| File name: | httrack-3.49.2.exe |
| Full analysis: | https://app.any.run/tasks/e3054f4b-863b-43e5-b1da-94b76c11f9bb |
| Verdict: | Malicious activity |
| Analysis date: | November 06, 2023, 13:44:56 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | E56F69E10A5F995F559557DA1C2DE7C3 |
| SHA1: | EAFD7FBE4B900BBE9A0F09E020A45EBDDB1B3159 |
| SHA256: | AF0F3101D0E7C8927A49E7C29BE2B3A92A9109B4481FE3E2A6BC5D813B470DC3 |
| SSDEEP: | 98304:ODnXE2ruClmjZacGIcCTpaQc3bffieWnGaZV2FLVpWTFyAD15cjcOCzniRIh5/Fa:zTOSdr0nau |
MALICIOUS
Drops the executable file immediately after the start
- httrack-3.49.2.exe (PID: 3128)
- httrack-3.49.2.exe (PID: 3572)
- httrack-3.49.2.tmp (PID: 3464)
SUSPICIOUS
Process drops legitimate windows executable
- httrack-3.49.2.tmp (PID: 3464)
The process drops C-runtime libraries
- httrack-3.49.2.tmp (PID: 3464)
Reads the Windows owner or organization settings
- httrack-3.49.2.tmp (PID: 3464)
INFO
Checks supported languages
- httrack-3.49.2.tmp (PID: 3432)
- httrack-3.49.2.exe (PID: 3128)
- httrack-3.49.2.exe (PID: 3572)
- httrack-3.49.2.tmp (PID: 3464)
- wmpnscfg.exe (PID: 3404)
- wmpnscfg.exe (PID: 3632)
- WinHTTrack.exe (PID: 3840)
Create files in a temporary directory
- httrack-3.49.2.exe (PID: 3128)
- httrack-3.49.2.exe (PID: 3572)
- httrack-3.49.2.tmp (PID: 3464)
Reads the computer name
- httrack-3.49.2.tmp (PID: 3432)
- httrack-3.49.2.tmp (PID: 3464)
- wmpnscfg.exe (PID: 3632)
- WinHTTrack.exe (PID: 3840)
- wmpnscfg.exe (PID: 3404)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3404)
- wmpnscfg.exe (PID: 3632)
- WinHTTrack.exe (PID: 3840)
Application launched itself
- msedge.exe (PID: 4032)
Manual execution by a user
- wmpnscfg.exe (PID: 3404)
- wmpnscfg.exe (PID: 3632)
Creates files in the program directory
- httrack-3.49.2.tmp (PID: 3464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (71.1) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (9.1) |
| .scr | | | Windows screen saver (8.4) |
| .dll | | | Win32 Dynamic Link Library (generic) (4.2) |
| .exe | | | Win32 Executable (generic) (2.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:20 00:22:17+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 40448 |
| InitializedDataSize: | 18944 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xa5f8 |
| OSVersion: | 1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | HTTrack |
| FileDescription: | WinHTTrack Website Copier Setup |
| FileVersion: | |
| LegalCopyright: | |
| ProductName: | WinHTTrack Website Copier |
| ProductVersion: | 3.49.2 |
Total processes
59
Monitored processes
21
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 280 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3760 --field-trial-handle=1308,i,17979710520598235520,8433749245859115325,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 448 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1540 --field-trial-handle=1308,i,17979710520598235520,8433749245859115325,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 604 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1308,i,17979710520598235520,8433749245859115325,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 732 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3800 --field-trial-handle=1308,i,17979710520598235520,8433749245859115325,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 788 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1308,i,17979710520598235520,8433749245859115325,131072 /prefetch:3 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | msedge.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1508 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1300 --field-trial-handle=1308,i,17979710520598235520,8433749245859115325,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1612 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2352 --field-trial-handle=1308,i,17979710520598235520,8433749245859115325,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1880 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1308,i,17979710520598235520,8433749245859115325,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1892 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1640 --field-trial-handle=1308,i,17979710520598235520,8433749245859115325,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2080 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1488 --field-trial-handle=1308,i,17979710520598235520,8433749245859115325,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
Total events
3 909
Read events
3 873
Write events
20
Delete events
16
Modification events
| (PID) Process: | (3404) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A8EC6296-6901-4282-B4F7-86E5A6C83760}\{FFE9D7E0-E223-4A1B-80C0-B500DF3E92F2} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3404) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{A8EC6296-6901-4282-B4F7-86E5A6C83760} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3404) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{E68F2BBE-56B3-4B08-A90B-E09F12873CA2}\{FFE9D7E0-E223-4A1B-80C0-B500DF3E92F2} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3404) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{E68F2BBE-56B3-4B08-A90B-E09F12873CA2} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3404) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{15A88E33-FC49-4644-B04F-6BBD26F4079F} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3632) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{DAE9BD3E-B266-4F65-955D-1881D875A644}\{2E4D6889-3126-467B-A773-AB9B4BFF8A60} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3632) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{DAE9BD3E-B266-4F65-955D-1881D875A644} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3632) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{836DB1DB-B061-4472-99E7-B949E18F9153} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3464) httrack-3.49.2.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFilesHash |
Value: B319C16FC72AB545BDEFCF6A20B23CACA458764D3FE249EBBB77CD716A784A56 | |||
| (PID) Process: | (3464) httrack-3.49.2.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFiles0000 |
Value: C:\Program Files\WinHTTrack\htsjava.dll | |||
Executable files
31
Suspicious files
145
Text files
1 093
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3464 | httrack-3.49.2.tmp | C:\Program Files\WinHTTrack\html\is-FJ2KI.tmp | html | |
MD5:FDD1D618AAC1BE97B2F14D52AFAAA5F6 | SHA256:0FD76E56BF1C7C123B8C1B3B3C93FE6FAFBD294A70445B719161C7665835B318 | |||
| 3464 | httrack-3.49.2.tmp | C:\Program Files\WinHTTrack\html\dev.html | html | |
MD5:9597BC7F175505FDD558FA22EACD654C | SHA256:7B7DDB0A96CA2850E10E95A4967C7A8F01BEA4249A9BC293713A3833E7629ECA | |||
| 3464 | httrack-3.49.2.tmp | C:\Program Files\WinHTTrack\html\abuse.html | html | |
MD5:1D89A9A7547179DAAE778DCC0EF908B5 | SHA256:282770D2A8BD03CA4083F7453001A9E827958408019C6CBFD940AC65D213B149 | |||
| 3464 | httrack-3.49.2.tmp | C:\Program Files\WinHTTrack\html\is-NVC45.tmp | html | |
MD5:D00CB59EB5E64E6FD3FFC10962C8E114 | SHA256:EFF26868A40711316674C7889982A1C8442CC5D2AEB18422B56CF16BE9566A04 | |||
| 3464 | httrack-3.49.2.tmp | C:\Program Files\WinHTTrack\is-IVV3D.tmp | executable | |
MD5:BC3AE216EE497C33A727652E67305CD6 | SHA256:111AE632794A8D94B3C112ACC28DC22EBD303ADB867A9A31812B1B65AD0BE649 | |||
| 3464 | httrack-3.49.2.tmp | C:\Program Files\WinHTTrack\html\is-QO4PN.tmp | html | |
MD5:1D89A9A7547179DAAE778DCC0EF908B5 | SHA256:282770D2A8BD03CA4083F7453001A9E827958408019C6CBFD940AC65D213B149 | |||
| 3572 | httrack-3.49.2.exe | C:\Users\admin\AppData\Local\Temp\is-PRL8Q.tmp\httrack-3.49.2.tmp | executable | |
MD5:BC3AE216EE497C33A727652E67305CD6 | SHA256:111AE632794A8D94B3C112ACC28DC22EBD303ADB867A9A31812B1B65AD0BE649 | |||
| 3128 | httrack-3.49.2.exe | C:\Users\admin\AppData\Local\Temp\is-5CK3J.tmp\httrack-3.49.2.tmp | executable | |
MD5:BC3AE216EE497C33A727652E67305CD6 | SHA256:111AE632794A8D94B3C112ACC28DC22EBD303ADB867A9A31812B1B65AD0BE649 | |||
| 3464 | httrack-3.49.2.tmp | C:\Users\admin\AppData\Local\Temp\is-7A5C6.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 3464 | httrack-3.49.2.tmp | C:\Program Files\WinHTTrack\html\cmddoc.html | html | |
MD5:D00CB59EB5E64E6FD3FFC10962C8E114 | SHA256:EFF26868A40711316674C7889982A1C8442CC5D2AEB18422B56CF16BE9566A04 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
73
DNS requests
17
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3840 | WinHTTrack.exe | GET | 200 | 142.250.186.100:80 | http://www.google.com/robots.txt | unknown | text | 1.96 Kb | unknown |
3840 | WinHTTrack.exe | GET | 200 | 142.250.186.100:80 | http://www.google.com/ | unknown | html | 11.8 Kb | unknown |
3840 | WinHTTrack.exe | GET | 301 | 142.250.186.100:80 | http://www.google.com/intl/de/about/ | unknown | html | 226 b | unknown |
3840 | WinHTTrack.exe | GET | 301 | 142.250.186.100:80 | http://www.google.com/advanced_search?hl=de&authuser=0 | unknown | html | 256 b | unknown |
3840 | WinHTTrack.exe | GET | 404 | 142.250.186.100:80 | http://www.google.com/intl/de/policies/privacy/curl | unknown | html | 1.55 Kb | unknown |
3840 | WinHTTrack.exe | GET | 301 | 142.250.186.100:80 | http://www.google.com/intl/de/about.html | unknown | html | 233 b | unknown |
3840 | WinHTTrack.exe | GET | 200 | 142.250.186.100:80 | http://www.google.com/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png | unknown | image | 5.35 Kb | unknown |
3840 | WinHTTrack.exe | GET | 200 | 142.250.186.100:80 | http://www.google.com/intl/de/policies/terms/ | unknown | html | 679 b | unknown |
3840 | WinHTTrack.exe | GET | 302 | 142.250.186.100:80 | http://www.google.com/setprefs?sig=0_YSBC3pon58bCdLhAosNVfbN2s6Q%3D&hl=en&source=homepage&sa=X&ved=0ahUKEwj74Oakwa-CAxW4VfEDHQwAC0wQ2ZgBCAQ | unknown | html | 218 b | unknown |
3840 | WinHTTrack.exe | GET | 404 | 142.250.186.100:80 | http://www.google.com/intl/de/policies/terms/curl | unknown | html | 1.55 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
868 | svchost.exe | 95.101.148.135:80 | armmf.adobe.com | Akamai International B.V. | NL | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3840 | WinHTTrack.exe | 142.250.186.100:80 | www.google.com | GOOGLE | US | whitelisted |
3840 | WinHTTrack.exe | 142.250.184.227:443 | ssl.gstatic.com | GOOGLE | US | whitelisted |
3840 | WinHTTrack.exe | 142.250.186.100:443 | www.google.com | GOOGLE | US | whitelisted |
3840 | WinHTTrack.exe | 142.250.186.163:443 | www.gstatic.com | GOOGLE | US | whitelisted |
3840 | WinHTTrack.exe | 142.250.184.227:80 | ssl.gstatic.com | GOOGLE | US | whitelisted |
4032 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
788 | msedge.exe | 52.123.243.86:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
armmf.adobe.com |
| whitelisted |
www.google.com |
| whitelisted |
ssl.gstatic.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com |
| whitelisted |