Malware analysis MDE_File_Sample_5a3d778b829c0682d468b6c7d73891d0e5fae6fa (1).zip Malicious activity

Add for printing

File name:	MDE_File_Sample_5a3d778b829c0682d468b6c7d73891d0e5fae6fa (1).zip
Full analysis:	https://app.any.run/tasks/c930ba4b-f385-41cd-bec0-84fc8105d677
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 03, 2023, 07:09:40
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	DCD61691690A105D430EF4101772F798
SHA1:	545A1A5607FFB7C35D9BF173F4D45BCF68389775
SHA256:	930545276557C83D2206285F50ECC5AE811C18B6F1DC3F9A923296CD3AD88889
SSDEEP:	24576:cJke1aENUJKidCDJhVpbrYmukc1CgQ+EAKjKDQ67c7y:c6C5LDJ4Ix+EAKjcQ674y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (5.74)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (86.0.4240.198)
Google Chrome (86.0.4240.198)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 83.0 (x86 en-US) (83.0)
Mozilla Firefox 83.0 (x86 en-US) (83.0)
Mozilla Maintenance Service (83.0.0.7621)
Mozilla Maintenance Service (83.0.0.7621)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
Opera 12.15 (12.15.1748)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Skype version 8.29 (8.29)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - btweb_installer.exe (PID: 3548)
  - btweb_installer.exe (PID: 2400)
  - saBSI.exe (PID: 1540)
  - cookie_mmm_irs_ppi_902_451_o.exe (PID: 2316)
  - btweb.exe (PID: 2416)
  - avg_antivirus_free_setup.exe (PID: 2440)
  - Instup.exe (PID: 3532)
  - instup.exe (PID: 876)
  - sbr.exe (PID: 1748)
- Loads dropped or rewritten executable
  - btweb_install_rr.exe (PID: 2780)
SUSPICIOUS
- Executable content was dropped or overwritten
  - btweb_installer.exe (PID: 3548)
  - btweb_installer.exe (PID: 2400)
  - btweb_installer.tmp (PID: 2664)
  - btweb_install_rr.exe (PID: 2780)
  - cookie_mmm_irs_ppi_902_451_o.exe (PID: 2316)
  - btweb.exe (PID: 2416)
  - avg_antivirus_free_setup.exe (PID: 2440)
  - Instup.exe (PID: 3532)
- Reads the Windows owner or organization settings
  - btweb_installer.tmp (PID: 2664)
- Reads settings of System Certificates
  - btweb_installer.tmp (PID: 2664)
  - saBSI.exe (PID: 1540)
  - avg_antivirus_free_setup.exe (PID: 2440)
  - btweb.exe (PID: 2416)
  - Instup.exe (PID: 3532)
  - instup.exe (PID: 876)
- Reads the Internet Settings
  - btweb_installer.tmp (PID: 2664)
  - btweb_install_rr.exe (PID: 2780)
  - saBSI.exe (PID: 1540)
  - btweb.exe (PID: 2416)
  - Instup.exe (PID: 3532)
  - instup.exe (PID: 876)
- The process creates files with name similar to system file names
  - btweb_install_rr.exe (PID: 2780)
- Process requests binary or script from the Internet
  - cookie_mmm_irs_ppi_902_451_o.exe (PID: 2316)
- Adds/modifies Windows certificates
  - btweb_installer.tmp (PID: 2664)
  - cookie_mmm_irs_ppi_902_451_o.exe (PID: 2316)
- Reads security settings of Internet Explorer
  - saBSI.exe (PID: 1540)
  - btweb.exe (PID: 2416)
- Checks Windows Trust Settings
  - saBSI.exe (PID: 1540)
  - btweb.exe (PID: 2416)
- Starts itself from another location
  - Instup.exe (PID: 3532)
- The process checks presence of the antivirus software
  - instup.exe (PID: 876)
INFO
- Checks supported languages
  - btweb_installer.exe (PID: 3548)
  - btweb_installer.tmp (PID: 3736)
  - btweb_installer.exe (PID: 2400)
  - btweb_installer.tmp (PID: 2664)
  - btweb_install_rr.exe (PID: 2780)
  - saBSI.exe (PID: 1540)
  - cookie_mmm_irs_ppi_902_451_o.exe (PID: 2316)
  - btweb.exe (PID: 2416)
  - avg_antivirus_free_setup.exe (PID: 2440)
  - Instup.exe (PID: 3532)
  - wmpnscfg.exe (PID: 1624)
  - instup.exe (PID: 876)
  - sbr.exe (PID: 1748)
- Create files in a temporary directory
  - btweb_installer.exe (PID: 3548)
  - btweb_installer.tmp (PID: 2664)
  - btweb_installer.exe (PID: 2400)
  - btweb_install_rr.exe (PID: 2780)
  - iexplore.exe (PID: 3648)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2680)
- The process checks LSA protection
  - btweb_installer.tmp (PID: 3736)
  - btweb_installer.tmp (PID: 2664)
  - btweb_install_rr.exe (PID: 2780)
  - saBSI.exe (PID: 1540)
  - cookie_mmm_irs_ppi_902_451_o.exe (PID: 2316)
  - btweb.exe (PID: 2416)
  - avg_antivirus_free_setup.exe (PID: 2440)
  - Instup.exe (PID: 3532)
  - wmpnscfg.exe (PID: 1624)
  - instup.exe (PID: 876)
- Application was dropped or rewritten from another process
  - btweb_installer.tmp (PID: 3736)
  - btweb_installer.tmp (PID: 2664)
  - btweb_install_rr.exe (PID: 2780)
- Reads the computer name
  - btweb_installer.tmp (PID: 3736)
  - btweb_installer.tmp (PID: 2664)
  - btweb_install_rr.exe (PID: 2780)
  - saBSI.exe (PID: 1540)
  - cookie_mmm_irs_ppi_902_451_o.exe (PID: 2316)
  - btweb.exe (PID: 2416)
  - avg_antivirus_free_setup.exe (PID: 2440)
  - Instup.exe (PID: 3532)
  - instup.exe (PID: 876)
  - wmpnscfg.exe (PID: 1624)
- Creates files or folders in the user directory
  - btweb_install_rr.exe (PID: 2780)
  - btweb.exe (PID: 2416)
- Reads the machine GUID from the registry
  - btweb_installer.tmp (PID: 2664)
  - btweb_install_rr.exe (PID: 2780)
  - saBSI.exe (PID: 1540)
  - cookie_mmm_irs_ppi_902_451_o.exe (PID: 2316)
  - btweb.exe (PID: 2416)
  - avg_antivirus_free_setup.exe (PID: 2440)
  - Instup.exe (PID: 3532)
  - wmpnscfg.exe (PID: 1624)
  - instup.exe (PID: 876)
- Checks proxy server information
  - btweb_install_rr.exe (PID: 2780)
  - Instup.exe (PID: 3532)
  - instup.exe (PID: 876)
- Creates files in the program directory
  - saBSI.exe (PID: 1540)
  - avg_antivirus_free_setup.exe (PID: 2440)
  - Instup.exe (PID: 3532)
  - instup.exe (PID: 876)
- Application launched itself
  - iexplore.exe (PID: 3648)
- Reads CPU info
  - avg_antivirus_free_setup.exe (PID: 2440)
  - Instup.exe (PID: 3532)
  - instup.exe (PID: 876)
- Reads Environment values
  - Instup.exe (PID: 3532)
  - instup.exe (PID: 876)
- Manual execution by a user
  - wmpnscfg.exe (PID: 1624)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	btweb_installer.exe
ZipUncompressedSize:	1822280
ZipCompressedSize:	1294262
ZipCRC:	0xff658fd1
ZipModifyDate:	2023:04:03 07:06:06
ZipCompression:	Deflated
ZipBitFlag:	0x0001
ZipRequiredVersion:	20

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

876

"C:\Windows\Temp\asw.408a6ce76e8a7e33\New_17020cc9\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.408a6ce76e8a7e33 /edition:15 /prod:ais /guid:e22fe244-cd49-421f-8467-1a68d7e585df /ga_clientid:3d54e99d-67a3-4686-a94e-022abe0fe75a /silent /ws /psh:92pTtVppTmAE7qoHGJAQQ7su32HC8E103Xz5GK9x8XNKMdEtkkUpQSg4DhjKpPjEKblQSolPJyWotg /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.0b579184ff7fde4e /online_installer

C:\Windows\Temp\asw.408a6ce76e8a7e33\New_17020cc9\instup.exe

Instup.exe

User:

admin

Company:

AVG Technologies CZ, s.r.o.

Integrity Level:

HIGH

Description:

AVG Antivirus Installer

Exit code:

Version:

23.2.7961.0

Modules

Images
c:\windows\temp\asw.408a6ce76e8a7e33\new_17020cc9\instup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

1540

"C:\Users\admin\AppData\Local\Temp\is-7ESQ0.tmp\component0_extract\saBSI.exe" /affid 91082 PaidDistribution=true

C:\Users\admin\AppData\Local\Temp\is-7ESQ0.tmp\component0_extract\saBSI.exe

btweb_installer.tmp

User:

admin

Company:

McAfee, LLC

Integrity Level:

HIGH

Description:

McAfee WebAdvisor(bootstrap installer)

Exit code:

4294967295

Version:

4,1,1,663

Modules

Images
c:\users\admin\appdata\local\temp\is-7esq0.tmp\component0_extract\sabsi.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll

1624

"C:\Program Files\Windows Media Player\wmpnscfg.exe"

C:\Program Files\Windows Media Player\wmpnscfg.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Media Player Network Sharing Service Configuration Application

Exit code:

Version:

12.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\gdi32.dll

1748

"C:\Windows\Temp\asw.408a6ce76e8a7e33\New_17020cc9\sbr.exe" 876 "AVG Antivirus setup" "AVG Antivirus is being installed. Do not shut down your computer!"

C:\Windows\Temp\asw.408a6ce76e8a7e33\New_17020cc9\sbr.exe

—

instup.exe

User:

admin

Company:

AVG Technologies CZ, s.r.o.

Integrity Level:

HIGH

Description:

AVG Shutdown blocker

Exit code:

Version:

23.2.7961.0

Modules

Images
c:\windows\temp\asw.408a6ce76e8a7e33\new_17020cc9\sbr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll

2316

"C:\Users\admin\AppData\Local\Temp\is-7ESQ0.tmp\component1_extract\cookie_mmm_irs_ppi_902_451_o.exe" /silent /ws /psh:92pTtVppTmAE7qoHGJAQQ7su32HC8E103Xz5GK9x8XNKMdEtkkUpQSg4DhjKpPjEKblQSolPJyWotg

C:\Users\admin\AppData\Local\Temp\is-7ESQ0.tmp\component1_extract\cookie_mmm_irs_ppi_902_451_o.exe

btweb_installer.tmp

User:

admin

Company:

AVG Technologies CZ, s.r.o.

Integrity Level:

HIGH

Description:

AVG Antivirus Installer

Exit code:

Version:

2.1.1279.0

Modules

Images
c:\users\admin\appdata\local\temp\is-7esq0.tmp\component1_extract\cookie_mmm_irs_ppi_902_451_o.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2400

"C:\Users\admin\AppData\Local\Temp\Rar$EXb2680.28058\btweb_installer.exe" /SPAWNWND=$2017A /NOTIFYWND=$4015C

C:\Users\admin\AppData\Local\Temp\Rar$EXb2680.28058\btweb_installer.exe

btweb_installer.tmp

User:

admin

Company:

Integrity Level:

HIGH

Description:

BitTorrent Web®

Exit code:

Version:

1.3

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb2680.28058\btweb_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\shlwapi.dll

2416

"C:\Users\admin\AppData\Roaming\BitTorrent Web\btweb.exe" /RUNONSTARTUP

C:\Users\admin\AppData\Roaming\BitTorrent Web\btweb.exe

btweb_installer.tmp

User:

admin

Company:

BitTorrent Inc.

Integrity Level:

MEDIUM

Description:

BitTorrent Web

Exit code:

Version:

1.3.0.5655

Modules

Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\roaming\bittorrent web\btweb.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\version.dll

2440

"C:\Windows\Temp\asw.0b579184ff7fde4e\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTtVppTmAE7qoHGJAQQ7su32HC8E103Xz5GK9x8XNKMdEtkkUpQSg4DhjKpPjEKblQSolPJyWotg /cookie:mmm_irs_ppi_902_451_o /ga_clientid:3d54e99d-67a3-4686-a94e-022abe0fe75a /edat_dir:C:\Windows\Temp\asw.0b579184ff7fde4e

C:\Windows\Temp\asw.0b579184ff7fde4e\avg_antivirus_free_setup.exe

cookie_mmm_irs_ppi_902_451_o.exe

User:

admin

Company:

AVG Technologies CZ, s.r.o.

Integrity Level:

HIGH

Description:

AVG Antivirus

Exit code:

Version:

23.2.7961.0

Modules

Images
c:\windows\temp\asw.0b579184ff7fde4e\avg_antivirus_free_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll

2664

"C:\Users\admin\AppData\Local\Temp\is-CKHME.tmp\btweb_installer.tmp" /SL5="$30178,905130,843776,C:\Users\admin\AppData\Local\Temp\Rar$EXb2680.28058\btweb_installer.exe" /SPAWNWND=$2017A /NOTIFYWND=$4015C

C:\Users\admin\AppData\Local\Temp\is-CKHME.tmp\btweb_installer.tmp

btweb_installer.exe

User:

admin

Company:

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-ckhme.tmp\btweb_installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

2680

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MDE_File_Sample_5a3d778b829c0682d468b6c7d73891d0e5fae6fa (1).zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll

Add for printing

Total events

77 648

Read events

72 496

Write events

5 132

Delete events

Modification events


(PID) Process:	(2680) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2680) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:	(2680) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:	(2680) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(2680) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2680) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2680) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2680) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2680) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2680) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

136

Text files

120

Unknown types

Dropped files

PID	Process	Filename		Type
3548	btweb_installer.exe	C:\Users\admin\AppData\Local\Temp\is-BKDE6.tmp\btweb_installer.tmp		executable
		MD5:—	SHA256:—
2680	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2680.28058\btweb_installer.exe		executable
		MD5:—	SHA256:—
2400	btweb_installer.exe	C:\Users\admin\AppData\Local\Temp\is-CKHME.tmp\btweb_installer.tmp		executable
		MD5:—	SHA256:—
2664	btweb_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-7ESQ0.tmp\is-FLIP6.tmp		executable
		MD5:—	SHA256:—
2780	btweb_install_rr.exe	C:\Users\admin\AppData\Roaming\BitTorrent Web\webui\version.txt		text
		MD5:—	SHA256:—
2664	btweb_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-7ESQ0.tmp\btweb_install_rr.exe		executable
		MD5:—	SHA256:—
2664	btweb_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-7ESQ0.tmp\Logo.png		image
		MD5:D0743D0DB691B4E932DCF098F070C5FC	SHA256:93520D9E40F227FD89021341ABAD301D2351704D1509711587E3D4F6FE35FB59
2664	btweb_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-7ESQ0.tmp\botva2.dll		executable
		MD5:67965A5957A61867D661F05AE1F4773E	SHA256:450B9B0BA25BF068AFBC2B23D252585A19E282939BF38326384EA9112DFD0105
2664	btweb_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-7ESQ0.tmp\is-O8PO2.tmp		image
		MD5:F1F21BE822C2E22934C88478DDA2FD74	SHA256:5F3223DBFD67DC3BA0E0A3C23F5294258251272E06A66FDEE6416DACC160FAD4
2664	btweb_installer.tmp	C:\Users\admin\AppData\Local\Temp\is-7ESQ0.tmp\is-BQI1Q.tmp		compressed
		MD5:3306273378D0D40FC1E6F28E3F52DD37	SHA256:3D70BA97A68A00EFA090F26B70F30ABE0EE3172B711F2C446FD3782806B2C353

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
876	instup.exe	GET	200	95.100.146.56:80	http://k6951768.avi18tiny.u.avcdn.net/avi18tiny/prod-vps.vpx	unknown	binary	341 b	suspicious
2316	cookie_mmm_irs_ppi_902_451_o.exe	POST	204	34.117.223.223:80	http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi	US	—	—	whitelisted
2316	cookie_mmm_irs_ppi_902_451_o.exe	GET	200	23.48.23.20:80	http://iavs9x.avg.u.avcdn.net/avg/iavs9x/avg_antivirus_free_setup.exe	US	executable	8.78 Mb	whitelisted
2316	cookie_mmm_irs_ppi_902_451_o.exe	POST	204	34.117.223.223:80	http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi	US	—	—	whitelisted
3532	Instup.exe	GET	200	95.100.146.51:80	http://f2077074.iavs9x.avg.u.avcdn.net/avg/iavs9x/servers.def.vpx	unknown	binary	1.36 Kb	whitelisted
3532	Instup.exe	GET	200	95.100.146.51:80	http://l9518228.iavs9x.avg.u.avcdn.net/avg/iavs9x/prod-pgm.vpx	unknown	binary	571 b	whitelisted
3532	Instup.exe	GET	200	95.100.146.51:80	http://l9518228.iavs9x.avg.u.avcdn.net/avg/iavs9x/avdump_x86_ais-cc9.vpx	unknown	binary	402 Kb	whitelisted
3532	Instup.exe	GET	200	95.100.146.51:80	http://l9518228.iavs9x.avg.u.avcdn.net/avg/iavs9x/avbugreport_ais-cc9.vpx	unknown	binary	1.23 Mb	whitelisted
2780	btweb_install_rr.exe	POST	200	34.226.45.204:80	http://i-4102.b-5655.btweb.bench.utorrent.com/e?i=4102	US	binary	21 b	suspicious
2780	btweb_install_rr.exe	POST	200	34.226.45.204:80	http://i-4102.b-5655.btweb.bench.utorrent.com/e?i=4102	US	binary	21 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2664	btweb_installer.tmp	18.66.97.18:443	api.playanext.com	—	US	suspicious
2780	btweb_install_rr.exe	34.226.45.204:80	i-4102.b-5655.btweb.bench.utorrent.com	AMAZON-AES	US	suspicious
2664	btweb_installer.tmp	82.221.103.243:443	download-lb.utorrent.com	Advania Island ehf	IS	suspicious
2316	cookie_mmm_irs_ppi_902_451_o.exe	142.250.185.206:80	www.google-analytics.com	GOOGLE	US	whitelisted
2316	cookie_mmm_irs_ppi_902_451_o.exe	34.117.223.223:80	v7event.stats.avast.com	GOOGLE-CLOUD-PLATFORM	US	unknown
2316	cookie_mmm_irs_ppi_902_451_o.exe	23.48.23.20:80	iavs9x.avg.u.avcdn.net	Akamai International B.V.	DE	suspicious
1540	saBSI.exe	54.200.146.120:443	apis.mosaic.analytics.awscommon.mcafee.com	AMAZON-02	US	unknown
1540	saBSI.exe	23.35.236.52:443	sadownload.mcafee.com	AKAMAI-AS	DE	suspicious
2416	btweb.exe	18.66.112.80:443	btweb.rainberrytv.com	AMAZON-02	US	suspicious
2416	btweb.exe	13.224.189.62:443	web.utorrent.com	AMAZON-02	US	suspicious

DNS requests

Domain	IP	Reputation
d1was4hi8hlp7e.cloudfront.net	99.86.1.119 99.86.1.51 99.86.1.81 99.86.1.154	unknown
dtyaopwujvlcj.cloudfront.net	143.204.101.11 143.204.101.81 143.204.101.6 143.204.101.51	unknown
api.playanext.com	18.66.97.18 18.66.97.76 18.66.97.82 18.66.97.48	whitelisted
download-lb.utorrent.com	82.221.103.243 82.221.103.242	whitelisted
i-4102.b-5655.btweb.bench.utorrent.com	34.226.45.204 52.4.61.157 3.222.46.202 52.73.240.226 34.234.228.70 54.85.255.122 54.227.160.188 34.239.41.175	suspicious
cu1pehnswad01.servicebus.windows.net	104.208.16.0	whitelisted
www.google-analytics.com	142.250.185.206	whitelisted
v7event.stats.avast.com	34.117.223.223	whitelisted
iavs9x.avg.u.avcdn.net	23.48.23.20 23.48.23.6	whitelisted
apis.mosaic.analytics.awscommon.mcafee.com	54.200.146.120 35.85.190.38	unknown

Threats

PID	Process	Class	Message
2664	btweb_installer.tmp	Potentially Bad Traffic	ET INFO TLS Handshake Failure
2664	btweb_installer.tmp	Potentially Bad Traffic	ET INFO TLS Handshake Failure
2780	btweb_install_rr.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2780	btweb_install_rr.exe	Potentially Bad Traffic	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
2316	cookie_mmm_irs_ppi_902_451_o.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1540	saBSI.exe	Potentially Bad Traffic	ET INFO TLS Handshake Failure
1540	saBSI.exe	Potentially Bad Traffic	ET INFO TLS Handshake Failure
—	—	Potential Corporate Privacy Violation	ET P2P BitTorrent DHT ping request
2416	btweb.exe	Potentially Bad Traffic	ET POLICY Executable served from Amazon S3
2416	btweb.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in EXE directory

General Info

MDE_File_Sample_5a3d778b829c0682d468b6c7d73891d0e5fae6fa (1).zip

DCD61691690A105D430EF4101772F798

545A1A5607FFB7C35D9BF173F4D45BCF68389775

930545276557C83D2206285F50ECC5AE811C18B6F1DC3F9A923296CD3AD88889

24576:cJke1aENUJKidCDJhVpbrYmukc1CgQ+EAKjKDQ67c7y:c6C5LDJ4Ix+EAKjcQ674y

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Reads settings of System Certificates

Reads the Internet Settings

The process creates files with name similar to system file names

Process requests binary or script from the Internet

Adds/modifies Windows certificates

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Starts itself from another location

The process checks presence of the antivirus software

INFO

Checks supported languages

Create files in a temporary directory

Executable content was dropped or overwritten

The process checks LSA protection

Application was dropped or rewritten from another process

Reads the computer name

Creates files or folders in the user directory

Reads the machine GUID from the registry

Checks proxy server information

Creates files in the program directory

Application launched itself

Reads CPU info

Reads Environment values

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings