Malware analysis SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159 Malicious activity

Add for printing

File name:	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159
Full analysis:	https://app.any.run/tasks/584e7919-bfe9-4dfb-9d26-4b1df7486adf
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	October 17, 2024, 11:51:42
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx adware
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	A5061D94383FB1FD3D259CF335FF0C5B
SHA1:	6672CDC9C160235BACDC4E0995541C29D55CA4FC
SHA256:	947575CBA1B1FFEDA1E3CBB765C219BD2ECC7A1A91EBA1E721255DAE4528E670
SSDEEP:	12288:gNXVfbbSZpN2QCt8Und8qMzkqycb44kk44D44d44v44844x44Er44W44v44j44uY:gXfbbSZpTCZdeLOg3nT7PuLGxy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe (PID: 1792)
  - TiWorker.exe (PID: 6364)
  - rundll32.exe (PID: 6692)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 5588)
  - TiWorker.exe (PID: 6364)
- Executes as Windows Service
  - SZServer.exe (PID: 1432)
  - VSSVC.exe (PID: 2056)
- Access to an unwanted program domain was detected
  - SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe (PID: 1792)
- Drops a system driver (possible attempt to evade defenses)
  - msiexec.exe (PID: 5588)
  - rundll32.exe (PID: 6692)
  - msiexec.exe (PID: 3620)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 5588)
  - TiWorker.exe (PID: 6364)
- Uses RUNDLL32.EXE to load library
  - SZServer.exe (PID: 1432)
- Drops 7-zip archiver for unpacking
  - msiexec.exe (PID: 5588)
INFO
- UPX packer has been detected
  - SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe (PID: 1792)
- Manages system restore points
  - SrTasks.exe (PID: 5524)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 3620)
  - msiexec.exe (PID: 5588)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (25.2)
.exe	\|	Win32 Executable MS Visual C++ (generic) (18.2)
.exe	\|	Win64 Executable (generic) (16.1)
.exe	\|	UPX compressed Win32 Executable (15.8)
.exe	\|	Win32 EXE Yoda's Crypter (15.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:09:24 21:32:00+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	327680
InitializedDataSize:	348160
UninitializedDataSize:	-
EntryPoint:	0x2eb2e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	5.0.90.1
ProductVersionNumber:	5.0.90.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileVersion:	5.0.90.1
CompanyName:	iS3, Inc.
ProductVersion:	5.0.90.1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

163

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1156

"C:\Program Files (x86)\STOPzilla!\SZTargetUpdate.Exe" "path=C:\Program Files (x86)\STOPzilla!\fullupd.rsf" "provider=SZ"

C:\Program Files (x86)\STOPzilla!\SZTargetUpdate.Exe

—

SZServer.exe

User:

SYSTEM

Company:

iS3, Inc.

Integrity Level:

SYSTEM

Description:

STOPzilla Application

Exit code:

Version:

6.1.100.3

1376

"C:\Program Files (x86)\STOPzilla!\STOPzilla.exe" /msirun

C:\Program Files (x86)\STOPzilla!\STOPzilla.exe

—

SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe

User:

admin

Company:

iS3, Inc.

Integrity Level:

HIGH

Description:

STOPzilla Application

Exit code:

Version:

6.1.100.3

1376

"C:\Program Files (x86)\STOPzilla!\SZOptions.exe" /firstrun /scan=intelligent

C:\Program Files (x86)\STOPzilla!\SZOptions.exe

—

SZServer.exe

User:

admin

Company:

iS3, Inc.

Integrity Level:

MEDIUM

Description:

STOPzilla Application

Version:

6.1.100.3

1432

"C:\Program Files (x86)\STOPzilla!\SZServer.exe"

C:\Program Files (x86)\STOPzilla!\SZServer.exe

—

services.exe

User:

SYSTEM

Company:

iS3, Inc.

Integrity Level:

SYSTEM

Description:

STOPzilla Service

Version:

6.1.100.3

1792

"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe"

C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe

explorer.exe

User:

admin

Company:

iS3, Inc.

Integrity Level:

HIGH

Exit code:

Version:

5.0.90.1

Modules

Images
c:\users\admin\appdata\local\temp\securiteinfo.com.suspected.of.trojan.downloader.gen.15131.13159.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2056

C:\WINDOWS\system32\vssvc.exe

C:\Windows\System32\VSSVC.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3620

C:\Windows\syswow64\MsiExec.exe -Embedding 71D4AAC9AC0CBEF979E7398C0FD61C7B

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

4032

"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe"

C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe

—

explorer.exe

User:

admin

Company:

iS3, Inc.

Integrity Level:

MEDIUM

Exit code:

3221226540

Version:

5.0.90.1

Modules

Images
c:\users\admin\appdata\local\temp\securiteinfo.com.suspected.of.trojan.downloader.gen.15131.13159.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

5276

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

5524

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11

C:\Windows\System32\SrTasks.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Windows System Protection background tasks.

Version:

10.0.19041.1 (WinBuild.160101.0800)

Add for printing

Total events

5 201

Read events

5 160

Write events

Delete events

Modification events


(PID) Process:	(1792) SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\dskMetrics
Operation:	write	Name:	ID
Value: CD28B9A3A3034AEDAA9462FA48FB8479
(PID) Process:	(1792) SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ISSS\STOPzilla
Operation:	write	Name:	EXTCONF
Value: 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D227574662D38223F3E3C636F6E6669673E3C706172616D206E616D653D226E61675F696E74657276616C5F7370222076616C75653D223022202F3E3C706172616D206E616D653D226E61675F696E74657276616C5F6E7370222076616C75653D223522202F3E3C706172616D206E616D653D226E61675F686964655F747269616C5F706179222076616C75653D223022202F3E3C706172616D206E616D653D2264656661756C745F7363616E5F74797065222076616C75653D22696E74656C6C6967656E7422202F3E3C706172616D206E616D653D2273757070726573735F7265626F6F74222076616C75653D223022202F3E3C706172616D206E616D653D22646F5F747261636B696E67222076616C75653D223122202F3E3C706172616D206E616D653D22736B69705F3634636865636B222076616C75653D223122202F3E3C706172616D206E616D653D22646D222076616C75653D2270726F6422202F3E3C706172616D206E616D653D226D696E697363616E5F636F6C6C656374696F6E5F656E61626C6564222076616C75653D223122202F3E3C2F636F6E6669673E00
(PID) Process:	(1792) SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ISSS\STOPzilla
Operation:	write	Name:	AID
Value: 10000
(PID) Process:	(1792) SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1792) SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1792) SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(1792) SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ISSS\STOPzilla\Setup
Operation:	write	Name:	demo
Value: 0
(PID) Process:	(5588) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 48000000000000006249DC178B20DB01D4150000C40D0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5588) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000006249DC178B20DB01D4150000C40D0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5588) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000062313188B20DB01D4150000C40D0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

133

Suspicious files

184

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	C:\Users\admin\AppData\Local\Temp\STOPzilla!\SZPro5.msi		—
		MD5:—	SHA256:—
5588	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
5588	msiexec.exe	C:\Windows\Installer\9f205.msi		—
		MD5:—	SHA256:—
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_434C0A72907B1D333FF3B54D38C7FCEE		binary
		MD5:96FAC160C6D567B79F63AABD2DE709F1	SHA256:F1EA75F2AF1D586857F98B004B426752DE686C6AA15A1099BAE7E098B5823190
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6		binary
		MD5:187A9A66850D98278D54A314B09812C4	SHA256:95728C14C23A6615B61BBF922665ABF50162B722E9FD7D486DB9170EF009A0F0
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_434C0A72907B1D333FF3B54D38C7FCEE		binary
		MD5:5BFA51F3A417B98E7443ECA90FC94703	SHA256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F		binary
		MD5:543FF9C4BB3FD6F4D35C0A80BA5533FC	SHA256:40C04D540C3D7D80564F34AF3A512036BDD8E17B4CA74BA3B7E45D6D93466BCD
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	C:\Users\admin\AppData\Local\Temp\DeskMetrics.dll		executable
		MD5:1BE52FA937585CCFEB9D0B6568B1C9D0	SHA256:AAF66540597D8DEC861E4DDB8DD4FD810CA83AC129E9FCA68BB01A85DB9599D0
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	C:\Users\admin\AppData\Local\Temp\MSI9A21.tmp		executable
		MD5:648212691FA53C7EE0896FCCA371475E	SHA256:D9C8A2CCE149C40FB0414EB9268F7B23B18B2E89F982ED5FA913943DF98D9898
5588	msiexec.exe	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log		text
		MD5:EEFFF0FA33F4E28312E6C29677382C50	SHA256:1F416D8DA77A69B545E9A59BE991538198C671B63CA2197467921F8C48A7E378

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6584	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1880	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6584	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	GET	—	18.173.205.19:80	http://download.stopzilla.com/binaries/stopzilla/auto_installer/SZPro5.msi	unknown	—	—	unknown
3960	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	GET	206	18.173.205.19:80	http://download.stopzilla.com/binaries/stopzilla/auto_installer/SZPro5.msi	unknown	—	—	unknown
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	GET	206	18.173.205.19:80	http://download.stopzilla.com/binaries/stopzilla/auto_installer/SZPro5.msi	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
7060	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6944	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	34.233.172.109:80	stopzilla.net	AMAZON-AES	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6944	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	52.203.165.0:80	stopzilla.net	AMAZON-AES	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208 4.231.128.59	whitelisted
google.com	142.250.184.206	whitelisted
4e6f82f5a14ad77ca7000000.api.deskmetrics.com	—	unknown
stopzilla.net	34.233.172.109 52.203.165.0 54.221.218.150	unknown
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131 184.30.21.171	whitelisted
www.bing.com	104.126.37.145 104.126.37.160 104.126.37.161 104.126.37.153 104.126.37.162 104.126.37.146 104.126.37.147 104.126.37.155 104.126.37.139	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.64 20.190.159.0 20.190.159.75 40.126.31.69 40.126.31.73 20.190.159.68 40.126.31.67 20.190.159.23	whitelisted
th.bing.com	104.126.37.145 104.126.37.147 104.126.37.128 104.126.37.139 104.126.37.123 104.126.37.146 104.126.37.131 104.126.37.130 104.126.37.136	whitelisted

Threats

PID	Process	Class	Message
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP STOPzilla Download Accelerator Activity
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP STOPzilla Download Accelerator Activity
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP STOPzilla Download Accelerator Activity
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP STOPzilla Download Accelerator Activity
1792	SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Possibly Unwanted Program Detected	ET ADWARE_PUP STOPzilla Download Accelerator Activity

Add for printing

Process	Message
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	setup send stopzilla.net: uninstall="" os_version="1.6.2" skip_64check="1" current_version="0.0.0.0" sz_install="" msi_install="" email="" aid="10000" product="STOPzilla" install="" do_tracking="1" dm="prod" product_install="" corpflags="" edition="PRO" local_version="" alt_home="" cmd_line="" register="none" msi_version="5.0.19041.3636" home=""
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Failed initial connection to send install params. Attempting to use alternates.
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	setup send stopzilla.net: uninstall="" os_version="1.6.2" skip_64check="1" current_version="0.0.0.0" sz_install="" msi_install="" email="" aid="10000" product="STOPzilla" install="" do_tracking="1" dm="prod" product_install="" corpflags="" edition="PRO" local_version="" alt_home="" cmd_line="" register="none" msi_version="5.0.19041.3636" home=""
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	setup recv stopzilla.net:
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Adding alternate download URL
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	msi_install =
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Installing:
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	SZPro5.msi
SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159.exe	Alternate failed

General Info

SecuriteInfo.com.suspected.of.Trojan.Downloader.gen.15131.13159

A5061D94383FB1FD3D259CF335FF0C5B

6672CDC9C160235BACDC4E0995541C29D55CA4FC

947575CBA1B1FFEDA1E3CBB765C219BD2ECC7A1A91EBA1E721255DAE4528E670

12288:gNXVfbbSZpN2QCt8Und8qMzkqycb44kk44D44d44v44844x44Er44W44v44j44uY:gXfbbSZpTCZdeLOg3nT7PuLGxy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

The process drops C-runtime libraries

Executes as Windows Service

Access to an unwanted program domain was detected

Drops a system driver (possible attempt to evade defenses)

Process drops legitimate windows executable

Uses RUNDLL32.EXE to load library

Drops 7-zip archiver for unpacking

INFO

UPX packer has been detected

Manages system restore points

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings