File name:	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.exe
Full analysis:	https://app.any.run/tasks/fb4986e3-3930-4d6a-9ad0-d61233e7ec0e
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 28, 2025, 14:41:02
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto privateloader loader stealer adware innosetup delphi inno installer arch-exec bittorrent arch-scr arch-html
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:	21C7202E3985AD7DEFE13C840AEADF79
SHA1:	04333D7E2BE8684472D57E34AA31FDAB09D7B288
SHA256:	5A9038021945615156EFCB3E0E4F1905C774659A0647E009B2A582FA05E30B20
SSDEEP:	98304:P+QqZ8fQJ1CfEW6v7SoSLerx5uO4QBAOOVm2Jah5nn+ojEOyoqcCvPrEMv0T9WQL:fydlko3

.exe	\|	Inno Setup installer (67.7)
.exe	\|	Win32 EXE PECompact compressed (generic) (25.6)
.exe	\|	Win32 Executable (generic) (2.7)
.exe	\|	Win16/32 Executable Delphi generic (1.2)
.exe	\|	Generic Win/DOS Executable (1.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:11:15 09:48:30+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741376
InitializedDataSize:	135680
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	2.12.1.8
ProductVersionNumber:	2.12.1.8
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	BitComet Installer
FileVersion:	2.12.1.8
LegalCopyright:	© BitComet
OriginalFileName:
ProductName:	BitComet
ProductVersion:	2.12.1.8


(PID) Process:	(6272) BitComet_2.12_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E8A058D1-C830-437F-A029-10D777A8DD40}\TypeLib
Operation:	write	Name:	Version
Value: 1.0
(PID) Process:	(6272) BitComet_2.12_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\BitComet
Operation:	write	Name:	InstallSettingCaptureIEDownload
Value: 0
(PID) Process:	(6272) BitComet_2.12_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\BitComet\BitComet
Operation:	write	Name:	CaptureIEDownload
Value: 0
(PID) Process:	(6272) BitComet_2.12_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\BitComet
Operation:	write	Name:	Install Date
Value: 20250428
(PID) Process:	(6272) BitComet_2.12_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\BitComet
Operation:	write	Name:	NewInstall
Value: 1
(PID) Process:	(6272) BitComet_2.12_setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\BitComet
Operation:	write	Name:	PackageName
Value: BitComet_2.12_setup.exe
(PID) Process:	(6272) BitComet_2.12_setup.exe	Key:	HKEY_CLASSES_ROOT\.torrent
Operation:	write	Name:	Content Type
Value: application/x-bittorrent
(PID) Process:	(6272) BitComet_2.12_setup.exe	Key:	HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-bittorrent
Operation:	write	Name:	Extension
Value: .torrent
(PID) Process:	(6272) BitComet_2.12_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\bc
Operation:	write	Name:	URL Protocol
Value:
(PID) Process:	(6272) BitComet_2.12_setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BitCometAgent.DLL
Operation:	write	Name:	AppID
Value: {B99B5DF3-3AD2-463F-8F8C-86787623E1D5}

PID	Process	Filename		Type
1052	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.tmp	C:\Users\admin\AppData\Local\Temp\is-N069K.tmp\is-EN4R8.tmp		—
		MD5:—	SHA256:—
1052	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.tmp	C:\Users\admin\AppData\Local\Temp\is-N069K.tmp\BitComet_2.12_setup.exe		—
		MD5:—	SHA256:—
4244	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.exe	C:\Users\admin\AppData\Local\Temp\is-2VQ2N.tmp\SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.tmp		executable
		MD5:B09C06DF6B37FFD9F39765F3C2DAF15E	SHA256:57DF8D5253F5C9FE6AC94359D9943AD40B2DED400B705BAF1FFB3FE5E5AAE8C7
6272	BitComet_2.12_setup.exe	C:\Users\admin\AppData\Local\Temp\nsrEABD.tmp\System.dll		executable
		MD5:E405C971FA29E1FD177E9A821A6369EF	SHA256:42C54657B37CF6363421052C4673514860E33BD08CFACA42DF00A4437821491B
1052	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.tmp	C:\Users\admin\AppData\Local\Temp\is-N069K.tmp\WebAdvisor.png		image
		MD5:4CFFF8DC30D353CD3D215FD3A5DBAC24	SHA256:0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
1052	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.tmp	C:\Users\admin\AppData\Local\Temp\is-N069K.tmp\is-ML9EI.tmp		image
		MD5:CD3771BFEC21E8D8F1DB6588C5645515	SHA256:6DCA28F08A5198BF74C38B956963E6E4652D2649D87DF5ECF7BBE01A3C4645A7
1052	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.tmp	C:\Users\admin\AppData\Local\Temp\is-N069K.tmp\error.png		image
		MD5:D034069F2920B2CAACC6C188A25FB333	SHA256:E52C2E9AA527E9A2F88E2D5BC2BC16590AC5998E622C338E6CE8E0039CA99F06
2108	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.exe	C:\Users\admin\AppData\Local\Temp\is-QURTC.tmp\SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.tmp		executable
		MD5:B09C06DF6B37FFD9F39765F3C2DAF15E	SHA256:57DF8D5253F5C9FE6AC94359D9943AD40B2DED400B705BAF1FFB3FE5E5AAE8C7
1052	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.tmp	C:\Users\admin\AppData\Local\Temp\is-N069K.tmp\zbShieldUtils.dll		executable
		MD5:CBDBBFBBCA6093D9DC462A59CCEA2713	SHA256:8AA3ECA63350A70CA97F39867F842DDCBB153254F58C0E97FADBDB528E2CAB79
1052	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.tmp	C:\Users\admin\AppData\Local\Temp\is-N069K.tmp\prod0		compressed
		MD5:1C0964C9D7556CC5FC7D578A5EDAA5D7	SHA256:FE9727282D40EA088852575FD609FF533C25E157D1B30F5BC51A3C370F2AEC38

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.48.23.160:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	304	4.245.163.56:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
900	SIHClient.exe	GET	200	23.48.23.168:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
900	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
900	SIHClient.exe	GET	200	23.48.23.168:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
900	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	200	20.3.187.198:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
900	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	18.245.45.206:443	https://d1hboxy79wgmk4.cloudfront.net/f/BitComet/1695/BitComet_2.12_setup.exe	unknown	executable	35.3 Mb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	23.48.23.160:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
1052	SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.tmp	18.245.45.231:443	d1hboxy79wgmk4.cloudfront.net	—	US	whitelisted
6544	svchost.exe	40.126.32.136:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
google.com	216.58.206.78	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
crl.microsoft.com	23.48.23.160 23.48.23.155 23.48.23.171 23.48.23.162 23.48.23.170 23.48.23.157 23.48.23.161 23.48.23.153 23.48.23.158 23.48.23.168 23.48.23.176 23.48.23.174 23.48.23.173 23.48.23.193 23.48.23.159 23.48.23.192 23.48.23.179 23.48.23.183	whitelisted
www.microsoft.com	2.23.246.101 23.35.229.160	whitelisted
d1hboxy79wgmk4.cloudfront.net	18.245.45.231 18.245.45.10 18.245.45.206 18.245.45.110	whitelisted
login.live.com	40.126.32.136 20.190.160.128 40.126.32.140 40.126.32.68 20.190.160.5 20.190.160.64 20.190.160.14 40.126.32.134	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET ADWARE_PUP Win32/OfferCore Checkin M1
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method
—	—	A Network Trojan was detected	ET ADWARE_PUP Win32/OfferCore Checkin M2
—	—	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
—	—	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET INFO Executable served from Amazon S3
—	—	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer
3332	BitComet.exe	Misc activity	INFO [ANY.RUN] P2P BitTorrent Protocol

Process	Message
BitCometService.exe	BITCOMET_HELPER_SERVICE
BitCometService.exe	ServiceProcess lunched.

General Info

SecuriteInfo.com.Trojan.InstallCore.4099.24415.17034.exe

21C7202E3985AD7DEFE13C840AEADF79

04333D7E2BE8684472D57E34AA31FDAB09D7B288

5A9038021945615156EFCB3E0E4F1905C774659A0647E009B2A582FA05E30B20

98304:P+QqZ8fQJ1CfEW6v7SoSLerx5uO4QBAOOVm2Jah5nn+ojEOyoqcCvPrEMv0T9WQL:fydlko3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LOADER has been found (auto)

Actions looks like stealing of personal data

BITTORRENT has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

There is functionality for taking screenshot (YARA)

The process creates files with name similar to system file names

Malware-specific behavior (creating "System.dll" in Temp)

Creates/Modifies COM task schedule object

Creates or modifies Windows services

Process drops legitimate windows executable

The process executes via Task Scheduler

Reads the date of Windows installation

Adds/modifies Windows certificates

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Executes as Windows Service

Executes application which crashes

The process verifies whether the antivirus software is installed

Changes default file association

Starts CMD.EXE for commands execution

INFO

Create files in a temporary directory

Reads the computer name

Checks supported languages

Process checks computer location settings

Reads the machine GUID from the registry

Checks proxy server information

The sample compiled with english language support

Reads the software policy settings

Detects InnoSetup installer (YARA)

Compiled with Borland Delphi (YARA)

The sample compiled with chinese language support

Manual execution by a user

Creates a software uninstall entry

Creates files in the program directory

Creates files or folders in the user directory

Yandex updater related mutex has been found

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information