001.6148
ProductVersionNumber: 1.0.1001.6148
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Systweak
FileDescription: Systweak Antivirus Setup
FileVersion: 1.0.1001.6148
LegalCopyright: Copyright © 2024 Systweak Software, All rights reserved
OriginalFileName: savsetupipg_.exe
ProductName: Systweak Antivirus
ProductVersion: 1.0.1001.6148
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
250
Monitored processes
122
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start savsetupg_direct-sysweb_hp_menu.exe savsetupg_direct-sysweb_hp_menu.tmp no specs savsetupg_direct-sysweb_hp_menu.exe savsetupg_direct-sysweb_hp_menu.tmp no specs net.exe no specs conhost.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs slui.exe cmd.exe no specs conhost.exe no specs taskkill.exe no specs schtasks.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs sysav.exe no specs endpoint-protection-installer.exe endpoint-protection-installer.tmp fltmc.exe no specs conhost.exe no specs fltmc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs sc.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
632"schtasks" /Create /F /RL Highest /SC ONLOGON /TN "Systweak Antivirus_startup" /TR "'C:\Program Files (x86)\Systweak Antivirus\configuration\sysav.exe' autolaunch"C:\Windows\SysWOW64\schtasks.exesavsetupg_direct-sysweb_hp_menu.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
632\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
684\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
720"C:\Program Files (x86)\Systweak Antivirus\configuration\endpoint-protection-installer.exe" /dir="C:\Program Files (x86)\Systweak Antivirus\configuration\Endpoint Protection SDK" /AppData="C:\ProgramData\Systweak\Systweak Antivirus\Endpoint Protection SDK" /license="C:\Program Files (x86)\Systweak Antivirus\configuration\avira3000000035.lic" /WscAppName="Systweak Antivirus" /UiPath="C:\Program Files (x86)\Systweak Antivirus\configuration\syswsc.exe" /Config="C:\Program Files (x86)\Systweak Antivirus\configuration\AVEPPInstall_B2C.json" /UpdateAfterInstall=off /VERYSILENT /SuppressMsgBoxes /NoRestart /Telemetry=off /repairSdkC:\Program Files (x86)\Systweak Antivirus\configuration\endpoint-protection-installer.exe
savsetupg_direct-sysweb_hp_menu.tmp
User:
admin
Company:
Avira Operations GmbH & Co. KG
Integrity Level:
HIGH
Description:
Endpoint Protection SDK Setup
Version:
1.0.2310.1278
Modules
Images
c:\program files (x86)\systweak antivirus\configuration\endpoint-protection-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
736C:\WINDOWS\system32\net1 stop EndpointProtectionServiceC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
856\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
864\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
872"net.exe" stop rtp_traverseC:\Windows\System32\net.exeendpoint-protection-installer.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
924"net.exe" stop netprotection_network_filterC:\Windows\System32\net.exeendpoint-protection-installer.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
968C:\WINDOWS\system32\net1 stop rtp_filesystem_filterC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
Total events
5 002
Read events
4 872
Write events
120
Delete events
10

Modification events

(PID) Process:(6372) savsetupg_direct-sysweb_hp_menu.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Systweak\Systweak Antivirus
Operation:writeName:TELNO
Value:
(PID) Process:(6372) savsetupg_direct-sysweb_hp_menu.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Systweak\Systweak Antivirus
Operation:writeName:TELNO
Value:
(PID) Process:(6372) savsetupg_direct-sysweb_hp_menu.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Systweak\Systweak Antivirus
Operation:writeName:isphone
Value:
0
(PID) Process:(6372) savsetupg_direct-sysweb_hp_menu.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Systweak\Systweak Antivirus
Operation:writeName:isphone
Value:
0
(PID) Process:(6372) savsetupg_direct-sysweb_hp_menu.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Systweak\Systweak Antivirus
Operation:writeName:issilent
Value:
1
(PID) Process:(6372) savsetupg_direct-sysweb_hp_menu.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Systweak\Systweak Antivirus
Operation:writeName:issilent
Value:
1
(PID) Process:(6372) savsetupg_direct-sysweb_hp_menu.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Systweak\Systweak Antivirus
Operation:writeName:CplURL
Value:
https://antivirus.systweak.com
(PID) Process:(6372) savsetupg_direct-sysweb_hp_menu.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Systweak\Systweak Antivirus
Operation:writeName:CplURL
Value:
https://antivirus.systweak.com
(PID) Process:(6372) savsetupg_direct-sysweb_hp_menu.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Systweak\Systweak Antivirus
Operation:writeName:GA
Value:
1
(PID) Process:(6372) savsetupg_direct-sysweb_hp_menu.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Systweak\Systweak Antivirus
Operation:writeName:GA
Value:
1
Executable files
248
Suspicious files
627
Text files
334
Unknown types
0

Dropped files

PID
Process
Filename
Type
6372savsetupg_direct-sysweb_hp_menu.tmpC:\ProgramData\Systweak\Systweak Antivirus\Setups\endpoint-protection-installer.exe
MD5:
SHA256:
6264savsetupg_direct-sysweb_hp_menu.exeC:\Users\admin\AppData\Local\Temp\is-H7KKT.tmp\savsetupg_direct-sysweb_hp_menu.tmpexecutable
MD5:4A574975A24EE8DE273D56D58F44298A
SHA256:A3134AD77E514BE47F8A24258860C9BE72666BEF75C354A0CF2096D4BB595920
6372savsetupg_direct-sysweb_hp_menu.tmpC:\Users\admin\AppData\Local\Temp\is-47TBP.tmp\_isetup\_setup64.tmpexecutable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6372savsetupg_direct-sysweb_hp_menu.tmpC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\epsdk[1].asptext
MD5:9B309562A13A80ACC8C686C7A5B2D831
SHA256:41CECD08FD02680732F079FB95FCDE9671790A19FB110EF206CD178F635160F8
6372savsetupg_direct-sysweb_hp_menu.tmpC:\ProgramData\Systweak\Systweak Antivirus\Setups\avira3000000035.licbinary
MD5:6162D8D86DF96FC0CED418EC00E6D23C
SHA256:8612FE758AF11E308A34E55B8BC99D51903D2A60652E725D7809AEDBDCDA33E5
6372savsetupg_direct-sysweb_hp_menu.tmpC:\ProgramData\Systweak\Systweak Antivirus\Setups\MessageRpc.Net.dllexecutable
MD5:F004DD252B384A7C093A83BEDC017180
SHA256:478C3ECDD222074AD06630B6FE1937466A4C2015C36C5A0F5A8B0CF2CBAA8733
6372savsetupg_direct-sysweb_hp_menu.tmpC:\ProgramData\Systweak\Systweak Antivirus\Setups\EndpointProtectionInterfaces.dllexecutable
MD5:84C8F5E009E9EE5CDCB3341767D00C64
SHA256:D64CDC3135D264E6BEC6CF529077A4643A27D4440495ED4C3B703FF3D85D17B9
6372savsetupg_direct-sysweb_hp_menu.tmpC:\Users\admin\AppData\Local\Temp\is-47TBP.tmp\idp.dllexecutable
MD5:55C310C0319260D798757557AB3BF636
SHA256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
6372savsetupg_direct-sysweb_hp_menu.tmpC:\Program Files (x86)\Systweak Antivirus\configuration\cumfc.exeexecutable
MD5:00CCEC611E47A77CF3617EA7298CFAF2
SHA256:7BCA947B1EFABBF4EF1BBDFF47304E233D5AA4241778E31E9A9FC6DA4047ABAE
6372savsetupg_direct-sysweb_hp_menu.tmpC:\Program Files (x86)\Systweak Antivirus\configuration\is-F4MA5.tmpimage
MD5:62810E1AD363646D941405497FFEBB83
SHA256:486EF1CD0A8EE68B2A44B053CAEA8F120B75188D93D016BD0471373E1D6D5267
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
22
DNS requests
17
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
52.222.214.79:80
http://cdn.systweak.com/setups/t9ep/eppsdk/epsdk.asp
unknown
unknown
HEAD
200
52.222.214.79:80
http://cdn.systweak.com/setups/av/eppkey/avira3000000035.lic
unknown
unknown
HEAD
200
52.222.214.79:80
http://cdn.systweak.com/setups/t9ep/eppsdk/EndpointProtectionClient.Net.dll
unknown
unknown
HEAD
200
52.222.214.79:80
http://cdn.systweak.com/setups/t9ep/eppsdk/EndpointProtectionInterfaces.dll
unknown
unknown
HEAD
200
52.222.214.79:80
http://cdn.systweak.com/setups/t9ep/eppsdk/MessageRpc.Net.dll
unknown
unknown
HEAD
200
52.222.214.79:80
http://cdn.systweak.com/setups/t9ep/eppsdk/x64/endpoint-protection-installer.exe
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
52.222.214.79:80
cdn.systweak.com
AMAZON-02
US
suspicious
20.190.160.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
cdn.systweak.com
  • 52.222.214.79
  • 52.222.214.26
  • 52.222.214.43
  • 52.222.214.36
unknown
login.live.com
  • 20.190.160.3
  • 20.190.160.128
  • 40.126.32.68
  • 20.190.160.132
  • 20.190.160.65
  • 40.126.32.138
  • 20.190.160.64
  • 20.190.160.67
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Inno Download Plugin UA
Potentially Bad Traffic
ET INFO Executable served from Amazon S3
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Inno Download Plugin UA
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Inno Download Plugin UA
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Inno Download Plugin UA
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Inno Download Plugin UA
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Inno Download Plugin UA
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Inno Download Plugin UA
Potentially Bad Traffic
ET INFO Executable served from Amazon S3
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] Inno Download Plugin UA
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
savsetupg_direct-sysweb_hp_menu.exe