Malware analysis free-ip-camera-viewer_qbx-bh1.exe.zip Malicious activity

Add for printing

File name:	free-ip-camera-viewer_qbx-bh1.exe.zip
Full analysis:	https://app.any.run/tasks/9029ad4a-8a0c-44d6-9ae2-376e9423ce8d
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	February 19, 2025, 07:27:38
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-doc adware innosetup loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	EAD5C33741E2BB2FC988C9237A974A75
SHA1:	97317A33661415F59C87195CB0E1FA12D7C29324
SHA256:	9C192B1CFE5E1C12434F275D55A2271930266C3AB7B706D4FA6648B2EB11E007
SSDEEP:	98304:Z4orJ1I7hz2JEp7rgeq/PGGMw2UGZOKNpc09Lirw2JIOpcEejwNg+pNMDhmcqFK2:BAFeZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 6300)
- INNOSETUP has been detected (SURICATA)
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
SUSPICIOUS
- Executable content was dropped or overwritten
  - free-ip-camera-viewer_qbx-bh1.exe (PID: 6996)
  - free-ip-camera-viewer_qbx-bh1.exe (PID: 7132)
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
  - free-ip-camera-viewer.exe (PID: 4596)
  - free-ip-camera-viewer.tmp (PID: 6592)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6300)
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7016)
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
  - free-ip-camera-viewer.tmp (PID: 6592)
- Reads the Windows owner or organization settings
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
  - free-ip-camera-viewer.tmp (PID: 6592)
- Access to an unwanted program domain was detected
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
- Potential Corporate Privacy Violation
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
- Process requests binary or script from the Internet
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
- The process drops C-runtime libraries
  - free-ip-camera-viewer.tmp (PID: 6592)
- Executing commands from a ".bat" file
  - free-ip-camera-viewer.tmp (PID: 6592)
- Starts CMD.EXE for commands execution
  - free-ip-camera-viewer.tmp (PID: 6592)
- Process drops legitimate windows executable
  - free-ip-camera-viewer.tmp (PID: 6592)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6300)
- Create files in a temporary directory
  - free-ip-camera-viewer_qbx-bh1.exe (PID: 6996)
  - free-ip-camera-viewer_qbx-bh1.exe (PID: 7132)
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
  - free-ip-camera-viewer.exe (PID: 4596)
  - free-ip-camera-viewer.tmp (PID: 6592)
- Checks supported languages
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7016)
  - free-ip-camera-viewer_qbx-bh1.exe (PID: 6996)
  - free-ip-camera-viewer_qbx-bh1.exe (PID: 7132)
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
  - free-ip-camera-viewer.tmp (PID: 6592)
  - free-ip-camera-viewer.exe (PID: 4596)
  - identity_helper.exe (PID: 7120)
  - ipCamera.exe (PID: 4592)
- Reads the computer name
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7016)
  - free-ip-camera-viewer_qbx-bh1.exe (PID: 7132)
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
  - free-ip-camera-viewer.tmp (PID: 6592)
  - identity_helper.exe (PID: 7120)
  - ipCamera.exe (PID: 4592)
- Process checks computer location settings
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7016)
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
  - free-ip-camera-viewer.tmp (PID: 6592)
- The sample compiled with english language support
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
  - free-ip-camera-viewer.tmp (PID: 6592)
- Reads the software policy settings
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
- Reads the machine GUID from the registry
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
  - ipCamera.exe (PID: 4592)
- Checks proxy server information
  - free-ip-camera-viewer_qbx-bh1.tmp (PID: 7152)
- Application launched itself
  - msedge.exe (PID: 5576)
  - msedge.exe (PID: 6132)
  - msedge.exe (PID: 6096)
- Reads Environment values
  - identity_helper.exe (PID: 7120)
- Manual execution by a user
  - msedge.exe (PID: 5576)
- Creates files in the program directory
  - free-ip-camera-viewer.tmp (PID: 6592)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2025:02:19 07:27:14
ZipCRC:	0xd773d44b
ZipCompressedSize:	2113098
ZipUncompressedSize:	2650208
ZipFileName:	free-ip-camera-viewer_qbx-bh1.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

175

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

540

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3532 --field-trial-handle=2372,i,12383098083976098778,17062565065680726246,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

712

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5472 --field-trial-handle=2372,i,12383098083976098778,17062565065680726246,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

716

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x30c,0x310,0x314,0x304,0x31c,0x7ff821355fd8,0x7ff821355fe4,0x7ff821355ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

848

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x290,0x294,0x298,0x288,0x2ac,0x7ff821355fd8,0x7ff821355fe4,0x7ff821355ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2292

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2376 --field-trial-handle=2132,i,7848297442010355876,13260717390343269571,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2928

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3360 --field-trial-handle=2132,i,7848297442010355876,13260717390343269571,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2996

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3480 --field-trial-handle=2132,i,7848297442010355876,13260717390343269571,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3128

C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files (x86)\IP Camera Viewer\ipCamera.bat" "

C:\Windows\SysWOW64\cmd.exe

—

free-ip-camera-viewer.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3224

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5348 --field-trial-handle=2132,i,7848297442010355876,13260717390343269571,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3564

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4048 --field-trial-handle=2372,i,12383098083976098778,17062565065680726246,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

9 275

Read events

9 204

Write events

Delete events

Modification events


(PID) Process:	(6300) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6300) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6300) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6300) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\free-ip-camera-viewer_qbx-bh1.exe.zip
(PID) Process:	(6300) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6300) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6300) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6300) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7152) free-ip-camera-viewer_qbx-bh1.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7152) free-ip-camera-viewer_qbx-bh1.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

Add for printing

Executable files

102

Suspicious files

141

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7152	free-ip-camera-viewer_qbx-bh1.tmp	C:\Users\admin\AppData\Local\Temp\is-B9NDO.tmp\AVAST.png		image
		MD5:378F74A0CBDD582D8B434B7B978FF375	SHA256:1225AFDA135B0BF3B5633595AF4096F8C6620EBB34AA5DF7C64253F03668B33D
7152	free-ip-camera-viewer_qbx-bh1.tmp	C:\Users\admin\AppData\Local\Temp\is-B9NDO.tmp\Helper.dll		executable
		MD5:4EB0347E66FA465F602E52C03E5C0B4B	SHA256:C73E53CBB7B98FEAFE27CC7DE8FDAD51DF438E2235E91891461C5123888F73CC
7132	free-ip-camera-viewer_qbx-bh1.exe	C:\Users\admin\AppData\Local\Temp\is-L56G6.tmp\free-ip-camera-viewer_qbx-bh1.tmp		executable
		MD5:DE4E6F20A126C887E4D1882CE07EF3AD	SHA256:8B9B174873ABE205D93FC90FA37C3DBE7C70C1C6F4357CBF227F580800FA7AAF
6996	free-ip-camera-viewer_qbx-bh1.exe	C:\Users\admin\AppData\Local\Temp\is-F5EC3.tmp\free-ip-camera-viewer_qbx-bh1.tmp		executable
		MD5:DE4E6F20A126C887E4D1882CE07EF3AD	SHA256:8B9B174873ABE205D93FC90FA37C3DBE7C70C1C6F4357CBF227F580800FA7AAF
7152	free-ip-camera-viewer_qbx-bh1.tmp	C:\Users\admin\AppData\Local\Temp\is-B9NDO.tmp\is-AG50V.tmp		binary
		MD5:334A5A339407AF2ECAF1D02C80856698	SHA256:C15284C97458A287ECE8308576FDA218A5E83CDE1204FCE70C16F1538FC5374E
7152	free-ip-camera-viewer_qbx-bh1.tmp	C:\Users\admin\AppData\Local\Temp\is-B9NDO.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
7152	free-ip-camera-viewer_qbx-bh1.tmp	C:\Users\admin\AppData\Local\Temp\is-B9NDO.tmp\loader.gif		image
		MD5:12D7FD91A06CEE2D0E76ABE0485036EE	SHA256:A6192B9A3FA5DB9917AEF72D651B7AD8FD8CCB9B53F3AD99D7C46701D00C78CB
7152	free-ip-camera-viewer_qbx-bh1.tmp	C:\Users\admin\AppData\Local\Temp\is-B9NDO.tmp\is-VC6MR.tmp		image
		MD5:9AC6287111CB2B272561781786C46CDD	SHA256:AB99CDB7D798CB7B7D8517584D546AA4ED54ECA1B808DE6D076710C8A400C8C4
7152	free-ip-camera-viewer_qbx-bh1.tmp	C:\Users\admin\AppData\Local\Temp\is-B9NDO.tmp\is-VIKQ7.tmp		image
		MD5:378F74A0CBDD582D8B434B7B978FF375	SHA256:1225AFDA135B0BF3B5633595AF4096F8C6620EBB34AA5DF7C64253F03668B33D
7152	free-ip-camera-viewer_qbx-bh1.tmp	C:\Users\admin\AppData\Local\Temp\is-B9NDO.tmp\WeatherZero.png		image
		MD5:9AC6287111CB2B272561781786C46CDD	SHA256:AB99CDB7D798CB7B7D8517584D546AA4ED54ECA1B808DE6D076710C8A400C8C4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.222.10.99:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.222.10.99:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
7152	free-ip-camera-viewer_qbx-bh1.tmp	GET	200	95.168.168.24:80	http://dl.jalecdn.com/IT/free-ip-camera-viewer.exe	unknown	—	—	unknown
5488	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6760	backgroundTaskHost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
5488	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5972	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.222.10.99:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
—	—	23.222.10.99:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5064	SearchApp.exe	2.19.122.33:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5064	SearchApp.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	216.58.212.174	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.106 2.16.164.120 2.16.164.72	whitelisted
www.microsoft.com	23.222.10.99 23.35.229.160	whitelisted
www.bing.com	2.19.122.33 2.19.122.39 2.19.122.40 2.19.122.44 2.19.122.38 2.19.122.32 2.19.122.34 2.19.122.41 2.19.122.31 92.123.104.30 92.123.104.22 92.123.104.29 92.123.104.18 92.123.104.28 92.123.104.19 92.123.104.5 92.123.104.32 92.123.104.9	whitelisted
ocsp.digicert.com	2.23.77.188 2.17.190.73	whitelisted
login.live.com	40.126.31.73 20.190.159.128 40.126.31.1 20.190.159.75 20.190.159.23 40.126.31.128 40.126.31.129 40.126.31.2	whitelisted
go.microsoft.com	2.18.97.227	whitelisted
d26eyevpqyunb6.cloudfront.net	143.204.205.100 143.204.205.70 143.204.205.176 143.204.205.227	whitelisted
static.download.it	104.22.56.224 172.67.26.92 104.22.57.224	unknown

Threats

PID	Process	Class	Message
7152	free-ip-camera-viewer_qbx-bh1.tmp	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
7152	free-ip-camera-viewer_qbx-bh1.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer

Add for printing

No debug info

General Info

free-ip-camera-viewer_qbx-bh1.exe.zip

EAD5C33741E2BB2FC988C9237A974A75

97317A33661415F59C87195CB0E1FA12D7C29324

9C192B1CFE5E1C12434F275D55A2271930266C3AB7B706D4FA6648B2EB11E007

98304:Z4orJ1I7hz2JEp7rgeq/PGGMw2UGZOKNpc09Lirw2JIOpcEejwNg+pNMDhmcqFK2:BAFeZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

INNOSETUP has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

Access to an unwanted program domain was detected

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

The process drops C-runtime libraries

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Process drops legitimate windows executable

INFO

Executable content was dropped or overwritten

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

The sample compiled with english language support

Reads the software policy settings

Reads the machine GUID from the registry

Checks proxy server information

Application launched itself

Reads Environment values

Manual execution by a user

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings