File name: TorchSetupstub.exe

Full analysis: https://app.any.run/tasks/08310e59-7d70-44ab-ba70-a0c413786c00
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 22, 2020, 00:22:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, searchsuite, adware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FCED5130CDA43C74B50234CCC0CD771A
SHA1: B73B7FB16FDFD887CB1B9090285E4472721BC11B
SHA256: 567401F1EDEE57AD7361F3EBA2401C2D785EC768CCCB5322B8AE2A367E4CBDC1
SSDEEP: 49152:IT5H7Ns6xTI8JSKKYR2TUHIfN1P/C3AmDRoVopC:IVJs6JFKy2AoFlIDRoyC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • TorchSetupstub.exe (PID: 1844)
      • TorchSetupstub.exe (PID: 3756)
      • torch.exe (PID: 2184)
      • torch.exe (PID: 2568)
      • torch.exe (PID: 2552)
      • torch.exe (PID: 3536)
      • torch.exe (PID: 2728)
      • torch.exe (PID: 3004)
      • torch.exe (PID: 3796)
      • torch.exe (PID: 3752)
      • torch.exe (PID: 3312)
      • torch.exe (PID: 2808)
      • torch.exe (PID: 4072)
      • torch.exe (PID: 3088)
      • torch.exe (PID: 3112)
      • torch.exe (PID: 3472)
      • torch.exe (PID: 2464)
      • torch.exe (PID: 2636)
      • torch.exe (PID: 2588)
      • torch.exe (PID: 2012)
      • torch.exe (PID: 2620)
      • torch.exe (PID: 880)
      • torch.exe (PID: 3488)
      • torch.exe (PID: 3128)
      • torch.exe (PID: 3540)
      • torch.exe (PID: 2716)
      • torch.exe (PID: 3024)
      • torch.exe (PID: 2056)
      • torch.exe (PID: 3404)
      • torch.exe (PID: 2548)
      • torch.exe (PID: 1832)
      • torch.exe (PID: 3572)
      • torch.exe (PID: 3040)
      • torch.exe (PID: 536)
      • torch.exe (PID: 3348)
      • torch.exe (PID: 3504)
      • torch.exe (PID: 2976)
      • torch.exe (PID: 2420)
      • torch.exe (PID: 552)
      • torch.exe (PID: 3044)
      • torch.exe (PID: 2108)
      • torch.exe (PID: 2648)
      • torch.exe (PID: 3620)
      • torch.exe (PID: 872)
      • torch.exe (PID: 3320)
      • torch.exe (PID: 2848)
      • torch.exe (PID: 3064)
      • torch.exe (PID: 3448)
      • torch.exe (PID: 3544)
      • torch.exe (PID: 3556)
      • torch.exe (PID: 2600)
      • torch.exe (PID: 1872)
      • torch.exe (PID: 2116)
      • torch.exe (PID: 2500)
      • torch.exe (PID: 3800)
      • torch.exe (PID: 2468)
      • torch.exe (PID: 1564)
      • torch.exe (PID: 1756)
      • torch.exe (PID: 3192)
      • torch.exe (PID: 580)
      • torch.exe (PID: 3760)
      • torch.exe (PID: 2864)
      • torch.exe (PID: 3840)
      • torch.exe (PID: 3676)
      • torch.exe (PID: 3728)
      • torch.exe (PID: 3012)
      • torch.exe (PID: 3120)
      • torch.exe (PID: 1064)
      • torch.exe (PID: 968)
      • torch.exe (PID: 2780)
      • torch.exe (PID: 1356)
      • torch.exe (PID: 1756)
      • torch.exe (PID: 3300)
      • torch.exe (PID: 3016)
      • torch.exe (PID: 3892)
      • torch.exe (PID: 2864)
      • torch.exe (PID: 2168)
      • torch.exe (PID: 3384)
      • torch.exe (PID: 608)
      • torch.exe (PID: 440)
      • torch.exe (PID: 3632)
      • torch.exe (PID: 3652)
      • torch.exe (PID: 2532)
      • torch.exe (PID: 3876)
      • torch.exe (PID: 2484)
      • torch.exe (PID: 3364)
      • torch.exe (PID: 3716)
      • torch.exe (PID: 3704)
      • torch.exe (PID: 2528)
      • torch.exe (PID: 3964)
      • torch.exe (PID: 2096)
      • torch.exe (PID: 2640)
      • torch.exe (PID: 1460)
      • torch.exe (PID: 3820)
      • torch.exe (PID: 2696)
      • torch.exe (PID: 2128)
      • torch.exe (PID: 3164)
    • Application was dropped or rewritten from another process

      • nsA81E.tmp (PID: 1412)
      • nsC45F.tmp (PID: 1516)
      • setup.exe (PID: 2232)
      • setup.exe (PID: 376)
      • nsC39.tmp (PID: 3812)
      • ns979.tmp (PID: 2828)
      • ns1081.tmp (PID: 3584)
      • nsE5D.tmp (PID: 3972)
      • ns145C.tmp (PID: 620)
      • ns1238.tmp (PID: 3304)
      • torch.exe (PID: 2568)
      • torch.exe (PID: 2552)
      • torch.exe (PID: 2184)
      • torch.exe (PID: 3536)
      • torch.exe (PID: 3004)
      • torch.exe (PID: 2728)
      • torch.exe (PID: 3752)
      • torch.exe (PID: 3312)
      • torch.exe (PID: 3796)
      • torch.exe (PID: 3088)
      • torch.exe (PID: 2808)
      • torch.exe (PID: 2636)
      • TorchUpdate.exe (PID: 912)
      • torch.exe (PID: 4072)
      • torch.exe (PID: 3112)
      • torch.exe (PID: 3472)
      • torch.exe (PID: 3488)
      • torch.exe (PID: 2620)
      • torch.exe (PID: 2464)
      • torch.exe (PID: 2588)
      • torch.exe (PID: 2012)
      • torch.exe (PID: 880)
      • torch.exe (PID: 2716)
      • torch.exe (PID: 2056)
      • torch.exe (PID: 3024)
      • torch.exe (PID: 3404)
      • torch.exe (PID: 3348)
      • torch.exe (PID: 3128)
      • torch.exe (PID: 3540)
      • torch.exe (PID: 3504)
      • torch.exe (PID: 536)
      • torch.exe (PID: 2548)
      • torch.exe (PID: 1832)
      • torch.exe (PID: 3572)
      • torch.exe (PID: 2976)
      • torch.exe (PID: 3040)
      • torch.exe (PID: 2648)
      • torch.exe (PID: 552)
      • torch.exe (PID: 3044)
      • torch.exe (PID: 872)
      • torch.exe (PID: 2848)
      • torch.exe (PID: 3620)
      • torch.exe (PID: 2108)
      • torch.exe (PID: 2420)
      • torch.exe (PID: 3320)
      • torch.exe (PID: 2116)
      • torch.exe (PID: 3448)
      • torch.exe (PID: 3064)
      • torch.exe (PID: 2600)
      • torch.exe (PID: 1872)
      • torch.exe (PID: 3556)
      • torch.exe (PID: 3544)
      • torch.exe (PID: 1564)
      • torch.exe (PID: 2500)
      • torch.exe (PID: 3192)
      • torch.exe (PID: 3800)
      • torch.exe (PID: 1756)
      • torch.exe (PID: 2864)
      • torch.exe (PID: 580)
      • torch.exe (PID: 3760)
      • torch.exe (PID: 2468)
      • torch.exe (PID: 3300)
      • torch.exe (PID: 3012)
      • torch.exe (PID: 3728)
      • torch.exe (PID: 3676)
      • torch.exe (PID: 1064)
      • torch.exe (PID: 3120)
      • torch.exe (PID: 2780)
      • torch.exe (PID: 3840)
      • torch.exe (PID: 968)
      • torch.exe (PID: 1356)
      • torch.exe (PID: 3892)
      • torch.exe (PID: 3016)
      • torch.exe (PID: 1756)
      • torch.exe (PID: 2864)
      • torch.exe (PID: 3632)
      • torch.exe (PID: 2168)
      • torch.exe (PID: 440)
      • torch.exe (PID: 3652)
      • torch.exe (PID: 608)
      • torch.exe (PID: 3384)
      • torch.exe (PID: 2532)
      • torch.exe (PID: 2484)
      • torch.exe (PID: 3364)
      • torch.exe (PID: 3716)
      • torch.exe (PID: 3876)
      • torch.exe (PID: 3704)
      • torch.exe (PID: 2528)
      • torch.exe (PID: 2640)
      • torch.exe (PID: 3964)
      • torch.exe (PID: 2096)
      • torch.exe (PID: 1460)
      • torch.exe (PID: 3164)
      • torch.exe (PID: 3820)
      • torch.exe (PID: 2696)
      • torch.exe (PID: 2128)
    • Downloads executable files from the Internet

      • TorchSetupstub.exe (PID: 1844)
    • SEARCHSUITE was detected

      • TorchSetupstub.exe (PID: 1844)
    • Connects to CnC server

      • TorchSetupstub.exe (PID: 1844)
    • Actions looks like stealing of personal data

      • torch.exe (PID: 2568)
    • Changes settings of System certificates

      • torch.exe (PID: 2568)
  • SUSPICIOUS

    • Application launched itself

      • TorchSetupstub.exe (PID: 3756)
      • setup.exe (PID: 2232)
      • torch.exe (PID: 2568)
    • Executable content was dropped or overwritten

      • TorchSetupstub.exe (PID: 3756)
      • TorchSetupstub.exe (PID: 1844)
      • pack.exe (PID: 3288)
      • setup.exe (PID: 2232)
      • torch.exe (PID: 2728)
    • Starts application with an unusual extension

      • TorchSetupstub.exe (PID: 3756)
      • TorchSetupstub.exe (PID: 1844)
    • Modifies the open verb of a shell class

      • setup.exe (PID: 2232)
      • TorchSetupstub.exe (PID: 1844)
    • Creates a software uninstall entry

      • setup.exe (PID: 2232)
      • TorchSetupstub.exe (PID: 1844)
    • Uses NETSH.EXE for network configuration

      • nsE5D.tmp (PID: 3972)
      • nsC39.tmp (PID: 3812)
      • ns979.tmp (PID: 2828)
      • ns145C.tmp (PID: 620)
      • ns1238.tmp (PID: 3304)
      • ns1081.tmp (PID: 3584)
    • Reads Internet Cache Settings

      • TorchSetupstub.exe (PID: 1844)
    • Creates files in the user directory

      • TorchSetupstub.exe (PID: 1844)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • setup.exe (PID: 2232)
    • Reads the hosts file

      • torch.exe (PID: 2568)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 69.0.0.2990
ProductName: Torch
LegalCopyright: Copyright (C) 2017 Torch Media Inc.
FileVersion: 69.0.0.2990
FileDescription: Torch Browser
CompanyName: Torch Media, Inc
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 69.0.0.2990
FileVersionNumber: 69.0.0.2990
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: 6
OSVersion: 5
EntryPoint: 0x38af
UninitializedDataSize: 16896
InitializedDataSize: 489984
CodeSize: 29696
LinkerVersion: 10
PEType: PE32
TimeStamp: 2012:02:24 20:20:04+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Feb-2012 19:20:04
Detected languages:
  • English - United States
CompanyName: Torch Media, Inc
FileDescription: Torch Browser
FileVersion: 69.0.0.2990
LegalCopyright: Copyright (C) 2017 Torch Media Inc.
ProductName: Torch
ProductVersion: 69.0.0.2990

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 24-Feb-2012 19:20:04
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0000728C | 0x00007400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.49971
.rdata | 0x00009000 | 0x00002B6E | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.49793
.data | 0x0000C000 | 0x00072B9C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.80494
.ndata | 0x0007F000 | 0x00451000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x004D0000 | 0x00009368 | 0x00009400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.44403
.reloc | 0x004DA000 | 0x00000FD6 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.29275

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.2266 | 957 | UNKNOWN | English - United States | RT_MANIFEST
2 | 5.29125 | 9640 | UNKNOWN | English - United States | RT_ICON
3 | 5.85096 | 4264 | UNKNOWN | English - United States | RT_ICON
4 | 6.06617 | 2440 | UNKNOWN | English - United States | RT_ICON
5 | 6.39235 | 1128 | UNKNOWN | English - United States | RT_ICON
103 | 2.79808 | 76 | UNKNOWN | English - United States | RT_GROUP_ICON
105 | 2.57437 | 512 | UNKNOWN | English - United States | RT_DIALOG
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG
111 | 2.92787 | 238 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
Total processes: 164
Monitored processes: 115
Malicious processes: 48
Suspicious processes: 51

Behavior graph

[Behavior graph not reproduced: a process tree rooted at torchsetupstub.exe (tagged #SEARCHSUITE), which drops and starts a second torchsetupstub.exe, nsa81e.tmp, pack.exe, nsc45f.tmp, setup.exe, six NSIS helper stubs (ns979.tmp, nsc39.tmp, nse5d.tmp, ns1081.tmp, ns1238.tmp, ns145c.tmp) each launching netsh.exe, torchupdate.exe, and a large number of torch.exe instances.]

Process information

PID: 3756
CMD: "C:\Users\admin\AppData\Local\Temp\TorchSetupstub.exe"
Path: C:\Users\admin\AppData\Local\Temp\TorchSetupstub.exe
Parent process: explorer.exe
User: admin
Company: Torch Media, Inc
Integrity Level: MEDIUM
Description: Torch Browser
Exit code: 1223
Version: 69.0.0.2990

PID: 1844
CMD: "C:\Users\admin\AppData\Local\Temp\TorchSetupstub.exe" /UAC:501C2 /NCRC
Path: C:\Users\admin\AppData\Local\Temp\TorchSetupstub.exe
Parent process: TorchSetupstub.exe
User: admin
Company: Torch Media, Inc
Integrity Level: HIGH
Description: Torch Browser
Exit code: 3221225547
Version: 69.0.0.2990

PID: 1412
CMD: "C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsA81E.tmp" "C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\pack.exe" "-oC:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp" -y
Path: C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsA81E.tmp
Parent process: TorchSetupstub.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 3288
CMD: "C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\pack.exe" "-oC:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp" -y
Path: C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\pack.exe
Parent process: nsA81E.tmp
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7z Console SFX
Exit code: 0
Version: 9.20

PID: 1516
CMD: "C:\Users\admin\AppData\Local\Temp\nsp6E24.tmp\nsC45F.tmp" "C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\chrome.packed.7z" --do-not-launch-chrome --do-not-create-any-shortcuts
Path: C:\Users\admin\AppData\Local\Temp\nsp6E24.tmp\nsC45F.tmp
Parent process: TorchSetupstub.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2232
CMD: "C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\chrome.packed.7z" --do-not-launch-chrome --do-not-create-any-shortcuts
Path: C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\setup.exe
Parent process: nsC45F.tmp
User: admin
Company: Torch Media Inc.
Integrity Level: MEDIUM
Description: Torch Installer
Exit code: 0
Version: 69.0.0.2990

PID: 376
CMD: C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Torch\User Data\Crashpad" --annotation=plat=Win32 --annotation=prod=Torch --annotation=ver=69.0.0.2990 --initial-client-data=0x10c,0x110,0x114,0x100,0x118,0x10bd428,0x10bd438,0x10bd444
Path: C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\setup.exe
Parent process: setup.exe
User: admin
Company: Torch Media Inc.
Integrity Level: MEDIUM
Description: Torch Installer
Exit code: 0
Version: 69.0.0.2990

PID: 2828
CMD: "C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\ns979.tmp" netsh advfirewall firewall delete rule name="Torch" program="C:\Users\admin\AppData\Local\Torch\Application\torch.exe"
Path: C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\ns979.tmp
Parent process: TorchSetupstub.exe
User: admin
Integrity Level: HIGH
Exit code: 1

PID: 3324
CMD: netsh advfirewall firewall delete rule name="Torch" program="C:\Users\admin\AppData\Local\Torch\Application\torch.exe"
Path: C:\Windows\system32\netsh.exe
Parent process: ns979.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3812
CMD: "C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsC39.tmp" netsh advfirewall firewall add rule name="Torch" dir=in action=allow program="C:\Users\admin\AppData\Local\Torch\Application\torch.exe" enable=yes
Path: C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsC39.tmp
Parent process: TorchSetupstub.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Total events: 2 690
Read events: 1 694
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 39
Suspicious files: 41
Text files: 958
Unknown types: 121

Dropped files

PID | Process | Filename | Type
(a dash marks a cell the report left empty)
1844 | TorchSetupstub.exe | C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\pack.exe | -
MD5: -
SHA256: -
1844 | TorchSetupstub.exe | C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\modern-header.bmp | image
MD5: 95755E65C1A29CC6E4A612E7CF24841E
SHA256: 7C59807ACC260C9C9B7EBC8282D2A6393E5DD5E8A99562605EFAF68FAED71B05
3756 | TorchSetupstub.exe | C:\Users\admin\AppData\Local\Temp\nsp6E24.tmp\modern-header.bmp | image
MD5: 95755E65C1A29CC6E4A612E7CF24841E
SHA256: 7C59807ACC260C9C9B7EBC8282D2A6393E5DD5E8A99562605EFAF68FAED71B05
1844 | TorchSetupstub.exe | C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\Banner3.jpg | image
MD5: F1B8093862B5927DE7DD8E47093E483F
SHA256: C8D37CC923A3F8FCCD1C07636C074162E97D9E778C7BC1338FBB04894E29D041
3288 | pack.exe | C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\nsfAD62.tmp\chrome.packed.7z | -
MD5: -
SHA256: -
1844 | TorchSetupstub.exe | C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\Banner2.jpg | image
MD5: FD9B890F6DA88D96E16074E9E0D6F457
SHA256: 46EF86DC55A6CEB0D50FE3B4C2921136DBC7E6653D8403AEB02E0B5309431FCD
1844 | TorchSetupstub.exe | C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\Banner1.jpg | image
MD5: 92DF3F857290C59E3C549493D3209E5F
SHA256: 93633FAC7D17C8766414D5C0B64FA1FF362B924BB31157053A9B0DB730D1E573
1844 | TorchSetupstub.exe | C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\Uninstall.exe | executable
MD5: 98F1328F7FDFA8A56113AEAA0556E753
SHA256: 566D4F8926A2C3C54CE467C76DD5B7B222E51DAE193A1C014F95BB2D1031D93D
1844 | TorchSetupstub.exe | C:\Users\admin\AppData\Local\Temp\nsl70C4.tmp\Banner5.jpg | image
MD5: 6642285661E2688457CAC63A3CC0C796
SHA256: A60B118F9F5F208352121065C47EF666AA6FF28F7CE69FBFDEC4C7F8370CAC11
3756 | TorchSetupstub.exe | C:\Users\admin\AppData\Local\Temp\nsp6E24.tmp\registry.dll | executable
MD5: 2B7007ED0262CA02EF69D8990815CBEB
SHA256: 0B25B20F26DE5D5BD795F934C70447112B4981343FCB2DFAB3374A4018D28C2D
HTTP(S) requests: 137
TCP/UDP connections: 84
DNS requests: 56
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(a dash marks a cell the report left empty)
- | - | HEAD | 200 | 159.148.69.143:80 | http://r4---sn-a5uoxu-gpme.gvt1.com/edgedl/release2/chrome_component/AKncN-n2fBuTEXKtsqg8WQs_32.0.0.330/AK4j5jHPiLzon8VtoAvFY94?cms_redirect=yes&mip=159.148.186.246&mm=28&mn=sn-a5uoxu-gpme&ms=nvh&mt=1582330748&mv=u&mvi=3&pl=24&shardbypass=yes | LV | - | - | whitelisted
- | - | HEAD | 302 | 172.217.23.174:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/AKncN-n2fBuTEXKtsqg8WQs_32.0.0.330/AK4j5jHPiLzon8VtoAvFY94 | US | - | - | whitelisted
- | - | GET | 206 | 159.148.69.143:80 | http://r4---sn-a5uoxu-gpme.gvt1.com/edgedl/release2/chrome_component/AKncN-n2fBuTEXKtsqg8WQs_32.0.0.330/AK4j5jHPiLzon8VtoAvFY94?cms_redirect=yes&mip=159.148.186.246&mm=28&mn=sn-a5uoxu-gpme&ms=nvh&mt=1582330748&mv=u&mvi=3&pl=24&shardbypass=yes | LV | binary | 5.76 Kb | whitelisted
1844 | TorchSetupstub.exe | GET | 200 | 178.79.242.16:80 | http://598c3e7fc74b.bitsngo.net/packs/pack.exe | DE | executable | 75.5 Mb | malicious
- | - | GET | 206 | 159.148.69.143:80 | http://r4---sn-a5uoxu-gpme.gvt1.com/edgedl/release2/chrome_component/AKncN-n2fBuTEXKtsqg8WQs_32.0.0.330/AK4j5jHPiLzon8VtoAvFY94?cms_redirect=yes&mip=159.148.186.246&mm=28&mn=sn-a5uoxu-gpme&ms=nvh&mt=1582330748&mv=u&mvi=3&pl=24&shardbypass=yes | LV | binary | 10.7 Kb | whitelisted
- | - | GET | 302 | 172.217.23.174:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/AKncN-n2fBuTEXKtsqg8WQs_32.0.0.330/AK4j5jHPiLzon8VtoAvFY94 | US | html | 475 b | whitelisted
- | - | GET | 302 | 172.217.23.174:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/AKncN-n2fBuTEXKtsqg8WQs_32.0.0.330/AK4j5jHPiLzon8VtoAvFY94 | US | html | 475 b | whitelisted
2568 | torch.exe | GET | 200 | 212.235.109.38:80 | http://service.torchbrowser.com/proactor.php?xml | IL | text | 18.5 Kb | malicious
- | - | GET | 302 | 172.217.23.174:80 | http://redirector.gvt1.com/edgedl/release2/chrome_component/AKncN-n2fBuTEXKtsqg8WQs_32.0.0.330/AK4j5jHPiLzon8VtoAvFY94 | US | html | 475 b | whitelisted
912 | TorchUpdate.exe | GET | 200 | 212.235.109.38:80 | http://preved.torchbrowser.com/login?XML=%3clogin_request%3e%3cclient_info%3e%3csysid%3e678%3c/sysid%3e%3cappid%3e0%3c/appid%3e%3cclid%3e%7b0B0FEC5A-C75D-4171-9A51-1C8A271E0E80%7d%3c/clid%3e%3cln%3een%3c/ln%3e%3cosver%3e6.1%3c/osver%3e%3costype%3ex86%3c/ostype%3e%3cosl%3een-us%3c/osl%3e%3cpver%3e69.0.0.2990%3c/pver%3e%3cenv%3e%3c/env%3e%3citime%3e2020-02-22%3c/itime%3e%3cdsu%3e%3c/dsu%3e%3chpu%3e%3c/hpu%3e%3cspu%3e%3c/spu%3e%3c/client_info%3e%3c/login_request%3e | IL | xml | 352 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2568 | torch.exe | 172.217.16.131:443 | update.googleapis.com | Google Inc. | US | whitelisted
2568 | torch.exe | 212.235.109.38:80 | service.torchbrowser.com | 013 NetVision Ltd | IL | malicious
2568 | torch.exe | 172.217.23.163:443 | ssl.gstatic.com | Google Inc. | US | whitelisted
2568 | torch.exe | 172.217.22.13:443 | accounts.google.com | Google Inc. | US | whitelisted
1844 | TorchSetupstub.exe | 178.79.242.16:80 | 598c3e7fc74b.bitsngo.net | Limelight Networks, Inc. | DE | suspicious
1844 | TorchSetupstub.exe | 212.235.109.38:80 | service.torchbrowser.com | 013 NetVision Ltd | IL | malicious
2568 | torch.exe | 216.58.208.46:443 | clients2.google.com | Google Inc. | US | whitelisted
2568 | torch.exe | 216.58.207.65:443 | clients2.googleusercontent.com | Google Inc. | US | whitelisted
2568 | torch.exe | 172.217.23.99:443 | www.gstatic.com | Google Inc. | US | whitelisted
912 | TorchUpdate.exe | 212.235.109.38:80 | service.torchbrowser.com | 013 NetVision Ltd | IL | malicious

DNS requests

Domain | IP | Reputation
598c3e7fc74b.bitsngo.net | 178.79.242.16, 178.79.242.181 | malicious
service.torchbrowser.com | 212.235.109.38 | malicious
accounts.google.com | 172.217.22.13 | shared
clients2.google.com | 216.58.208.46 | whitelisted
www.gstatic.com | 172.217.23.99 | whitelisted
clients2.googleusercontent.com | 216.58.207.65 | whitelisted
preved.torchbrowser.com | 212.235.109.38 | malicious
ssl.gstatic.com | 172.217.23.163 | whitelisted
update.googleapis.com | 172.217.16.131 | whitelisted
redirector.gvt1.com | 172.217.23.174 | whitelisted

Threats

PID | Process | Class | Message
1844 | TorchSetupstub.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1844 | TorchSetupstub.exe | A Network Trojan was detected | ET MALWARE W32/SearchSuite Install CnC Beacon
1844 | TorchSetupstub.exe | Misc activity | ADWARE [PTsecurity] Toolbar.SearchSuit
1 ETPRO signature available in the full report
No debug info