File name:

eset_smart_security_premium_live_installer.exe

Full analysis: https://app.any.run/tasks/5e9d87f9-85a2-4c1b-86cb-1cb2d3382bf4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 29, 2024, 14:18:31
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

2E8D9792525A7D89878FDCE5B4D08EE3

SHA1:

C86D8A7EF6D0A342E60C8F53F135690CAAD2F925

SHA256:

4F2EEEE3C09C45E4AFCA4A331263F23B30EEF50B97A010CBAFC7001A63A6ABE7

SSDEEP:

98304:/Jwm4Amt9PBynlg70Hcd9cOakgHxCd9t2rsJuc4BtLdQW6HB4Aacd/qdkcLQnOW2:JMmVrhmIUsCyIAiBmR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 5872)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • eset_smart_security_premium_live_installer.exe (PID: 1216)
      • msiexec.exe (PID: 6672)
    • Executable content was dropped or overwritten

      • eset_smart_security_premium_live_installer.exe (PID: 1216)
      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • drvinst.exe (PID: 2260)
      • ekrn.exe (PID: 5916)
      • drvinst.exe (PID: 4400)
      • drvinst.exe (PID: 1196)
      • drvinst.exe (PID: 4068)
      • drvinst.exe (PID: 5012)
      • drvinst.exe (PID: 3252)
      • drvinst.exe (PID: 628)
    • Reads the Internet Settings

      • eset_smart_security_premium_live_installer.exe (PID: 1216)
    • Reads settings of System Certificates

      • eset_smart_security_premium_live_installer.exe (PID: 4296)
    • The process verifies whether the antivirus software is installed

      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • msiexec.exe (PID: 6672)
      • InstHelper.exe (PID: 5488)
      • drvinst.exe (PID: 2260)
      • efwd.exe (PID: 2384)
      • ekrn.exe (PID: 5916)
      • drvinst.exe (PID: 4400)
      • drvinst.exe (PID: 1196)
      • drvinst.exe (PID: 4068)
      • drvinst.exe (PID: 5012)
      • msiexec.exe (PID: 5872)
      • drvinst.exe (PID: 3252)
      • eComServer.exe (PID: 3608)
    • Connects to unusual port

      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • ekrn.exe (PID: 5916)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 5872)
      • drvinst.exe (PID: 2260)
      • drvinst.exe (PID: 4400)
      • drvinst.exe (PID: 1196)
      • drvinst.exe (PID: 4068)
    • Adds/modifies Windows certificates

      • msiexec.exe (PID: 5872)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 5872)
    • Reads the date of Windows installation

      • msiexec.exe (PID: 6672)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 5872)
      • drvinst.exe (PID: 2260)
      • ekrn.exe (PID: 5916)
      • drvinst.exe (PID: 4400)
      • drvinst.exe (PID: 1196)
      • drvinst.exe (PID: 4068)
      • drvinst.exe (PID: 5012)
      • drvinst.exe (PID: 3252)
      • drvinst.exe (PID: 628)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5872)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 6672)
      • ekrn.exe (PID: 5916)
    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 6672)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 5872)
    • The process creates files with names similar to system file names

      • msiexec.exe (PID: 5872)
    • Executes as Windows Service

      • ekrn.exe (PID: 5916)
      • efwd.exe (PID: 2384)
    • Creates files in the driver directory

      • drvinst.exe (PID: 2260)
      • ekrn.exe (PID: 5916)
      • drvinst.exe (PID: 4400)
      • drvinst.exe (PID: 1196)
      • drvinst.exe (PID: 4068)
      • drvinst.exe (PID: 5012)
      • drvinst.exe (PID: 3252)
      • drvinst.exe (PID: 628)
    • Creates or modifies Windows services

      • ekrn.exe (PID: 5916)
    • Starts POWERSHELL.EXE for commands execution

      • ekrn.exe (PID: 5916)
    • The process hides an interactive prompt from the user

      • ekrn.exe (PID: 5916)
    • Found IP address in command line

      • powershell.exe (PID: 1060)
    • Process requests binary or script from the Internet

      • ekrn.exe (PID: 5916)
  • INFO

    • Creates files in a temporary directory

      • eset_smart_security_premium_live_installer.exe (PID: 1216)
      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • msiexec.exe (PID: 1652)
      • msiexec.exe (PID: 6672)
      • InstHelper.exe (PID: 1496)
    • Reads the computer name

      • eset_smart_security_premium_live_installer.exe (PID: 1216)
      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • msiexec.exe (PID: 5872)
      • msiexec.exe (PID: 1652)
      • msiexec.exe (PID: 6672)
      • InstHelper.exe (PID: 5488)
      • ekrn.exe (PID: 5916)
      • drvinst.exe (PID: 2260)
      • efwd.exe (PID: 2384)
      • drvinst.exe (PID: 4400)
      • drvinst.exe (PID: 1196)
      • drvinst.exe (PID: 4068)
      • drvinst.exe (PID: 3252)
      • eComServer.exe (PID: 3608)
      • InstHelper.exe (PID: 1496)
    • The sample is compiled with English language support

      • eset_smart_security_premium_live_installer.exe (PID: 1216)
      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • msiexec.exe (PID: 1652)
      • msiexec.exe (PID: 5872)
      • msiexec.exe (PID: 6672)
      • drvinst.exe (PID: 2260)
      • ekrn.exe (PID: 5916)
      • drvinst.exe (PID: 4400)
      • drvinst.exe (PID: 1196)
      • drvinst.exe (PID: 4068)
      • drvinst.exe (PID: 5012)
      • drvinst.exe (PID: 3252)
      • drvinst.exe (PID: 628)
    • Checks supported languages

      • eset_smart_security_premium_live_installer.exe (PID: 1216)
      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • BootHelper.exe (PID: 1328)
      • msiexec.exe (PID: 5872)
      • msiexec.exe (PID: 1652)
      • msiexec.exe (PID: 6672)
      • InstHelper.exe (PID: 5488)
      • drvinst.exe (PID: 2260)
      • ekrn.exe (PID: 5916)
      • efwd.exe (PID: 2384)
      • drvinst.exe (PID: 4400)
      • drvinst.exe (PID: 1196)
      • drvinst.exe (PID: 4068)
      • drvinst.exe (PID: 5012)
      • drvinst.exe (PID: 3252)
      • eComServer.exe (PID: 3608)
      • InstHelper.exe (PID: 1496)
      • InstHelper.exe (PID: 6660)
    • The process uses the downloaded file

      • eset_smart_security_premium_live_installer.exe (PID: 1216)
      • msiexec.exe (PID: 6672)
    • Reads the machine GUID from the registry

      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • msiexec.exe (PID: 5872)
      • InstHelper.exe (PID: 5488)
      • drvinst.exe (PID: 2260)
      • efwd.exe (PID: 2384)
      • drvinst.exe (PID: 4400)
      • ekrn.exe (PID: 5916)
      • drvinst.exe (PID: 1196)
      • drvinst.exe (PID: 3252)
      • drvinst.exe (PID: 5012)
      • drvinst.exe (PID: 4068)
    • Reads the software policy settings

      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • msiexec.exe (PID: 5872)
      • drvinst.exe (PID: 2260)
      • drvinst.exe (PID: 4400)
      • drvinst.exe (PID: 1196)
      • drvinst.exe (PID: 4068)
      • ekrn.exe (PID: 5916)
      • drvinst.exe (PID: 628)
    • Reads Environment values

      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • msiexec.exe (PID: 1652)
      • ekrn.exe (PID: 5916)
    • Reads product name

      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • ekrn.exe (PID: 5916)
    • Reads Windows Product ID

      • eset_smart_security_premium_live_installer.exe (PID: 4296)
      • ekrn.exe (PID: 5916)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 5872)
      • ekrn.exe (PID: 5916)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5872)
      • msiexec.exe (PID: 1652)
      • msiexec.exe (PID: 6672)
    • Application launched itself

      • msiexec.exe (PID: 5872)
    • Creates files in the program directory

      • ekrn.exe (PID: 5916)
    • Reads Microsoft Office registry keys

      • ekrn.exe (PID: 5916)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5872)
      • msiexec.exe (PID: 6672)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:07 15:11:18+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.41
CodeSize: 330752
InitializedDataSize: 10334208
UninitializedDataSize: -
EntryPoint: 0x2c7e0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.48.17.0
ProductVersionNumber: 18.0.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: ESET
FileDescription: ESET Live Installer
FileVersion: 10.48.17.0
InternalName: Bootstrapper.exe
LegalCopyright: Copyright (c) ESET, spol. s r.o. 1992-2024. All rights reserved.
LegalTrademarks: NOD, NOD32, AMON, ESET are registered trademarks of ESET.
OriginalFileName: Bootstrapper.exe
ProductName: ESET Security
ProductVersion: 18.0.2.0
No data.
All screenshots are available in the full report
Total processes
144
Monitored processes
26
Malicious processes
14
Suspicious processes
1

Behavior graph

Processes shown in the graph, in the order rendered ("no specs" marks processes for which the graph lists no indicators):

  • eset_smart_security_premium_live_installer.exe
  • eset_smart_security_premium_live_installer.exe
  • boothelper.exe (no specs)
  • msiexec.exe
  • msiexec.exe
  • msiexec.exe
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • insthelper.exe (no specs)
  • conhost.exe (no specs)
  • ekrn.exe
  • drvinst.exe
  • efwd.exe (no specs)
  • drvinst.exe
  • drvinst.exe
  • drvinst.exe
  • drvinst.exe
  • drvinst.exe
  • ecomserver.exe (no specs)
  • drvinst.exe
  • insthelper.exe (no specs)
  • conhost.exe (no specs)
  • insthelper.exe
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
628
CMD:
DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\epfw\epfw.inf" "9" "456eea8cb" "00000000000001AC" "Service-0x0-3e7$\Default" "00000000000001B0" "208" "C:\Program Files\ESET\ESET Security\Drivers\epfw"
Path:
C:\Windows\System32\drvinst.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bcrypt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll
PID:
812
CMD:
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
InstHelper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID:
1060
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command if (((Get-AppxPackage -Name 'EsetContextMenu').length -ne '1') -Or ((Get-AppxPackage -Name 'EsetContextMenu').version -ne '10.48.20.0')) { Get-AppxPackage -Name 'EsetContextMenu' | Remove-AppxPackage; Add-AppxPackage -Path 'C:\Program Files\ESET\ESET Security\EsetContextMenu.msix' -ExternalLocation 'C:\Program Files\ESET\ESET Security\' }
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
ekrn.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1196
CMD:
DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\ekbdflt\ekbdflt.inf" "9" "4f39970b7" "0000000000000174" "Service-0x0-3e7$\Default" "0000000000000158" "208" "C:\Program Files\ESET\ESET Security\Drivers\ekbdflt"
Path:
C:\Windows\System32\drvinst.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID:
1216
CMD:
"C:\Users\admin\Desktop\eset_smart_security_premium_live_installer.exe"
Path:
C:\Users\admin\Desktop\eset_smart_security_premium_live_installer.exe
Parent process:
explorer.exe
User:
admin
Company:
ESET
Integrity Level:
MEDIUM
Description:
ESET Live Installer
Version:
10.48.17.0
Modules
Images
c:\users\admin\desktop\eset_smart_security_premium_live_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID:
1328
CMD:
"C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\BootHelper.exe" --watchdog 4296 --product "ESET Live Installer" 18.0.2.0 1033
Path:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\BootHelper.exe
Parent process:
eset_smart_security_premium_live_installer.exe
User:
admin
Company:
ESET
Integrity Level:
HIGH
Description:
ESET Live Installer
Version:
10.48.17.0
Modules
Images
c:\users\admin\appdata\local\temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\boothelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID:
1496
CMD:
"C:\Users\admin\AppData\Local\Temp\eset.temp\{02D83BBE-1AE6-6EDF-23F8-34CD012362FF}\InstHelper.exe" -sd "C:\Windows\Temp\eset\bts.stats" "ESET Security" "18.0.12.0" "1033"
Path:
C:\Users\admin\AppData\Local\Temp\eset.temp\{02D83BBE-1AE6-6EDF-23F8-34CD012362FF}\InstHelper.exe
Parent process:
msiexec.exe
User:
admin
Company:
ESET
Integrity Level:
HIGH
Description:
ESET Install Helper
Exit code:
0
Version:
10.48.20.0
Modules
Images
c:\users\admin\appdata\local\temp\eset.temp\{02d83bbe-1ae6-6edf-23f8-34cd012362ff}\insthelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID:
1652
CMD:
C:\Windows\System32\MsiExec.exe -Embedding 7D05964101139AF4A17EA8841A1F845B
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
2260
CMD:
DrvInst.exe "4" "9" "C:\Program Files\ESET\ESET Security\Drivers\eelam\eelam.inf" "9" "4d8859be3" "0000000000000168" "Service-0x0-3e7$\Default" "0000000000000178" "208" "C:\Program Files\ESET\ESET Security\Drivers\eelam"
Path:
C:\Windows\System32\drvinst.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID:
2384
CMD:
"C:\Program Files\ESET\ESET Security\efwd.exe"
Path:
C:\Program Files\ESET\ESET Security\efwd.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
ESET
Integrity Level:
SYSTEM
Description:
ESET Forwarder
Version:
10.48.20.0
Modules
Images
c:\program files\eset\eset security\efwd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\program files\eset\eset security\protobuflite.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events
48 518
Read events
47 519
Write events
962
Delete events
37

Modification events

(PID) Process:
(1216) eset_smart_security_premium_live_installer.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1

(PID) Process:
(1216) eset_smart_security_premium_live_installer.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1

(PID) Process:
(1216) eset_smart_security_premium_live_installer.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
1

(PID) Process:
(1216) eset_smart_security_premium_live_installer.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
0

(PID) Process:
(4296) eset_smart_security_premium_live_installer.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ESET\ESET Security\CurrentVersion\Plugins\01000400\settings
Operation:
write
Name:
LastUpdateCertTimestamp
Value:
F996765100000000

(PID) Process:
(4296) eset_smart_security_premium_live_installer.exe
Key:
HKEY_CURRENT_USER\Software\ESET\Setup
Operation:
delete value
Name:
CAError
Value:

(PID) Process:
(4296) eset_smart_security_premium_live_installer.exe
Key:
HKEY_CURRENT_USER\Software\ESET\Setup
Operation:
delete value
Name:
CADuration
Value:

(PID) Process:
(5872) msiexec.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:
delete value
Name:
DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
Value:

(PID) Process:
(5872) msiexec.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
Operation:
write
Name:
Blob
Value:

(PID) Process:
(5872) msiexec.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
Operation:
write
Name:
Blob
Value:
Executable files
281
Suspicious files
117
Text files
155
Unknown types
39

Dropped files

PID
Process
Filename
Type
PID:
4296
Process:
eset_smart_security_premium_live_installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\em000_32_l1.dll.nup
Type:
MD5:
SHA256:

PID:
4296
Process:
eset_smart_security_premium_live_installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\em000_32_l2.dll.nup
Type:
MD5:
SHA256:

PID:
4296
Process:
eset_smart_security_premium_live_installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\em045_32_l2.dll.nup
Type:
MD5:
SHA256:

PID:
4296
Process:
eset_smart_security_premium_live_installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\acstest.exe
Type:
executable
MD5:
0E78E89C9F55AD01B72F5BE795B18795
SHA256:
B33C79EE3B195AD49128806A19EAA3721D61CB337481265E0E7294864EE74259

PID:
4296
Process:
eset_smart_security_premium_live_installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\.erm\epi-base.zip
Type:
compressed
MD5:
963CBFE7B2F86694EB72DA30E5827CE5
SHA256:
78E94B38448BCBDDF7FBBDEE46593815F7352BFEC0925DAA01D56F818D899CB8

PID:
1216
Process:
eset_smart_security_premium_live_installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\eset_smart_security_premium_live_installer.exe
Type:
executable
MD5:
E042423B19D722D147B8941DF2D6E7D4
SHA256:
B827CDC99D7C6A7FE5DDE679B058C6D9FFC500BACC206F4666034555B1DAC140

PID:
4296
Process:
eset_smart_security_premium_live_installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\eguiActivationLang.dll
Type:
executable
MD5:
F672FCF56330A5EEC4D1F57419C4CCFD
SHA256:
699541D4AD0FCA7DB2753532C5433CC0AFB8DA865AA35F35AD663F280BDADCD4

PID:
4296
Process:
eset_smart_security_premium_live_installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\plgInstaller.dll
Type:
executable
MD5:
F0BE7B26044A9CF8F948A9F0E1D61F2D
SHA256:
60116FCAA4E27956E474374580A5F579F8F4D91C13F986FC05983311929BDE75

PID:
4296
Process:
eset_smart_security_premium_live_installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\eguiActivation.dll
Type:
executable
MD5:
F09CA35EB1BFFA0C094B947FBA7A4A56
SHA256:
DC426CFFFE5C3CE8012140AB65396A7D232D84BC5BDB508116EBA2B373E1A013

PID:
4296
Process:
eset_smart_security_premium_live_installer.exe
Filename:
C:\Users\admin\AppData\Local\Temp\eset\bts.session\b477bbb4-4d9d-460e-a46e-442634fbb7f3\updater.dll
Type:
executable
MD5:
F3237939965D93C1D111886A40ECB406
SHA256:
17F694BD4456C0B9B49196B485EC62CA36117534F55D8FF15E8F5FB1724EE254
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
113
TCP/UDP connections
80
DNS requests
60
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
88.221.110.216:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted

5324
MoUsoCoreWorker.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e9ffd2b465a6cb5b
unknown
whitelisted

4296
eset_smart_security_premium_live_installer.exe
GET
200
91.228.166.23:80
http://repository.eset.com/v1/connectivity_check
unknown
whitelisted

4204
firefox.exe
POST
200
95.101.54.195:80
http://r11.o.lencr.org/
unknown
whitelisted

4296
eset_smart_security_premium_live_installer.exe
GET
302
91.228.166.23:80
http://repository.eset.com/v1/com/eset/apps/home/security/windows/metadata3
unknown
whitelisted

HEAD
200
23.35.236.109:443
https://fs.microsoft.com/fs/windows/config.json
unknown

4204
firefox.exe
POST
200
95.101.54.211:80
http://r11.o.lencr.org/
unknown
whitelisted

4296
eset_smart_security_premium_live_installer.exe
GET
200
91.228.166.23:80
http://repositorynocdn.eset.com/v1/com/eset/apps/home/security/windows/metadata3.default
unknown
whitelisted

4296
eset_smart_security_premium_live_installer.exe
GET
200
91.228.166.23:80
http://repository.eset.com/v1/com/eset/apps/home/security/windows/v18/18.0.12.0/ehs_nt64.msi.eula/manifest.erm
unknown
whitelisted

4296
eset_smart_security_premium_live_installer.exe
GET
200
91.228.166.23:80
http://repository.eset.com/v1/com/eset/apps/home/security/windows/v18/18.0.12.0/ehs_nt64.msi.eula/eulaenu.html
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown

4204
firefox.exe
34.120.208.123:443
incoming.telemetry.mozilla.org
GOOGLE-CLOUD-PLATFORM
US
whitelisted

4204
firefox.exe
34.149.100.209:443
firefox.settings.services.mozilla.com
GOOGLE
US
whitelisted

256
rundll32.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

5904
OfficeC2RClient.exe
52.109.76.240:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

88.221.110.216:80
Akamai International B.V.
DE
unknown

5324
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

5324
MoUsoCoreWorker.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted

4296
eset_smart_security_premium_live_installer.exe
91.228.166.23:80
repository.eset.com
ESET, spol. s r.o.
SK
whitelisted

5904
OfficeC2RClient.exe
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
whitelisted
google.com
  • 216.58.206.46
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
repository.eset.com
  • 91.228.166.23
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
edf.eset.com
  • 23.99.12.158
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
No debug info