File name:

adylkuzz.bin.zip

Full analysis: https://app.any.run/tasks/0bbe1dbe-0dab-4c29-827d-5fd5e670a30f
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: April 24, 2019, 21:25:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
adware
installcore
pup
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

DFCD01A7804D178FB74B3CE044EDEBAE

SHA1:

101EADE30E8CBF73CC609DBFCB782782C34709B0

SHA256:

AD820477095CC6778EBABEBD80F4A8C24BE7E9C19BA04EF330218B53CEA0C7FF

SSDEEP:

24576:xh1FkhN9nnZ5j5TGjf8Gg9MgOgFKwGkWT8X1loDyrY7g4N89T8n77qw45ObtI6//:xhvUZll00XMgQwG58FXsEinvuOxIAkI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PowerISO7[1].exe (PID: 1868)
      • PowerISO7[1].exe (PID: 3436)
      • OperaSetup.exe (PID: 3112)
      • OperaSetup.exe (PID: 2488)
      • OperaSetup.exe (PID: 2500)
      • OperaSetup.exe (PID: 988)
      • OperaSetup.exe (PID: 3344)
      • avastfreeantivirussetuponline.m.exe (PID: 3800)
      • PWRISOVM.EXE (PID: 2968)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
      • instup.exe (PID: 3332)
      • instup.exe (PID: 2936)
      • sbr.exe (PID: 2452)
      • _sfx.exe (PID: 2964)
      • assistant_installer.exe (PID: 2480)
      • installer.exe (PID: 2676)
      • installer.exe (PID: 972)
      • assistant_installer.exe (PID: 2164)
      • assistant_installer.exe (PID: 2580)
      • browser_assistant.exe (PID: 2776)
      • opera.exe (PID: 3624)
      • opera_crashreporter.exe (PID: 2576)
      • launcher.exe (PID: 2844)
      • opera.exe (PID: 328)
      • launcher.exe (PID: 3776)
      • opera.exe (PID: 332)
      • opera_crashreporter.exe (PID: 3328)
      • opera.exe (PID: 3772)
      • opera.exe (PID: 3228)
      • opera.exe (PID: 3760)
      • opera.exe (PID: 3928)
      • opera.exe (PID: 3684)
      • opera.exe (PID: 1476)
      • opera.exe (PID: 3396)
      • opera.exe (PID: 2120)
      • opera.exe (PID: 3976)
      • opera.exe (PID: 2228)
      • opera.exe (PID: 2252)
      • opera.exe (PID: 1944)
      • opera.exe (PID: 3072)
      • opera_autoupdate.exe (PID: 3456)
      • opera_autoupdate.exe (PID: 2204)
      • launcher.exe (PID: 2880)
      • opera.exe (PID: 1748)
      • installer.exe (PID: 2368)
      • opera_autoupdate.exe (PID: 3380)
      • opera_autoupdate.exe (PID: 2532)
      • opera_autoupdate.exe (PID: 3352)
      • opera_autoupdate.exe (PID: 2340)
      • launcher.exe (PID: 1092)
      • opera.exe (PID: 320)
      • opera.exe (PID: 1120)
      • opera.exe (PID: 3160)
      • opera.exe (PID: 3880)
      • opera.exe (PID: 1416)
      • opera.exe (PID: 3220)
      • opera_crashreporter.exe (PID: 3812)
      • opera.exe (PID: 3676)
      • opera.exe (PID: 3744)
      • opera.exe (PID: 2932)
      • opera.exe (PID: 2852)
      • opera.exe (PID: 676)
      • opera.exe (PID: 2332)
      • launcher.exe (PID: 2352)
      • opera_autoupdate.exe (PID: 3300)
      • installer.exe (PID: 2456)
      • opera_autoupdate.exe (PID: 3740)
      • opera_autoupdate.exe (PID: 272)
      • opera.exe (PID: 3940)
      • opera_autoupdate.exe (PID: 3200)
      • opera_autoupdate.exe (PID: 2680)
      • SetupInf.exe (PID: 3708)
      • SetupInf.exe (PID: 3940)
      • SetupInf.exe (PID: 3464)
      • SetupInf.exe (PID: 2984)
      • AvEmUpdate.exe (PID: 3628)
      • AvEmUpdate.exe (PID: 2840)
      • AvEmUpdate.exe (PID: 2212)
      • AvEmUpdate.exe (PID: 3836)
      • PowerISO.exe (PID: 880)
      • CCUpdate.exe (PID: 3452)
      • CCUpdate.exe (PID: 1344)
      • CCUpdate.exe (PID: 3272)
      • CCUpdate.exe (PID: 3620)
      • CCUpdate.exe (PID: 3508)
      • avBugReport.exe (PID: 2528)
      • RegSvr.exe (PID: 2296)
      • aswRunDll.exe (PID: 1532)
      • AvastNM.exe (PID: 3424)
      • AvastSvc.exe (PID: 3780)
      • RegSvr.exe (PID: 2468)
      • overseer.exe (PID: 2160)
      • engsup.exe (PID: 3188)
      • engsup.exe (PID: 284)
      • opera_autoupdate.exe (PID: 3996)
      • wsc_proxy.exe (PID: 3308)
      • aswEngSrv.exe (PID: 1952)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2664)
      • PowerISO7[1].exe (PID: 3436)
      • avastfreeantivirussetuponline.m.exe (PID: 3800)
      • AvEmUpdate.exe (PID: 2840)
      • CCUpdate.exe (PID: 3272)
    • Loads dropped or rewritten executable

      • PowerISO7[1].exe (PID: 3436)
      • OperaSetup.exe (PID: 2488)
      • OperaSetup.exe (PID: 988)
      • OperaSetup.exe (PID: 3112)
      • OperaSetup.exe (PID: 3344)
      • OperaSetup.exe (PID: 2500)
      • regsvr32.exe (PID: 2628)
      • instup.exe (PID: 2936)
      • instup.exe (PID: 3332)
      • installer.exe (PID: 2676)
      • opera.exe (PID: 3624)
      • installer.exe (PID: 972)
      • opera.exe (PID: 328)
      • opera.exe (PID: 332)
      • opera.exe (PID: 3772)
      • opera.exe (PID: 3760)
      • opera.exe (PID: 3228)
      • opera.exe (PID: 3928)
      • opera.exe (PID: 3684)
      • opera.exe (PID: 1476)
      • opera.exe (PID: 3396)
      • opera.exe (PID: 2120)
      • opera.exe (PID: 2228)
      • opera.exe (PID: 2252)
      • opera.exe (PID: 3072)
      • opera.exe (PID: 1944)
      • opera.exe (PID: 1748)
      • installer.exe (PID: 2368)
      • opera.exe (PID: 320)
      • opera.exe (PID: 1120)
      • opera.exe (PID: 3160)
      • opera.exe (PID: 3880)
      • opera.exe (PID: 2332)
      • opera.exe (PID: 676)
      • opera.exe (PID: 3676)
      • opera.exe (PID: 3744)
      • opera.exe (PID: 2932)
      • opera.exe (PID: 1416)
      • opera.exe (PID: 3220)
      • installer.exe (PID: 2456)
      • opera.exe (PID: 3940)
      • opera.exe (PID: 2852)
      • AvEmUpdate.exe (PID: 3628)
      • opera.exe (PID: 3976)
      • AvEmUpdate.exe (PID: 2840)
      • AvEmUpdate.exe (PID: 3836)
      • AvEmUpdate.exe (PID: 2212)
      • PowerISO.exe (PID: 880)
      • regsvr32.exe (PID: 4024)
      • CCUpdate.exe (PID: 3620)
      • avBugReport.exe (PID: 2528)
      • RegSvr.exe (PID: 2468)
      • RegSvr.exe (PID: 2296)
      • aswRunDll.exe (PID: 1532)
      • engsup.exe (PID: 3188)
      • AvastSvc.exe (PID: 3780)
      • engsup.exe (PID: 284)
      • aswEngSrv.exe (PID: 1952)
    • INSTALLCORE was detected

      • PowerISO7[1].exe (PID: 3436)
    • Connects to CnC server

      • PowerISO7[1].exe (PID: 3436)
    • Registers / Runs the DLL via REGSVR32.EXE

      • PowerISO7[1].exe (PID: 3436)
      • PowerISO.exe (PID: 880)
    • Changes settings of System certificates

      • OperaSetup.exe (PID: 3112)
      • opera.exe (PID: 332)
      • AvastSvc.exe (PID: 3780)
    • Changes the autorun value in the registry

      • PowerISO7[1].exe (PID: 3436)
      • instup.exe (PID: 2936)
      • assistant_installer.exe (PID: 2580)
    • Loads the Task Scheduler COM API

      • assistant_installer.exe (PID: 2580)
      • installer.exe (PID: 2676)
      • opera.exe (PID: 332)
      • opera.exe (PID: 320)
      • AvEmUpdate.exe (PID: 3628)
      • AvEmUpdate.exe (PID: 2840)
      • CCUpdate.exe (PID: 3272)
      • CCUpdate.exe (PID: 3508)
      • overseer.exe (PID: 2160)
    • Actions looks like stealing of personal data

      • opera.exe (PID: 332)
      • opera.exe (PID: 320)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2728)
      • iexplore.exe (PID: 2304)
      • PowerISO7[1].exe (PID: 3436)
      • iexplore.exe (PID: 2664)
      • cmd.exe (PID: 3372)
      • OperaSetup.exe (PID: 3112)
      • OperaSetup.exe (PID: 2488)
      • OperaSetup.exe (PID: 2500)
      • avastfreeantivirussetuponline.m.exe (PID: 3800)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
      • instup.exe (PID: 3332)
      • OperaSetup.exe (PID: 3344)
      • installer.exe (PID: 972)
      • assistant_installer.exe (PID: 2580)
      • installer.exe (PID: 2676)
      • _sfx.exe (PID: 2964)
      • instup.exe (PID: 2936)
      • launcher.exe (PID: 2880)
      • installer.exe (PID: 2368)
      • launcher.exe (PID: 2352)
      • AvEmUpdate.exe (PID: 2840)
      • AvEmUpdate.exe (PID: 3836)
      • CCUpdate.exe (PID: 3452)
      • CCUpdate.exe (PID: 3272)
      • CCUpdate.exe (PID: 1344)
      • AvastSvc.exe (PID: 3780)
    • Uses RUNDLL32.EXE to load library

      • WinRAR.exe (PID: 2728)
    • Reads the machine GUID from the registry

      • PowerISO7[1].exe (PID: 3436)
      • opera.exe (PID: 3624)
      • opera.exe (PID: 332)
    • Starts Internet Explorer

      • rundll32.exe (PID: 3176)
    • Reads Environment values

      • PowerISO7[1].exe (PID: 3436)
      • AvastSvc.exe (PID: 3780)
    • Reads CPU info

      • PowerISO7[1].exe (PID: 3436)
    • Reads Windows Product ID

      • PowerISO7[1].exe (PID: 3436)
    • Reads internet explorer settings

      • PowerISO7[1].exe (PID: 3436)
    • Reads the date of Windows installation

      • PowerISO7[1].exe (PID: 3436)
    • Creates files in the Windows directory

      • PowerISO7[1].exe (PID: 3436)
      • avastfreeantivirussetuponline.m.exe (PID: 3800)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
      • instup.exe (PID: 3332)
      • instup.exe (PID: 2936)
      • AvEmUpdate.exe (PID: 2840)
      • AvastSvc.exe (PID: 3780)
    • Creates files in the driver directory

      • PowerISO7[1].exe (PID: 3436)
      • instup.exe (PID: 2936)
      • AvEmUpdate.exe (PID: 2840)
    • Creates a software uninstall entry

      • PowerISO7[1].exe (PID: 3436)
      • installer.exe (PID: 2676)
      • instup.exe (PID: 2936)
      • AvEmUpdate.exe (PID: 3836)
    • Creates files in the program directory

      • PowerISO7[1].exe (PID: 3436)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
      • instup.exe (PID: 3332)
      • installer.exe (PID: 2676)
      • assistant_installer.exe (PID: 2580)
      • OperaSetup.exe (PID: 3344)
      • opera_autoupdate.exe (PID: 3380)
      • instup.exe (PID: 2936)
      • AvEmUpdate.exe (PID: 3628)
      • AvEmUpdate.exe (PID: 2840)
      • CCUpdate.exe (PID: 3452)
      • CCUpdate.exe (PID: 1344)
      • CCUpdate.exe (PID: 3272)
      • CCUpdate.exe (PID: 3508)
      • avBugReport.exe (PID: 2528)
      • AvastNM.exe (PID: 3424)
      • engsup.exe (PID: 3188)
      • AvastSvc.exe (PID: 3780)
      • engsup.exe (PID: 284)
      • wsc_proxy.exe (PID: 3308)
    • Starts CMD.EXE for commands execution

      • PowerISO7[1].exe (PID: 3436)
      • cmd.exe (PID: 3120)
    • Creates or modifies windows services

      • PowerISO7[1].exe (PID: 3436)
      • instup.exe (PID: 2936)
      • AvastSvc.exe (PID: 3780)
    • Application launched itself

      • cmd.exe (PID: 3120)
      • OperaSetup.exe (PID: 3112)
      • OperaSetup.exe (PID: 3344)
      • opera.exe (PID: 3624)
      • opera.exe (PID: 332)
      • opera_autoupdate.exe (PID: 3456)
      • opera_autoupdate.exe (PID: 3380)
      • opera_autoupdate.exe (PID: 3200)
      • opera_autoupdate.exe (PID: 3740)
      • opera_autoupdate.exe (PID: 3996)
      • AvEmUpdate.exe (PID: 2840)
      • CCUpdate.exe (PID: 3272)
      • opera.exe (PID: 320)
    • Creates files in the user directory

      • OperaSetup.exe (PID: 2488)
      • installer.exe (PID: 2676)
      • browser_assistant.exe (PID: 2776)
      • opera.exe (PID: 332)
      • opera_autoupdate.exe (PID: 3456)
      • opera_autoupdate.exe (PID: 3200)
      • opera.exe (PID: 3624)
      • opera.exe (PID: 320)
      • PowerISO.exe (PID: 880)
    • Low-level read access rights to disk partition

      • avastfreeantivirussetuponline.m.exe (PID: 3800)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
      • instup.exe (PID: 2936)
      • instup.exe (PID: 3332)
      • AvEmUpdate.exe (PID: 2840)
      • AvEmUpdate.exe (PID: 2212)
      • AvEmUpdate.exe (PID: 3836)
      • CCUpdate.exe (PID: 1344)
      • CCUpdate.exe (PID: 3272)
      • CCUpdate.exe (PID: 3620)
      • CCUpdate.exe (PID: 3452)
      • CCUpdate.exe (PID: 3508)
      • avBugReport.exe (PID: 2528)
      • overseer.exe (PID: 2160)
      • AvastSvc.exe (PID: 3780)
    • Starts itself from another location

      • OperaSetup.exe (PID: 3112)
      • instup.exe (PID: 3332)
      • CCUpdate.exe (PID: 1344)
    • Searches for installed software

      • PowerISO7[1].exe (PID: 3436)
    • Adds / modifies Windows certificates

      • OperaSetup.exe (PID: 3112)
    • Modifies the open verb of a shell class

      • PowerISO7[1].exe (PID: 3436)
      • installer.exe (PID: 2676)
      • instup.exe (PID: 2936)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 2628)
      • instup.exe (PID: 2936)
      • RegSvr.exe (PID: 2468)
      • RegSvr.exe (PID: 2296)
    • Removes files from Windows directory

      • instup.exe (PID: 3332)
      • instup.exe (PID: 2936)
      • AvEmUpdate.exe (PID: 2840)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
    • Changes IE settings (feature browser emulation)

      • assistant_installer.exe (PID: 2580)
    • Reads the cookies of Mozilla Firefox

      • engsup.exe (PID: 284)
    • Reads the cookies of Google Chrome

      • engsup.exe (PID: 284)
    • Reads Internet Cache Settings

      • instup.exe (PID: 2936)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2304)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2664)
      • iexplore.exe (PID: 2256)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2304)
    • Changes internet zones settings

      • iexplore.exe (PID: 2304)
    • Creates files in the user directory

      • iexplore.exe (PID: 2664)
      • iexplore.exe (PID: 2256)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 952)
      • iexplore.exe (PID: 2304)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2664)
      • iexplore.exe (PID: 2256)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2304)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2304)
      • installer.exe (PID: 2676)
      • browser_assistant.exe (PID: 2776)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2664)
      • instup.exe (PID: 2936)
      • OperaSetup.exe (PID: 3344)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:02:16 05:43:09
ZipCRC: 0x90dd8363
ZipCompressedSize: 1398326
ZipUncompressedSize: 1450500
ZipFileName: 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin
No data.
All screenshots are available in the full report
Total processes
161
Monitored processes
114
Malicious processes
52
Suspicious processes
20

Behavior graph

Behavior graph (interactive process tree, available in the full report): the chain starts at winrar.exe and rundll32.exe, continues through iexplore.exe and poweriso7[1].exe (flagged #INSTALLCORE), and fans out into regsvr32.exe, cmd.exe, timeout.exe, the OperaSetup/opera.exe tree, the Avast installer tree (avastfreeantivirussetuponline.m.exe, instup.exe, AvEmUpdate.exe, CCUpdate.exe, AvastSvc.exe) and PowerISO.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
272
CMD:
"C:\Program Files\Opera\60.0.3255.59\opera_autoupdate.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Temp\opera autoupdate" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Temp\opera autoupdate\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Local\Temp\opera autoupdate\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=60.0.3255.59 --initial-client-data=0xdc,0xe0,0xe4,0xd8,0xe8,0x11cc1b0,0x11cc1c0,0x11cc1cc
Path:
C:\Program Files\Opera\60.0.3255.59\opera_autoupdate.exe
Parent process:
opera_autoupdate.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera auto-updater
Exit code:
0
Version:
60.0.3255.59
Modules
Images
c:\program files\opera\60.0.3255.59\opera_autoupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
PID:
284
CMD:
"C:\Program Files\AVAST Software\Avast\defs\19042399\engsup.exe" /get_download_cookie /get_latest_ga_client_id /get_latest_gclid
Path:
C:\Program Files\AVAST Software\Avast\defs\19042399\engsup.exe
Parent process:
instup.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus vps tool
Exit code:
2
Version:
18.0.531.0
Modules
Images
c:\program files\avast software\avast\defs\19042399\engsup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
320
CMD:
"C:\Program Files\Opera\60.0.3255.59\opera.exe" -noautoupdate --ran-launcher -- http://go.microsoft.com/fwlink/?LinkId=57426&Ext=bin
Path:
C:\Program Files\Opera\60.0.3255.59\opera.exe
Parent process:
launcher.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Exit code:
3221225547
Version:
60.0.3255.59
Modules
Images
c:\program files\opera\60.0.3255.59\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\opera\60.0.3255.59\opera_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
PID:
328
CMD:
"C:\Program Files\Opera\60.0.3255.59\opera.exe" --type=gpu-process --field-trial-handle=1004,762638715604328908,11744351914387826160,131072 --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1671875832870416297 --mojo-platform-channel-handle=1084 --ignored=" --type=renderer " /prefetch:2
Path:
C:\Program Files\Opera\60.0.3255.59\opera.exe
Parent process:
opera.exe
User:
admin
Company:
Opera Software
Integrity Level:
LOW
Description:
Opera Internet Browser
Exit code:
0
Version:
60.0.3255.59
Modules
Images
c:\program files\opera\60.0.3255.59\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\opera\60.0.3255.59\opera_elf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
332
CMD:
"C:\Program Files\Opera\60.0.3255.59\opera.exe" --start-maximized --ran-launcher --flag-switches-begin --flag-switches-end --enable-quic --lowered-browser
Path:
C:\Program Files\Opera\60.0.3255.59\opera.exe
Parent process:
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Exit code:
3221225547
Version:
60.0.3255.59
Modules
Images
c:\program files\opera\60.0.3255.59\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\opera\60.0.3255.59\opera_elf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
456
CMD:
C:\Windows\system32\wbem\unsecapp.exe -Embedding
Path:
C:\Windows\system32\wbem\unsecapp.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Sink to receive asynchronous callbacks for WMI client application
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\unsecapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
676
CMD:
"C:\Program Files\Opera\60.0.3255.59\opera.exe" --type=renderer --field-trial-handle=984,9953689491942459811,3757515846709059904,131072 --service-pipe-token=10435752951572177744 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10435752951572177744 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1932 /prefetch:1
Path:
C:\Program Files\Opera\60.0.3255.59\opera.exe
Parent process:
opera.exe
User:
admin
Company:
Opera Software
Integrity Level:
LOW
Description:
Opera Internet Browser
Exit code:
0
Version:
60.0.3255.59
Modules
Images
c:\windows\system32\msftedit.dll
c:\program files\opera\60.0.3255.59\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\opera\60.0.3255.59\opera_elf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
880
CMD:
"C:\Program Files\PowerISO\PowerISO.exe"
Path:
C:\Program Files\PowerISO\PowerISO.exe
Parent process:
explorer.exe
User:
admin
Company:
Power Software Ltd
Integrity Level:
MEDIUM
Description:
PowerISO
Exit code:
0
Version:
7, 4, 0, 0
Modules
Images
c:\program files\poweriso\poweriso.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
952
CMD:
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path:
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process:
svchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code:
0
Version:
26,0,0,131
Modules
Images
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
968
CMD:
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIb2728.26226\8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin
Path:
C:\Windows\system32\rundll32.exe
Parent process:
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
Total events
12 305
Read events
5 787
Write events
6 495
Delete events
23

Modification events

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\adylkuzz.bin.zip

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2728) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (2304) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0
Executable files
595
Suspicious files
262
Text files
978
Unknown types
121

Dropped files

PID | Process | Filename | Type
2304 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico |
2304 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico |
2664 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bing[2].txt |
2664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CS5F54X5\search[1].txt |
2664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat
2664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat
2664 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bing[1].txt | text
2664 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@www.bing[1].txt | text
2664 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat
2664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | dbf
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
226
TCP/UDP connections
231
DNS requests
181
Threats
50

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2664
iexplore.exe
GET
302
23.38.36.63:80
http://go.microsoft.com/fwlink/?LinkId=57426&Ext=bin
NL
whitelisted
3436
PowerISO7[1].exe
HEAD
200
46.166.187.59:80
http://cdneu.powopibobu3.com/ofr/Solululadul/icut_v2_2.cis
NL
malicious
3436
PowerISO7[1].exe
GET
200
52.214.73.247:80
http://rp.powopibobu3.com/
IE
malicious
2664
iexplore.exe
GET
301
2.16.186.27:80
http://shell.windows.com/fileassoc/fileassoc.asp?Ext=bin
unknown
whitelisted
3436
PowerISO7[1].exe
HEAD
200
46.166.187.59:80
http://cdneu.powopibobu3.com/ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16
NL
malicious
2664
iexplore.exe
GET
200
50.62.134.113:80
http://www.poweriso.com/download.php
US
html
6.77 Kb
suspicious
3436
PowerISO7[1].exe
POST
200
52.214.73.247:80
http://rp.powopibobu3.com/
IE
malicious
3436
PowerISO7[1].exe
POST
200
52.50.98.206:80
http://os.powopibobu3.com/FusionPowerISO/
IE
binary
542 Kb
malicious
2664
iexplore.exe
GET
200
52.85.188.76:80
http://d1jy0es72id004.cloudfront.net/4%7Cjfzrdzg01lo/PowerISO7.exe
US
executable
4.87 Mb
whitelisted
3436
PowerISO7[1].exe
GET
200
209.95.37.242:80
http://img.powopibobu3.com/img/Rowabobeso/icon1.png
US
image
481 b
malicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2304
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2664
iexplore.exe
23.38.36.63:80
go.microsoft.com
Akamai Technologies, Inc.
NL
whitelisted
2664
iexplore.exe
2.16.186.27:80
shell.windows.com
Akamai International B.V.
whitelisted
2664
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2304
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2664
iexplore.exe
50.62.134.113:443
poweriso.com
GoDaddy.com, LLC
US
suspicious
2664
iexplore.exe
157.55.134.140:443
login.live.com
Microsoft Corporation
US
whitelisted
2304
iexplore.exe
50.62.134.113:443
poweriso.com
GoDaddy.com, LLC
US
suspicious
2304
iexplore.exe
50.62.134.113:80
poweriso.com
GoDaddy.com, LLC
US
suspicious
3800
avastfreeantivirussetuponline.m.exe
5.62.40.203:80
v7event.stats.avast.com
AVAST Software s.r.o.
DE
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
go.microsoft.com
  • 23.38.36.63
  • 104.109.80.115
whitelisted
shell.windows.com
  • 2.16.186.27
  • 2.16.186.24
whitelisted
login.live.com
  • 157.55.134.140
  • 157.55.135.130
  • 157.55.135.132
whitelisted
poweriso.com
  • 50.62.134.113
suspicious
www.poweriso.com
  • 50.62.134.113
suspicious
d1jy0es72id004.cloudfront.net
  • 52.85.188.76
  • 52.85.188.192
  • 52.85.188.142
  • 52.85.188.108
whitelisted
rp.powopibobu3.com
  • 52.214.73.247
  • 54.194.149.175
unknown
os.powopibobu3.com
  • 52.50.98.206
  • 52.31.245.195
  • 52.51.129.59
unknown
img.powopibobu3.com
  • 209.95.37.242
malicious

Threats

PID
Process
Class
Message
2664
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2664
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3436
PowerISO7[1].exe
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
3436
PowerISO7[1].exe
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3436
PowerISO7[1].exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
3436
PowerISO7[1].exe
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
3436
PowerISO7[1].exe
Misc activity
ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
3436
PowerISO7[1].exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3436
PowerISO7[1].exe
Misc activity
ET INFO EXE - Served Attached HTTP
3436
PowerISO7[1].exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
33 ETPRO signatures available at the full report

Debug output strings

Process
Message
assistant_installer.exe
[0424/222754.638:INFO:assistant_installer_main.cc(150)] Running assistant installer with command line "C:\Users\admin\AppData\Local\Temp\Opera Installer Temp\opera_package_201904242227001\assistant\assistant_installer.exe" --version
assistant_installer.exe
[0424/222804.559:INFO:assistant_installer_main.cc(150)] Running assistant installer with command line "C:\Users\admin\AppData\Local\Temp\Opera Installer Temp\opera_package_201904242227001\assistant\assistant_installer.exe" --installfolder="C:\Program Files\Opera\assistant" --copyonly=0 --allusers=0
assistant_installer.exe
[0424/222804.591:INFO:assistant_installer.cc(241)] Setting up the registry
assistant_installer.exe
[0424/222805.216:INFO:assistant_installer.cc(295)] Creating scheduled task
assistant_installer.exe
[0424/222805.325:INFO:assistant_installer_main.cc(150)] Running assistant installer with command line "C:\Program Files\Opera\assistant\assistant_installer.exe" --installfolder="C:\Program Files\Opera\assistant" --run-assistant --allusers=0
assistant_installer.exe
[0424/222805.325:INFO:assistant_installer.cc(152)] Performing PostElevation Install Tasks
assistant_installer.exe
[0424/222805.325:INFO:assistant_installer.cc(200)] Running Assistant
browser_assistant.exe
[0424/222806.169:INFO:browser_installation_event_reporter.cc(138)] Chrome
browser_assistant.exe
[0424/222806.169:INFO:browser_installation_event_reporter.cc(138)] Chrome
browser_assistant.exe
[0424/222806.169:INFO:browser_installation_event_reporter.cc(138)] Firefox