Malware analysis https://download2447.mediafire.com/zm21nnk7aujg2JM70Ikl3C5_Na_jQ1lihcVm28yRVWJaSaEftzg0m3ps-j4bS194hYAx7iVUl1hhSiO3GsvFKIyjE0vD3Nya9WlTCginEvtHRegd5NblkC6gc3ftl8nTn8sj3xNtQNg5y94Ysrk8an6mha8o89ik0GyhDNwyOYRA6Q/2akwfxzvwowoigt/JDownloaderSetup.exe Malicious activity

Add for printing

URL:	https://download2447.mediafire.com/zm21nnk7aujg2JM70Ikl3C5_Na_jQ1lihcVm28yRVWJaSaEftzg0m3ps-j4bS194hYAx7iVUl1hhSiO3GsvFKIyjE0vD3Nya9WlTCginEvtHRegd5NblkC6gc3ftl8nTn8sj3xNtQNg5y94Ysrk8an6mha8o89ik0GyhDNwyOYRA6Q/2akwfxzvwowoigt/JDownloaderSetup.exe
Full analysis:	https://app.any.run/tasks/e5ce86a3-fc98-4cc3-8353-f8a29b0ae0a9
Verdict:	Malicious activity
Analysis date:	February 17, 2024, 18:19:51
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	covid19
Indicators:
MD5:	73E261F415A928D23806A99FFCB44434
SHA1:	5896627594D7203B952A52C217EA27F9BAFCB6B2
SHA256:	703027A0AC4F776D2379EBFE63EDF3E7F09D9D7C5FB68A724DF83B15CDBC8A5A
SSDEEP:	6:2SWo2eGddZk2jzceRzB4gMWILPkxFfbrBeJvK7EHLMnzsA:2t3eQdZkgLB4gMWILPkt4K7k8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - JDownloaderSetup.exe (PID: 1972)
  - Carrier.exe (PID: 1892)
  - avira__sptl1___lavasoft.exe (PID: 3484)
SUSPICIOUS
- The process creates files with name similar to system file names
  - JDownloaderSetup.exe (PID: 1972)
  - avira__sptl1___lavasoft.exe (PID: 3484)
- Executable content was dropped or overwritten
  - JDownloaderSetup.exe (PID: 1972)
  - Carrier.exe (PID: 1892)
  - avira__sptl1___lavasoft.exe (PID: 3484)
- Reads the Internet Settings
  - installer.exe (PID: 2960)
  - cmd.exe (PID: 840)
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
  - GenericSetup.exe (PID: 2644)
  - Carrier.exe (PID: 1892)
  - reg.exe (PID: 3936)
  - reg.exe (PID: 3344)
  - reg.exe (PID: 2292)
  - reg.exe (PID: 2064)
- Reads security settings of Internet Explorer
  - GenericSetup.exe (PID: 2644)
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
  - installer.exe (PID: 2960)
- Searches for installed software
  - GenericSetup.exe (PID: 2644)
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
- Checks Windows Trust Settings
  - GenericSetup.exe (PID: 2644)
- Starts CMD.EXE for commands execution
  - GenericSetup.exe (PID: 2644)
- Reads settings of System Certificates
  - GenericSetup.exe (PID: 2644)
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
- Adds/modifies Windows certificates
  - GenericSetup.exe (PID: 2644)
- The executable file from the user directory is run by the CMD process
  - Carrier.exe (PID: 1892)
  - avira__sptl1___lavasoft.exe (PID: 3484)
- Reads the Windows owner or organization settings
  - GenericSetup.exe (PID: 2644)
- Process drops legitimate windows executable
  - Carrier.exe (PID: 1892)
- The process drops C-runtime libraries
  - Carrier.exe (PID: 1892)
- Process requests binary or script from the Internet
  - Carrier.exe (PID: 1892)
INFO
- Drops the executable file immediately after the start
  - iexplore.exe (PID: 3952)
- Application launched itself
  - iexplore.exe (PID: 3864)
- Executable content was dropped or overwritten
  - iexplore.exe (PID: 3952)
- Modifies the phishing filter of IE
  - iexplore.exe (PID: 3864)
- Checks supported languages
  - JDownloaderSetup.exe (PID: 1972)
  - installer.exe (PID: 2960)
  - GenericSetup.exe (PID: 2644)
  - Carrier.exe (PID: 1892)
  - unpack200.exe (PID: 1608)
  - unpack200.exe (PID: 1840)
  - unpack200.exe (PID: 3036)
  - unpack200.exe (PID: 2808)
  - unpack200.exe (PID: 124)
  - unpack200.exe (PID: 920)
  - unpack200.exe (PID: 3900)
  - unpack200.exe (PID: 1652)
  - unpack200.exe (PID: 2828)
  - unpack200.exe (PID: 948)
  - unpack200.exe (PID: 3232)
  - unpack200.exe (PID: 3292)
  - avira__sptl1___lavasoft.exe (PID: 3484)
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
  - unpack200.exe (PID: 2032)
  - unpack200.exe (PID: 2104)
  - unpack200.exe (PID: 3436)
  - unpack200.exe (PID: 3572)
  - unpack200.exe (PID: 3756)
  - unpack200.exe (PID: 3360)
  - java.exe (PID: 3388)
  - unpack200.exe (PID: 3428)
  - unpack200.exe (PID: 864)
  - unpack200.exe (PID: 3672)
  - javaw.exe (PID: 2908)
- Create files in a temporary directory
  - JDownloaderSetup.exe (PID: 1972)
  - GenericSetup.exe (PID: 2644)
  - Carrier.exe (PID: 1892)
  - unpack200.exe (PID: 3036)
  - unpack200.exe (PID: 1608)
  - unpack200.exe (PID: 2808)
  - unpack200.exe (PID: 124)
  - unpack200.exe (PID: 1840)
  - unpack200.exe (PID: 3292)
  - unpack200.exe (PID: 3232)
  - unpack200.exe (PID: 3900)
  - unpack200.exe (PID: 2828)
  - unpack200.exe (PID: 1652)
  - unpack200.exe (PID: 920)
  - unpack200.exe (PID: 948)
  - avira__sptl1___lavasoft.exe (PID: 3484)
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
  - unpack200.exe (PID: 2104)
  - unpack200.exe (PID: 2032)
  - unpack200.exe (PID: 3436)
  - unpack200.exe (PID: 3572)
  - installer.exe (PID: 2960)
  - unpack200.exe (PID: 3756)
  - unpack200.exe (PID: 3360)
  - java.exe (PID: 3388)
  - unpack200.exe (PID: 3672)
  - unpack200.exe (PID: 3428)
  - unpack200.exe (PID: 864)
  - javaw.exe (PID: 2908)
- The process uses the downloaded file
  - iexplore.exe (PID: 3864)
- Reads the computer name
  - installer.exe (PID: 2960)
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
  - GenericSetup.exe (PID: 2644)
  - Carrier.exe (PID: 1892)
- Reads the machine GUID from the registry
  - installer.exe (PID: 2960)
  - GenericSetup.exe (PID: 2644)
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
  - Carrier.exe (PID: 1892)
- Reads the software policy settings
  - GenericSetup.exe (PID: 2644)
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
- Reads Environment values
  - GenericSetup.exe (PID: 2644)
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
- Reads product name
  - GenericSetup.exe (PID: 2644)
- Creates files in the program directory
  - Avira.Spotlight.Bootstrapper.exe (PID: 548)
  - java.exe (PID: 3388)
  - Carrier.exe (PID: 1892)
- Creates files or folders in the user directory
  - javaw.exe (PID: 2908)
  - Carrier.exe (PID: 1892)
- Checks proxy server information
  - reg.exe (PID: 3344)
  - reg.exe (PID: 3936)
  - reg.exe (PID: 2292)
  - reg.exe (PID: 2064)
- Drops a (possible) Coronavirus decoy
  - Carrier.exe (PID: 1892)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

113

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

124

-r "jre\lib\jsse.jar.pack" "jre\lib\jsse.jar"

C:\Users\admin\AppData\Local\Temp\e4j3E76.tmp_dir1708194085\jre\bin\unpack200.exe

—

Carrier.exe

User:

admin

Company:

Oracle Corporation

Integrity Level:

HIGH

Description:

Java(TM) Platform SE binary

Exit code:

Version:

8.0.1620.12

Modules

Images
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\unpack200.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\msvcr100.dll

548

"C:\Users\admin\AppData\Local\Temp\.CR.6493\Avira.Spotlight.Bootstrapper.exe" "C:\Users\admin\AppData\Local\Temp\.CR.6493\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=avira__sptl1___lavasoft.exe Silent=true AcceptEula=true LaunchUi=true

C:\Users\admin\AppData\Local\Temp\.CR.6493\Avira.Spotlight.Bootstrapper.exe

avira__sptl1___lavasoft.exe

User:

admin

Company:

Avira Operations GmbH

Integrity Level:

HIGH

Description:

Avira Security

Exit code:

Version:

1.0.47.529

Modules

Images
c:\users\admin\appdata\local\temp\.cr.6493\avira.spotlight.bootstrapper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

840

"C:\Windows\system32\cmd.exe" /C ""anyPDF-h20-5.msi" /quiet"

C:\Windows\System32\cmd.exe

—

GenericSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

1620

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

864

-r "C:\Users\admin\AppData\Local\Temp\e4j3E76.tmp_dir1708194085\user\JDownloader.jar.pack" "C:\Users\admin\AppData\Local\Temp\e4j3E76.tmp_dir1708194085\user\JDownloader.jar"

C:\Users\admin\AppData\Local\Temp\e4j3E76.tmp_dir1708194085\jre\bin\unpack200.exe

—

Carrier.exe

User:

admin

Company:

Oracle Corporation

Integrity Level:

HIGH

Description:

Java(TM) Platform SE binary

Exit code:

Version:

8.0.1620.12

Modules

Images
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\unpack200.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\msvcr100.dll

920

-r "jre\lib\management-agent.jar.pack" "jre\lib\management-agent.jar"

C:\Users\admin\AppData\Local\Temp\e4j3E76.tmp_dir1708194085\jre\bin\unpack200.exe

—

Carrier.exe

User:

admin

Company:

Oracle Corporation

Integrity Level:

HIGH

Description:

Java(TM) Platform SE binary

Exit code:

Version:

8.0.1620.12

Modules

Images
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\unpack200.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\msvcr100.dll

948

-r "jre\lib\plugin.jar.pack" "jre\lib\plugin.jar"

C:\Users\admin\AppData\Local\Temp\e4j3E76.tmp_dir1708194085\jre\bin\unpack200.exe

—

Carrier.exe

User:

admin

Company:

Oracle Corporation

Integrity Level:

HIGH

Description:

Java(TM) Platform SE binary

Exit code:

Version:

8.0.1620.12

Modules

Images
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\unpack200.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\msvcr100.dll

1608

-r "jre\lib\charsets.jar.pack" "jre\lib\charsets.jar"

C:\Users\admin\AppData\Local\Temp\e4j3E76.tmp_dir1708194085\jre\bin\unpack200.exe

—

Carrier.exe

User:

admin

Company:

Oracle Corporation

Integrity Level:

HIGH

Description:

Java(TM) Platform SE binary

Exit code:

Version:

8.0.1620.12

Modules

Images
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\unpack200.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\msvcr100.dll

1652

-r "jre\lib\ext\cldrdata.jar.pack" "jre\lib\ext\cldrdata.jar"

C:\Users\admin\AppData\Local\Temp\e4j3E76.tmp_dir1708194085\jre\bin\unpack200.exe

—

Carrier.exe

User:

admin

Company:

Oracle Corporation

Integrity Level:

HIGH

Description:

Java(TM) Platform SE binary

Exit code:

Version:

8.0.1620.12

Modules

Images
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\unpack200.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\msvcr100.dll

1840

-r "jre\lib\jfr.jar.pack" "jre\lib\jfr.jar"

C:\Users\admin\AppData\Local\Temp\e4j3E76.tmp_dir1708194085\jre\bin\unpack200.exe

—

Carrier.exe

User:

admin

Company:

Oracle Corporation

Integrity Level:

HIGH

Description:

Java(TM) Platform SE binary

Exit code:

Version:

8.0.1620.12

Modules

Images
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\unpack200.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\e4j3e76.tmp_dir1708194085\jre\bin\msvcr100.dll

