File name: Downloads.zip
Full analysis: https://app.any.run/tasks/59dfe9c6-8539-4b10-8fd0-1536ffcaf599
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 30, 2020, 18:57:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, pua, lavasoft, loader, evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: FC7F30E3EFF5D2E39CD4C2EDA7E61B2E
SHA1: 9C4D9E3C5EAF387539942E3854E5BAC419BB33A3
SHA256: A972729CCD8771C09D53ED32262A60534D8EE02753CA8A50B822A140184EF950
SSDEEP: 196608:iC91QGauTpuHXCWgLMZp174LU0/njeoXTodCo0T5QeYhdiPIUWd/i:iCLlaikHXAlL1/njjqCoYTtBW5i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • isoworkshop_9.1.exe (PID: 3264)
      • isoworkshop_9.1.exe (PID: 3516)
      • GenericSetup.exe (PID: 3212)
      • installer.exe (PID: 3084)
      • ISOWorkshop.exe (PID: 2908)
      • OfferInstaller.exe (PID: 2356)
      • ISOTools.exe (PID: 924)
      • u1ggojr1.k2g.exe (PID: 1812)
      • xmyllw4g.wji.exe (PID: 2152)
      • avast_free_antivirus_setup_online.exe (PID: 3604)
      • instup.exe (PID: 3580)
      • instup.exe (PID: 4000)
      • sbr.exe (PID: 2460)
      • AvEmUpdate.exe (PID: 1840)
      • AvEmUpdate.exe (PID: 3060)
      • AvEmUpdate.exe (PID: 2140)
      • AvEmUpdate.exe (PID: 2588)
      • CCUpdate.exe (PID: 3976)
      • CCUpdate.exe (PID: 3920)
      • CCUpdate.exe (PID: 3512)
      • avBugReport.exe (PID: 3788)
      • RegSvr.exe (PID: 2772)
      • avBugReport.exe (PID: 2244)
      • CCUpdate.exe (PID: 3584)
      • RegSvr.exe (PID: 1932)
      • wsc_proxy.exe (PID: 3804)
      • AvastNM.exe (PID: 740)
      • engsup.exe (PID: 2872)
      • AvastSvc.exe (PID: 3668)
      • engsup.exe (PID: 3376)
      • overseer.exe (PID: 2780)
      • SetupInf.exe (PID: 3364)
      • aswEngSrv.exe (PID: 1852)
      • SetupInf.exe (PID: 3760)
      • SetupInf.exe (PID: 3244)
      • SetupInf.exe (PID: 4052)
      • wsc_proxy.exe (PID: 956)
    • Loads dropped or rewritten executable

      • GenericSetup.exe (PID: 3212)
      • ISOTools.exe (PID: 924)
      • instup.exe (PID: 3580)
      • instup.exe (PID: 4000)
      • AvEmUpdate.exe (PID: 3060)
      • AvEmUpdate.exe (PID: 2588)
      • AvEmUpdate.exe (PID: 2140)
      • RegSvr.exe (PID: 1932)
      • engsup.exe (PID: 2872)
      • AvastSvc.exe (PID: 3668)
      • engsup.exe (PID: 3376)
      • aswEngSrv.exe (PID: 1852)
    • LAVASOFT was detected

      • installer.exe (PID: 3084)
    • Changes settings of System certificates

      • u1ggojr1.k2g.exe (PID: 1812)
      • instup.exe (PID: 3580)
      • isoworkshop_9.1.tmp (PID: 1524)
      • AvastSvc.exe (PID: 3668)
    • Downloads executable files from the Internet

      • OfferInstaller.exe (PID: 2356)
      • xmyllw4g.wji.exe (PID: 2152)
      • AvEmUpdate.exe (PID: 3060)
      • CCUpdate.exe (PID: 3512)
    • Changes the autorun value in the registry

      • instup.exe (PID: 4000)
    • Loads the Task Scheduler COM API

      • AvEmUpdate.exe (PID: 1840)
      • AvEmUpdate.exe (PID: 3060)
      • CCUpdate.exe (PID: 3512)
      • CCUpdate.exe (PID: 1536)
      • overseer.exe (PID: 2780)
      • AvastSvc.exe (PID: 3668)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3540)
      • isoworkshop_9.1.exe (PID: 3516)
      • isoworkshop_9.1.exe (PID: 3264)
      • isoworkshop_9.1.tmp (PID: 1524)
      • BA003.exe (PID: 2228)
      • OfferInstaller.exe (PID: 2356)
      • xmyllw4g.wji.exe (PID: 2152)
      • avast_free_antivirus_setup_online.exe (PID: 3604)
      • instup.exe (PID: 3580)
      • instup.exe (PID: 4000)
      • AvEmUpdate.exe (PID: 3060)
      • AvEmUpdate.exe (PID: 2588)
      • CCUpdate.exe (PID: 3976)
      • CCUpdate.exe (PID: 3920)
      • overseer.exe (PID: 2780)
      • AvastSvc.exe (PID: 3668)
    • Reads the Windows organization settings

      • isoworkshop_9.1.tmp (PID: 1524)
      • GenericSetup.exe (PID: 3212)
      • OfferInstaller.exe (PID: 2356)
    • Reads Windows owner or organization settings

      • isoworkshop_9.1.tmp (PID: 1524)
      • GenericSetup.exe (PID: 3212)
      • OfferInstaller.exe (PID: 2356)
    • Reads Internet Cache Settings

      • isoworkshop_9.1.tmp (PID: 1524)
      • ISOWorkshop.exe (PID: 2908)
    • Reads Environment values

      • GenericSetup.exe (PID: 3212)
      • OfferInstaller.exe (PID: 2356)
      • AvastSvc.exe (PID: 3668)
    • Adds / modifies Windows certificates

      • u1ggojr1.k2g.exe (PID: 1812)
      • instup.exe (PID: 3580)
      • isoworkshop_9.1.tmp (PID: 1524)
    • Starts CMD.EXE for commands execution

      • OfferInstaller.exe (PID: 2356)
    • Creates files in the program directory

      • u1ggojr1.k2g.exe (PID: 1812)
      • avast_free_antivirus_setup_online.exe (PID: 3604)
      • instup.exe (PID: 3580)
      • instup.exe (PID: 4000)
      • AvEmUpdate.exe (PID: 1840)
      • AvEmUpdate.exe (PID: 3060)
      • CCUpdate.exe (PID: 3976)
      • CCUpdate.exe (PID: 3512)
      • CCUpdate.exe (PID: 1536)
      • CCUpdate.exe (PID: 3920)
      • avBugReport.exe (PID: 3788)
      • engsup.exe (PID: 2872)
      • AvastNM.exe (PID: 740)
      • overseer.exe (PID: 2780)
      • wsc_proxy.exe (PID: 3804)
      • AvastSvc.exe (PID: 3668)
      • engsup.exe (PID: 3376)
    • Creates files in the Windows directory

      • xmyllw4g.wji.exe (PID: 2152)
      • avast_free_antivirus_setup_online.exe (PID: 3604)
      • instup.exe (PID: 3580)
      • instup.exe (PID: 4000)
      • AvEmUpdate.exe (PID: 3060)
      • AvastSvc.exe (PID: 3668)
    • Low-level read access rights to disk partition

      • xmyllw4g.wji.exe (PID: 2152)
      • avast_free_antivirus_setup_online.exe (PID: 3604)
      • instup.exe (PID: 3580)
      • instup.exe (PID: 4000)
      • AvEmUpdate.exe (PID: 3060)
      • AvEmUpdate.exe (PID: 2140)
      • AvEmUpdate.exe (PID: 2588)
      • CCUpdate.exe (PID: 3976)
      • CCUpdate.exe (PID: 3920)
      • CCUpdate.exe (PID: 3584)
      • CCUpdate.exe (PID: 3512)
      • CCUpdate.exe (PID: 1536)
      • avBugReport.exe (PID: 3788)
      • avBugReport.exe (PID: 2244)
      • overseer.exe (PID: 2780)
      • wsc_proxy.exe (PID: 3804)
      • AvastSvc.exe (PID: 3668)
      • wsc_proxy.exe (PID: 956)
    • Creates or modifies windows services

      • instup.exe (PID: 3580)
      • instup.exe (PID: 4000)
      • SetupInf.exe (PID: 3244)
      • SetupInf.exe (PID: 3760)
      • SetupInf.exe (PID: 4052)
      • SetupInf.exe (PID: 3364)
      • AvEmUpdate.exe (PID: 1840)
      • AvEmUpdate.exe (PID: 3060)
      • AvEmUpdate.exe (PID: 2140)
      • AvEmUpdate.exe (PID: 2588)
      • RegSvr.exe (PID: 1932)
      • avBugReport.exe (PID: 3788)
      • avBugReport.exe (PID: 2244)
      • RegSvr.exe (PID: 2772)
      • wsc_proxy.exe (PID: 3804)
      • AvastSvc.exe (PID: 3668)
      • wsc_proxy.exe (PID: 956)
    • Starts itself from another location

      • instup.exe (PID: 3580)
      • CCUpdate.exe (PID: 3920)
    • Removes files from Windows directory

      • instup.exe (PID: 3580)
      • instup.exe (PID: 4000)
      • AvEmUpdate.exe (PID: 3060)
    • Creates files in the driver directory

      • instup.exe (PID: 4000)
      • AvEmUpdate.exe (PID: 3060)
    • Creates COM task schedule object

      • instup.exe (PID: 4000)
      • RegSvr.exe (PID: 2772)
      • RegSvr.exe (PID: 1932)
    • Creates a software uninstall entry

      • instup.exe (PID: 4000)
      • AvEmUpdate.exe (PID: 2588)
    • Modifies the open verb of a shell class

      • instup.exe (PID: 4000)
    • Searches for installed software

      • OfferInstaller.exe (PID: 2356)
      • AvastSvc.exe (PID: 3668)
      • GenericSetup.exe (PID: 3212)
    • Application launched itself

      • AvEmUpdate.exe (PID: 3060)
      • CCUpdate.exe (PID: 3512)
    • Checks for external IP

      • AvEmUpdate.exe (PID: 3060)
      • AvEmUpdate.exe (PID: 2140)
      • AvEmUpdate.exe (PID: 2588)
      • CCUpdate.exe (PID: 3976)
      • CCUpdate.exe (PID: 3920)
      • CCUpdate.exe (PID: 3584)
      • CCUpdate.exe (PID: 3512)
      • CCUpdate.exe (PID: 1536)
      • AvastSvc.exe (PID: 3668)
    • Executed as Windows Service

      • AvastSvc.exe (PID: 3668)
    • Reads the cookies of Google Chrome

      • engsup.exe (PID: 3376)
    • Reads the cookies of Mozilla Firefox

      • engsup.exe (PID: 3376)
  • INFO

    • Application was dropped or rewritten from another process

      • isoworkshop_9.1.tmp (PID: 1524)
      • isoworkshop_9.1.tmp (PID: 1500)
      • BA003.exe (PID: 2228)
    • Loads dropped or rewritten executable

      • isoworkshop_9.1.tmp (PID: 1524)
    • Creates a software uninstall entry

      • isoworkshop_9.1.tmp (PID: 1524)
    • Reads settings of System Certificates

      • isoworkshop_9.1.tmp (PID: 1524)
    • Creates files in the program directory

      • isoworkshop_9.1.tmp (PID: 1524)
    • Manual execution by user

      • ISOWorkshop.exe (PID: 2908)
    • Reads the hosts file

      • instup.exe (PID: 3580)
      • instup.exe (PID: 4000)
      • overseer.exe (PID: 2780)
      • AvastSvc.exe (PID: 3668)
    • Dropped object may contain Bitcoin addresses

      • instup.exe (PID: 4000)
      • AvEmUpdate.exe (PID: 3060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:03:30 13:36:22
ZipCRC: 0x76126107
ZipCompressedSize: 5988256
ZipUncompressedSize: 6048152
ZipFileName: Firefox_Setup_2.0.0.20.exe
No data.
All screenshots are available in the full report
Total processes: 85
Monitored processes: 44
Malicious processes: 28
Suspicious processes: 9

Behavior graph

Processes shown in the graph, in the order they appear (edges between them are labelled "drop and start" or "start"; "no specs" and "#LAVASOFT" are the graph's own labels): winrar.exe, isoworkshop_9.1.exe, isoworkshop_9.1.tmp (no specs), isoworkshop_9.1.exe, isoworkshop_9.1.tmp, ba003.exe, installer.exe (#LAVASOFT), genericsetup.exe, isoworkshop.exe, isotools.exe (no specs), offerinstaller.exe, cmd.exe (no specs), u1ggojr1.k2g.exe, cmd.exe (no specs), xmyllw4g.wji.exe, avast_free_antivirus_setup_online.exe, instup.exe, instup.exe, sbr.exe (no specs), setupinf.exe (no specs), setupinf.exe (no specs), setupinf.exe (no specs), setupinf.exe (no specs), avemupdate.exe (no specs), avemupdate.exe, avemupdate.exe, avemupdate.exe, ccupdate.exe, ccupdate.exe, ccupdate.exe, ccupdate.exe, ccupdate.exe, avbugreport.exe, avbugreport.exe, regsvr.exe (no specs), regsvr.exe (no specs), avastnm.exe (no specs), overseer.exe, engsup.exe (no specs), wsc_proxy.exe (no specs), avastsvc.exe, engsup.exe (no specs), aswengsrv.exe (no specs), wsc_proxy.exe (no specs)

Process information

Columns: PID, CMD, Path, Parent process, then the process details (the Indicators column is empty in this capture).

PID 3540
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Downloads.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0

PID 3516
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe
Parent process: WinRAR.exe
User: admin | Company: Glorylogic | Integrity Level: MEDIUM | Description: ISO Workshop Installation | Version: 9.1.0.0

PID 1500
CMD: "C:\Users\admin\AppData\Local\Temp\is-1CKKM.tmp\isoworkshop_9.1.tmp" /SL5="$10023E,3213412,121344,C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-1CKKM.tmp\isoworkshop_9.1.tmp
Parent process: isoworkshop_9.1.exe
User: admin | Integrity Level: MEDIUM | Description: Setup/Uninstall | Version: 51.1052.0.0

PID 3264
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe" /SPAWNWND=$60246 /NOTIFYWND=$10023E
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe
Parent process: isoworkshop_9.1.tmp
User: admin | Company: Glorylogic | Integrity Level: HIGH | Description: ISO Workshop Installation | Version: 9.1.0.0

PID 1524
CMD: "C:\Users\admin\AppData\Local\Temp\is-QE5J0.tmp\isoworkshop_9.1.tmp" /SL5="$601CC,3213412,121344,C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe" /SPAWNWND=$60246 /NOTIFYWND=$10023E
Path: C:\Users\admin\AppData\Local\Temp\is-QE5J0.tmp\isoworkshop_9.1.tmp
Parent process: isoworkshop_9.1.exe
User: admin | Integrity Level: HIGH | Description: Setup/Uninstall | Version: 51.1052.0.0

PID 2228
CMD: "C:\Users\admin\AppData\Local\Temp\is-UNF3Q.tmp\BA003.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-UNF3Q.tmp\BA003.exe
Parent process: isoworkshop_9.1.tmp
User: admin | Company: Glorylogic | Integrity Level: HIGH | Description: Glorylogic Installation | Exit code: 0 | Version: 10.3.0.0

PID 3084
CMD: .\installer.exe
Path: C:\Users\admin\AppData\Local\Temp\7zS4B86DBF6\installer.exe
Parent process: BA003.exe
User: admin | Company: adaware | Integrity Level: HIGH | Description: Glorylogic Installation | Exit code: 0 | Version: 2.5.0.1009

PID 3212
CMD: C:\Users\admin\AppData\Local\Temp\7zS4B86DBF6\GenericSetup.exe husertype=Admin
Path: C:\Users\admin\AppData\Local\Temp\7zS4B86DBF6\GenericSetup.exe
Parent process: installer.exe
User: admin | Company: adaware | Integrity Level: HIGH | Description: Glorylogic Installation | Exit code: 0 | Version: 2.5.0.1009

PID 2908
CMD: "C:\Program Files\Glorylogic\ISO Workshop\ISOWorkshop.exe"
Path: C:\Program Files\Glorylogic\ISO Workshop\ISOWorkshop.exe
Parent process: explorer.exe
User: admin | Company: Glorylogic | Integrity Level: MEDIUM | Description: ISO Workshop | Version: 9.1.0.0

PID 924
CMD: "C:\Program Files\Glorylogic\ISO Workshop\ISOTools.exe" 2
Path: C:\Program Files\Glorylogic\ISO Workshop\ISOTools.exe
Parent process: ISOWorkshop.exe
User: admin | Company: Glorylogic | Integrity Level: MEDIUM | Description: ISO Tools | Version: 9.1.0.0
Total events: 18 692
Read events: 12 341
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 454
Suspicious files: 87
Text files: 261
Unknown types: 33

Dropped files

Columns: PID | Process | Filename | Type (MD5 and SHA256 follow where the report lists them)

1524 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\Local\Temp\CabD317.tmp | (type, MD5 and SHA256 not listed)
1524 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\Local\Temp\TarD318.tmp | (type, MD5 and SHA256 not listed)
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-DFEC1.tmp | (type, MD5 and SHA256 not listed)
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-J8Q1D.tmp | (type, MD5 and SHA256 not listed)
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-S399F.tmp | (type, MD5 and SHA256 not listed)
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-9N643.tmp | (type, MD5 and SHA256 not listed)
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-S2H4D.tmp | (type, MD5 and SHA256 not listed)
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-95ME7.tmp | (type, MD5 and SHA256 not listed)
1524 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA | binary
  MD5: BAC5B43110872976174E85B8D8BCA57E
  SHA256: 92E84622936AA035FB94950FD3312F0E5FDB5A46ED3DE7557871D77FCDFB7120
1524 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 | binary
  MD5: 6DA387CF1B59554799046868FC147087
  SHA256: 7CD73E636F86A0A05EF98CA63007B75A2B30431D1BDB63425A85239858571EAA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 128
TCP/UDP connections: 109
DNS requests: 130
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2356 | OfferInstaller.exe | GET | 200 | 104.16.236.79:80 | http://sdl.adaware.com/cdn/saBSI.exe | US | executable | 1.06 Mb | whitelisted
1524 | isoworkshop_9.1.tmp | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | US | der | 471 b | whitelisted
1524 | isoworkshop_9.1.tmp | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY | US | der | 728 b | whitelisted
3212 | GenericSetup.exe | POST | 200 | 104.16.236.79:80 | http://sos.adaware.com/v1/bundle/list/?bundleId=BA003 | US | text | 9.13 Kb | whitelisted
3580 | instup.exe | GET | 200 | 92.123.101.193:80 | http://b1477563.iavs9x.u.avast.com/iavs9x/servers.def.vpx | unknown | binary | 3.25 Kb | whitelisted
2152 | xmyllw4g.wji.exe | POST | 204 | 5.62.44.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | US | (not listed) | (not listed) | whitelisted
3580 | instup.exe | GET | 200 | 92.123.101.193:80 | http://h1745978.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx | unknown | binary | 602 b | whitelisted
3580 | instup.exe | GET | 200 | 92.123.101.193:80 | http://h1745978.iavs9x.u.avast.com/iavs9x/avdump_x86_ais-95d.vpx | unknown | binary | 331 Kb | whitelisted
4000 | instup.exe | GET | 200 | 2.19.194.243:80 | http://r7110576.vps18tiny.u.avcdn.net/vps18tiny/prod-vps.vpx | unknown | binary | 336 b | whitelisted
3580 | instup.exe | GET | 200 | 92.123.101.193:80 | http://h1745978.iavs9x.u.avast.com/iavs9x/sbr_x86_ais-95d.vpx | unknown | binary | 7.27 Kb | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

1524 | isoworkshop_9.1.tmp | 208.100.25.83:443 | www.glorylogic.com | Steadfast | US | suspicious
2908 | ISOWorkshop.exe | 208.100.25.83:80 | www.glorylogic.com | Steadfast | US | suspicious
1524 | isoworkshop_9.1.tmp | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious
3212 | GenericSetup.exe | 104.16.236.79:443 | sos.adaware.com | Cloudflare Inc | US | shared
3212 | GenericSetup.exe | 104.16.236.79:80 | sos.adaware.com | Cloudflare Inc | US | shared
3212 | GenericSetup.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared
2356 | OfferInstaller.exe | 104.16.236.79:80 | sos.adaware.com | Cloudflare Inc | US | shared
2908 | ISOWorkshop.exe | 208.100.25.83:443 | www.glorylogic.com | Steadfast | US | suspicious
3084 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared
2356 | OfferInstaller.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared

DNS requests

Columns: Domain | IP | Reputation

www.glorylogic.com | 208.100.25.83 | suspicious
ocsp.usertrust.com | 151.139.128.14 | whitelisted
ocsp.comodoca.com | 151.139.128.14 | whitelisted
www.google.com | 172.217.22.36 | whitelisted
sos.adaware.com | 104.16.236.79, 104.16.235.79 | whitelisted
flow.lavasoft.com | 104.18.87.101, 104.18.88.101 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared
sdl.adaware.com | 104.16.236.79, 104.16.235.79 | whitelisted
cu1pehnswad01.servicebus.windows.net | 104.208.16.0 | whitelisted
sadownload.mcafee.com | 72.247.225.70 | whitelisted

Threats

Columns: PID | Process | Class | Message

3084 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install
3084 | installer.exe | Misc activity | ADWARE [PTsecurity] lavasoft StubBundleStart PUP Install
3084 | installer.exe | Misc activity | ADWARE [PTsecurity] lavasoft StubBundleStart PUP Install
2356 | OfferInstaller.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2356 | OfferInstaller.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2356 | OfferInstaller.exe | Misc activity | ET INFO Packed Executable Download
2152 | xmyllw4g.wji.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3060 | AvEmUpdate.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup (avast .com)
3060 | AvEmUpdate.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2140 | AvEmUpdate.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup (avast .com)
14 ETPRO signatures available at the full report
Columns: Process | Message

u1ggojr1.k2g.exe | NotComDllGetInterface: DLL not found in install location, looking in current directory
u1ggojr1.k2g.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\u1ggojr1.k2g.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
u1ggojr1.k2g.exe | NotComDllGetInterface: DLL not found in install location, looking in current directory
u1ggojr1.k2g.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\u1ggojr1.k2g.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
u1ggojr1.k2g.exe | NotComDllGetInterface: DLL not found in install location, looking in current directory
u1ggojr1.k2g.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\u1ggojr1.k2g.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
AvastSvc.exe | [2020-03-30 19:01:32.779] [error ] [av_pp_prov ] [ 3668: 1508] Exception: get_file_content 'C:\Program Files\AVAST Software\Avast\gui_resources\default\updatefile.json' Code: 0x00000003 (3)
AvastSvc.exe | [2020-03-30 19:01:33.857] [error ] [av_pp_prov ] [ 3668: 2892] Exception: Request 'app.browserExtensions.GetDetails' was not processed. Routing parameters:
AvastSvc.exe | [2020-03-30 19:01:33.857] [error ] [av_pp_prov ] [ 3668: 2892] Exception: Request 'app.browserExtensions.GetDetails' was not processed. Routing parameters:
AvastSvc.exe | [2020-03-30 19:01:33.857] [error ] [av_pp_prov ] [ 3668: 2892] Exception: Request 'app.browserExtensions.GetDetails' was not processed. Routing parameters: