URL:

https://web.utorrent.com/update/

Full analysis: https://app.any.run/tasks/445c8cd6-92c5-45b5-b900-ac70bfd31189
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 09:45:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
pua
lavasoft
loader
Indicators:
MD5:

AF35A32133F35D8F5C0D93DBCE07B233

SHA1:

467E30D1FA8094BFB564060BD19B8D1AD09D9A30

SHA256:

A23BC55FC4CEA6EDEC8239496F40B566E722FC822BA3E3879150120AC00359FE

SSDEEP:

3:N8RERKORLKUmK:2SBRL39

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • utweb_installer.exe (PID: 3496)
      • installer.exe (PID: 2128)
      • GenericSetup.exe (PID: 2744)
      • Carrier.exe (PID: 2524)
      • bwmnhjdu.34f.exe (PID: 2748)
      • bwmnhjdu.34f.exe (PID: 3060)
      • bwmnhjdu.34f.exe (PID: 4024)
      • bwmnhjdu.34f.exe (PID: 2304)
      • bwmnhjdu.34f.exe (PID: 3876)
      • of4dlk5r.fcr.exe (PID: 2944)
      • WebCompanionInstaller.exe (PID: 2076)
      • utweb.exe (PID: 2968)
      • WebCompanion.exe (PID: 2728)
      • Lavasoft.WCAssistant.WinService.exe (PID: 392)
      • assistant_installer.exe (PID: 2536)
      • _sfx.exe (PID: 1524)
      • utweb.exe (PID: 3424)
      • installer.exe (PID: 3792)
      • installer.exe (PID: 1892)
      • Ad-Aware Web Companion.exe (PID: 2648)
      • launcher.exe (PID: 3644)
      • assistant_installer.exe (PID: 1364)
      • assistant_installer.exe (PID: 4080)
      • browser_assistant.exe (PID: 3976)
      • launcher.exe (PID: 288)
      • opera.exe (PID: 3600)
      • opera_crashreporter.exe (PID: 3636)
      • opera.exe (PID: 3720)
      • opera.exe (PID: 3628)
      • opera_crashreporter.exe (PID: 596)
      • opera.exe (PID: 3544)
      • opera.exe (PID: 1456)
      • opera.exe (PID: 1572)
      • opera.exe (PID: 1700)
      • opera.exe (PID: 1224)
      • opera.exe (PID: 3144)
      • opera.exe (PID: 3240)
      • opera.exe (PID: 3476)
      • opera.exe (PID: 2696)
      • opera.exe (PID: 4068)
      • opera.exe (PID: 3848)
      • opera.exe (PID: 3532)
      • opera.exe (PID: 2884)
      • opera.exe (PID: 3800)
      • opera.exe (PID: 2432)
      • opera_autoupdate.exe (PID: 2576)
      • WebCompanion.exe (PID: 2368)
      • opera_autoupdate.exe (PID: 2848)
      • launcher.exe (PID: 328)
      • installer.exe (PID: 2688)
      • opera_autoupdate.exe (PID: 4240)
      • opera_autoupdate.exe (PID: 5164)
      • opera.exe (PID: 4820)
      • opera.exe (PID: 5068)

    • Changes settings of System certificates

      • GenericSetup.exe (PID: 2744)

    • Loads dropped or rewritten executable

      • GenericSetup.exe (PID: 2744)
      • Carrier.exe (PID: 2524)
      • bwmnhjdu.34f.exe (PID: 2748)
      • bwmnhjdu.34f.exe (PID: 2304)
      • bwmnhjdu.34f.exe (PID: 3060)
      • bwmnhjdu.34f.exe (PID: 4024)
      • bwmnhjdu.34f.exe (PID: 3876)
      • utweb.exe (PID: 2968)
      • WebCompanionInstaller.exe (PID: 2076)
      • WebCompanion.exe (PID: 2728)
      • Lavasoft.WCAssistant.WinService.exe (PID: 392)
      • installer.exe (PID: 3792)
      • utweb.exe (PID: 3424)
      • installer.exe (PID: 1892)
      • opera.exe (PID: 3600)
      • opera.exe (PID: 3628)
      • opera.exe (PID: 3720)
      • opera.exe (PID: 3544)
      • opera.exe (PID: 1456)
      • opera.exe (PID: 1572)
      • opera.exe (PID: 1224)
      • opera.exe (PID: 1700)
      • opera.exe (PID: 3240)
      • opera.exe (PID: 3144)
      • opera.exe (PID: 4068)
      • opera.exe (PID: 2696)
      • opera.exe (PID: 3476)
      • opera.exe (PID: 2884)
      • opera.exe (PID: 2432)
      • opera.exe (PID: 3800)
      • WebCompanion.exe (PID: 2368)
      • installer.exe (PID: 2688)
      • opera.exe (PID: 5068)
      • opera.exe (PID: 4820)

    • LAVASOFT was detected

      • installer.exe (PID: 2128)

    • Downloads executable files from the Internet

      • GenericSetup.exe (PID: 2744)

    • Loads the Task Scheduler COM API

      • GenericSetup.exe (PID: 2744)
      • installer.exe (PID: 3792)
      • assistant_installer.exe (PID: 1364)
      • opera.exe (PID: 3628)

    • Changes the autorun value in the registry

      • utweb.exe (PID: 2968)
      • WebCompanion.exe (PID: 2728)
      • assistant_installer.exe (PID: 1364)

    • Changes internet zones settings

      • WebCompanionInstaller.exe (PID: 2076)

    • Actions looks like stealing of personal data

      • opera.exe (PID: 3628)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • opera.exe (PID: 2568)
      • utweb_installer.exe (PID: 3496)
      • Carrier.exe (PID: 2524)
      • GenericSetup.exe (PID: 2744)
      • bwmnhjdu.34f.exe (PID: 2304)
      • bwmnhjdu.34f.exe (PID: 3060)
      • bwmnhjdu.34f.exe (PID: 2748)
      • bwmnhjdu.34f.exe (PID: 4024)
      • of4dlk5r.fcr.exe (PID: 2944)
      • WebCompanionInstaller.exe (PID: 2076)
      • _sfx.exe (PID: 1524)
      • installer.exe (PID: 1892)
      • installer.exe (PID: 3792)
      • assistant_installer.exe (PID: 1364)
      • launcher.exe (PID: 328)
      • installer.exe (PID: 2688)

    • Reads Windows owner or organization settings

      • GenericSetup.exe (PID: 2744)

    • Reads Environment values

      • GenericSetup.exe (PID: 2744)

    • Reads the Windows organization settings

      • GenericSetup.exe (PID: 2744)

    • Adds / modifies Windows certificates

      • GenericSetup.exe (PID: 2744)

    • Creates files in the user directory

      • Carrier.exe (PID: 2524)
      • bwmnhjdu.34f.exe (PID: 2748)
      • utweb.exe (PID: 2968)
      • WebCompanionInstaller.exe (PID: 2076)
      • installer.exe (PID: 3792)
      • browser_assistant.exe (PID: 3976)
      • WebCompanion.exe (PID: 2728)
      • opera.exe (PID: 3600)
      • opera.exe (PID: 3628)
      • opera_autoupdate.exe (PID: 2848)

    • Starts CMD.EXE for commands execution

      • GenericSetup.exe (PID: 2744)
      • WebCompanionInstaller.exe (PID: 2076)
      • Lavasoft.WCAssistant.WinService.exe (PID: 392)

    • Creates a software uninstall entry

      • Carrier.exe (PID: 2524)
      • WebCompanionInstaller.exe (PID: 2076)
      • installer.exe (PID: 3792)

    • Reads Internet Cache Settings

      • Carrier.exe (PID: 2524)
      • utweb.exe (PID: 2968)
      • bwmnhjdu.34f.exe (PID: 2304)

    • Modifies the open verb of a shell class

      • Carrier.exe (PID: 2524)
      • installer.exe (PID: 3792)

    • Application launched itself

      • bwmnhjdu.34f.exe (PID: 2304)
      • opera.exe (PID: 3600)
      • opera.exe (PID: 3628)
      • opera_autoupdate.exe (PID: 2848)
      • opera_autoupdate.exe (PID: 5164)

    • Executed via Task Scheduler

      • utweb.exe (PID: 2968)
      • launcher.exe (PID: 328)

    • Starts Internet Explorer

      • utweb.exe (PID: 2968)

    • Creates files in the program directory

      • WebCompanionInstaller.exe (PID: 2076)
      • WebCompanion.exe (PID: 2728)
      • Lavasoft.WCAssistant.WinService.exe (PID: 392)
      • installer.exe (PID: 3792)
      • bwmnhjdu.34f.exe (PID: 3060)
      • assistant_installer.exe (PID: 1364)
      • WebCompanion.exe (PID: 2368)

    • Starts SC.EXE for service management

      • WebCompanionInstaller.exe (PID: 2076)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 1708)
      • cmd.exe (PID: 944)

    • Executed as Windows Service

      • Lavasoft.WCAssistant.WinService.exe (PID: 392)
      • PresentationFontCache.exe (PID: 5916)

    • Creates files in the Windows directory

      • Lavasoft.WCAssistant.WinService.exe (PID: 392)
      • WebCompanion.exe (PID: 2728)
      • WebCompanionInstaller.exe (PID: 2076)

    • Removes files from Windows directory

      • Lavasoft.WCAssistant.WinService.exe (PID: 392)
      • WebCompanionInstaller.exe (PID: 2076)

    • Changes IE settings (feature browser emulation)

      • assistant_installer.exe (PID: 1364)

    • Executed via COM

      • unsecapp.exe (PID: 284)

    • Changes the started page of IE

      • WebCompanion.exe (PID: 2728)

    • Reads the machine GUID from the registry

      • opera.exe (PID: 3628)
      • opera.exe (PID: 3600)
      • opera_autoupdate.exe (PID: 2576)

    • Searches for installed software

      • GenericSetup.exe (PID: 2744)

  • INFO

    • Creates files in the user directory

      • opera.exe (PID: 2568)
      • iexplore.exe (PID: 4032)
      • iexplore.exe (PID: 2212)

    • Reads settings of System Certificates

      • GenericSetup.exe (PID: 2744)
      • bwmnhjdu.34f.exe (PID: 2304)

    • Changes internet zones settings

      • iexplore.exe (PID: 2212)
      • iexplore.exe (PID: 3868)

    • Application launched itself

      • iexplore.exe (PID: 2212)
      • iexplore.exe (PID: 3868)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 4032)
      • iexplore.exe (PID: 2212)
      • iexplore.exe (PID: 3572)

    • Reads internet explorer settings

      • iexplore.exe (PID: 4032)
      • iexplore.exe (PID: 3572)

    • Dropped object may contain Bitcoin addresses

      • WebCompanionInstaller.exe (PID: 2076)
      • bwmnhjdu.34f.exe (PID: 3060)
      • WebCompanion.exe (PID: 2728)

    • Manual execution by user

      • utweb.exe (PID: 3424)
      • assistant_installer.exe (PID: 4080)
      • opera.exe (PID: 3628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
73
Malicious processes
29
Suspicious processes
12

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start opera.exe utweb_installer.exe #LAVASOFT installer.exe genericsetup.exe cmd.exe no specs carrier.exe cmd.exe no specs bwmnhjdu.34f.exe bwmnhjdu.34f.exe bwmnhjdu.34f.exe no specs bwmnhjdu.34f.exe bwmnhjdu.34f.exe cmd.exe no specs of4dlk5r.fcr.exe utweb.exe webcompanioninstaller.exe iexplore.exe iexplore.exe sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs netsh.exe no specs webcompanion.exe lavasoft.wcassistant.winservice.exe _sfx.exe assistant_installer.exe installer.exe installer.exe cmd.exe no specs utweb.exe no specs csc.exe no specs netsh.exe no specs cvtres.exe no specs assistant_installer.exe ad-aware web companion.exe no specs assistant_installer.exe browser_assistant.exe launcher.exe no specs iexplore.exe unsecapp.exe no specs launcher.exe no specs opera.exe no specs iexplore.exe opera_crashreporter.exe no specs opera.exe no specs opera.exe opera_crashreporter.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera.exe no specs opera_autoupdate.exe webcompanion.exe launcher.exe opera_autoupdate.exe no specs installer.exe opera.exe no specs opera_autoupdate.exe opera_autoupdate.exe no specs opera.exe no specs presentationfontcache.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
284C:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\wbem\unsecapp.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Sink to receive asynchronous callbacks for WMI client application
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\unsecapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
288"C:\Program Files\Opera\launcher.exe" --start-maximizedC:\Program Files\Opera\launcher.exeinstaller.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera Internet Browser
Exit code:
0
Version:
60.0.3255.95
Modules
Images
c:\program files\opera\launcher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
328"C:\Program Files\Opera\launcher.exe" --scheduledautoupdate --autoupdaterequesttype=start --autoupdateoperaversion=60.0.3255.95C:\Program Files\Opera\launcher.exe
taskeng.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera Internet Browser
Exit code:
0
Version:
60.0.3255.95
Modules
Images
c:\program files\opera\launcher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
392"C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
SPWindowsService
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\lavasoft\web companion\application\lavasoft.wcassistant.winservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
596"C:\Program Files\Opera\60.0.3255.95\opera_crashreporter.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=60.0.3255.95 --initial-client-data=0x148,0x14c,0x150,0x144,0x154,0x55abf540,0x55abf550,0x55abf55cC:\Program Files\Opera\60.0.3255.95\opera_crashreporter.exeopera.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera crash-reporter
Exit code:
0
Version:
60.0.3255.95
Modules
Images
c:\program files\opera\60.0.3255.95\opera_crashreporter.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
944"C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=EveryoneC:\Windows\System32\cmd.exeLavasoft.WCAssistant.WinService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1000"sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= autoC:\Windows\system32\sc.exeWebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
1004"sc.exe" failure WCAssistantService reset= 30 actions= restart/60000C:\Windows\system32\sc.exeWebCompanionInstaller.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
1224"C:\Program Files\Opera\60.0.3255.95\opera.exe" --type=utility --field-trial-handle=1044,3921568849845183161,3794412733737818788,131072 --lang=en-US --service-sandbox-type=utility --enable-quic --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --ab_tests=DNA-74377-gb-ref:DNA-74377-gb --service-request-channel-token=17733084038064694408 --mojo-platform-channel-handle=2344 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Opera\60.0.3255.95\opera.exeopera.exe
User:
admin
Company:
Opera Software
Integrity Level:
LOW
Description:
Opera Internet Browser
Exit code:
0
Version:
60.0.3255.95
Modules
Images
c:\program files\opera\60.0.3255.95\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\opera\60.0.3255.95\opera_elf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1364"C:\Users\admin\AppData\Local\Temp\Opera Installer Temp\opera_package_201905201046261\assistant\assistant_installer.exe" --installfolder="C:\Program Files\Opera\assistant" --copyonly=0 --allusers=0C:\Users\admin\AppData\Local\Temp\Opera Installer Temp\opera_package_201905201046261\assistant\assistant_installer.exe
installer.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera Browser Assistant Installer
Exit code:
0
Version:
60.0.3255.95
Modules
Images
c:\users\admin\appdata\local\temp\opera installer temp\opera_package_201905201046261\assistant\assistant_installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
Total events
7 431
Read events
6 498
Write events
925
Delete events
8

Modification events

(PID) Process:(2568) opera.exeKey:HKEY_CURRENT_USER\Software\Opera Software
Operation:writeName:Last CommandLine v2
Value:
C:\Program Files\Opera\opera.exe https://web.utorrent.com/update/
(PID) Process:(2568) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2568) opera.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2568) opera.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2128) installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2128) installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2744) GenericSetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2744) GenericSetup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2744) GenericSetup.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2744) GenericSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Operation:writeName:Blob
Value:
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
Executable files
140
Suspicious files
147
Text files
806
Unknown types
92

Dropped files

PID
Process
Filename
Type
2568opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr3897.tmp
MD5:
SHA256:
2568opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opr38A8.tmp
MD5:
SHA256:
2568opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opr38F7.tmp
MD5:
SHA256:
2568opera.exeC:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp
MD5:
SHA256:
2568opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TPU5LYQP5UV6Q3WZ4RGA.temp
MD5:
SHA256:
2568opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr476F.tmp
MD5:
SHA256:
2568opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr5981.tmp
MD5:
SHA256:
2568opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.datbinary
MD5:
SHA256:
2568opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.initext
MD5:
SHA256:
2568opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xmlxml
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
73
TCP/UDP connections
282
DNS requests
87
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2568
opera.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/DigiCertGlobalRootCA.crl
US
der
581 b
whitelisted
2568
opera.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEBQZr8DeSFN%2FkpmVCws6msc%3D
US
der
471 b
whitelisted
2568
opera.exe
GET
200
93.184.220.29:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
US
der
543 b
whitelisted
2568
opera.exe
GET
200
151.139.128.14:80
http://crl.usertrust.com/AddTrustExternalCARoot.crl
US
der
673 b
whitelisted
2568
opera.exe
GET
200
93.184.220.29:80
http://status.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFvn094QJ%2BcWGTwWWEy%2BBXPZkW8AQUo8heZVTlMHjBBeoHCmpZzLn%2B3loCEAp5FymMEbmBiJidWot7PQs%3D
US
der
471 b
whitelisted
2568
opera.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEDVcoTH82eAUPv6eGMIxtds%3D
US
der
471 b
whitelisted
2568
opera.exe
GET
200
192.35.177.64:80
http://crl.identrust.com/DSTROOTCAX3CRL.crl
US
der
896 b
whitelisted
2568
opera.exe
GET
200
172.217.18.163:80
http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEB80oLaeU1vhpYbVfJsgxYg%3D
US
der
471 b
whitelisted
2568
opera.exe
GET
200
151.139.128.14:80
http://crl.comodoca.com/COMODORSACertificationAuthority.crl
US
der
812 b
whitelisted
2568
opera.exe
GET
200
172.217.18.163:80
http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDJ%2BbiZYJROiISCOfH68sRM%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2568
opera.exe
54.230.93.234:443
web.utorrent.com
Amazon.com, Inc.
US
unknown
2568
opera.exe
185.26.182.93:443
sitecheck2.opera.com
Opera Software AS
whitelisted
2568
opera.exe
185.26.182.112:443
sitecheck2.opera.com
Opera Software AS
malicious
2568
opera.exe
93.184.220.29:80
crl3.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2568
opera.exe
185.26.182.94:443
sitecheck2.opera.com
Opera Software AS
whitelisted
2568
opera.exe
87.248.222.180:443
www.utorrent.com
Limelight Networks, Inc.
IT
suspicious
2568
opera.exe
209.197.3.15:443
netdna.bootstrapcdn.com
Highwinds Network Group, Inc.
US
whitelisted
2568
opera.exe
104.19.196.151:443
cdnjs.cloudflare.com
Cloudflare Inc
US
shared
2568
opera.exe
205.185.208.52:443
code.jquery.com
Highwinds Network Group, Inc.
US
unknown
2568
opera.exe
172.217.22.74:443
fonts.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
web.utorrent.com
  • 54.230.93.234
  • 54.230.93.15
  • 54.230.93.200
  • 54.230.93.198
shared
sitecheck2.opera.com
  • 185.26.182.112
  • 185.26.182.93
  • 185.26.182.94
  • 185.26.182.111
whitelisted
certs.opera.com
  • 185.26.182.93
  • 185.26.182.94
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
status.thawte.com
  • 93.184.220.29
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted
www.utorrent.com
  • 87.248.222.180
whitelisted
netdna.bootstrapcdn.com
  • 209.197.3.15
whitelisted
code.jquery.com
  • 205.185.208.52
whitelisted
fonts.googleapis.com
  • 172.217.22.74
whitelisted

Threats

PID
Process
Class
Message
2128
installer.exe
A Network Trojan was detected
ET MALWARE Lavasoft PUA/Adware Client Install
2744
GenericSetup.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2744
GenericSetup.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2744
GenericSetup.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2524
Carrier.exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
2524
Carrier.exe
A Network Trojan was detected
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
2744
GenericSetup.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2744
GenericSetup.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2744
GenericSetup.exe
Misc activity
ET INFO EXE - Served Attached HTTP
Potential Corporate Privacy Violation
ET P2P BitTorrent DHT ping request
2 ETPRO signatures available at the full report
Process
Message
WebCompanionInstaller.exe
Detecting windows culture
WebCompanionInstaller.exe
5/20/2019 10:46:44 AM :-> Starting installer 4.7.1987.3881 with: .\WebCompanionInstaller.exe --partner=BT171001 --version=4.7.1987.3881 --prod --silent --homepage=1 --search=1 --partner=BT171001, Run as admin: True
WebCompanionInstaller.exe
Preparing for installing Web Companion
WebCompanionInstaller.exe
5/20/2019 10:46:46 AM :-> Generating Machine and Install Id ...
WebCompanionInstaller.exe
5/20/2019 10:46:46 AM :-> Machine Id and Install Id has been generated
WebCompanionInstaller.exe
5/20/2019 10:46:46 AM :-> Checking prerequisites ...
WebCompanionInstaller.exe
5/20/2019 10:46:46 AM :-> Antivirus not detected
WebCompanionInstaller.exe
5/20/2019 10:46:46 AM :-> vm_check False
WebCompanionInstaller.exe
5/20/2019 10:46:46 AM :-> reg_check :False
WebCompanionInstaller.exe
5/20/2019 10:46:46 AM :-> Installed .Net framework is V40
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://web.utorrent.com/update/