1892

"C:\Users\admin\AppData\Local\Temp\7zS4B7E6C98\Carrier.exe" "-Dregistry=true" -DinstallationDir="C:\Users\admin\AppData\Local\JDownloader 2.0" -q "-Dfilelinks=dlc,jdc,ccf,rsdf" "-Ddesktoplink=true" "-Dquicklaunch=false"

C:\Users\admin\AppData\Local\Temp\7zS4B7E6C98\Carrier.exe

cmd.exe

User:

admin

Company:

AppWork GmbH

Integrity Level:

HIGH

Description:

JDownloader

Exit code:

Version:

2.0

Modules

Images
c:\users\admin\appdata\local\temp\7zs4b7e6c98\carrier.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

264 133

Read events

204 579

Write events

59 506

Delete events

Modification events


(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPDaysSinceLastAutoMigration
Value: 1
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchLowDateTime
Value:
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	NTPLastLaunchHighDateTime
Value: 31089101
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateLowDateTime
Value:
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:	write	Name:	NextCheckForUpdateHighDateTime
Value: 31089101
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

Add for printing

Executable files

544

Suspicious files

2 041

Text files

387

Unknown types

Dropped files

PID	Process	Filename		Type
3952	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\JDownloaderSetup.exe.uednp5o.partial		—
		MD5:—	SHA256:—
3864	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\JDownloaderSetup.exe		—
		MD5:—	SHA256:—
3864	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\JDownloaderSetup.exe.uednp5o.partial:Zone.Identifier		text
		MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B	SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
3952	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		binary
		MD5:DBF565618B82F979C417E8B582DBA856	SHA256:2D96D4B6E5BA12FAC19B790132D069F49716A5D228E995AF4054F02123ED50E6
3952	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B		binary
		MD5:B8AFEC44772040692071A1A9DD0320F7	SHA256:8D73CDE76EABF51FF9199F0FE9EDD8B92B7D9A8D1B0526AEA9238BA7223B4ED2
1972	JDownloaderSetup.exe	C:\Users\admin\AppData\Local\Temp\7zS4B7E6C98\BundleConfig.json		binary
		MD5:F7FAD34FF06230D2A6613786C10C6290	SHA256:85B76ED9D5A824587DED19DDECD82FB3595AC3B935E53D8BE777192B65D129A3
3864	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		binary
		MD5:A2D26ECD425E801E13609DE524E4CDA2	SHA256:EA59863F24DFCD52B6412A4FF61997438B212DB6BE807AEC7EF818B4B9E2E9EE
3952	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\JDownloaderSetup[1].exe		executable
		MD5:BFA028BBFB6CDCF3240BC2BF14FDF1BE	SHA256:D78417B5E36A69B3670BC2AD9EFDE1247475AF1CDAB4338C411C8D603F90E549
3864	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		binary
		MD5:E4877DBE9F7E0ED1752F023913F0A3B6	SHA256:23F3F01C529C28C066F42CA9D99EA015FA981E5DAB96DBA004B34E3DAB4CA2EF
3952	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B		binary
		MD5:C3D3DAC113DF3B4072E4935C159F7E2C	SHA256:8B720BABEC7332A69A4ED320AAE2CD6D0D9D3DE078BE33DA771E3B2E678AD438

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3952	iexplore.exe	GET	304	173.222.108.243:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?545e1839169dd0e6	unknown	—	—	unknown
3952	iexplore.exe	GET	304	173.222.108.243:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f78d505714a595e3	unknown	—	—	unknown
3952	iexplore.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCED%2B0KeRQ8NP60VP53TIby3A%3D	unknown	binary	471 b	unknown
3952	iexplore.exe	GET	200	104.18.38.233:80	http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D	unknown	binary	2.18 Kb	unknown
3864	iexplore.exe	GET	304	2.19.198.41:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?18014fff35250a83	unknown	—	—	unknown
3864	iexplore.exe	GET	304	2.19.198.41:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?76ad697231f9b13b	unknown	—	—	unknown
1080	svchost.exe	GET	200	2.19.198.41:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3e412f7b4eff0943	unknown	compressed	65.2 Kb	unknown
3864	iexplore.exe	GET	304	2.19.198.41:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9aee5c2adfb08fdb	unknown	—	—	unknown
3864	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
1080	svchost.exe	GET	304	2.19.198.41:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e2ddf83a2417bb20	unknown	compressed	65.2 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3952	iexplore.exe	199.91.155.188:443	download2447.mediafire.com	MEDIAFIRE	US	unknown
3952	iexplore.exe	173.222.108.243:80	ctldl.windowsupdate.com	Akamai International B.V.	CH	unknown
3952	iexplore.exe	104.18.38.233:80	ocsp.usertrust.com	CLOUDFLARENET	—	shared
3952	iexplore.exe	172.64.149.23:80	ocsp.usertrust.com	CLOUDFLARENET	US	unknown
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3864	iexplore.exe	152.199.19.161:443	iecvlist.microsoft.com	EDGECAST	US	whitelisted
1080	svchost.exe	2.19.198.41:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown
3864	iexplore.exe	2.19.198.41:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
download2447.mediafire.com	199.91.155.188	unknown
ctldl.windowsupdate.com	173.222.108.243 173.222.108.227 173.222.108.219 173.222.108.179 2.19.198.41 2.19.198.65 23.32.238.155 23.32.238.113 23.32.238.161 23.32.238.129 23.32.238.120 23.32.238.114 2.19.198.75	whitelisted
ocsp.usertrust.com	104.18.38.233 172.64.149.23	whitelisted
ocsp.sectigo.com	172.64.149.23 104.18.38.233	whitelisted
iecvlist.microsoft.com	152.199.19.161	whitelisted
r20swj13mr.microsoft.com	152.199.19.161	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
flow.lavasoft.com	104.17.8.52 104.17.9.52	whitelisted
sos.adaware.com	104.18.67.73 104.18.68.73	whitelisted
ieonline.microsoft.com	204.79.197.200	whitelisted

Threats

PID	Process	Class	Message
1080	svchost.exe	Potentially Bad Traffic	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)
2960	installer.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP Lavasoft PUA/Adware Client Install

12 ETPRO signatures available at the full report

Add for printing

Process	Message
GenericSetup.exe	Error: File not found - h2osciter:console.tis
GenericSetup.exe	at sciter:init-script.tis
GenericSetup.exe
GenericSetup.exe
GenericSetup.exe	file:resources/tis/TranslateOfferTemplate.tis(82) : warning :'async' does not contain any 'await'
GenericSetup.exe	Error: File not found - h2osciter:console.tis
GenericSetup.exe	at sciter:init-script.tis
GenericSetup.exe
GenericSetup.exe
GenericSetup.exe	file:resources/tis/TranslateOfferTemplate.tis(82) : warning :'async' does not contain any 'await'

General Info

https://download2447.mediafire.com/zm21nnk7aujg2JM70Ikl3C5_Na_jQ1lihcVm28yRVWJaSaEftzg0m3ps-j4bS194hYAx7iVUl1hhSiO3GsvFKIyjE0vD3Nya9WlTCginEvtHRegd5NblkC6gc3ftl8nTn8sj3xNtQNg5y94Ysrk8an6mha8o89ik0GyhDNwyOYRA6Q/2akwfxzvwowoigt/JDownloaderSetup.exe

73E261F415A928D23806A99FFCB44434

5896627594D7203B952A52C217EA27F9BAFCB6B2

703027A0AC4F776D2379EBFE63EDF3E7F09D9D7C5FB68A724DF83B15CDBC8A5A

6:2SWo2eGddZk2jzceRzB4gMWILPkxFfbrBeJvK7EHLMnzsA:2t3eQdZkgLB4gMWILPkt4K7k8

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Reads the Internet Settings

Reads security settings of Internet Explorer

Searches for installed software

Checks Windows Trust Settings

Starts CMD.EXE for commands execution

Reads settings of System Certificates

Adds/modifies Windows certificates

The executable file from the user directory is run by the CMD process

Reads the Windows owner or organization settings

Process drops legitimate windows executable

The process drops C-runtime libraries

Process requests binary or script from the Internet

INFO

Drops the executable file immediately after the start

Application launched itself

Executable content was dropped or overwritten

Modifies the phishing filter of IE

Checks supported languages

Create files in a temporary directory

The process uses the downloaded file

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Reads Environment values

Reads product name

Creates files in the program directory

Creates files or folders in the user directory

Checks proxy server information

Drops a (possible) Coronavirus decoy

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats