File name:

aTube_Catcher_v2.85.22.93.94.3.exe

Full analysis: https://app.any.run/tasks/1707e4f2-33aa-4e4d-b887-55ed15ce0e38
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: July 19, 2025, 18:26:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
netreactor
arch-exec
loader
auto-reg
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

BF1C147CA45943073D8B02CE2491E787

SHA1:

EBEEA33EF69B6002504EE42C04D7B2ED44B312FF

SHA256:

504EC3E3B3C8D6D294CED5EC1CF840F2B973AB823A47D167800E51CFA635AF47

SSDEEP:

24576:vKAeRQi7A0S+K7VQy6yXiJC0ABKPamoLi+t9RQAP1Ehl3qw0S+K7VQy6yXiJC0Av:vLemmA0S+K7VQy6yXiJC0ABKXii+t9RY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • aTube_Catcher.tmp (PID: 7224)

    • Changes the autorun value in the registry

      • rundll32.exe (PID: 5496)
      • instup.exe (PID: 5288)

    • Executing a file with an untrusted certificate

      • eWorker.exe (PID: 1588)

    • Starts Visual C# compiler

      • WeatherZero.exe (PID: 7920)

  • SUSPICIOUS

    • Adds/modifies Windows certificates

      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)
      • saBSI.exe (PID: 7884)
      • servicehost.exe (PID: 6832)

    • Reads security settings of Internet Explorer

      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)
      • WZSetup.exe (PID: 6840)
      • saBSI.exe (PID: 7884)
      • saBSI.exe (PID: 2524)
      • WeatherZero.exe (PID: 7920)
      • aTube_Catcher.tmp (PID: 7224)
      • installer.exe (PID: 7620)
      • uihost.exe (PID: 8396)
      • saBSI.exe (PID: 7524)
      • saBSI.exe (PID: 9028)

    • Executable content was dropped or overwritten

      • WZSetup.exe (PID: 6840)
      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)
      • saBSI.exe (PID: 7884)
      • WZSetup.exe (PID: 7728)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7848)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5548)
      • aTube_Catcher.tmp (PID: 7224)
      • svchost.exe (PID: 2064)
      • aTube_Catcher.exe (PID: 4104)
      • saBSI.exe (PID: 2524)
      • Instup.exe (PID: 7188)
      • rundll32.exe (PID: 5496)
      • csc.exe (PID: 7220)
      • installer.exe (PID: 7620)
      • installer.exe (PID: 7768)
      • saBSI.exe (PID: 7524)
      • saBSI.exe (PID: 9028)

    • Executes as Windows Service

      • WeatherZeroService.exe (PID: 6376)
      • PresentationFontCache.exe (PID: 6036)
      • servicehost.exe (PID: 6832)

    • Creates a software uninstall entry

      • WZSetup.exe (PID: 6840)
      • installer.exe (PID: 7620)
      • servicehost.exe (PID: 6832)

    • Searches for installed software

      • WZSetup.exe (PID: 6840)
      • updater.exe (PID: 9036)

    • Reads the Windows owner or organization settings

      • aTube_Catcher.tmp (PID: 7224)

    • Process drops legitimate windows executable

      • aTube_Catcher.tmp (PID: 7224)
      • installer.exe (PID: 7620)

    • Uses TASKKILL.EXE to kill process

      • aTube_Catcher.tmp (PID: 7224)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 7736)
      • regsvr32.exe (PID: 5496)
      • regsvr32.exe (PID: 7672)
      • regsvr32.exe (PID: 7152)
      • regsvr32.exe (PID: 6304)
      • regsvr32.exe (PID: 2320)
      • regsvr32.exe (PID: 1588)
      • regsvr32.exe (PID: 7732)
      • regsvr32.exe (PID: 7172)
      • regsvr32.exe (PID: 7920)
      • regsvr32.exe (PID: 7444)
      • regsvr32.exe (PID: 5284)
      • regsvr32.exe (PID: 7248)
      • regsvr32.exe (PID: 7584)
      • regsvr32.exe (PID: 7620)
      • regsvr32.exe (PID: 7580)
      • regsvr32.exe (PID: 4836)
      • regsvr32.exe (PID: 7424)
      • regsvr32.exe (PID: 7600)
      • regsvr32.exe (PID: 1964)
      • regsvr32.exe (PID: 6720)
      • regsvr32.exe (PID: 7696)
      • regsvr32.exe (PID: 7776)
      • regsvr32.exe (PID: 7768)
      • installer.exe (PID: 7620)

    • The process verifies whether the antivirus software is installed

      • saBSI.exe (PID: 2524)
      • installer.exe (PID: 7768)
      • installer.exe (PID: 7620)
      • servicehost.exe (PID: 6832)
      • uihost.exe (PID: 8396)
      • instup.exe (PID: 5288)
      • updater.exe (PID: 9036)
      • cmd.exe (PID: 9168)
      • cmd.exe (PID: 9116)
      • saBSI.exe (PID: 9028)

    • There is functionality for taking screenshot (YARA)

      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7848)

    • Uses .NET C# to load dll

      • WeatherZero.exe (PID: 7920)

    • Starts itself from another location

      • Instup.exe (PID: 7188)

    • Checks for external IP

      • svchost.exe (PID: 2200)
      • WeatherZero.exe (PID: 7920)

    • The process creates files with name similar to system file names

      • installer.exe (PID: 7620)

    • Reads Mozilla Firefox installation path

      • servicehost.exe (PID: 6832)
      • uihost.exe (PID: 8396)

    • Process checks presence of unattended files

      • instup.exe (PID: 5288)

    • Starts CMD.EXE for commands execution

      • updater.exe (PID: 9036)

  • INFO

    • Checks proxy server information

      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)
      • WZSetup.exe (PID: 6840)
      • saBSI.exe (PID: 7884)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5548)
      • Instup.exe (PID: 7188)
      • saBSI.exe (PID: 2524)
      • WeatherZero.exe (PID: 7920)
      • instup.exe (PID: 5288)
      • slui.exe (PID: 4768)
      • saBSI.exe (PID: 7524)
      • saBSI.exe (PID: 9028)

    • Disables trace logs

      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)
      • WeatherZero.exe (PID: 7920)

    • Reads the machine GUID from the registry

      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)
      • saBSI.exe (PID: 7884)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7848)
      • saBSI.exe (PID: 2524)
      • WZSetup.exe (PID: 6840)
      • WeatherZeroService.exe (PID: 6348)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5548)
      • Instup.exe (PID: 7188)
      • WeatherZeroService.exe (PID: 6376)
      • WeatherZero.exe (PID: 7920)
      • cvtres.exe (PID: 7472)
      • csc.exe (PID: 7220)
      • PresentationFontCache.exe (PID: 6036)
      • instup.exe (PID: 5288)
      • installer.exe (PID: 7620)
      • servicehost.exe (PID: 6832)
      • uihost.exe (PID: 8396)
      • saBSI.exe (PID: 7524)
      • saBSI.exe (PID: 9028)
      • updater.exe (PID: 9036)

    • .NET Reactor protector has been detected

      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)

    • Creates files or folders in the user directory

      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)
      • WeatherZero.exe (PID: 7920)

    • Reads the software policy settings

      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)
      • saBSI.exe (PID: 7884)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7848)
      • WZSetup.exe (PID: 6840)
      • saBSI.exe (PID: 2524)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5548)
      • Instup.exe (PID: 7188)
      • WeatherZero.exe (PID: 7920)
      • installer.exe (PID: 7620)
      • servicehost.exe (PID: 6832)
      • uihost.exe (PID: 8396)
      • instup.exe (PID: 5288)
      • slui.exe (PID: 4768)
      • saBSI.exe (PID: 7524)
      • updater.exe (PID: 9036)
      • saBSI.exe (PID: 9028)

    • Application launched itself

      • msedge.exe (PID: 4820)
      • msedge.exe (PID: 4700)
      • msedge.exe (PID: 2492)

    • Manual execution by a user

      • msedge.exe (PID: 4700)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7440)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7764)
      • WZSetup.exe (PID: 1468)
      • WZSetup.exe (PID: 7728)
      • grpconv.exe (PID: 4684)
      • saBSI.exe (PID: 6308)
      • saBSI.exe (PID: 7524)

    • Checks supported languages

      • identity_helper.exe (PID: 7732)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7848)
      • WZSetup.exe (PID: 6840)
      • saBSI.exe (PID: 7884)
      • saBSI.exe (PID: 2524)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7764)
      • WeatherZeroService.exe (PID: 1964)
      • WeatherZeroService.exe (PID: 6376)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5548)
      • WZSetup.exe (PID: 7728)
      • WeatherZeroService.exe (PID: 6348)
      • Instup.exe (PID: 7188)
      • aTube_Catcher.tmp (PID: 7224)
      • aTube_Catcher.exe (PID: 4104)
      • eWorker.exe (PID: 1588)
      • WeatherZero.exe (PID: 7920)
      • csc.exe (PID: 7220)
      • cvtres.exe (PID: 7472)
      • instup.exe (PID: 5288)
      • saBSI.exe (PID: 7524)
      • PresentationFontCache.exe (PID: 6036)
      • installer.exe (PID: 7620)
      • installer.exe (PID: 7768)
      • servicehost.exe (PID: 6832)
      • uihost.exe (PID: 8396)
      • sbr.exe (PID: 8968)
      • updater.exe (PID: 9036)
      • saBSI.exe (PID: 9028)

    • Reads Environment values

      • identity_helper.exe (PID: 7732)
      • Instup.exe (PID: 7188)
      • instup.exe (PID: 5288)

    • Reads the computer name

      • identity_helper.exe (PID: 7732)
      • saBSI.exe (PID: 7884)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7848)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7764)
      • saBSI.exe (PID: 2524)
      • WZSetup.exe (PID: 6840)
      • WZSetup.exe (PID: 7728)
      • WeatherZeroService.exe (PID: 1964)
      • WeatherZeroService.exe (PID: 6348)
      • WeatherZeroService.exe (PID: 6376)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5548)
      • Instup.exe (PID: 7188)
      • aTube_Catcher.tmp (PID: 7224)
      • eWorker.exe (PID: 1588)
      • WeatherZero.exe (PID: 7920)
      • instup.exe (PID: 5288)
      • saBSI.exe (PID: 7524)
      • PresentationFontCache.exe (PID: 6036)
      • installer.exe (PID: 7620)
      • servicehost.exe (PID: 6832)
      • updater.exe (PID: 9036)
      • saBSI.exe (PID: 9028)
      • uihost.exe (PID: 8396)

    • Create files in a temporary directory

      • svchost.exe (PID: 2064)
      • WZSetup.exe (PID: 6840)
      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)
      • WZSetup.exe (PID: 7728)
      • aTube_Catcher.tmp (PID: 7224)
      • aTube_Catcher.exe (PID: 4104)
      • saBSI.exe (PID: 2524)
      • regsvr32.exe (PID: 7600)
      • WeatherZero.exe (PID: 7920)
      • csc.exe (PID: 7220)
      • cvtres.exe (PID: 7472)
      • installer.exe (PID: 7620)
      • saBSI.exe (PID: 9028)

    • Creates files in the program directory

      • saBSI.exe (PID: 7884)
      • WZSetup.exe (PID: 6840)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5548)
      • Instup.exe (PID: 7188)
      • aTube_Catcher.tmp (PID: 7224)
      • saBSI.exe (PID: 2524)
      • installer.exe (PID: 7620)
      • installer.exe (PID: 7768)
      • servicehost.exe (PID: 6832)
      • uihost.exe (PID: 8396)
      • saBSI.exe (PID: 7524)
      • instup.exe (PID: 5288)

    • The sample compiled with english language support

      • aTube_Catcher_v2.85.22.93.94.3.exe (PID: 2216)
      • svchost.exe (PID: 2064)
      • WZSetup.exe (PID: 6840)
      • saBSI.exe (PID: 7884)
      • cookie_mmm_irs_ppi_005_888_d.exe (PID: 7848)
      • avast_free_antivirus_setup_online_x64.exe (PID: 5548)
      • aTube_Catcher.tmp (PID: 7224)
      • Instup.exe (PID: 7188)
      • rundll32.exe (PID: 5496)
      • installer.exe (PID: 7620)
      • saBSI.exe (PID: 2524)
      • installer.exe (PID: 7768)
      • saBSI.exe (PID: 7524)

    • Reads CPU info

      • avast_free_antivirus_setup_online_x64.exe (PID: 5548)
      • Instup.exe (PID: 7188)
      • instup.exe (PID: 5288)

    • Reads mouse settings

      • regsvr32.exe (PID: 7152)

    • Creates a software uninstall entry

      • aTube_Catcher.tmp (PID: 7224)

    • Launching a file from a Registry key

      • rundll32.exe (PID: 5496)
      • instup.exe (PID: 5288)

    • Reads the time zone

      • runonce.exe (PID: 7172)

    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 7172)

    • Process checks computer location settings

      • aTube_Catcher.tmp (PID: 7224)
      • servicehost.exe (PID: 6832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:08:25 12:35:42+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 992256
InitializedDataSize: 152064
UninitializedDataSize: -
EntryPoint: 0xf43be
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.92.1.8262
ProductVersionNumber: 1.92.1.8262
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: aTube Installer
CompanyName: -
FileDescription: aTube Installer
FileVersion: 1.92.1.8262
InternalName: aTube.exe
LegalCopyright: Copyright aTube 2022
LegalTrademarks: -
OriginalFileName: aTube.exe
ProductName: aTube Installer
ProductVersion: 1.92.1.8262
AssemblyVersion: 1.92.1.8262
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
251
Monitored processes
111
Malicious processes
18
Suspicious processes
10

Behavior graph

Click at the process to see the details
start drop and start atube_catcher_v2.85.22.93.94.3.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs svchost.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs sabsi.exe cookie_mmm_irs_ppi_005_888_d.exe no specs slui.exe wzsetup.exe cookie_mmm_irs_ppi_005_888_d.exe no specs cookie_mmm_irs_ppi_005_888_d.exe sabsi.exe wzsetup.exe no specs wzsetup.exe weatherzeroservice.exe no specs conhost.exe no specs weatherzeroservice.exe no specs conhost.exe no specs weatherzeroservice.exe no specs avast_free_antivirus_setup_online_x64.exe instup.exe atube_catcher.exe no specs atube_catcher.tmp taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs regsvr32.exe no specs regsvr32.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs rundll32.exe runonce.exe no specs grpconv.exe no specs eworker.exe no specs msedge.exe no specs weatherzero.exe grpconv.exe no specs msedge.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs sabsi.exe no specs presentationfontcache.exe no specs sabsi.exe svchost.exe instup.exe msedge.exe no specs installer.exe installer.exe msedge.exe no specs servicehost.exe uihost.exe no specs sbr.exe no specs sabsi.exe updater.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs atube_catcher_v2.85.22.93.94.3.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
984"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\lame_enc.dll"C:\Windows\SysWOW64\regsvr32.exeaTube_Catcher.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
984"C:\Windows\System32\grpconv.exe" -oC:\Windows\SysWOW64\grpconv.exerunonce.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1300"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5152,i,9861216872785352056,12713035596426644759,262144 --variations-seed-version --mojo-platform-channel-handle=7132 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1468"C:\Users\admin\Desktop\WZSetup.exe" C:\Users\admin\Desktop\WZSetup.exeexplorer.exe
User:
admin
Company:
Weather Zero
Integrity Level:
MEDIUM
Description:
WeatherZero
Exit code:
3221226540
Version:
1.0.0.9
Modules
Images
c:\users\admin\desktop\wzsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1588"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\ExGrid.dll"C:\Windows\SysWOW64\regsvr32.exeaTube_Catcher.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1588"C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\eWorker.exe" /RegServerC:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\eWorker.exeaTube_Catcher.tmp
User:
admin
Company:
DsNET Corp.
Integrity Level:
HIGH
Description:
Helps aTube Catcher to independently run other tasks.
Exit code:
0
Version:
2.00.0125
Modules
Images
c:\program files (x86)\dsnet corp\atube catcher 2.0\eworker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
1964"C:\Program Files (x86)\WeatherZero\WeatherZeroService.exe" installC:\Program Files (x86)\WeatherZero\WeatherZeroService.exeWZSetup.exe
User:
admin
Company:
Weather Information Service
Integrity Level:
HIGH
Description:
Weather Delivery Service
Exit code:
0
Version:
1.0.0.9
Modules
Images
c:\program files (x86)\weatherzero\weatherzeroservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1964"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files (x86)\DsNET Corp\aTube Catcher 2.0\DSNCLiteTimer.dll"C:\Windows\SysWOW64\regsvr32.exeaTube_Catcher.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2064C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITSC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2192"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=6652,i,9861216872785352056,12713035596426644759,262144 --variations-seed-version --mojo-platform-channel-handle=1516 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
103 973
Read events
99 452
Write events
4 371
Delete events
150

Modification events

(PID) Process:(2216) aTube_Catcher_v2.85.22.93.94.3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\aTube_Catcher_v2_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2216) aTube_Catcher_v2.85.22.93.94.3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\aTube_Catcher_v2_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2216) aTube_Catcher_v2.85.22.93.94.3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\aTube_Catcher_v2_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2216) aTube_Catcher_v2.85.22.93.94.3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\aTube_Catcher_v2_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2216) aTube_Catcher_v2.85.22.93.94.3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\aTube_Catcher_v2_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2216) aTube_Catcher_v2.85.22.93.94.3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\aTube_Catcher_v2_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2216) aTube_Catcher_v2.85.22.93.94.3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\aTube_Catcher_v2_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2216) aTube_Catcher_v2.85.22.93.94.3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\aTube_Catcher_v2_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2216) aTube_Catcher_v2.85.22.93.94.3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\aTube_Catcher_v2_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2216) aTube_Catcher_v2.85.22.93.94.3.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\aTube_Catcher_v2_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
158
Suspicious files
471
Text files
904
Unknown types
0

Dropped files

PID
Process
Filename
Type
2216aTube_Catcher_v2.85.22.93.94.3.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB21C1B17C45072B190F0A4B65D95F99_38F61414E9EDFC91A41218E8674E926Dbinary
MD5:501E4C60F4B98045DBCC2A21550741AC
SHA256:A002397D14FB30DAEFA09E91355C442BF8EF58822BC34AEAE4293460BFF31048
2216aTube_Catcher_v2.85.22.93.94.3.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54C62B182F5BF07FA8427C07B0A3AAF8_C0FCA017E5E8DC85A76F14D75ABCD153binary
MD5:035A85506464C0B7CF9B58EFBE171AEF
SHA256:D38C9A1DBD46EED0193C1EDDA2C1B372E5EA17AB1AE37C2AD9E0B39D0A896B3F
4700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF1916ba.TMPtext
MD5:B936D341FF5FF88DD93C57E66FBE2F0C
SHA256:E45649D6492C9DD7D008C538BCBC9FC04B1B5F52C8CC875D9A3D44BDB2270E62
2216aTube_Catcher_v2.85.22.93.94.3.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\009879608CAFAEA3D83BD836A5260DFF_494C964ABB8DFAE54253C96871A2D7F3binary
MD5:C87C1FD216844A468BDB164B19F657F6
SHA256:2175D828AE00A7A4B6B5B1ACA071BDE8A07CFF1D24A92D9DE8202B5F9AB588A8
2216aTube_Catcher_v2.85.22.93.94.3.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77CF52543AB0ECD9BF6546AAF6AC33DBbinary
MD5:30B422749DE52F643D0B82F4FA0EEC08
SHA256:78E1550525BD380B406698087A3D001970FC6E962F9C355BD999663903162DE9
4700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1916da.TMP
MD5:
SHA256:
4700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
4700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1916ca.TMP
MD5:
SHA256:
4700msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
2216aTube_Catcher_v2.85.22.93.94.3.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB21C1B17C45072B190F0A4B65D95F99_38F61414E9EDFC91A41218E8674E926Dbinary
MD5:5BFA51F3A417B98E7443ECA90FC94703
SHA256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
332
TCP/UDP connections
263
DNS requests
394
Threats
26

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
108.138.34.226:443
https://d2xallnh7vf4dd.cloudfront.net/config/aTube/v2.85.22.93.94.3
unknown
POST
400
40.126.31.3:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.31.3:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
GET
200
108.138.34.42:443
https://d2xallnh7vf4dd.cloudfront.net/assets/schema/1.0/schema.xsd
unknown
POST
200
108.138.34.226:443
https://d2xallnh7vf4dd.cloudfront.net/sec
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5708
svchost.exe
20.190.159.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.174
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.18
  • 23.216.77.22
  • 23.216.77.20
  • 23.216.77.25
  • 23.216.77.28
  • 2.16.241.12
  • 2.16.241.14
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.159.130
  • 40.126.31.2
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.129
  • 20.190.159.64
  • 20.190.159.4
  • 40.126.31.130
whitelisted
d2xallnh7vf4dd.cloudfront.net
  • 108.138.34.174
  • 108.138.34.226
  • 108.138.34.222
  • 108.138.34.42
whitelisted
sslcom.ocsp-certum.com
  • 2.21.239.27
  • 2.21.239.21
whitelisted
ocsps.ssl.com
  • 108.138.36.71
  • 108.138.36.51
  • 108.138.36.22
  • 108.138.36.12
whitelisted
crls.ssl.com
  • 54.230.228.50
  • 54.230.228.45
  • 54.230.228.3
  • 54.230.228.68
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted

Threats

PID
Process
Class
Message
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
5988
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5988
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5988
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5988
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
Generic Protocol Command Decode
SURICATA HTTP Request unrecognized authorization method
Process
Message
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\aTube_Catcher_files\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\aTube_Catcher_files\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\aTube_Catcher_files\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\aTube_Catcher_files\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe
NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\aTube_Catcher_files\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\aTube_Catcher_files\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe
NCPrivateLoadAndValidateMPTDll: Looking in current directory
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
aTube_Catcher_v2.85.22.93.94.3.exe