download:

/avast-avg-avira-malwarebytes-spybot2-super/ninite.exe

Full analysis: https://app.any.run/tasks/d767e7ae-7f53-4344-89c0-ae5315877516
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 05, 2025, 13:52:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
delphi
crypto-regex
pecompact
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

4B72F8BB4B22354564CD5E78D04FC298

SHA1:

3B3812A5CD41B7B33AED37A10388C0B83111F024

SHA256:

53DA14851405A462B690C0A4E0E75BA399F3FCC6FC92BCB6C4561001F884AFC3

SSDEEP:

12288:hLVP603RQX2pyf+cnci2N9pKKfyeo+pW1KKRyzE7:lVP60BM2pMUN9keo+c+zE7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • target.tmp (PID: 1244)
    • Uses Task Scheduler to run other applications

      • setup.exe (PID: 7232)
    • Registers / Runs the DLL via REGSVR32.EXE

      • setup.exe (PID: 7232)
      • target.exe (PID: 8188)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • ninite.exe (PID: 4724)
      • Ninite.exe (PID: 2236)
      • Ninite.exe (PID: 7020)
      • SDTray.exe (PID: 1512)
      • SDFSSvc.exe (PID: 6708)
      • SDUpdSvc.exe (PID: 4200)
      • SDUpdate.exe (PID: 6940)
    • Executable content was dropped or overwritten

      • ninite.exe (PID: 4724)
      • target.exe (PID: 6048)
      • target.tmp (PID: 1244)
      • Ninite.exe (PID: 7020)
      • 7zG.exe (PID: 3032)
      • spybotsd2-install-bdcore-update-2023a.exe (PID: 5124)
      • spybotsd2-install-bdcore-update-2023a.tmp (PID: 5020)
      • SDUpdSvc.exe (PID: 4200)
      • avira_en____fm.exe (PID: 3096)
      • Avira.OE.Setup.Bundle.exe (PID: 5528)
      • rundll32.exe (PID: 5236)
      • rundll32.exe (PID: 6676)
      • rundll32.exe (PID: 5232)
      • rundll32.exe (PID: 1696)
      • avira_en____fm.exe (PID: 4748)
      • rundll32.exe (PID: 2136)
      • rundll32.exe (PID: 5344)
      • rundll32.exe (PID: 5124)
      • rundll32.exe (PID: 1600)
      • rundll32.exe (PID: 3332)
      • rundll32.exe (PID: 4728)
      • rundll32.exe (PID: 2092)
      • rundll32.exe (PID: 2660)
      • rundll32.exe (PID: 2152)
      • rundll32.exe (PID: 6388)
      • rundll32.exe (PID: 512)
      • rundll32.exe (PID: 3868)
      • rundll32.exe (PID: 1128)
      • setup.exe (PID: 7232)
      • Avira.ServiceHost.exe (PID: 5124)
      • avira.exe (PID: 7520)
      • Avira.OE.Setup.Bundle.exe (PID: 7648)
      • rundll32.exe (PID: 7908)
      • rundll32.exe (PID: 7852)
      • rundll32.exe (PID: 7188)
      • rundll32.exe (PID: 7976)
      • rundll32.exe (PID: 8096)
      • rundll32.exe (PID: 632)
      • rundll32.exe (PID: 4180)
      • rundll32.exe (PID: 3008)
      • rundll32.exe (PID: 5576)
      • rundll32.exe (PID: 6576)
      • rundll32.exe (PID: 3132)
      • rundll32.exe (PID: 7428)
      • rundll32.exe (PID: 7564)
      • rundll32.exe (PID: 8012)
      • rundll32.exe (PID: 7756)
      • drvinstall64.exe (PID: 7924)
      • rundll32.exe (PID: 668)
      • rundll32.exe (PID: 4728)
      • rundll32.exe (PID: 7424)
      • rundll32.exe (PID: 2136)
      • rundll32.exe (PID: 5048)
      • rundll32.exe (PID: 7320)
      • rundll32.exe (PID: 2092)
      • rundll32.exe (PID: 4276)
      • rundll32.exe (PID: 5400)
      • rundll32.exe (PID: 5164)
      • rundll32.exe (PID: 8020)
      • rundll32.exe (PID: 6464)
      • rundll32.exe (PID: 6072)
      • rundll32.exe (PID: 1228)
      • rundll32.exe (PID: 2644)
      • avira.exe (PID: 7544)
      • rundll32.exe (PID: 1600)
      • rundll32.exe (PID: 7540)
      • update.exe (PID: 2980)
      • rundll32.exe (PID: 2772)
      • rundll32.exe (PID: 6908)
      • rundll32.exe (PID: 6660)
      • rundll32.exe (PID: 1512)
      • rundll32.exe (PID: 672)
      • rundll32.exe (PID: 512)
      • rundll32.exe (PID: 5064)
      • rundll32.exe (PID: 3804)
      • rundll32.exe (PID: 1300)
      • Avira.OE.Setup.Bundle.exe (PID: 8008)
      • Avira.OE.Setup.Bundle.exe (PID: 2392)
      • target.exe (PID: 8188)
      • avg_antivirus_free_setup_offline.exe (PID: 1512)
      • Instup.exe (PID: 5216)
      • SUPERAntiSpyware.exe (PID: 7248)
    • Application launched itself

      • Ninite.exe (PID: 2236)
      • Ninite.exe (PID: 7020)
      • Avira.OE.Setup.Bundle.exe (PID: 2416)
      • Avira.OE.Setup.Bundle.exe (PID: 8008)
      • avscan.exe (PID: 5064)
      • update.exe (PID: 2980)
    • The process verifies whether the antivirus software is installed

      • Ninite.exe (PID: 7020)
      • target.tmp (PID: 1244)
      • SDTray.exe (PID: 1512)
      • SDFSSvc.exe (PID: 6708)
      • SDUpdSvc.exe (PID: 4200)
      • SDUpdate.exe (PID: 6940)
      • SDSpybotLab.exe (PID: 3096)
    • Process drops SQLite DLL files

      • target.tmp (PID: 1244)
    • The process creates files with name similar to system file names

      • target.tmp (PID: 1244)
    • Detected use of alternative data streams (AltDS)

      • target.tmp (PID: 1244)
    • Drops 7-zip archiver for unpacking

      • Ninite.exe (PID: 7020)
    • Creates/Modifies COM task schedule object

      • target.tmp (PID: 1244)
    • Process requests binary or script from the Internet

      • Ninite.exe (PID: 7020)
      • SDUpdSvc.exe (PID: 4200)
      • update.exe (PID: 2980)
    • Drops a system driver (possible attempt to evade defenses)

      • target.tmp (PID: 1244)
      • 7zG.exe (PID: 3032)
      • setup.exe (PID: 7232)
      • drvinstall64.exe (PID: 7924)
      • target.exe (PID: 8188)
    • Creates or modifies Windows services

      • target.tmp (PID: 1244)
      • SDFSSvc.exe (PID: 6708)
      • SDUpdSvc.exe (PID: 4200)
    • Executes as Windows Service

      • SDFSSvc.exe (PID: 6708)
      • SDUpdSvc.exe (PID: 4200)
      • Avira.ServiceHost.exe (PID: 5124)
      • protectedservice.exe (PID: 7392)
      • avguard.exe (PID: 7468)
      • avmailc7.exe (PID: 7516)
      • sched.exe (PID: 2656)
      • Avira.ServiceHost.exe (PID: 4180)
      • SASCore64.exe (PID: 7244)
    • Adds/modifies Windows certificates

      • SDFSSvc.exe (PID: 6708)
    • Reads the Windows owner or organization settings

      • target.tmp (PID: 1244)
    • The process executes via Task Scheduler

      • SDUpdate.exe (PID: 6940)
    • Searches for installed software

      • Ninite.exe (PID: 7020)
    • Found regular expressions for crypto-addresses (YARA)

      • SDFSSvc.exe (PID: 6708)
      • SDUpdSvc.exe (PID: 4200)
    • There is functionality for taking screenshot (YARA)

      • SDFSSvc.exe (PID: 6708)
      • SDUpdSvc.exe (PID: 4200)
      • avira_en____fm.exe (PID: 3096)
      • setup.exe (PID: 7232)
      • avira.exe (PID: 7544)
      • Avira.OE.Setup.Bundle.exe (PID: 7648)
      • avira.exe (PID: 7520)
    • Process drops legitimate windows executable

      • 7zG.exe (PID: 3032)
      • msiexec.exe (PID: 5404)
      • setup.exe (PID: 7232)
      • target.exe (PID: 8188)
      • Instup.exe (PID: 5216)
    • Starts itself from another location

      • avira_en____fm.exe (PID: 4748)
      • avira.exe (PID: 7544)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5404)
      • target.exe (PID: 8188)
      • Instup.exe (PID: 5216)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 1540)
      • schtasks.exe (PID: 3180)
      • schtasks.exe (PID: 3132)
    • Potential Corporate Privacy Violation

      • Ninite.exe (PID: 7020)
    • Starts SC.EXE for service management

      • setup.exe (PID: 7232)
    • Creates a new Windows service

      • sc.exe (PID: 8132)
  • INFO

    • Checks supported languages

      • ninite.exe (PID: 4724)
      • Ninite.exe (PID: 2236)
      • Ninite.exe (PID: 7020)
      • target.tmp (PID: 1244)
      • target.exe (PID: 6048)
      • _setup64.tmp (PID: 536)
      • SDFSSvc.exe (PID: 6708)
      • SDTray.exe (PID: 1512)
      • SDUpdate.exe (PID: 6940)
      • SDSpybotLab.exe (PID: 3096)
      • SDUpdSvc.exe (PID: 4200)
    • The sample compiled with english language support

      • ninite.exe (PID: 4724)
      • target.tmp (PID: 1244)
      • Ninite.exe (PID: 7020)
      • 7zG.exe (PID: 3032)
      • spybotsd2-install-bdcore-update-2023a.tmp (PID: 5020)
      • Avira.OE.Setup.Bundle.exe (PID: 5528)
      • avira_en____fm.exe (PID: 3096)
      • avira_en____fm.exe (PID: 4748)
      • msiexec.exe (PID: 5404)
      • setup.exe (PID: 7232)
      • avira.exe (PID: 7520)
      • Avira.ServiceHost.exe (PID: 5124)
      • Avira.OE.Setup.Bundle.exe (PID: 7648)
      • avira.exe (PID: 7544)
      • drvinstall64.exe (PID: 7924)
      • update.exe (PID: 2980)
      • Avira.OE.Setup.Bundle.exe (PID: 8008)
      • Avira.OE.Setup.Bundle.exe (PID: 2392)
      • target.exe (PID: 8188)
      • avg_antivirus_free_setup_offline.exe (PID: 1512)
      • Instup.exe (PID: 5216)
    • Reads the computer name

      • ninite.exe (PID: 4724)
      • Ninite.exe (PID: 2236)
      • Ninite.exe (PID: 7020)
      • target.tmp (PID: 1244)
      • SDTray.exe (PID: 1512)
      • SDFSSvc.exe (PID: 6708)
      • SDUpdSvc.exe (PID: 4200)
      • SDUpdate.exe (PID: 6940)
      • SDSpybotLab.exe (PID: 3096)
    • Creates files or folders in the user directory

      • ninite.exe (PID: 4724)
      • Ninite.exe (PID: 7020)
    • Checks proxy server information

      • ninite.exe (PID: 4724)
      • Ninite.exe (PID: 7020)
      • SDTray.exe (PID: 1512)
    • Reads the machine GUID from the registry

      • ninite.exe (PID: 4724)
      • Ninite.exe (PID: 7020)
      • SDTray.exe (PID: 1512)
      • SDFSSvc.exe (PID: 6708)
      • SDUpdate.exe (PID: 6940)
      • SDSpybotLab.exe (PID: 3096)
      • SDUpdSvc.exe (PID: 4200)
    • Reads the software policy settings

      • ninite.exe (PID: 4724)
      • Ninite.exe (PID: 7020)
      • SDFSSvc.exe (PID: 6708)
      • SDUpdate.exe (PID: 6940)
      • SDUpdSvc.exe (PID: 4200)
    • Process checks computer location settings

      • Ninite.exe (PID: 2236)
    • Create files in a temporary directory

      • ninite.exe (PID: 4724)
      • target.exe (PID: 6048)
      • target.tmp (PID: 1244)
      • Ninite.exe (PID: 7020)
    • Creates files in the program directory

      • target.tmp (PID: 1244)
      • SDFSSvc.exe (PID: 6708)
      • SDUpdSvc.exe (PID: 4200)
    • The sample compiled with german language support

      • target.tmp (PID: 1244)
      • 7zG.exe (PID: 3032)
      • setup.exe (PID: 7232)
    • Creates a software uninstall entry

      • target.tmp (PID: 1244)
    • Launching a file from a Registry key

      • target.tmp (PID: 1244)
    • Compiled with Borland Delphi (YARA)

      • SDFSSvc.exe (PID: 6708)
      • SDUpdSvc.exe (PID: 4200)
      • setup.exe (PID: 7232)
    • PECompact has been detected (YARA)

      • SDUpdSvc.exe (PID: 4200)
      • SDFSSvc.exe (PID: 6708)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5404)
    • SQLite executable

      • msiexec.exe (PID: 5404)
    • Manual execution by a user

      • SDWelcome.exe (PID: 7984)
      • avgnt.exe (PID: 6576)
      • Avira.Systray.exe (PID: 3872)
      • SUPERAntiSpyware.exe (PID: 7248)
      • SUPERAntiSpyware.exe (PID: 8756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:04:12 00:19:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 233472
InitializedDataSize: 182272
UninitializedDataSize: -
EntryPoint: 0x1a53a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.1.1.1183
ProductVersionNumber: 0.1.1.1183
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Secure By Design Inc.
FileDescription: Ninite
FileVersion: 0,1,1,1183
InternalName: Ninite
LegalCopyright: Copyright (C) 2009 Secure By Design Inc
OriginalFileName: -
ProductName: Ninite
ProductVersion: 0,1,1,1183
No data.
All screenshots are available in the full report
Total processes
304
Monitored processes
166
Malicious processes
18
Suspicious processes
6

Behavior graph

start ninite.exe ninite.exe no specs ninite.exe sppextcomobj.exe no specs slui.exe target.exe target.tmp _setup64.tmp no specs conhost.exe no specs sdtray.exe no specs sdfssvc.exe sdupdsvc.exe sdupdate.exe sdspybotlab.exe 7zg.exe spybotsd2-install-bdcore-update-2023a.exe spybotsd2-install-bdcore-update-2023a.tmp presetup.exe no specs avira_en____fm.exe slui.exe avira_en____fm.exe avira.oe.setup.bundle.exe avira.oe.setup.prerequisites.exe no specs conhost.exe no specs avira.oe.setup.prerequisites.exe no specs conhost.exe no specs msiexec.exe msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe schtasks.exe no specs conhost.exe no specs rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe msiexec.exe no specs rundll32.exe avira.servicehost.exe rundll32.exe rundll32.exe rundll32.exe avira.systray.exe no specs avira.systray.exe no specs rundll32.exe rundll32.exe setup.exe avira.exe avira.exe avira.oe.setup.bundle.exe avira.oe.setup.prerequisites.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe sdwelcome.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe schtasks.exe no specs conhost.exe no specs rundll32.exe avconfig.exe no specs rundll32.exe rundll32.exe rundll32.exe checkwindows10drivers.exe no specs drvinstall64.exe conhost.exe no specs rundll32.exe rundll32.exe sc.exe no specs conhost.exe no specs installelamcertificateinfohelper.exe no specs schtasks.exe no specs schtasks.exe no specs conhost.exe no specs conhost.exe no specs regsvr32.exe no specs regsvr32.exe no specs licmgr.exe no specs regsvr32.exe no specs regsvr32.exe no specs protectedservice.exe no specs avirasecuritycenteragent.exe no specs avguard.exe sdimmunize.exe no specs sdimmunize.exe avshadow.exe no specs avirasecuritycenteragent.exe no specs sdscan.exe no specs sdscan.exe rundll32.exe avmailc7.exe no specs sched.exe 
no specs rundll32.exe ccuac.exe no specs rundll32.exe avgnt.exe no specs rundll32.exe avcenter.exe no specs rundll32.exe rundll32.exe rundll32.exe update.exe rundll32.exe rundll32.exe rundll32.exe avira.servicehost.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe schtasks.exe no specs conhost.exe no specs rundll32.exe rundll32.exe rundll32.exe rundll32.exe avira.systray.exe no specs avira.systray.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe avira.oe.setup.bundle.exe no specs ninite.exe avira.oe.setup.bundle.exe avira.oe.setup.bundle.exe avira.oe.setup.prerequisites.exe no specs conhost.exe no specs target.exe avira.systray.exe no specs sascore64.exe no specs conhost.exe no specs sascore64.exe no specs regsvr32.exe no specs superantispyware.exe no specs ssupdate64.exe avg_antivirus_free_setup_offline.exe avscan.exe no specs avscan.exe no specs update.exe no specs superantispyware.exe ssupdate64.exe instup.exe ielowutil.exe no specs iexplore.exe iexplore.exe sbr.exe no specs superantispyware.exe no specs ssupdate64.exe avirasecuritycenteragent.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
208
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
444
CMD:
"C:\ProgramData\Package Cache\3774517F79CA2EBA0E576EF7652F5CB941BE12AA\Avira.OE.Setup.Prerequisites.exe" /enableMsiService
Path:
C:\ProgramData\Package Cache\3774517F79CA2EBA0E576EF7652F5CB941BE12AA\Avira.OE.Setup.Prerequisites.exe
Parent process:
Avira.OE.Setup.Bundle.exe
User:
SYSTEM
Company:
Avira Operations GmbH & Co. KG
Integrity Level:
SYSTEM
Description:
Avira.OE.Setup.Prerequisites
Exit code:
0
Version:
1.2.158.786
Modules
Images
c:\programdata\package cache\3774517f79ca2eba0e576ef7652f5cb941be12aa\avira.oe.setup.prerequisites.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
512
CMD:
rundll32.exe "C:\WINDOWS\Installer\MSID529.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1168687 216 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.Configuration.ConfigureGlobalUninstaller
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
512
CMD:
rundll32.exe "C:\WINDOWS\Installer\MSI948B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1283234 715 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.DesktopShortcut.UpdateStartMenuShortcut
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
536
CMD:
helper 105 0x460
Path:
C:\Users\admin\AppData\Local\Temp\is-6TQ6I.tmp\_isetup\_setup64.tmp
Parent process:
target.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-6tq6i.tmp\_isetup\_setup64.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
536
CMD:
C:\Windows\syswow64\MsiExec.exe -Embedding 9D0D3A6C9E76127DC35FFC4819AEF3C1
Path:
C:\Windows\SysWOW64\msiexec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
632
CMD:
rundll32.exe "C:\WINDOWS\Installer\MSI84B3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1213625 318 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.Configuration.SetSmartCacheVersion
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
668
CMD:
rundll32.exe "C:\WINDOWS\Installer\MSI950C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1217765 455 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.SystrayCustomActions.StopSystray
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
668
CMD:
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe" /scan
Path:
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Parent process:
SDWelcome.exe
User:
admin
Company:
Safer-Networking Ltd.
Integrity Level:
HIGH
Description:
Malware Scanner
Version:
2.9.85.200
Modules
Images
c:\program files (x86)\spybot - search & destroy 2\sdscan.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
672
CMD:
rundll32.exe "C:\WINDOWS\Installer\MSI82B3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1278687 678 Avira.OE.Setup.CustomActions!Avira.OE.Setup.CustomActions.Configuration.ConfigureGlobalUninstaller
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events
150 342
Read events
147 170
Write events
2 700
Delete events
472

Modification events

(PID) Process: (1244) target.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Operation: write
Name: Enabled
Value:

(PID) Process: (1244) target.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Operation: write
Name: DisabledByDefault
Value: 0

(PID) Process: (1244) target.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Operation: write
Name: Server
Value:

(PID) Process: (1244) target.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Operation: write
Name: DefaultSecureProtocols
Value: 2048

(PID) Process: (1244) target.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SDUpdateService
Operation: write
Name: DependOnService
Value: Tcpip

(PID) Process: (1244) target.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Operation: write
Name: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Value: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater

(PID) Process: (1244) target.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Operation: write
Name: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
Value: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service

(PID) Process: (1244) target.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SDUpdateService
Operation: write
Name: Description
Value: Downloads updates and installs them.

(PID) Process: (1244) target.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Operation: write
Name: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
Value: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon

(PID) Process: (1244) target.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Operation: write
Name: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
Value: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot - Search & Destroy tray access
Executable files
1 757
Suspicious files
901
Text files
1 100
Unknown types
1 649

Dropped files

PID
Process
Filename
Type
PID: 7020
Process: Ninite.exe
Filename: C:\Users\admin\AppData\Local\Temp\4d653789-4214-11f0-b4ed-18f7786f96ee\target.exe_4d65378b-4214-11f0-b4ed-18f7786f96ee
Type:
MD5:
SHA256:

PID: 7020
Process: Ninite.exe
Filename: C:\Users\admin\AppData\Local\Temp\4d653789-4214-11f0-b4ed-18f7786f96ee\target.exe
Type:
MD5:
SHA256:

PID: 4724
Process: ninite.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Type: der
MD5: EDED87C6C700DE5F387A1D53CD782EE9
SHA256: 3412D920477002C2BC426096F1876917B64A5AA744D5339B33E1D508DD1E9F45

PID: 7020
Process: Ninite.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Type: der
MD5: E192462F281446B5D1500D474FBACC4B
SHA256: F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60

PID: 4724
Process: ninite.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Type: der
MD5: 50BD779CE7B91C5AA92478F8D84C0BEB
SHA256: ABE1762D0DDEE17DC40E027616E2953BD4902A301BA84FADC3CCA83A4DE654EF

PID: 1244
Process: target.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-6TQ6I.tmp\idp.dll
Type: executable
MD5: 55C310C0319260D798757557AB3BF636
SHA256: 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED

PID: 4724
Process: ninite.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Type: binary
MD5: B2B3D36E686809E67FE5BB64EBE50652
SHA256: CDC27B75805209940781D222834FFCEBAF3F1483751C0FB026C6F5B217E6A715

PID: 4724
Process: ninite.exe
Filename: C:\Users\admin\AppData\Local\Temp\4c2cdaec-4214-11f0-b4ed-18f7786f96ee\Ninite.exe
Type: executable
MD5: 8C2C71081C6AFB8884501914E81FA20D
SHA256: AE60E4F6ED4EC4AA15E5A957A3A659AD06BB051A1C5BAF536B2D452CCF3D5494

PID: 4724
Process: ninite.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Type: binary
MD5: 3151F0352A29742AABF2867C1F4E4494
SHA256: 933B2F62CE8397D1C9A7E8858E894B4705E2A0896F772D334F1F4226C32C3B59

PID: 4724
Process: ninite.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_BCCFCBC66B448214318C9391CA0E275F
Type: der
MD5: CEAFC16CC6EC1CA0479808571EC5B22F
SHA256: 66095CCA2E2B57E85D7973B7340C0173372709BE7B6EC55C13E768DAE2CC51FE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
229
TCP/UDP connections
281
DNS requests
101
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7020
Ninite.exe
GET
200
2.16.252.233:80
http://x1.c.lencr.org/
unknown
whitelisted
4724
ninite.exe
GET
200
151.101.130.133:80
http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D
unknown
whitelisted
7020
Ninite.exe
GET
200
18.245.65.219:80
http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEA1Li7YBN7RrmcmQi5xUsGk%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4724
ninite.exe
GET
200
151.101.130.133:80
http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2F09F%2BhHVuEUQQU2rONwCSQo2t30wygWd0hZ2R2C3gCDGPUxoqhhiZifL455A%3D%3D
unknown
whitelisted
7020
Ninite.exe
GET
169.150.247.40:80
http://cdn.superantispyware.com/SUPERAntiSpyware.exe
unknown
whitelisted
7020
Ninite.exe
GET
200
18.245.38.41:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
whitelisted
6708
SDFSSvc.exe
GET
200
131.253.33.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D
unknown
whitelisted
6708
SDFSSvc.exe
GET
200
131.253.33.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ0NE46krjtIffEj0l00lckKsLufgQUJEWZoXeQKnzDyoOwbmQWhCr4LGcCEzMAAGMYVvcunHAXzMQAAAAAYxg%3D
unknown
whitelisted
7020
Ninite.exe
GET
169.150.247.40:80
http://cdn.superantispyware.com/SUPERAntiSpyware.exe
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5496
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5496
MoUsoCoreWorker.exe
23.32.238.112:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5796
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4268
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4724
ninite.exe
65.9.66.14:443
ninite.com
AMAZON-02
US
whitelisted
4724
ninite.exe
18.245.38.41:80
ocsp.rootca1.amazontrust.com
US
whitelisted
4724
ninite.exe
151.101.130.133:80
ocsp.globalsign.com
FASTLY
US
whitelisted
2112
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 23.219.150.101
whitelisted
ninite.com
  • 65.9.66.14
  • 65.9.66.60
  • 65.9.66.107
  • 65.9.66.56
whitelisted
ocsp.rootca1.amazontrust.com
  • 18.245.38.41
whitelisted
ocsp.globalsign.com
  • 151.101.130.133
  • 151.101.2.133
  • 151.101.66.133
  • 151.101.194.133
whitelisted
updates3.safer-networking.org
  • 95.217.7.90
whitelisted
x1.c.lencr.org
  • 2.16.252.233
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
install.avira-update.com
  • 23.67.142.77
unknown

Threats

PID
Process
Class
Message
7020
Ninite.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7020
Ninite.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7020
Ninite.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7020
Ninite.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7020
Ninite.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7020
Ninite.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7020
Ninite.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7020
Ninite.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7020
Ninite.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7020
Ninite.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Process
Message
SDFSSvc.exe
IEData
SDFSSvc.exe
{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}
SDFSSvc.exe
Fontcore
SDFSSvc.exe
Microsoft Edge Update
SDFSSvc.exe
WIC
SDFSSvc.exe
{8bdfe669-9705-4184-9368-db9ce581e0e7}
SDFSSvc.exe
CCleaner
SDFSSvc.exe
DirectDrawEx
SDFSSvc.exe
{90160000-008C-0419-1000-0000000FF1CE}
SDFSSvc.exe
IE40