Malware analysis SecuriteInfo.com.Trojan.Inject5.6971.18861.4102 Malicious activity

Add for printing

File name:	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102
Full analysis:	https://app.any.run/tasks/0e7e1537-28c8-40c7-8648-32bd6b587f76
Verdict:	Malicious activity
Analysis date:	August 11, 2024, 14:19:49
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	DC849F6C2BC4C70D7D9B6710179BB689
SHA1:	DA66C75FCC16BAF4D3B5EAD360E4371E7481AC2C
SHA256:	90F033F2FFAE0AD8A43CEFB0E273ED33B54497BA65C19E0173E4CC7E6DEC1757
SSDEEP:	98304:imzr1kid/fC7dvIu1UYzQ0Q6d/4xsutJV7lVnk4eNa0DoUXkmCdcqWLb1klQmMcj:nbkUNWS0C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Drops the executable file immediately after the start
  - SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe (PID: 6480)
  - itubego_v8.0.0_x64.exe (PID: 3372)
  - itubego_v8.0.0_x64.tmp (PID: 4604)
- Reads the Windows owner or organization settings
  - itubego_v8.0.0_x64.tmp (PID: 4604)
- Executable content was dropped or overwritten
  - itubego_v8.0.0_x64.tmp (PID: 4604)
  - itubego_v8.0.0_x64.exe (PID: 3372)
- Reads security settings of Internet Explorer
  - itubego_v8.0.0_x64.tmp (PID: 4604)
- Reads the date of Windows installation
  - itubego_v8.0.0_x64.tmp (PID: 4604)
- Starts CMD.EXE for commands execution
  - itubego_v8.0.0_x64.tmp (PID: 4604)
- Get information on the list of running processes
  - itubego_v8.0.0_x64.tmp (PID: 4604)
  - cmd.exe (PID: 4292)
- Drops 7-zip archiver for unpacking
  - itubego_v8.0.0_x64.tmp (PID: 4604)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 4292)
- Process drops legitimate windows executable
  - itubego_v8.0.0_x64.tmp (PID: 4604)
- The process drops C-runtime libraries
  - itubego_v8.0.0_x64.tmp (PID: 4604)
INFO
- Checks proxy server information
  - SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe (PID: 6480)
  - itubegow.exe (PID: 5328)
- Checks supported languages
  - SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe (PID: 6480)
  - itubego_v8.0.0_x64.tmp (PID: 4604)
  - itubegow.exe (PID: 5328)
  - itubego_v8.0.0_x64.exe (PID: 3372)
- Reads the computer name
  - SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe (PID: 6480)
  - itubego_v8.0.0_x64.tmp (PID: 4604)
  - itubegow.exe (PID: 5328)
- Create files in a temporary directory
  - itubego_v8.0.0_x64.tmp (PID: 4604)
  - itubego_v8.0.0_x64.exe (PID: 3372)
  - itubegow.exe (PID: 5328)
  - SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe (PID: 6480)
- Reads the machine GUID from the registry
  - SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe (PID: 6480)
  - itubegow.exe (PID: 5328)
- Process checks computer location settings
  - itubego_v8.0.0_x64.tmp (PID: 4604)
- Creates files in the program directory
  - itubego_v8.0.0_x64.tmp (PID: 4604)
  - itubegow.exe (PID: 5328)
  - SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe (PID: 6480)
- Creates a software uninstall entry
  - itubego_v8.0.0_x64.tmp (PID: 4604)
- Creates files or folders in the user directory
  - itubegow.exe (PID: 5328)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (18)
.exe	\|	Win32 Executable (generic) (2.9)
.exe	\|	Generic Win/DOS Executable (1.3)
.exe	\|	DOS Executable Generic (1.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:17 07:29:03+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	2227200
InitializedDataSize:	1053696
UninitializedDataSize:	-
EntryPoint:	0x1dc0e3
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	24.7.12.1
ProductVersionNumber:	4.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
FileDescription:	iTubeGo
FileVersion:	24.7.12.1
LegalCopyright:	Copyright (c) 2024 iTubeGo Studio. All rights reserved.
ProductName:	iTubeGo
ProductVersion:	4.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

139

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3372

"C:\Users\admin\AppData\Local\Temp\\tmp123_downloader\download\itubego_v8.0.0_x64.exe" /verysilent /wait_run /DIR="C:\Program Files\iTubeGo" /LANG=english

C:\Users\admin\AppData\Local\Temp\tmp123_downloader\download\itubego_v8.0.0_x64.exe

SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe

User:

admin

Company:

LuckyDog Software, Inc.

Integrity Level:

HIGH

Description:

iTubeGo Setup

Exit code:

Version:

Modules

Images
c:\users\admin\appdata\local\temp\tmp123_downloader\download\itubego_v8.0.0_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

4292

"C:\WINDOWS\system32\cmd.exe" /c tasklist | findstr "itubegow.exe" > "C:\Users\admin\AppData\Local\Temp\findProcessRes.txt"

C:\Windows\SysWOW64\cmd.exe

—

itubego_v8.0.0_x64.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

4604

"C:\Users\admin\AppData\Local\Temp\is-MA11I.tmp\itubego_v8.0.0_x64.tmp" /SL5="$B0040,131159345,784384,C:\Users\admin\AppData\Local\Temp\tmp123_downloader\download\itubego_v8.0.0_x64.exe" /verysilent /wait_run /DIR="C:\Program Files\iTubeGo" /LANG=english

C:\Users\admin\AppData\Local\Temp\is-MA11I.tmp\itubego_v8.0.0_x64.tmp

itubego_v8.0.0_x64.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-ma11i.tmp\itubego_v8.0.0_x64.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll

5300

findstr "itubegow.exe"

C:\Windows\SysWOW64\findstr.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (QGREP) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

5328

"C:\Program Files\iTubeGo\itubegow.exe"

C:\Program Files\iTubeGo\itubegow.exe

SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe

User:

admin

Integrity Level:

HIGH

Description:

iTubeGo

Version:

8.0.0.0

Modules

Images
c:\program files\itubego\itubegow.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6260

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6432

"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe"

C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

iTubeGo

Exit code:

3221226540

Version:

24.7.12.1

Modules

Images
c:\users\admin\appdata\local\temp\securiteinfo.com.trojan.inject5.6971.18861.4102.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6480

"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe"

C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

iTubeGo

Exit code:

Version:

24.7.12.1

Modules

Images
c:\users\admin\appdata\local\temp\securiteinfo.com.trojan.inject5.6971.18861.4102.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

7048

tasklist

C:\Windows\SysWOW64\tasklist.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Lists the current running tasks

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

4 938

Read events

4 833

Write events

Delete events

Modification events


(PID) Process:	(4604) itubego_v8.0.0_x64.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: FC11000066DB48B9F9EBDA01
(PID) Process:	(4604) itubego_v8.0.0_x64.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 8BB94CE61808C1EEBDE8A336B4D52DEFF9912F5F4B54E943535FB4D357F95291
(PID) Process:	(4604) itubego_v8.0.0_x64.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(4604) itubego_v8.0.0_x64.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4604) itubego_v8.0.0_x64.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4604) itubego_v8.0.0_x64.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4604) itubego_v8.0.0_x64.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4604) itubego_v8.0.0_x64.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	RegFiles0000
Value: C:\Program Files\iTubeGo\7z.dll
(PID) Process:	(4604) itubego_v8.0.0_x64.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	RegFilesHash
Value: CAE62251925267A56CF14B2C0FA998BA0B49A33612ABC2256604F773A247FA22
(PID) Process:	(4604) itubego_v8.0.0_x64.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\iTubeGo\iTubeGo
Operation:	write	Name:	language
Value: 0

Add for printing

Executable files

232

Suspicious files

220

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	C:\Users\admin\AppData\Local\Temp\tmp123_downloader\Cache\e501f\language\de.ini		text
		MD5:C82316492E4DCB98651DCDE4DED5C33C	SHA256:EE089A6439F29B60F7EE5AA68B43CAF83CF482066F9879FF23ED902647DCA6F5
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	C:\Users\admin\AppData\Local\Temp\tmp123_downloader\Cache\e501f\language\en.ini		text
		MD5:761DCB59FD2BDC0796911ED7E995D4D4	SHA256:F5E520096EC75AA7017C9B2753C64EB7BF27D6B3CE3AE841C811DB5BFB966516
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	C:\Users\admin\AppData\Local\Temp\tmp123_downloader\Cache\e501f\language\ru.ini		text
		MD5:B17A5C76A6C4FD0BE68126F105A116D2	SHA256:D502131E499167D06D844ACA7D32A38D8BED42AF044650EB0B1D7B6907546345
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	C:\Users\admin\AppData\Local\Temp\tmp123_downloader\Cache\e501f\skin\btn\btn_cancel_hover.png		image
		MD5:C55EA4EE9B20218BEEBE666DCFAF0AAD	SHA256:85B3E131D81AC8D51BC546FD02888929035C2AA7DDF22FF63CCFF46285B2134D
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	C:\Users\admin\AppData\Local\Temp\tmp123_downloader\Cache\e501f\language\fr.ini		text
		MD5:1F822119AE1F972D5F5A83EE42AC3EBD	SHA256:9CD60D4F4C6A7A0039BE04029FBCD691D125939E1A573374F58AEEEE15F6F9BE
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	C:\Users\admin\AppData\Local\Temp\tmp123_downloader\Cache\e501f\language\jp.ini		text
		MD5:8A0268FB8064CA25D190E208459E4DDB	SHA256:68C96F9B6B5CAABE2C5E9A88EEEF19D3A09379CA6F77447FD0CFB9CC0A73DE96
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	C:\Users\admin\AppData\Local\Temp\tmp123_downloader\Cache\e501f\skin\btn\btn_cancel_normal.png		image
		MD5:B4AB74E009BB0656C50C95691714A779	SHA256:73BD8210AD43110774A573EEAAA752C8801C30C344B2306A368052272DB48539
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	C:\Users\admin\AppData\Local\Temp\tmp123_downloader\Cache\e501f\language\es.ini		text
		MD5:1DAE06D903FDC18A802D623935B1C0CD	SHA256:96D22E1E501B70B963281B4918897BB68FB42368EB32627B84A47FBCB915BA78
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	C:\Users\admin\AppData\Local\Temp\tmp123_downloader\Cache\e501f\language\hi.ini		text
		MD5:1753471314BBE3D428D8038B7BC9D66A	SHA256:E46C2BD9D71A73B9FB765B856DB81FD12BC72F95ED738FBFBC13110CC08B8185
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	C:\Users\admin\AppData\Local\Temp\tmp123_downloader\Cache\e501f\skin\btn\btn_cancel_press.png		image
		MD5:19A43C8071F0D8912B7AE5732D1D6B45	SHA256:588C81B4D8FB041F96181D647567D07742E21611849C8FF8BC010628790BE1E3

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6776	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2608	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6824	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4100	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3188	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	142.250.185.174:443	www.google-analytics.com	GOOGLE	US	whitelisted
6480	SecuriteInfo.com.Trojan.Inject5.6971.18861.4102.exe	104.21.234.151:443	download.itubego.com	CLOUDFLARENET	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4100	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	104.126.37.145:443	www.bing.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.186.46	whitelisted
download.itubego.com	104.21.234.151 104.21.234.150	unknown
www.google-analytics.com	142.250.185.174 142.250.185.206	whitelisted
www.bing.com	104.126.37.145 104.126.37.139 104.126.37.123 104.126.37.128 104.126.37.160 104.126.37.153 104.126.37.130 104.126.37.144 104.126.37.154	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.160.17 40.126.32.72 20.190.160.14 40.126.32.140 40.126.32.138 20.190.160.22 40.126.32.134 20.190.160.20	whitelisted
client.wns.windows.com	40.113.110.67 40.115.3.253	whitelisted
th.bing.com	104.126.37.177 104.126.37.186 104.126.37.146 104.126.37.163 104.126.37.145 104.126.37.179 104.126.37.153 104.126.37.171 104.126.37.170	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted

Threats

No threats detected

Add for printing

Process	Message
itubegow.exe	C:/Users/admin/AppData/Local/iTubeGo/Log\AppLog.log

General Info

SecuriteInfo.com.Trojan.Inject5.6971.18861.4102

DC849F6C2BC4C70D7D9B6710179BB689

DA66C75FCC16BAF4D3B5EAD360E4371E7481AC2C

90F033F2FFAE0AD8A43CEFB0E273ED33B54497BA65C19E0173E4CC7E6DEC1757

98304:imzr1kid/fC7dvIu1UYzQ0Q6d/4xsutJV7lVnk4eNa0DoUXkmCdcqWLb1klQmMcj:nbkUNWS0C

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Drops the executable file immediately after the start

Reads the Windows owner or organization settings

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Get information on the list of running processes

Drops 7-zip archiver for unpacking

Using 'findstr.exe' to search for text patterns in files and output

Process drops legitimate windows executable

The process drops C-runtime libraries

INFO

Checks proxy server information

Checks supported languages

Reads the computer name

Create files in a temporary directory

Reads the machine GUID from the registry

Process checks computer location settings

Creates files in the program directory

Creates a software uninstall entry

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings