| URL: | https://tuyasmartapp.com/index.html |
| Full analysis: | https://app.any.run/tasks/e14b6c7a-8184-4cb1-bd16-b95a3afbb8eb |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | February 07, 2024, 15:15:59 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | C736F269374C229387FB3E464E896EE7 |
| SHA1: | C28479D1560E11A3E56A40E48DAFCDA42CD6AE0D |
| SHA256: | AB44001D9F6F84CB7DF39B36C5F1FAC4738FD229E73C6497D3E1C142F23DBCA6 |
| SSDEEP: | 3:N8Y5+iVVyKbDG:2Y5+i/yKbDG |
MALICIOUS
Drops the executable file immediately after the start
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- installer.exe (PID: 3980)
- Tuya-Setup_922561.exe (PID: 120)
- cmd.exe (PID: 3468)
- cmd.exe (PID: 2944)
- WcInstaller.exe (PID: 2936)
- cmd.exe (PID: 3344)
- qdusetup.exe (PID: 1384)
- tbar.exe (PID: 3228)
- qdusetup.tmp (PID: 2760)
- RFileStpOv.exe (PID: 3416)
- tbar.tmp (PID: 1776)
- pmropn.exe (PID: 4080)
- pinst.exe (PID: 240)
- WebCompanionInstaller.exe (PID: 2616)
- avg_antivirus_free_setup.exe (PID: 3464)
- avg_antivirus_free_online_setup.exe (PID: 3388)
- icarus.exe (PID: 2792)
- csc.exe (PID: 296)
ADAWARE has been detected (SURICATA)
- WebCompanionInstaller.exe (PID: 2616)
Creates a writable file in the system directory
- pmropn.exe (PID: 4080)
Starts Visual C# compiler
- qdu.exe (PID: 1824)
SUSPICIOUS
Application launched itself
- Tuya-Setup_922561.exe (PID: 3664)
- cmd.exe (PID: 2480)
- cmd.exe (PID: 4072)
- cmd.exe (PID: 2448)
- cmd.exe (PID: 3924)
- cmd.exe (PID: 3192)
- cmd.exe (PID: 3256)
- cmd.exe (PID: 3668)
- cmd.exe (PID: 3944)
- cmd.exe (PID: 1888)
Reads the Internet Settings
- Tuya-Setup_922561.exe (PID: 3664)
- Tuya-Setup_922561.exe (PID: 120)
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- qdusetup.tmp (PID: 2760)
- pinst.exe (PID: 240)
- qdu.exe (PID: 1492)
- Barousel.exe (PID: 3320)
- qdu.exe (PID: 2976)
- WebCompanionInstaller.exe (PID: 2616)
- pmropn.exe (PID: 4080)
- RFileStpOv.exe (PID: 3416)
- qdu.exe (PID: 1824)
Reads settings of System Certificates
- Tuya-Setup_922561.exe (PID: 120)
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- WebCompanionInstaller.exe (PID: 2616)
- tbar.tmp (PID: 1776)
- qdu.exe (PID: 1492)
- Barousel.exe (PID: 3320)
- qdu.exe (PID: 2976)
- avg_antivirus_free_setup.exe (PID: 3464)
- pmropn.exe (PID: 4080)
- avg_antivirus_free_online_setup.exe (PID: 3388)
- qdu.exe (PID: 1824)
- qdu.exe (PID: 3728)
Executable content was dropped or overwritten
- Tuya-Setup_922561.exe (PID: 120)
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- cmd.exe (PID: 3468)
- cmd.exe (PID: 2944)
- WcInstaller.exe (PID: 2936)
- cmd.exe (PID: 3344)
- qdusetup.exe (PID: 1384)
- installer.exe (PID: 3980)
- tbar.exe (PID: 3228)
- RFileStpOv.exe (PID: 3416)
- tbar.tmp (PID: 1776)
- qdusetup.tmp (PID: 2760)
- WebCompanionInstaller.exe (PID: 2616)
- pmropn.exe (PID: 4080)
- pinst.exe (PID: 240)
- avg_antivirus_free_setup.exe (PID: 3464)
- avg_antivirus_free_online_setup.exe (PID: 3388)
- icarus.exe (PID: 2792)
- csc.exe (PID: 296)
Reads security settings of Internet Explorer
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- WebCompanionInstaller.exe (PID: 2616)
- qdu.exe (PID: 1492)
- Barousel.exe (PID: 3320)
- qdu.exe (PID: 2976)
- pmropn.exe (PID: 4080)
- qdu.exe (PID: 1824)
- qdu.exe (PID: 3728)
Drops 7-zip archiver for unpacking
- Tuya-Setup_922561.exe (PID: 120)
- qdusetup.tmp (PID: 2760)
- WebCompanionInstaller.exe (PID: 2616)
Searches for installed software
- ExclusivetTool.exe (PID: 116)
- WebCompanionInstaller.exe (PID: 2616)
- qdusetup.tmp (PID: 2760)
- pmropn.exe (PID: 4080)
- reg.exe (PID: 324)
- pmservice.exe (PID: 4072)
- pinst.exe (PID: 240)
Adds/modifies Windows certificates
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- WebCompanionInstaller.exe (PID: 2616)
- Barousel.exe (PID: 3320)
- pmservice.exe (PID: 4072)
Checks Windows Trust Settings
- saBSI.exe (PID: 2432)
- WebCompanionInstaller.exe (PID: 2616)
- ExclusivetTool.exe (PID: 116)
- qdu.exe (PID: 1492)
- Barousel.exe (PID: 3320)
- qdu.exe (PID: 2976)
- pmropn.exe (PID: 4080)
- qdu.exe (PID: 1824)
- qdu.exe (PID: 3728)
The process verifies whether the antivirus software is installed
- saBSI.exe (PID: 2432)
- installer.exe (PID: 3028)
- installer.exe (PID: 3980)
Starts CMD.EXE for commands execution
- ExclusivetTool.exe (PID: 116)
- cmd.exe (PID: 4072)
- cmd.exe (PID: 2480)
- cmd.exe (PID: 3924)
- cmd.exe (PID: 2448)
- cmd.exe (PID: 3192)
- cmd.exe (PID: 3256)
- cmd.exe (PID: 3944)
- cmd.exe (PID: 3668)
- cmd.exe (PID: 1888)
- RFileStpOv.exe (PID: 3416)
The executable file from the user directory is run by the CMD process
- RFileStpOv.exe (PID: 3416)
- WcInstaller.exe (PID: 2936)
- qdusetup.exe (PID: 1384)
- tbar.exe (PID: 3228)
Reads the Windows owner or organization settings
- qdusetup.tmp (PID: 2760)
- tbar.tmp (PID: 1776)
Uses TASKKILL.EXE to kill process
- qdusetup.tmp (PID: 2760)
Process drops legitimate windows executable
- tbar.tmp (PID: 1776)
- qdusetup.tmp (PID: 2760)
- WebCompanionInstaller.exe (PID: 2616)
Reads Microsoft Outlook installation path
- Barousel.exe (PID: 3320)
- qdu.exe (PID: 2976)
Reads Internet Explorer settings
- Barousel.exe (PID: 3320)
Executes as Windows Service
- PresentationFontCache.exe (PID: 992)
- pmservice.exe (PID: 4072)
The process drops C-runtime libraries
- WebCompanionInstaller.exe (PID: 2616)
Starts SC.EXE for service management
- WebCompanionInstaller.exe (PID: 2616)
The process deletes folder without confirmation
- RFileStpOv.exe (PID: 3416)
- cmd.exe (PID: 1888)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 1888)
Uses .NET C# to load dll
- qdu.exe (PID: 1824)
The process executes via Task Scheduler
- qdu.exe (PID: 3728)
INFO
Executable content was dropped or overwritten
- iexplore.exe (PID: 3688)
- iexplore.exe (PID: 1392)
- iexplore.exe (PID: 3904)
Drops the executable file immediately after the start
- iexplore.exe (PID: 3904)
- iexplore.exe (PID: 1392)
- iexplore.exe (PID: 3688)
Application launched itself
- iexplore.exe (PID: 1392)
Reads the machine GUID from the registry
- Tuya-Setup_922561.exe (PID: 3664)
- Tuya-Setup_922561.exe (PID: 120)
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- RFileStpOv.exe (PID: 3416)
- WebCompanionInstaller.exe (PID: 2616)
- tbar.tmp (PID: 1776)
- qdu.exe (PID: 1492)
- Barousel.exe (PID: 3320)
- qdu.exe (PID: 2976)
- PresentationFontCache.exe (PID: 992)
- pmropn.exe (PID: 4080)
- pmservice.exe (PID: 4072)
- avg_antivirus_free_setup.exe (PID: 3464)
- avg_antivirus_free_online_setup.exe (PID: 3388)
- icarus.exe (PID: 2792)
- qdu.exe (PID: 1824)
- csc.exe (PID: 296)
- cvtres.exe (PID: 2356)
- qdu.exe (PID: 3728)
Checks supported languages
- Tuya-Setup_922561.exe (PID: 3664)
- Tuya-Setup_922561.exe (PID: 120)
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- installer.exe (PID: 3980)
- RFileStpOv.exe (PID: 3416)
- WcInstaller.exe (PID: 2936)
- WebCompanionInstaller.exe (PID: 2616)
- qdusetup.exe (PID: 1384)
- qdusetup.tmp (PID: 2760)
- tbar.tmp (PID: 1776)
- tbar.exe (PID: 3228)
- qdu.exe (PID: 1492)
- pinst.exe (PID: 240)
- Barousel.exe (PID: 3320)
- qdu.exe (PID: 2976)
- PresentationFontCache.exe (PID: 992)
- pmropn.exe (PID: 4080)
- pmservice.exe (PID: 4072)
- avg_antivirus_free_setup.exe (PID: 3464)
- avg_antivirus_free_online_setup.exe (PID: 3388)
- icarus.exe (PID: 2792)
- qdu.exe (PID: 1824)
- cvtres.exe (PID: 2356)
- csc.exe (PID: 296)
- qdu.exe (PID: 3728)
Reads the computer name
- Tuya-Setup_922561.exe (PID: 120)
- Tuya-Setup_922561.exe (PID: 3664)
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- RFileStpOv.exe (PID: 3416)
- WebCompanionInstaller.exe (PID: 2616)
- qdusetup.tmp (PID: 2760)
- tbar.tmp (PID: 1776)
- qdu.exe (PID: 1492)
- pinst.exe (PID: 240)
- Barousel.exe (PID: 3320)
- PresentationFontCache.exe (PID: 992)
- qdu.exe (PID: 2976)
- pmropn.exe (PID: 4080)
- pmservice.exe (PID: 4072)
- avg_antivirus_free_setup.exe (PID: 3464)
- avg_antivirus_free_online_setup.exe (PID: 3388)
- icarus.exe (PID: 2792)
- qdu.exe (PID: 1824)
- qdu.exe (PID: 3728)
Creates files in the program directory
- Tuya-Setup_922561.exe (PID: 120)
- saBSI.exe (PID: 2432)
- installer.exe (PID: 3980)
- WebCompanionInstaller.exe (PID: 2616)
- qdusetup.tmp (PID: 2760)
- pinst.exe (PID: 240)
- pmservice.exe (PID: 4072)
- pmropn.exe (PID: 4080)
- avg_antivirus_free_online_setup.exe (PID: 3388)
- icarus.exe (PID: 2792)
The process uses the downloaded file
- iexplore.exe (PID: 1392)
- Tuya-Setup_922561.exe (PID: 3664)
Checks proxy server information
- ExclusivetTool.exe (PID: 116)
- Barousel.exe (PID: 3320)
- qdu.exe (PID: 2976)
- pmropn.exe (PID: 4080)
Creates files or folders in the user directory
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- tbar.tmp (PID: 1776)
- qdu.exe (PID: 1492)
- Barousel.exe (PID: 3320)
- pinst.exe (PID: 240)
- qdu.exe (PID: 2976)
- pmropn.exe (PID: 4080)
- qdu.exe (PID: 1824)
Reads Environment values
- ExclusivetTool.exe (PID: 116)
- WebCompanionInstaller.exe (PID: 2616)
- qdu.exe (PID: 1492)
- Barousel.exe (PID: 3320)
- qdu.exe (PID: 2976)
- pmropn.exe (PID: 4080)
- qdu.exe (PID: 1824)
Create files in a temporary directory
- ExclusivetTool.exe (PID: 116)
- saBSI.exe (PID: 2432)
- WcInstaller.exe (PID: 2936)
- qdusetup.exe (PID: 1384)
- WebCompanionInstaller.exe (PID: 2616)
- tbar.exe (PID: 3228)
- RFileStpOv.exe (PID: 3416)
- tbar.tmp (PID: 1776)
- avg_antivirus_free_online_setup.exe (PID: 3388)
- icarus.exe (PID: 2792)
- qdu.exe (PID: 1824)
- csc.exe (PID: 296)
- cvtres.exe (PID: 2356)
- pinst.exe (PID: 240)
Reads Windows Product ID
- RFileStpOv.exe (PID: 3416)
Reads product name
- qdu.exe (PID: 1492)
- Barousel.exe (PID: 3320)
Creates a software uninstall entry
- qdusetup.tmp (PID: 2760)
Reads the time zone
- Barousel.exe (PID: 3320)
Reads CPU info
- icarus.exe (PID: 2792)
Manual execution by a user
- qdu.exe (PID: 1824)
Dropped object may contain TOR URL's
- icarus.exe (PID: 2792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
120
Monitored processes
56
Malicious processes
30
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | "C:\Program Files\ExclusiveWingfvaTool\ExclusivetTool.exe" 61064157225713 h1+Aq3E41+fvM+EW57innoCRUivwJF8mwaeu/4jKsJ6RWqG1AaVMQHRiqwznCmViDjw+lJtt+NCHpQfn4YTh1AsSfYhmRaVAJdUl7s1cwaek8sKXgpUt518Q5VvybLXKUvOh58/Os/0zgfOvHVxeirV2XevobA9UXtJH/blXTBki5Un4Qhe2tsGLR6DLvVhCXaPnS7FZdbOMncaJXzGmcetyQ7bmBVbD++yFsLF7YzYcb0XofdPrSeYGKXXg1gLNLux/QdvNOtiRCGMjS8uCOqBIRZmh9RLwr+cJUP6nEweT0Vv9S1DqISdvyMfuRAncdsOG6+IMlUuj1bdKgwCOKJkctVypjVsEgBNUV++1Z8c= | C:\Program Files\ExclusiveWingfvaTool\ExclusivetTool.exe | Tuya-Setup_922561.exe | ||||||||||||
User: admin Company: Igor Pavlov Integrity Level: HIGH Description: 7z SFX Exit code: 0 Version: 23.01 Modules
| |||||||||||||||
| 120 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Tuya-Setup_922561.exe" -2 -1 | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Tuya-Setup_922561.exe | Tuya-Setup_922561.exe | ||||||||||||
User: admin Company: Exclusive Tool Integrity Level: HIGH Description: Exclusive Tool Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 240 | "C:\Users\admin\AppData\Local\Temp\G78GapMd\partners\pinst.exe" -c:1575 -t:IT_IW_DDMP_PP_PO | C:\Users\admin\AppData\Local\Temp\G78GapMd\partners\pinst.exe | RFileStpOv.exe | ||||||||||||
User: admin Company: VoiceFive Networks, Inc. Integrity Level: HIGH Description: PremierOpinion Installer Exit code: 0 Version: 1.0.8.1 (Build 1) Modules
| |||||||||||||||
| 296 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\oai-vniw.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | qdu.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 324 | reg.exe EXPORT "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{eeb86aef-4a5d-4b75-9d74-f16d438fc286}" C:\PROGRA~1\PREMIE~1\RData.reg /y | C:\Windows\System32\reg.exe | — | pmservice.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 332 | "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto | C:\Windows\System32\sc.exe | — | WebCompanionInstaller.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 992 | C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe | — | services.exe | |||||||||||
User: LOCAL SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: PresentationFontCache.exe Exit code: 0 Version: 3.0.6920.4902 built by: NetFXw7 Modules
| |||||||||||||||
| 1384 | "C:\Users\admin\AppData\Local\Temp\G78GapMd\qdusetup.exe" /verysilent /ppi=1 /ppinag=2 /ddtime=500 /delay=2 /source=insttechqdu /pixel=INS5081_INS4971_RUNT /pubid=1 | C:\Users\admin\AppData\Local\Temp\G78GapMd\qdusetup.exe | cmd.exe | ||||||||||||
User: admin Company: Digital Protection Services S.R.L Integrity Level: HIGH Description: Quick Driver Updater Setup Exit code: 0 Version: 1.0.0.4 Modules
| |||||||||||||||
| 1392 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://tuyasmartapp.com/index.html" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 1492 | "C:\Program Files\Quick Driver Updater\qdu.exe" cntryphnno | C:\Program Files\Quick Driver Updater\qdu.exe | qdusetup.tmp | ||||||||||||
User: admin Company: Digital Protection Services S.R.L Integrity Level: HIGH Description: Quick Driver Updater Exit code: 0 Version: 1.0.0.4 Modules
| |||||||||||||||
Total events
114 588
Read events
114 105
Write events
457
Delete events
26
Modification events
| (PID) Process: | (1392) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 0 | |||
| (PID) Process: | (1392) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30847387 | |||
| (PID) Process: | (1392) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30847437 | |||
| (PID) Process: | (1392) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (1392) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (1392) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (1392) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1392) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1392) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1392) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
200
Suspicious files
122
Text files
219
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2736 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | |
MD5:1EFF47477D2033AB920E80A1D038A697 | SHA256:9FA1A40908780DF2CD9F06B599279128ACAB94658B23A8F209CD18D6CCD99552 | |||
| 2736 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\bootstrap-grid.min[1].css | text | |
MD5:E1B9EE0C34DAB98A647193619182ADAE | SHA256:F75D0FED0CD4380843D322F38AA2CB0CEE3D128F28D5DC4C354623F6B0AC18A3 | |||
| 2736 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\logo[1].png | image | |
MD5:413B85F29389EAD83D630CEAED3C0AF7 | SHA256:0F807805D9CC641300A77A7E79055BF9222B0DE778DF88620AA2D09F0C659079 | |||
| 2736 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary | |
MD5:75949EF188F7620205F1046A7354C3D2 | SHA256:9D3524518F603FEAC56810945CF161CB5C338B1C4E3C2EEDF975D470BF072AE9 | |||
| 2736 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5A22E0147F2BD88902B4EB12F35A82C3 | binary | |
MD5:E6C58997E6B8BECC6C9ECD97FF31EFB2 | SHA256:0054F88F372AC392C9D8D70D2A96870F6010395150076BF48BEC11AF8696AEA0 | |||
| 2736 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\bootstrap.min[1].css | text | |
MD5:A868817CC1196143D0F062547AA8A967 | SHA256:CCB200F2C60844C5D34BC235A45EA7CB76B7084E5A85975F555CF5A52CCFF1E4 | |||
| 2736 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:E7B48B936C82A7FA98F8535A3253DA6D | SHA256:F1D269B2BE68E01F133C5DEB9E7CA2755C29DA05127B1F4E1E43E04F40E75736 | |||
| 2736 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\index[1].htm | html | |
MD5:14EE5F662CE45D3A03343ABCC65630AA | SHA256:87FAA89DCBBA69D91A48F01BC6BF5963050F17405492E261769B238D775C67AC | |||
| 2736 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary | |
MD5:80596F972D1C89BDA5F79E7070B157B5 | SHA256:AB3DBE59DA4E7DC00A0F409A599CA8FDE214D0FE42908DA0091987B4DC7D69C0 | |||
| 2736 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | |
MD5:C7A864A816EED32CB9DD9D8448121611 | SHA256:E43B776C62F2C121066B3442108BAF9FCA87A0301F274E16FAF8D2D36F295041 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
51
TCP/UDP connections
416
DNS requests
88
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2736 | iexplore.exe | GET | 304 | 184.24.77.180:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?245ab6ffaf4de696 | unknown | — | — | unknown |
2736 | iexplore.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEH0L0iuualG%2Fsvs9aVchJwk%3D | unknown | binary | 471 b | unknown |
2736 | iexplore.exe | GET | 304 | 184.24.77.180:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1e96081ee66de808 | unknown | — | — | unknown |
2736 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | unknown | binary | 1.47 Kb | unknown |
3380 | iexplore.exe | GET | 200 | 142.250.186.99:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown |
2736 | iexplore.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | binary | 1.42 Kb | unknown |
2736 | iexplore.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | unknown | binary | 2.18 Kb | unknown |
1392 | iexplore.exe | GET | 304 | 184.24.77.180:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5565915fab5f2bac | unknown | — | — | unknown |
3380 | iexplore.exe | GET | 200 | 142.250.186.99:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | unknown | binary | 724 b | unknown |
2736 | iexplore.exe | GET | 200 | 184.24.77.180:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ccff2b452c805560 | unknown | compressed | 65.2 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2736 | iexplore.exe | 66.29.132.90:443 | tuyasmartapp.com | NAMECHEAP-NET | US | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2736 | iexplore.exe | 184.24.77.180:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
2736 | iexplore.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | — | shared |
2736 | iexplore.exe | 104.20.79.99:443 | s10.histats.com | CLOUDFLARENET | — | unknown |
2736 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
2736 | iexplore.exe | 149.56.240.130:443 | s4.histats.com | OVH SAS | CA | unknown |
1392 | iexplore.exe | 104.126.37.138:443 | www.bing.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
tuyasmartapp.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
s10.histats.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
s4.histats.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2616 | WebCompanionInstaller.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Adaware Web Companion |
2616 | WebCompanionInstaller.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Adaware Web Companion |
2616 | WebCompanionInstaller.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Adaware Web Companion |
2616 | WebCompanionInstaller.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Adaware Web Companion |
2616 | WebCompanionInstaller.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Adaware Web Companion |
2616 | WebCompanionInstaller.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Adaware Web Companion |
2616 | WebCompanionInstaller.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Adaware Web Companion |
2616 | WebCompanionInstaller.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Adaware Web Companion |
2616 | WebCompanionInstaller.exe | Potentially Bad Traffic | ET HUNTING Terse Request for Zip File (GET) |
2616 | WebCompanionInstaller.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] Adaware Web Companion |
Process | Message |
|---|---|
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
|
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
|
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
|
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
|
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
|
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
|
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
|
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
|
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
|
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
|