Malware analysis F-SecureOnlineScanner.exe Malicious activity

Add for printing

File name:	F-SecureOnlineScanner.exe
Full analysis:	https://app.any.run/tasks/3b8e8487-6372-4eea-ba8d-27cd811909bb
Verdict:	Malicious activity
Analysis date:	November 15, 2024, 22:15:31
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	3EC24E45871D15C748979B63813C465C
SHA1:	4AE08291C5C4917D90831538D9B81BA5CA84F28D
SHA256:	5EF846820D669CCC6F9410B44E70E510400ACC153C556F58BF61BBD8068C2F03
SSDEEP:	98304:ODUxeWTbH1FgWUgmqajkyroDuGfxGA/yTHzDEdqiUNEsNHFEJkHElnL4IBhbkyaF:6pRwqADM4GS9RbWu23P2RtpvDtI5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - fssos.exe (PID: 6592)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - F-SecureOnlineScanner.exe (PID: 6436)
- Executable content was dropped or overwritten
  - F-SecureOnlineScanner.exe (PID: 6436)
  - fssos_admin_helper.exe (PID: 4224)
  - online_ultralight_sdk.exe (PID: 6792)
  - ulu.exe (PID: 7040)
  - ulu.exe (PID: 4676)
- Checks Windows Trust Settings
  - F-SecureOnlineScanner.exe (PID: 6436)
- The process verifies whether the antivirus software is installed
  - install.exe (PID: 5644)
  - online_ultralight_sdk.exe (PID: 6792)
- Drops 7-zip archiver for unpacking
  - ulu.exe (PID: 4676)
  - ulu.exe (PID: 7040)
- Drops a system driver (possible attempt to evade defenses)
  - ulu.exe (PID: 4676)
  - ulu.exe (PID: 7040)
INFO
- Reads the machine GUID from the registry
  - F-SecureOnlineScanner.exe (PID: 6436)
  - fssos.exe (PID: 6592)
- Checks supported languages
  - F-SecureOnlineScanner.exe (PID: 6436)
  - fssos.exe (PID: 6592)
- Creates files or folders in the user directory
  - F-SecureOnlineScanner.exe (PID: 6436)
  - fssos.exe (PID: 6592)
  - fssos_admin_helper.exe (PID: 4224)
- Reads the computer name
  - F-SecureOnlineScanner.exe (PID: 6436)
  - fssos.exe (PID: 6592)
- Reads the software policy settings
  - F-SecureOnlineScanner.exe (PID: 6436)
  - fssos.exe (PID: 6592)
- Reads product name
  - fssos.exe (PID: 6592)
- Reads Environment values
  - fssos.exe (PID: 6592)
- Creates files in the program directory
  - fssos_admin_helper.exe (PID: 4224)
  - online_ultralight_sdk.exe (PID: 6792)
  - install.exe (PID: 5644)
  - ulu.exe (PID: 4676)
- The process uses the downloaded file
  - fssos.exe (PID: 6592)
- Create files in a temporary directory
  - online_ultralight_sdk.exe (PID: 6792)
  - ulu.exe (PID: 4676)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:04:17 09:52:08+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.39
CodeSize:	189952
InitializedDataSize:	139264
UninitializedDataSize:	-
EntryPoint:	0x176db
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	8.11.13.0
ProductVersionNumber:	8.11.13.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	F-Secure Corporation
FileDescription:	F-Secure Detection Tool
FileVersion:	8.11.13
InternalName:	fssos_launcher
LegalCopyright:	© F-Secure Corporation. All rights reserved.
LegalTrademarks:	'F-Secure' and F-logo are registered trademarks of F-Secure Corporation. F-Secure product and technology names and F-Secure logos are either trademarks or registered trademarks of F-Secure Corporation. Other product names and logos referenced herein are trademarks or registered trademarks of their respective companies.
OriginalFileName:	fssos_launcher.exe
ProductName:	F-Secure OneClient
ProductVersion:	8.11.13
Comments:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1784

"C:\Users\admin\AppData\Local\FSDART\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\fssos_admin_helper.exe"

C:\Users\admin\AppData\Local\FSDART\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\fssos_admin_helper.exe

—

fssos.exe

User:

admin

Company:

F-Secure Corporation

Integrity Level:

MEDIUM

Description:

F-Secure Detection Tool

Exit code:

3221226540

Version:

8.11.13

Modules

Images
c:\users\admin\appdata\local\fsdart\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\fssos_admin_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

3700

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

ulu.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3972

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

ulu.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4224

"C:\Users\admin\AppData\Local\FSDART\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\fssos_admin_helper.exe"

C:\Users\admin\AppData\Local\FSDART\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\fssos_admin_helper.exe

fssos.exe

User:

admin

Company:

F-Secure Corporation

Integrity Level:

HIGH

Description:

F-Secure Detection Tool

Version:

8.11.13

Modules

Images
c:\users\admin\appdata\local\fsdart\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\fssos_admin_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll

4228

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

fssos_admin_helper.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4436

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

4464

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

4676

"C:\Users\admin\AppData\Local\Temp\FS_UL_1\updates\ulu.exe" --download-only --data="C:\ProgramData\F-Secure\Ultralight\Guts2" --install="C:\Users\admin\AppData\Local\Temp\FS_UL_1\updates\ulu" --url=http://guts2.sp.f-secure.com --namespace="default"

C:\Users\admin\AppData\Local\Temp\FS_UL_1\updates\ulu.exe

online_ultralight_sdk.exe

User:

admin

Company:

WithSecure Corporation

Integrity Level:

HIGH

Description:

Ultralight Updater

Exit code:

Version:

1.3.57.32

Modules

Images
c:\users\admin\appdata\local\temp\fs_ul_1\updates\ulu.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\winhttp.dll

5196

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5644

"C:\Program Files\F-Secure\Ultralight\ulcore\1\install.exe"

C:\Program Files\F-Secure\Ultralight\ulcore\1\install.exe

—

online_ultralight_sdk.exe

User:

admin

Company:

WithSecure Corporation

Integrity Level:

HIGH

Description:

WithSecure Ultralight Daas2 installer

Exit code:

Version:

2.8.24

Modules

Images
c:\program files\f-secure\ultralight\ulcore\1\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

11 534

Read events

11 503

Write events

Delete events

Modification events


(PID) Process:	(6592) fssos.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	RemovalTool
Value: "C:\Users\admin\AppData\Local\FSDART\CC2031~1\fssos.exe" /reboot /user_consented 0
(PID) Process:	(4224) fssos_admin_helper.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\F-Secure.CCFIPCNames
Operation:	write	Name:	{75907E30-8BF3-40d4-A83D-7404DB6A9A87}
Value: 5907547652054201378
(PID) Process:	(6792) online_ultralight_sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight
Operation:	write	Name:	InstallationPackage
Value: online_ultralight_sdk_prod_rc
(PID) Process:	(6792) online_ultralight_sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight
Operation:	write	Name:	dart
Value: 1
(PID) Process:	(6792) online_ultralight_sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight\updates
Operation:	write	Name:	InstallDirectory
Value: C:\Program Files\F-Secure\Ultralight
(PID) Process:	(6792) online_ultralight_sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight\updates
Operation:	write	Name:	Guts2Url
Value: http://guts2.sp.f-secure.com
(PID) Process:	(6792) online_ultralight_sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight\updates
Operation:	write	Name:	Guts2DataDirectory
Value: C:\ProgramData\F-Secure\Ultralight\Guts2
(PID) Process:	(6792) online_ultralight_sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight\Settings\scan_box.doorman.url
Operation:	write	Name:	value
Value: https://api.prd.glb.doorman.fsapi.com/doorman/v1/tokens
(PID) Process:	(6792) online_ultralight_sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight\Settings\scan_box.doorman.id
Operation:	write	Name:	value
Value: ultralight_windows_dart_prod_20180903
(PID) Process:	(6792) online_ultralight_sdk.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\F-Secure\Ultralight\Settings\scan_box.doorman.sha1
Operation:	write	Name:	value
Value: 8cab2b8f636b4039b40e16a50f994e00d8910d96

Add for printing

Executable files

203

Suspicious files

Text files

125

Unknown types

Dropped files

PID	Process	Filename		Type
4224	fssos_admin_helper.exe	C:\Users\admin\AppData\Local\FSDART\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\removal-tool\cleanup_tool.exe		executable
		MD5:F2680DBC6D92DC0401050DA945535E0B	SHA256:6AECCADBCD8886AD3373BDA51E168203D0FD65BA76E0A65DD8340E2AFE345B3A
4224	fssos_admin_helper.exe	C:\Users\admin\AppData\Local\FSDART\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\removal-tool\quarantine_helper.exe		executable
		MD5:7EBFB11D6D531F4B7E70647CEE7EF3A2	SHA256:DC88DFCCE9D73B3F92F8381E8BA6BBA47143FE80B58D36EE3229DBEADC13697E
6792	online_ultralight_sdk.exe	C:\Program Files\F-Secure\Ultralight\ulcore\1\daas2ns64.dll		executable
		MD5:3FD8837E5E26FF212A976168C07AE427	SHA256:E1F4784F5CC7C0F58FC775BE70E98EF733A6329DF281A74D8E9F579A5C93D6C2
4224	fssos_admin_helper.exe	C:\Users\admin\AppData\Local\FSDART\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\removal-tool\scan.exe		executable
		MD5:CB9DCE410C53EA53729230BF199A7841	SHA256:385F2EC6C1DF95CC5C6C334881CE078EAEC55379A10C7A32601504577B19B17C
6792	online_ultralight_sdk.exe	C:\Program Files\F-Secure\Ultralight\ulcore\1\install.exe		executable
		MD5:7B78DB4DCE6BFF57373C70DF5C30FAC8	SHA256:E82603D565B0F40E8E1FB1F06BB1BBB9AAF60DC6F845C3072A2D15D1686E00C1
4224	fssos_admin_helper.exe	C:\Users\admin\AppData\Local\FSDART\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\removal-tool\online_ultralight_sdk.exe		executable
		MD5:F71B1264BF64749AA11686CC28D4FE2D	SHA256:B1FFC57EDB89DE80B24D616CE51CAF9FA5B3291433321DA4C12BE8F4AA3C0DF4
5644	install.exe	C:\ProgramData\F-Secure\DAAS2\acl\fsc_root.acl		binary
		MD5:F14B4B96B383F617D497A07A69ECFDD4	SHA256:CA28F5FB7B9CEE928F69DCA1836D0BD26E4DB8B8A9F00E3F3B989F4C9F462B1F
6436	F-SecureOnlineScanner.exe	C:\Users\admin\AppData\Local\FSDART\cc2031c6-843b-48d1-ad3a-2cbaf46d95dd\fssos_admin_helper.exe		executable
		MD5:A6AEF987E0F58B349FFA4EF06EB272F8	SHA256:FB96D3A88D843D541B7BA240664800FD4A31C3A9851BC82ABB74FF1C84A00C26
6792	online_ultralight_sdk.exe	C:\Program Files\F-Secure\Ultralight\ulcore\1\trust_revoke_hq.acl		binary
		MD5:C386F527DA80A64616D33593DF3CDA30	SHA256:693E68E90C20E0E0E432B779589418885E748349EF6C7FCF4F0A6FB0AF7F6A59
6792	online_ultralight_sdk.exe	C:\Program Files\F-Secure\Ultralight\ulcore\1\trust.acl		binary
		MD5:3E91C33B8EF78AF9D0B110E131E866F5	SHA256:E005DD5FD8E1FB6C1F4F689C06F0D91A56F07134E66CCFB0CD49BF464FF5BC1D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3676	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	US	binary	314 b	whitelisted
6944	svchost.exe	GET	200	23.48.23.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	1.01 Kb	whitelisted
6596	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	US	binary	471 b	whitelisted
6944	svchost.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	973 b	whitelisted
4676	ulu.exe	GET	200	23.53.42.122:80	http://guts2.sp.f-secure.com/u;t=-	DE	binary	15 b	whitelisted
4676	ulu.exe	GET	200	23.53.42.122:80	http://guts2.sp.f-secure.com/u;t=ulupdater-win64	DE	binary	87 b	whitelisted
4676	ulu.exe	GET	200	23.53.42.122:80	http://guts2.sp.f-secure.com/h;t=ulupdater-win64;v=1724832972;c=b2269704	DE	binary	1.86 Kb	whitelisted
4676	ulu.exe	GET	200	23.53.42.122:80	http://guts2.sp.f-secure.com/o;t=ulupdater-win64;v=1724832972;c=b2269704	DE	binary	113 b	whitelisted
4676	ulu.exe	GET	200	23.53.42.122:80	http://guts2.sp.f-secure.com/u;t=lynx-win64;ulupdater-win64	DE	binary	156 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1280	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6592	fssos.exe	35.71.140.36:443	api.prd.glb.doorman.f-sos.net	AMAZON-02	US	unknown
6592	fssos.exe	52.51.50.44:443	api.prd.glb.disobus.f-sos.net	AMAZON-02	IE	unknown
3676	svchost.exe	20.190.159.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4360	SearchApp.exe	2.16.110.176:443	www.bing.com	Akamai International B.V.	DE	whitelisted
3676	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	216.58.212.174	whitelisted
api.prd.glb.doorman.f-sos.net	35.71.140.36 75.2.80.129	unknown
api.prd.glb.disobus.f-sos.net	52.51.50.44 54.77.36.159	unknown
login.live.com	20.190.159.68 20.190.159.2 40.126.31.71 20.190.159.75 20.190.159.64 20.190.159.73 20.190.159.4 40.126.31.67	whitelisted
www.bing.com	2.16.110.176 2.16.110.123 2.16.110.170 2.16.110.171	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
th.bing.com	2.16.110.170 2.16.110.121 2.16.110.171	whitelisted
go.microsoft.com	23.213.170.81	whitelisted
crl.microsoft.com	23.48.23.139 23.48.23.141 23.48.23.143 23.48.23.166 23.48.23.150 23.48.23.146 23.48.23.147 23.48.23.169 23.48.23.167	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

F-SecureOnlineScanner.exe

3EC24E45871D15C748979B63813C465C

4AE08291C5C4917D90831538D9B81BA5CA84F28D

5EF846820D669CCC6F9410B44E70E510400ACC153C556F58BF61BBD8068C2F03

98304:ODUxeWTbH1FgWUgmqajkyroDuGfxGA/yTHzDEdqiUNEsNHFEJkHElnL4IBhbkyaF:6pRwqADM4GS9RbWu23P2RtpvDtI5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Checks Windows Trust Settings

The process verifies whether the antivirus software is installed

Drops 7-zip archiver for unpacking

Drops a system driver (possible attempt to evade defenses)

INFO

Reads the machine GUID from the registry

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Reads the software policy settings

Reads product name

Reads Environment values

Creates files in the program directory

The process uses the downloaded file

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings