File name: adylkuzz.bin.zip
Full analysis: https://app.any.run/tasks/0bbe1dbe-0dab-4c29-827d-5fd5e670a30f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 24, 2019, 21:25:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, trojan, adware, installcore, pup
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: DFCD01A7804D178FB74B3CE044EDEBAE
SHA1: 101EADE30E8CBF73CC609DBFCB782782C34709B0
SHA256: AD820477095CC6778EBABEBD80F4A8C24BE7E9C19BA04EF330218B53CEA0C7FF
SSDEEP: 24576:xh1FkhN9nnZ5j5TGjf8Gg9MgOgFKwGkWT8X1loDyrY7g4N89T8n77qw45ObtI6//:xhvUZll00XMgQwG58FXsEinvuOxIAkI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PowerISO7[1].exe (PID: 3436)
      • PowerISO7[1].exe (PID: 1868)
      • OperaSetup.exe (PID: 2488)
      • OperaSetup.exe (PID: 3112)
      • OperaSetup.exe (PID: 2500)
      • OperaSetup.exe (PID: 988)
      • OperaSetup.exe (PID: 3344)
      • avastfreeantivirussetuponline.m.exe (PID: 3800)
      • PWRISOVM.EXE (PID: 2968)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
      • instup.exe (PID: 3332)
      • instup.exe (PID: 2936)
      • assistant_installer.exe (PID: 2480)
      • installer.exe (PID: 972)
      • sbr.exe (PID: 2452)
      • _sfx.exe (PID: 2964)
      • installer.exe (PID: 2676)
      • assistant_installer.exe (PID: 2164)
      • browser_assistant.exe (PID: 2776)
      • assistant_installer.exe (PID: 2580)
      • launcher.exe (PID: 3776)
      • launcher.exe (PID: 2844)
      • opera.exe (PID: 3624)
      • opera.exe (PID: 3772)
      • opera.exe (PID: 328)
      • opera_crashreporter.exe (PID: 3328)
      • opera.exe (PID: 332)
      • opera_crashreporter.exe (PID: 2576)
      • opera.exe (PID: 3760)
      • opera.exe (PID: 3976)
      • opera.exe (PID: 1944)
      • opera.exe (PID: 3396)
      • opera.exe (PID: 3928)
      • opera.exe (PID: 3684)
      • opera.exe (PID: 3228)
      • opera.exe (PID: 2120)
      • opera.exe (PID: 2252)
      • opera.exe (PID: 3072)
      • opera.exe (PID: 1476)
      • opera.exe (PID: 2228)
      • opera.exe (PID: 1748)
      • opera_autoupdate.exe (PID: 3456)
      • installer.exe (PID: 2368)
      • opera_autoupdate.exe (PID: 2204)
      • opera_autoupdate.exe (PID: 3380)
      • launcher.exe (PID: 2880)
      • opera_autoupdate.exe (PID: 2532)
      • opera_autoupdate.exe (PID: 2340)
      • opera.exe (PID: 320)
      • opera_autoupdate.exe (PID: 3352)
      • opera.exe (PID: 1120)
      • opera.exe (PID: 3880)
      • launcher.exe (PID: 1092)
      • opera.exe (PID: 3220)
      • opera.exe (PID: 2332)
      • opera.exe (PID: 3160)
      • opera.exe (PID: 1416)
      • opera_crashreporter.exe (PID: 3812)
      • opera.exe (PID: 3676)
      • opera.exe (PID: 2932)
      • opera_autoupdate.exe (PID: 3200)
      • opera.exe (PID: 676)
      • launcher.exe (PID: 2352)
      • opera_autoupdate.exe (PID: 3300)
      • opera.exe (PID: 3744)
      • opera_autoupdate.exe (PID: 3740)
      • opera_autoupdate.exe (PID: 272)
      • installer.exe (PID: 2456)
      • opera.exe (PID: 3940)
      • opera.exe (PID: 2852)
      • opera_autoupdate.exe (PID: 2680)
      • opera_autoupdate.exe (PID: 3996)
      • SetupInf.exe (PID: 3464)
      • SetupInf.exe (PID: 3708)
      • SetupInf.exe (PID: 2984)
      • SetupInf.exe (PID: 3940)
      • AvEmUpdate.exe (PID: 3628)
      • AvEmUpdate.exe (PID: 2840)
      • AvEmUpdate.exe (PID: 2212)
      • PowerISO.exe (PID: 880)
      • AvEmUpdate.exe (PID: 3836)
      • CCUpdate.exe (PID: 3452)
      • CCUpdate.exe (PID: 1344)
      • CCUpdate.exe (PID: 3620)
      • CCUpdate.exe (PID: 3272)
      • CCUpdate.exe (PID: 3508)
      • avBugReport.exe (PID: 2528)
      • RegSvr.exe (PID: 2468)
      • RegSvr.exe (PID: 2296)
      • aswRunDll.exe (PID: 1532)
      • overseer.exe (PID: 2160)
      • AvastNM.exe (PID: 3424)
      • engsup.exe (PID: 3188)
      • AvastSvc.exe (PID: 3780)
      • engsup.exe (PID: 284)
      • aswEngSrv.exe (PID: 1952)
      • wsc_proxy.exe (PID: 3308)
    • Loads dropped or rewritten executable

      • PowerISO7[1].exe (PID: 3436)
      • OperaSetup.exe (PID: 2500)
      • OperaSetup.exe (PID: 3112)
      • OperaSetup.exe (PID: 2488)
      • OperaSetup.exe (PID: 988)
      • OperaSetup.exe (PID: 3344)
      • regsvr32.exe (PID: 2628)
      • instup.exe (PID: 3332)
      • instup.exe (PID: 2936)
      • installer.exe (PID: 972)
      • opera.exe (PID: 3624)
      • installer.exe (PID: 2676)
      • opera.exe (PID: 332)
      • opera.exe (PID: 328)
      • opera.exe (PID: 3772)
      • opera.exe (PID: 3976)
      • opera.exe (PID: 3928)
      • opera.exe (PID: 3396)
      • opera.exe (PID: 1476)
      • opera.exe (PID: 3684)
      • opera.exe (PID: 3760)
      • opera.exe (PID: 3228)
      • opera.exe (PID: 2252)
      • opera.exe (PID: 2120)
      • opera.exe (PID: 1944)
      • opera.exe (PID: 2228)
      • opera.exe (PID: 3072)
      • opera.exe (PID: 1748)
      • installer.exe (PID: 2368)
      • opera.exe (PID: 1416)
      • opera.exe (PID: 1120)
      • opera.exe (PID: 320)
      • opera.exe (PID: 2332)
      • opera.exe (PID: 3880)
      • opera.exe (PID: 3160)
      • opera.exe (PID: 3676)
      • opera.exe (PID: 2852)
      • opera.exe (PID: 2932)
      • opera.exe (PID: 3220)
      • opera.exe (PID: 676)
      • installer.exe (PID: 2456)
      • opera.exe (PID: 3744)
      • opera.exe (PID: 3940)
      • AvEmUpdate.exe (PID: 3628)
      • AvEmUpdate.exe (PID: 2840)
      • regsvr32.exe (PID: 4024)
      • AvEmUpdate.exe (PID: 2212)
      • AvEmUpdate.exe (PID: 3836)
      • PowerISO.exe (PID: 880)
      • CCUpdate.exe (PID: 3620)
      • avBugReport.exe (PID: 2528)
      • RegSvr.exe (PID: 2468)
      • RegSvr.exe (PID: 2296)
      • aswRunDll.exe (PID: 1532)
      • AvastSvc.exe (PID: 3780)
      • engsup.exe (PID: 3188)
      • engsup.exe (PID: 284)
      • aswEngSrv.exe (PID: 1952)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2664)
      • PowerISO7[1].exe (PID: 3436)
      • avastfreeantivirussetuponline.m.exe (PID: 3800)
      • AvEmUpdate.exe (PID: 2840)
      • CCUpdate.exe (PID: 3272)
    • INSTALLCORE was detected

      • PowerISO7[1].exe (PID: 3436)
    • Registers / Runs the DLL via REGSVR32.EXE

      • PowerISO7[1].exe (PID: 3436)
      • PowerISO.exe (PID: 880)
    • Connects to CnC server

      • PowerISO7[1].exe (PID: 3436)
    • Changes the autorun value in the registry

      • PowerISO7[1].exe (PID: 3436)
      • instup.exe (PID: 2936)
      • assistant_installer.exe (PID: 2580)
    • Changes settings of System certificates

      • OperaSetup.exe (PID: 3112)
      • opera.exe (PID: 332)
      • AvastSvc.exe (PID: 3780)
    • Loads the Task Scheduler COM API

      • installer.exe (PID: 2676)
      • assistant_installer.exe (PID: 2580)
      • opera.exe (PID: 332)
      • opera.exe (PID: 320)
      • AvEmUpdate.exe (PID: 3628)
      • AvEmUpdate.exe (PID: 2840)
      • CCUpdate.exe (PID: 3272)
      • CCUpdate.exe (PID: 3508)
      • overseer.exe (PID: 2160)
    • Actions looks like stealing of personal data

      • opera.exe (PID: 332)
      • opera.exe (PID: 320)
  • SUSPICIOUS

    • Starts Internet Explorer

      • rundll32.exe (PID: 3176)
    • Uses RUNDLL32.EXE to load library

      • WinRAR.exe (PID: 2728)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2728)
      • iexplore.exe (PID: 2664)
      • PowerISO7[1].exe (PID: 3436)
      • iexplore.exe (PID: 2304)
      • cmd.exe (PID: 3372)
      • OperaSetup.exe (PID: 3112)
      • OperaSetup.exe (PID: 2488)
      • OperaSetup.exe (PID: 2500)
      • OperaSetup.exe (PID: 3344)
      • avastfreeantivirussetuponline.m.exe (PID: 3800)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
      • instup.exe (PID: 3332)
      • installer.exe (PID: 2676)
      • installer.exe (PID: 972)
      • _sfx.exe (PID: 2964)
      • assistant_installer.exe (PID: 2580)
      • instup.exe (PID: 2936)
      • installer.exe (PID: 2368)
      • launcher.exe (PID: 2880)
      • launcher.exe (PID: 2352)
      • AvEmUpdate.exe (PID: 2840)
      • AvEmUpdate.exe (PID: 3836)
      • CCUpdate.exe (PID: 3452)
      • CCUpdate.exe (PID: 3272)
      • CCUpdate.exe (PID: 1344)
      • AvastSvc.exe (PID: 3780)
    • Reads Environment values

      • PowerISO7[1].exe (PID: 3436)
      • AvastSvc.exe (PID: 3780)
    • Reads the machine GUID from the registry

      • PowerISO7[1].exe (PID: 3436)
      • opera.exe (PID: 332)
      • opera.exe (PID: 3624)
    • Creates files in the Windows directory

      • PowerISO7[1].exe (PID: 3436)
      • avastfreeantivirussetuponline.m.exe (PID: 3800)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
      • instup.exe (PID: 3332)
      • instup.exe (PID: 2936)
      • AvEmUpdate.exe (PID: 2840)
      • AvastSvc.exe (PID: 3780)
    • Reads CPU info

      • PowerISO7[1].exe (PID: 3436)
    • Reads Windows Product ID

      • PowerISO7[1].exe (PID: 3436)
    • Reads the date of Windows installation

      • PowerISO7[1].exe (PID: 3436)
    • Reads internet explorer settings

      • PowerISO7[1].exe (PID: 3436)
    • Creates a software uninstall entry

      • PowerISO7[1].exe (PID: 3436)
      • installer.exe (PID: 2676)
      • instup.exe (PID: 2936)
      • AvEmUpdate.exe (PID: 3836)
    • Creates files in the driver directory

      • PowerISO7[1].exe (PID: 3436)
      • instup.exe (PID: 2936)
      • AvEmUpdate.exe (PID: 2840)
    • Creates files in the program directory

      • PowerISO7[1].exe (PID: 3436)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
      • instup.exe (PID: 3332)
      • installer.exe (PID: 2676)
      • assistant_installer.exe (PID: 2580)
      • OperaSetup.exe (PID: 3344)
      • opera_autoupdate.exe (PID: 3380)
      • AvEmUpdate.exe (PID: 3628)
      • AvEmUpdate.exe (PID: 2840)
      • instup.exe (PID: 2936)
      • CCUpdate.exe (PID: 3452)
      • CCUpdate.exe (PID: 3272)
      • CCUpdate.exe (PID: 1344)
      • CCUpdate.exe (PID: 3508)
      • avBugReport.exe (PID: 2528)
      • AvastNM.exe (PID: 3424)
      • engsup.exe (PID: 3188)
      • AvastSvc.exe (PID: 3780)
      • engsup.exe (PID: 284)
      • wsc_proxy.exe (PID: 3308)
    • Starts CMD.EXE for commands execution

      • PowerISO7[1].exe (PID: 3436)
      • cmd.exe (PID: 3120)
    • Creates or modifies windows services

      • PowerISO7[1].exe (PID: 3436)
      • instup.exe (PID: 2936)
      • AvastSvc.exe (PID: 3780)
    • Application launched itself

      • cmd.exe (PID: 3120)
      • OperaSetup.exe (PID: 3112)
      • OperaSetup.exe (PID: 3344)
      • opera.exe (PID: 3624)
      • opera.exe (PID: 332)
      • opera_autoupdate.exe (PID: 3456)
      • opera.exe (PID: 320)
      • opera_autoupdate.exe (PID: 3380)
      • opera_autoupdate.exe (PID: 3740)
      • opera_autoupdate.exe (PID: 3200)
      • opera_autoupdate.exe (PID: 3996)
      • AvEmUpdate.exe (PID: 2840)
      • CCUpdate.exe (PID: 3272)
    • Creates files in the user directory

      • OperaSetup.exe (PID: 2488)
      • installer.exe (PID: 2676)
      • browser_assistant.exe (PID: 2776)
      • opera.exe (PID: 3624)
      • opera.exe (PID: 332)
      • opera_autoupdate.exe (PID: 3456)
      • opera.exe (PID: 320)
      • opera_autoupdate.exe (PID: 3200)
      • PowerISO.exe (PID: 880)
    • Low-level read access rights to disk partition

      • avastfreeantivirussetuponline.m.exe (PID: 3800)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
      • instup.exe (PID: 3332)
      • instup.exe (PID: 2936)
      • AvEmUpdate.exe (PID: 2840)
      • AvEmUpdate.exe (PID: 3836)
      • AvEmUpdate.exe (PID: 2212)
      • CCUpdate.exe (PID: 3452)
      • CCUpdate.exe (PID: 1344)
      • CCUpdate.exe (PID: 3620)
      • CCUpdate.exe (PID: 3272)
      • CCUpdate.exe (PID: 3508)
      • avBugReport.exe (PID: 2528)
      • overseer.exe (PID: 2160)
      • AvastSvc.exe (PID: 3780)
    • Starts itself from another location

      • OperaSetup.exe (PID: 3112)
      • instup.exe (PID: 3332)
      • CCUpdate.exe (PID: 1344)
    • Searches for installed software

      • PowerISO7[1].exe (PID: 3436)
    • Modifies the open verb of a shell class

      • PowerISO7[1].exe (PID: 3436)
      • installer.exe (PID: 2676)
      • instup.exe (PID: 2936)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 2628)
      • instup.exe (PID: 2936)
      • RegSvr.exe (PID: 2296)
      • RegSvr.exe (PID: 2468)
    • Adds / modifies Windows certificates

      • OperaSetup.exe (PID: 3112)
    • Removes files from Windows directory

      • instup.exe (PID: 3332)
      • instup.exe (PID: 2936)
      • AvEmUpdate.exe (PID: 2840)
      • avast_free_antivirus_setup_online.exe (PID: 2668)
    • Changes IE settings (feature browser emulation)

      • assistant_installer.exe (PID: 2580)
    • Reads Internet Cache Settings

      • instup.exe (PID: 2936)
    • Reads the cookies of Google Chrome

      • engsup.exe (PID: 284)
    • Reads the cookies of Mozilla Firefox

      • engsup.exe (PID: 284)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2304)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2304)
      • installer.exe (PID: 2676)
      • browser_assistant.exe (PID: 2776)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2664)
      • iexplore.exe (PID: 2256)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2664)
      • iexplore.exe (PID: 2256)
    • Application launched itself

      • iexplore.exe (PID: 2304)
    • Creates files in the user directory

      • iexplore.exe (PID: 2664)
      • iexplore.exe (PID: 2256)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 952)
      • iexplore.exe (PID: 2304)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2304)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2664)
      • OperaSetup.exe (PID: 3344)
      • instup.exe (PID: 2936)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2304)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin
ZipUncompressedSize: 1450500
ZipCompressedSize: 1398326
ZipCRC: 0x90dd8363
ZipModifyDate: 2019:02:16 05:43:09
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
All screenshots are available in the full report
Total processes: 161
Monitored processes: 114
Malicious processes: 52
Suspicious processes: 20

Behavior graph

Interactive process graph (available in the full report)

Process information

PID: 2728
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\adylkuzz.bin.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3176
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIb2728.15599\8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233.bin
Path: C:\Windows\system32\rundll32.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2304
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2664
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2304 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 1868
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\PowerISO7[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\PowerISO7[1].exe
Parent process: iexplore.exe
User: admin
Company: Power Software Ltd
Integrity Level: MEDIUM
Description: PowerISO Setup
Exit code: 3221226540
Version: 7.4.0.0

PID: 3436
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\PowerISO7[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\PowerISO7[1].exe
Parent process: iexplore.exe
User: admin
Company: Power Software Ltd
Integrity Level: HIGH
Description: PowerISO Setup
Exit code: 0
Version: 7.4.0.0

PID: 3604
CMD: regsvr32.exe /s /u "C:\Program Files\PowerISO\PWRISOSH.DLL"
Path: C:\Windows\system32\regsvr32.exe
Parent process: PowerISO7[1].exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 3
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3120
CMD: /d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D96839~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D96839~2.DAT" "C:\Users\admin\AppData\Local\Temp\ns6C7051C9\26BAD121_stp\avastfreeantivirussetuponline.m.exe" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D96839~1.DAT" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D96839~2.DAT"
Path: C:\Windows\system32\cmd.exe
Parent process: PowerISO7[1].exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2136
CMD: TIMEOUT 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3372
CMD: cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D96839~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D96839~2.DAT" "C:\Users\admin\AppData\Local\Temp\ns6C7051C9\26BAD121_stp\avastfreeantivirussetuponline.m.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 12 305
Read events: 5 787
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 595
Suspicious files: 262
Text files: 978
Unknown types: 121

Dropped files

PID: 2304
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:

PID: 2304
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:

PID: 2664
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bing[2].txt
MD5:
SHA256:

PID: 2664
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CS5F54X5\search[1].txt
MD5:
SHA256:

PID: 2664
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
Type: text
MD5: 71104B6577804919B217FC40A562E243
SHA256: 542C0E47C906E2CC7C207EF1BBDEF53D570F0B444639C2527D1029AC961DC968

PID: 2664
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
Type: dat
MD5: 7E8505EA3E2394CF4414C49DB7B914BA
SHA256: 78F6C270C2BD382CEDBC8F8F861D55DD22729D8BDBF87B8625C6763DB2DD3933

PID: 2664
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
Type: dat
MD5: 43BA65F3F0428A3FF50B54B325963D46
SHA256: B0E0DC222CFBFC07C347222D04651656779A8912789541BF4D6BE886C664622B

PID: 2664
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bing[1].txt
Type: text
MD5: 6A5BC205AE7873D008333E288DA50434
SHA256: 0E90A03F47129E8D4E88C3726C375E8E2FB53AB77C8B91D5948022BD586A81C4

PID: 2664
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini
Type: ini
MD5: 4A3DEB274BB5F0212C2419D3D8D08612
SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID: 2664
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
Type: dbf
MD5: D52DB6EBED3A4ED299CBDD902599D416
SHA256: 4FC4B4DF6FBD2DC5CCF87E67C59EE49B7284819830E76DFD036CA85B121C250D
HTTP(S) requests: 226
TCP/UDP connections: 231
DNS requests: 181
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2664 | iexplore.exe | GET | 302 | 23.38.36.63:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=bin | NL | - | - | whitelisted
2664 | iexplore.exe | GET | 200 | 50.62.134.113:80 | http://www.poweriso.com/download.php | US | html | 6.77 Kb | suspicious
3436 | PowerISO7[1].exe | HEAD | 200 | 46.166.187.59:80 | http://cdneu.powopibobu3.com/ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16 | NL | - | - | malicious
3436 | PowerISO7[1].exe | HEAD | 200 | 46.166.187.59:80 | http://cdneu.powopibobu3.com/ofr/Solululadul/icut_v2_2.cis | NL | - | - | malicious
2664 | iexplore.exe | GET | 301 | 2.16.186.27:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=bin | unknown | - | - | whitelisted
3436 | PowerISO7[1].exe | GET | 200 | 52.214.73.247:80 | http://rp.powopibobu3.com/ | IE | - | - | malicious
3436 | PowerISO7[1].exe | POST | 200 | 52.214.73.247:80 | http://rp.powopibobu3.com/ | IE | - | - | malicious
2664 | iexplore.exe | GET | 200 | 52.85.188.76:80 | http://d1jy0es72id004.cloudfront.net/4%7Cjfzrdzg01lo/PowerISO7.exe | US | executable | 4.87 Mb | whitelisted
2664 | iexplore.exe | GET | 200 | 50.62.134.113:80 | http://www.poweriso.com/images/top3-1.jpg | US | image | 480 b | suspicious
3436 | PowerISO7[1].exe | GET | 200 | 209.95.37.242:80 | http://img.powopibobu3.com/img/Rowabobeso/b2_fus_clean.png | US | image | 33.6 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2304 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2664 | iexplore.exe | 2.16.186.27:80 | shell.windows.com | Akamai International B.V. | - | whitelisted
2304 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2664 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2664 | iexplore.exe | 23.38.36.63:80 | go.microsoft.com | Akamai Technologies, Inc. | NL | whitelisted
2304 | iexplore.exe | 50.62.134.113:443 | poweriso.com | GoDaddy.com, LLC | US | suspicious
2664 | iexplore.exe | 157.55.134.140:443 | login.live.com | Microsoft Corporation | US | whitelisted
2664 | iexplore.exe | 50.62.134.113:443 | poweriso.com | GoDaddy.com, LLC | US | suspicious
2664 | iexplore.exe | 50.62.134.113:80 | poweriso.com | GoDaddy.com, LLC | US | suspicious
2304 | iexplore.exe | 50.62.134.113:80 | poweriso.com | GoDaddy.com, LLC | US | suspicious

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
go.microsoft.com | 23.38.36.63, 104.109.80.115 | whitelisted
shell.windows.com | 2.16.186.27, 2.16.186.24 | whitelisted
login.live.com | 157.55.134.140, 157.55.135.130, 157.55.135.132 | whitelisted
poweriso.com | 50.62.134.113 | suspicious
www.poweriso.com | 50.62.134.113 | suspicious
d1jy0es72id004.cloudfront.net | 52.85.188.76, 52.85.188.192, 52.85.188.142, 52.85.188.108 | whitelisted
rp.powopibobu3.com | 52.214.73.247, 54.194.149.175 | unknown
os.powopibobu3.com | 52.50.98.206, 52.31.245.195, 52.51.129.59 | unknown
img.powopibobu3.com | 209.95.37.242 | malicious

Threats

PID | Process | Class | Message
2664 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2664 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP
3436 | PowerISO7[1].exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
3436 | PowerISO7[1].exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3436 | PowerISO7[1].exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions
3436 | PowerISO7[1].exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
3436 | PowerISO7[1].exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
3436 | PowerISO7[1].exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3436 | PowerISO7[1].exe | Misc activity | ET INFO EXE - Served Attached HTTP
3436 | PowerISO7[1].exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions
33 ETPRO signatures available at the full report
Process | Message
assistant_installer.exe | [0424/222754.638:INFO:assistant_installer_main.cc(150)] Running assistant installer with command line "C:\Users\admin\AppData\Local\Temp\Opera Installer Temp\opera_package_201904242227001\assistant\assistant_installer.exe" --version
assistant_installer.exe | [0424/222804.559:INFO:assistant_installer_main.cc(150)] Running assistant installer with command line "C:\Users\admin\AppData\Local\Temp\Opera Installer Temp\opera_package_201904242227001\assistant\assistant_installer.exe" --installfolder="C:\Program Files\Opera\assistant" --copyonly=0 --allusers=0
assistant_installer.exe | [0424/222804.591:INFO:assistant_installer.cc(241)] Setting up the registry
assistant_installer.exe | [0424/222805.216:INFO:assistant_installer.cc(295)] Creating scheduled task
assistant_installer.exe | [0424/222805.325:INFO:assistant_installer_main.cc(150)] Running assistant installer with command line "C:\Program Files\Opera\assistant\assistant_installer.exe" --installfolder="C:\Program Files\Opera\assistant" --run-assistant --allusers=0
assistant_installer.exe | [0424/222805.325:INFO:assistant_installer.cc(152)] Performing PostElevation Install Tasks
assistant_installer.exe | [0424/222805.325:INFO:assistant_installer.cc(200)] Running Assistant
browser_assistant.exe | [0424/222806.169:INFO:browser_installation_event_reporter.cc(138)] Chrome
browser_assistant.exe | [0424/222806.169:INFO:browser_installation_event_reporter.cc(138)] Chrome
browser_assistant.exe | [0424/222806.169:INFO:browser_installation_event_reporter.cc(138)] Firefox