File name: 8d070b107b16ebcdefee6ee609f4f042-content.zip

Full analysis: https://app.any.run/tasks/d23d4a39-e2aa-4d4a-8949-fa741e0a253e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 18, 2018, 14:14:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, installcore, pup, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 67875D506181C32D4CD42605F41E5575
SHA1: C8F69A68761FAB32F0DCC2EF345439BCAE5DCB1A
SHA256: BCAC25EF202D80860F6E5BA8C1F2BEDFA504F18A7BEEADF959841055572B1B75
SSDEEP: 49152:Dya0mTIFdiIr2VFesyQ0Hn7oztHZMO21cseID2wFE/Ww:uqK0IrQFesyQ0boztO715y8E/P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • aTube_Catcher_3928599341.exe (PID: 3652)
      • aTube_Catcher_3928599341.exe (PID: 3648)
      • aTube_Catcher_3928599341.exe (PID: 3748)
      • instup.exe (PID: 4000)
      • avast_free_antivirus_setup_online.exe (PID: 3156)
      • aTubeCatcherNOAD9618.exe (PID: 3960)
      • installer.exe (PID: 3088)
      • launcher.exe (PID: 2816)
      • installer.exe (PID: 1472)
      • opera.exe (PID: 3588)
      • opera.exe (PID: 3608)
      • sbr.exe (PID: 1732)
      • opera.exe (PID: 3312)
      • opera.exe (PID: 3344)
      • opera.exe (PID: 3664)
      • opera.exe (PID: 3216)
      • opera.exe (PID: 2720)
      • opera.exe (PID: 2488)
      • opera.exe (PID: 1064)
      • opera.exe (PID: 2628)
      • opera_crashreporter.exe (PID: 1172)
      • opera.exe (PID: 1596)
      • launcher.exe (PID: 2900)
      • opera.exe (PID: 2540)
      • opera_autoupdate.exe (PID: 2872)
      • opera.exe (PID: 2184)
      • instup.exe (PID: 2080)
      • opera.exe (PID: 1760)
      • opera_crashreporter.exe (PID: 3440)
      • opera_autoupdate.exe (PID: 2536)
      • opera_autoupdate.exe (PID: 2160)
      • opera_autoupdate.exe (PID: 1984)
      • installer.exe (PID: 3456)
      • eWorker.exe (PID: 3796)
      • opera_crashreporter.exe (PID: 3744)
      • opera.exe (PID: 2368)
      • opera.exe (PID: 1616)
      • launcher.exe (PID: 3472)
      • opera.exe (PID: 3008)
      • launcher.exe (PID: 3204)
      • 48ad8dd9-6338-471b-9614-2222c93c32d6.exe (PID: 3296)
      • yct.exe (PID: 1476)
      • opera.exe (PID: 3800)
      • opera_crashreporter.exe (PID: 2624)
      • opera.exe (PID: 648)
      • opera.exe (PID: 3900)
      • CCUpdate.exe (PID: 1068)
      • CCUpdate.exe (PID: 3580)
      • CCUpdate.exe (PID: 3500)
      • CCUpdate.exe (PID: 2992)
      • AvastSvc.exe (PID: 3576)
      • AvEmUpdate.exe (PID: 2288)
      • AvEmUpdate.exe (PID: 2368)
      • AvEmUpdate.exe (PID: 2420)
      • AvastNM.exe (PID: 3584)
      • instup.exe (PID: 1812)
      • instup.exe (PID: 3856)
      • wsc_proxy.exe (PID: 3164)
      • AvEmUpdate.exe (PID: 1960)
      • instup.exe (PID: 3976)
      • RegSvr.exe (PID: 3992)
      • RegSvr.exe (PID: 2512)
      • SetupInf.exe (PID: 2140)
      • RegSvr.exe (PID: 1036)
      • aswRunDll.exe (PID: 3792)
      • SetupInf.exe (PID: 1752)
      • SetupInf.exe (PID: 2988)
      • overseer.exe (PID: 2340)
      • SetupInf.exe (PID: 2372)
    • Connects to CnC server

      • aTube_Catcher_3928599341.exe (PID: 3652)
    • INSTALLCORE was detected

      • aTube_Catcher_3928599341.exe (PID: 3652)
    • Loads dropped or rewritten executable

      • OperaSetup.exe (PID: 2528)
      • OperaSetup.exe (PID: 2180)
      • OperaSetup.exe (PID: 3804)
      • OperaSetup.exe (PID: 2764)
      • OperaSetup.exe (PID: 3328)
      • instup.exe (PID: 4000)
      • installer.exe (PID: 1472)
      • installer.exe (PID: 3088)
      • regsvr32.exe (PID: 2852)
      • instup.exe (PID: 2080)
      • regsvr32.exe (PID: 2708)
      • opera.exe (PID: 3588)
      • opera.exe (PID: 3312)
      • regsvr32.exe (PID: 2916)
      • regsvr32.exe (PID: 2724)
      • installer.exe (PID: 3456)
      • regsvr32.exe (PID: 2132)
      • regsvr32.exe (PID: 2936)
      • opera.exe (PID: 1760)
      • regsvr32.exe (PID: 3116)
      • regsvr32.exe (PID: 2556)
      • regsvr32.exe (PID: 3352)
      • regsvr32.exe (PID: 2344)
      • regsvr32.exe (PID: 2960)
      • regsvr32.exe (PID: 1700)
      • regsvr32.exe (PID: 2284)
      • regsvr32.exe (PID: 2792)
      • regsvr32.exe (PID: 2468)
      • regsvr32.exe (PID: 3856)
      • regsvr32.exe (PID: 884)
      • regsvr32.exe (PID: 3820)
      • regsvr32.exe (PID: 2300)
      • regsvr32.exe (PID: 3972)
      • regsvr32.exe (PID: 2164)
      • regsvr32.exe (PID: 1980)
      • regsvr32.exe (PID: 2744)
      • regsvr32.exe (PID: 3404)
      • regsvr32.exe (PID: 2860)
      • regsvr32.exe (PID: 3808)
      • AvEmUpdate.exe (PID: 1960)
      • yct.exe (PID: 1476)
      • AvEmUpdate.exe (PID: 2420)
      • RegSvr.exe (PID: 3992)
      • AvastSvc.exe (PID: 3576)
      • aswRunDll.exe (PID: 3792)
      • AvEmUpdate.exe (PID: 2368)
      • instup.exe (PID: 1812)
      • instup.exe (PID: 3856)
    • Changes settings of System certificates

      • OperaSetup.exe (PID: 2528)
      • AvastSvc.exe (PID: 3576)
    • Loads the Task Scheduler COM API

      • installer.exe (PID: 1472)
      • opera.exe (PID: 2488)
      • AvEmUpdate.exe (PID: 2288)
      • aTube_Catcher_3928599341.exe (PID: 3652)
      • AvEmUpdate.exe (PID: 2368)
      • CCUpdate.exe (PID: 3500)
      • overseer.exe (PID: 2340)
    • Registers / Runs the DLL via REGSVR32.EXE

      • aTubeCatcherNOAD9618.tmp (PID: 2228)
    • Actions looks like stealing of personal data

      • opera.exe (PID: 2488)
    • Changes the autorun value in the registry

      • instup.exe (PID: 2080)
      • rundll32.exe (PID: 3464)
    • Downloads executable files from the Internet

      • AvEmUpdate.exe (PID: 2368)
      • CCUpdate.exe (PID: 3500)
  • SUSPICIOUS

    • Application launched itself

      • aTube_Catcher_3928599341.exe (PID: 3648)
      • cmd.exe (PID: 3628)
      • OperaSetup.exe (PID: 2528)
      • cmd.exe (PID: 2876)
      • installer.exe (PID: 1472)
      • opera.exe (PID: 3608)
      • opera.exe (PID: 2488)
      • opera_autoupdate.exe (PID: 2872)
      • opera.exe (PID: 3008)
      • AvEmUpdate.exe (PID: 2368)
      • opera.exe (PID: 3900)
      • CCUpdate.exe (PID: 3500)
    • Reads Environment values

      • aTube_Catcher_3928599341.exe (PID: 3652)
    • Reads internet explorer settings

      • aTube_Catcher_3928599341.exe (PID: 3652)
    • Creates files in the program directory

      • aTube_Catcher_3928599341.exe (PID: 3652)
      • avast_free_antivirus_setup_online.exe (PID: 3156)
      • instup.exe (PID: 4000)
      • installer.exe (PID: 1472)
      • OperaSetup.exe (PID: 3328)
      • instup.exe (PID: 2080)
      • opera_autoupdate.exe (PID: 2160)
      • AvEmUpdate.exe (PID: 2368)
      • CCUpdate.exe (PID: 3500)
      • CCUpdate.exe (PID: 1068)
      • CCUpdate.exe (PID: 2992)
      • AvastNM.exe (PID: 3584)
      • AvastSvc.exe (PID: 3576)
      • wsc_proxy.exe (PID: 3164)
      • instup.exe (PID: 1812)
      • instup.exe (PID: 3856)
    • Creates files in the user directory

      • aTube_Catcher_3928599341.exe (PID: 3652)
      • OperaSetup.exe (PID: 2764)
      • installer.exe (PID: 1472)
      • opera.exe (PID: 3608)
      • opera.exe (PID: 2488)
      • opera_autoupdate.exe (PID: 2872)
      • opera.exe (PID: 3008)
      • opera.exe (PID: 3900)
    • Reads CPU info

      • aTube_Catcher_3928599341.exe (PID: 3652)
    • Executable content was dropped or overwritten

      • aTube_Catcher_3928599341.exe (PID: 3652)
      • OperaSetup.exe (PID: 2764)
      • OperaSetup.exe (PID: 2528)
      • cmd.exe (PID: 2120)
      • OperaSetup.exe (PID: 3804)
      • OperaSetup.exe (PID: 3328)
      • avast_free_antivirus_setup_online.exe (PID: 3156)
      • cmd.exe (PID: 2460)
      • aTubeCatcherNOAD9618.exe (PID: 3960)
      • instup.exe (PID: 4000)
      • aTubeCatcherNOAD9618.tmp (PID: 2228)
      • installer.exe (PID: 3088)
      • installer.exe (PID: 1472)
      • installer.exe (PID: 3456)
      • launcher.exe (PID: 2900)
      • instup.exe (PID: 2080)
      • rundll32.exe (PID: 3464)
      • AvEmUpdate.exe (PID: 2368)
      • AvEmUpdate.exe (PID: 2420)
      • CCUpdate.exe (PID: 1068)
      • CCUpdate.exe (PID: 2992)
      • AvastSvc.exe (PID: 3576)
      • instup.exe (PID: 3856)
    • Reads the date of Windows installation

      • aTube_Catcher_3928599341.exe (PID: 3652)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3628)
      • aTube_Catcher_3928599341.exe (PID: 3652)
      • cmd.exe (PID: 2876)
    • Starts itself from another location

      • OperaSetup.exe (PID: 2528)
      • CCUpdate.exe (PID: 2992)
    • Low-level read access rights to disk partition

      • instup.exe (PID: 4000)
      • avast_free_antivirus_setup_online.exe (PID: 3156)
      • instup.exe (PID: 2080)
      • AvEmUpdate.exe (PID: 2368)
      • AvEmUpdate.exe (PID: 1960)
      • AvEmUpdate.exe (PID: 2420)
      • CCUpdate.exe (PID: 1068)
      • CCUpdate.exe (PID: 2992)
      • CCUpdate.exe (PID: 3500)
      • CCUpdate.exe (PID: 3580)
      • overseer.exe (PID: 2340)
      • AvastSvc.exe (PID: 3576)
      • wsc_proxy.exe (PID: 3164)
      • instup.exe (PID: 1812)
      • instup.exe (PID: 3856)
      • instup.exe (PID: 3976)
    • Reads Internet Cache Settings

      • instup.exe (PID: 4000)
      • instup.exe (PID: 2080)
    • Adds / modifies Windows certificates

      • OperaSetup.exe (PID: 2528)
    • Uses TASKKILL.EXE to kill process

      • aTubeCatcherNOAD9618.tmp (PID: 2228)
    • Reads the Windows organization settings

      • aTubeCatcherNOAD9618.tmp (PID: 2228)
    • Reads Windows owner or organization settings

      • aTubeCatcherNOAD9618.tmp (PID: 2228)
    • Connects to server without host name

      • instup.exe (PID: 4000)
    • Modifies the open verb of a shell class

      • installer.exe (PID: 1472)
      • instup.exe (PID: 2080)
    • Creates a software uninstall entry

      • installer.exe (PID: 1472)
      • instup.exe (PID: 2080)
      • aTube_Catcher_3928599341.exe (PID: 3652)
      • AvEmUpdate.exe (PID: 2420)
    • Creates files in the Windows directory

      • aTubeCatcherNOAD9618.tmp (PID: 2228)
      • regsvr32.exe (PID: 2708)
      • rundll32.exe (PID: 3464)
      • instup.exe (PID: 2080)
      • AvEmUpdate.exe (PID: 2368)
      • AvastSvc.exe (PID: 3576)
      • keytool.exe (PID: 2356)
      • keytool.exe (PID: 3712)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 2852)
      • regsvr32.exe (PID: 2708)
      • regsvr32.exe (PID: 2724)
      • regsvr32.exe (PID: 2936)
      • regsvr32.exe (PID: 2468)
      • regsvr32.exe (PID: 2556)
      • regsvr32.exe (PID: 2344)
      • regsvr32.exe (PID: 884)
      • regsvr32.exe (PID: 2284)
      • regsvr32.exe (PID: 2960)
      • regsvr32.exe (PID: 2792)
      • regsvr32.exe (PID: 3972)
      • regsvr32.exe (PID: 1980)
      • regsvr32.exe (PID: 3808)
      • regsvr32.exe (PID: 2164)
      • regsvr32.exe (PID: 2744)
      • regsvr32.exe (PID: 2860)
      • instup.exe (PID: 2080)
      • RegSvr.exe (PID: 3992)
      • RegSvr.exe (PID: 1036)
      • RegSvr.exe (PID: 2512)
    • Reads the machine GUID from the registry

      • opera.exe (PID: 3608)
      • opera.exe (PID: 2488)
      • opera.exe (PID: 3008)
      • opera.exe (PID: 3900)
    • Connects to unusual port

      • opera.exe (PID: 2488)
    • Uses RUNDLL32.EXE to load library

      • aTubeCatcherNOAD9618.tmp (PID: 2228)
    • Removes files from Windows directory

      • rundll32.exe (PID: 3464)
      • AvEmUpdate.exe (PID: 2368)
      • AvastSvc.exe (PID: 3576)
    • Creates or modifies windows services

      • instup.exe (PID: 2080)
      • AvastSvc.exe (PID: 3576)
    • Creates files in the driver directory

      • instup.exe (PID: 2080)
      • AvEmUpdate.exe (PID: 2368)
    • Reads the cookies of Mozilla Firefox

      • instup.exe (PID: 2080)
    • Reads the cookies of Google Chrome

      • instup.exe (PID: 2080)
    • Searches for installed software

      • AvastSvc.exe (PID: 3576)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • OperaSetup.exe (PID: 3328)
      • aTubeCatcherNOAD9618.tmp (PID: 2228)
      • instup.exe (PID: 2080)
    • Loads dropped or rewritten executable

      • aTubeCatcherNOAD9618.tmp (PID: 2228)
    • Creates files in the program directory

      • aTubeCatcherNOAD9618.tmp (PID: 2228)
    • Application was dropped or rewritten from another process

      • aTubeCatcherNOAD9618.tmp (PID: 2228)
    • Reads settings of System Certificates

      • opera.exe (PID: 2488)
      • AvastSvc.exe (PID: 3576)
    • Creates a software uninstall entry

      • aTubeCatcherNOAD9618.tmp (PID: 2228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: aTube_Catcher_3928599341.exe.zs
ZipUncompressedSize: 2557792
ZipCompressedSize: 2468215
ZipCRC: 0x959b027f
ZipModifyDate: 2018:12:18 12:07:17
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 168
Monitored processes: 123
Malicious processes: 29
Suspicious processes: 24

Behavior graph

The interactive process graph is not reproduced in this export. Its edges are labelled "start" and "drop and start", and its nodes (many marked "no specs") are: winrar.exe, atube_catcher_3928599341.exe (#INSTALLCORE), cmd.exe, timeout.exe, operasetup.exe, avast_free_antivirus_setup_online.exe, instup.exe, atubecatchernoad9618.exe, atubecatchernoad9618.tmp, taskkill.exe, installer.exe, launcher.exe, opera.exe, opera_crashreporter.exe, opera_autoupdate.exe, sbr.exe, regsvr32.exe, rundll32.exe, runonce.exe, grpconv.exe, eworker.exe, setupinf.exe, avemupdate.exe, yct.exe, 48ad8dd9-6338-471b-9614-2222c93c32d6.exe, ccupdate.exe, regsvr.exe, aswrundll.exe, avastnm.exe, overseer.exe, avastsvc.exe, wsc_proxy.exe, unsecapp.exe, keytool.exe.

Process information

PID: 3600
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\8d070b107b16ebcdefee6ee609f4f042-content.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2896
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\8d070b107b16ebcdefee6ee609f4f042-content.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3648
CMD: "C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe"
Path: C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: File Installer Setup
Exit code: 0
Version:

PID: 3652
CMD: "C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl
Path: C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe
Parent process: aTube_Catcher_3928599341.exe
User: admin
Company:
Integrity Level: HIGH
Description: File Installer Setup
Exit code: 0
Version:

PID: 3748
CMD: "C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe"
Path: C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: File Installer Setup
Exit code: 0
Version:

PID: 3628
CMD: /d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D71874~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D71874~2.DAT" "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D71874~1.DAT" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D71874~2.DAT"
Path: C:\Windows\system32\cmd.exe
Parent process: aTube_Catcher_3928599341.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2304
CMD: TIMEOUT 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2528
CMD: "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe" --silent --otd="utm.medium:pb,utm.source:ais,utm.campaign:Model-10-16_TXT_nc_Y,utm.id:Mja7WXJt6lB3b%2Bsld2ueInRp61NhLLsQem3vVX9u7VV%2FbutVcm%2FsUHRm%2BQshOboWehCvATU%2BnRYoKKwBNXm8FiRs7Vl2bOdTc27mUndt%2Fk4AAABHX99k" --allusers=0
Path: C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe
Parent process: aTube_Catcher_3928599341.exe
User: admin
Company: Opera Software
Integrity Level: HIGH
Description: Opera Installer
Exit code: 0
Version: 57.0.3098.91

PID: 2764
CMD: C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=57.0.3098.91 --initial-client-data=0xd8,0xe0,0xe4,0xdc,0xe8,0x6d7cd5e0,0x6d7cd5f0,0x6d7cd5fc
Path: C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe
Parent process: OperaSetup.exe
User: admin
Company: Opera Software
Integrity Level: HIGH
Description: Opera Installer
Exit code: 0
Version: 57.0.3098.91

PID: 2120
CMD: cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D71874~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D71874~2.DAT" "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 15 458
Read events: 4 772
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 494
Suspicious files: 209
Text files: 731
Unknown types: 120

Dropped files

PID: 2896
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2896.48967\aTube_Catcher_3928599341.exe.zs
Type:
MD5:
SHA256:

PID: 3652
Process: aTube_Catcher_3928599341.exe
Filename: C:\Users\admin\AppData\Local\Temp\00142DF4.log
Type:
MD5:
SHA256:

PID: 3652
Process: aTube_Catcher_3928599341.exe
Filename: C:\Users\admin\AppData\Local\Temp\inH132248419457\css\main.scss
Type: text
MD5: CB247E0D3C350863F3E1401D839BE114
SHA256: EECACEF42E8FE49F478E5BB9D8B5C76AECA2FECFD95734F7CCBF4445B228FE25

PID: 3652
Process: aTube_Catcher_3928599341.exe
Filename: C:\Users\admin\AppData\Local\Temp\inH132248419457\css\main.css
Type: text
MD5: B124F669D793409FBAF802E99C4C9050
SHA256: 50E33605BFBB2B573DD63FC016DFB82540BA9ADC7B8831F2711B60421D346530

PID: 3652
Process: aTube_Catcher_3928599341.exe
Filename: C:\Users\admin\AppData\Local\Temp\inH132248419457\css\ie6_main.css
Type: text
MD5: 4380298AB45468332DD3BAEC638E2BD1
SHA256: 5EEE1C6442EDB46B3EE800FCC13557C1AF5858949D98655647514BCFDCFE99DC

PID: 3652
Process: aTube_Catcher_3928599341.exe
Filename: C:\Users\admin\AppData\Local\Temp\inH132248419457\css\swAgent.css
Type: text
MD5: 2543E3AF757C7D7C8A26C7CF57795F60
SHA256: C38892A06C8F50C6386ED794AF4F1EA3E1897AD5F0C7E19594D9EA7B20CFB3F1

PID: 3652
Process: aTube_Catcher_3928599341.exe
Filename: C:\Users\admin\AppData\Local\Temp\inH132248419457\csshover3.htc
Type: html
MD5: 52FA0DA50BF4B27EE625C80D36C67941
SHA256: E37E99DDFC73AC7BA774E23736B2EF429D9A0CB8C906453C75B14C029BDD5493

PID: 3652
Process: aTube_Catcher_3928599341.exe
Filename: C:\Users\admin\AppData\Local\Temp\inH132248419457\css\_functions.scss
Type: text
MD5: 8F7259DE64F6DDF352BF461F44D34A81
SHA256: 80EDC9D67172BC830D68D33F4547735FB072CADF3EF25AAB37A10B50DB87A069

PID: 3652
Process: aTube_Catcher_3928599341.exe
Filename: C:\Users\admin\AppData\Local\Temp\inH132248419457\css\helpers\_display.scss
Type: text
MD5: 7FC18252C6212F1EBB349B5F7F429217
SHA256: 1B1F774D3B163C1BA9C86CAD87D4B594FBA588A364132121F8A234F149816429

PID: 3652
Process: aTube_Catcher_3928599341.exe
Filename: C:\Users\admin\AppData\Local\Temp\inH132248419457\css\_helpers.scss
Type: text
MD5: 5F158DBBD9FC4594A2F6C13854501916
SHA256: BF12B79F67F1CB9988797F7D81F6F504C8DFE0F0435482E64819A140DBC8DA14
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 317
TCP/UDP connections: 210
DNS requests: 219
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3652 | aTube_Catcher_3928599341.exe | HEAD | 200 | 85.159.237.103:80 | http://app.catinntehi.com/app/aTube/aTube_12Sep18.cis | NL | - | - | malicious
3652 | aTube_Catcher_3928599341.exe | GET | - | 192.96.201.162:80 | http://www2.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe | US | - | - | malicious
3652 | aTube_Catcher_3928599341.exe | GET | 206 | 85.159.237.103:80 | http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | NL | binary | 1.46 Mb | malicious
3652 | aTube_Catcher_3928599341.exe | HEAD | 200 | 85.159.237.103:80 | http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | NL | - | - | malicious
3652 | aTube_Catcher_3928599341.exe | GET | 200 | 192.96.201.161:80 | http://img.catinntehi.com/img/Rowabobeso/bg_custom_TB.png | US | image | 11.7 Kb | malicious
3652 | aTube_Catcher_3928599341.exe | POST | 200 | 54.154.255.147:80 | http://gw.catinntehi.com/aTube/ | IE | binary | 529 Kb | malicious
3652 | aTube_Catcher_3928599341.exe | GET | 200 | 192.96.201.162:80 | http://www2.catinntehi.com/app/aTube/aTube_12Sep18.cis | US | binary | 18.2 Mb | malicious
3652 | aTube_Catcher_3928599341.exe | GET | - | 85.159.237.103:80 | http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | NL | - | - | malicious
3652 | aTube_Catcher_3928599341.exe | GET | 200 | 192.96.201.161:80 | http://img.catinntehi.com/img/Tavasat/15Feb17/v2/EN.png | US | image | 43.9 Kb | malicious
3652 | aTube_Catcher_3928599341.exe | GET | 206 | 85.159.237.103:80 | http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | NL | binary | 2.82 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3652 | aTube_Catcher_3928599341.exe | 192.96.201.161:80 | img.catinntehi.com | Leaseweb USA, Inc. | US | malicious
3652 | aTube_Catcher_3928599341.exe | 192.96.201.162:80 | www2.catinntehi.com | Leaseweb USA, Inc. | US | malicious
3652 | aTube_Catcher_3928599341.exe | 54.194.149.175:80 | ww2.catinntehi.com | Amazon.com, Inc. | IE | malicious
3652 | aTube_Catcher_3928599341.exe | 85.159.237.103:80 | app.catinntehi.com | NForce Entertainment B.V. | NL | malicious
3652 | aTube_Catcher_3928599341.exe | 54.154.255.147:80 | gw.catinntehi.com | Amazon.com, Inc. | IE | malicious
3156 | avast_free_antivirus_setup_online.exe | 74.125.140.113:80 | www.google-analytics.com | Google Inc. | US | whitelisted
4000 | instup.exe | 77.234.43.231:443 | alpha-iqs.ff.avast.com | AVAST Software s.r.o. | GB | unknown
4000 | instup.exe | 5.45.62.121:443 | auth.ff.avast.com | AVAST Software s.r.o. | NL | malicious
4000 | instup.exe | 77.234.42.107:80 | shepherd.ff.avast.com | AVAST Software s.r.o. | US | unknown
2528 | OperaSetup.exe | 185.26.182.105:443 | autoupdate.geo.opera.com | Opera Software AS | - | unknown

DNS requests

Domain
IP
Reputation
ww2.catinntehi.com
  • 54.194.149.175
  • 52.214.73.247
malicious
gw.catinntehi.com
  • 54.154.255.147
  • 52.30.154.50
malicious
img.catinntehi.com
  • 192.96.201.161
malicious
app.catinntehi.com
  • 85.159.237.103
malicious
www2.catinntehi.com
  • 192.96.201.162
malicious
autoupdate.geo.opera.com
  • 185.26.182.105
  • 185.26.182.95
whitelisted
desktop-netinstaller-sub.osp.opera.software
  • 82.145.217.121
whitelisted
www.google-analytics.com
  • 74.125.140.113
  • 74.125.140.100
  • 74.125.140.139
  • 74.125.140.138
  • 74.125.140.102
  • 74.125.140.101
whitelisted
v7event.stats.avast.com
  • 77.234.45.54
  • 77.234.45.53
  • 5.45.59.11
whitelisted
shepherd.ff.avast.com
  • 77.234.42.107
  • 77.234.42.243
whitelisted

Threats

PID | Process | Class | Message
3652 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
3652 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3652 | aTube_Catcher_3928599341.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Possible threat - .exe downloading with HEAD option
3652 | aTube_Catcher_3928599341.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3652 | aTube_Catcher_3928599341.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3652 | aTube_Catcher_3928599341.exe | unknown | SURICATA TCPv4 invalid checksum
3652 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
3652 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
2080 | instup.exe | unknown | SURICATA TCPv4 invalid checksum
2080 | instup.exe | unknown | SURICATA IPv4 invalid checksum
1 ETPRO signatures available at the full report
Process
Message
instup.exe
[2018-12-18 14:15:26.549] [error ] [settings ] [ 4000: 4032] Failed to get program directory Exception: Unable to retrieve path of the program directory! Code: 0x00000002 (2)
regsvr32.exe
14:15:50:596.794 [02644] : [InitDebug]: Level=0
regsvr32.exe
HKCR { NoRemove AppID { '{3DD7EA49-B5E1-4493-895D-C73562138FC0}' = s 'StarBurnXLib' 'StarBurnX12.DLL' { val AppID = s '{3DD7EA49-B5E1-4493-895D-C73562138FC0}' 'Version' = s '[!output TYPELIB_VERSION_MAJOR].[!output TYPELIB_VERSION_MINOR]' } } }
regsvr32.exe
HKCR { StarBurnX.DriveSpeed.12 = s 'DriveSpeed Class' { CLSID = s '{E0EEE430-80D8-42D7-8D83-F046AECD7536}' } StarBurnX.DriveSpeed = s 'DriveSpeed Class' { CLSID = s '{E0EEE430-80D8-42D7-8D83-F046AECD7536}' CurVer = s 'StarBurnX.DriveSpeed.12' } NoRemove CLSID { ForceRemove {E0EEE430-80D8-42D7-8D83-F046AECD7536} = s 'DriveSpeed Class' { ProgID = s 'StarBurnX.DriveSpeed.12' VersionIndependentProgID = s 'StarBurnX.DriveSpeed' ForceRemove 'Programmable' InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll' { val ThreadingModel = s 'Free' } 'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}' 'Version' = s '12.0' } } }
regsvr32.exe
HKCR { StarBurnX.DriveSpeeds.12 = s 'DriveSpeeds Class' { CLSID = s '{7169A231-64EC-4702-98AB-05ABB6D882A9}' } StarBurnX.DriveSpeeds = s 'DriveSpeeds Class' { CLSID = s '{7169A231-64EC-4702-98AB-05ABB6D882A9}' CurVer = s 'StarBurnX.DriveSpeeds.12' } NoRemove CLSID { ForceRemove {7169A231-64EC-4702-98AB-05ABB6D882A9} = s 'DriveSpeeds Class' { ProgID = s 'StarBurnX.DriveSpeeds.12' VersionIndependentProgID = s 'StarBurnX.DriveSpeeds' ForceRemove 'Programmable' InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll' { val ThreadingModel = s 'Free' } 'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}' 'Version' = s '12.0' } } }
regsvr32.exe
HKCR { StarBurnX.DriveInfo.12 = s 'DriveInfo Class' { CLSID = s '{996C8DFD-8CE6-43B2-9414-CB6132485363}' } StarBurnX.DriveInfo = s 'DriveInfo Class' { CLSID = s '{996C8DFD-8CE6-43B2-9414-CB6132485363}' CurVer = s 'StarBurnX.DriveInfo.12' } NoRemove CLSID { ForceRemove {996C8DFD-8CE6-43B2-9414-CB6132485363} = s 'DriveInfo Class' { ProgID = s 'StarBurnX.DriveInfo.12' VersionIndependentProgID = s 'StarBurnX.DriveInfo' ForceRemove 'Programmable' InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll' { val ThreadingModel = s 'Free' } 'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}' 'Version' = s '12.0' } } }
regsvr32.exe
HKCR { StarBurnX.Track.12 = s 'Track Class' { CLSID = s '{F750BC9F-72CE-45C6-9D1F-BFEFB0765918}' } StarBurnX.Track = s 'Track Class' { CLSID = s '{F750BC9F-72CE-45C6-9D1F-BFEFB0765918}' CurVer = s 'StarBurnX.Track.12' } NoRemove CLSID { ForceRemove {F750BC9F-72CE-45C6-9D1F-BFEFB0765918} = s 'Track Class' { ProgID = s 'StarBurnX.Track.12' VersionIndependentProgID = s 'StarBurnX.Track' ForceRemove 'Programmable' InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll' { val ThreadingModel = s 'Free' } 'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}' 'Version' = s '12.0' } } }
regsvr32.exe
HKCR { StarBurnX.Tracks.12 = s 'Tracks Class' { CLSID = s '{AE860CE7-C15E-4B9C-BA5B-2EB38369E4AF}' } StarBurnX.Tracks = s 'Tracks Class' { CLSID = s '{AE860CE7-C15E-4B9C-BA5B-2EB38369E4AF}' CurVer = s 'StarBurnX.Tracks.12' } NoRemove CLSID { ForceRemove {AE860CE7-C15E-4B9C-BA5B-2EB38369E4AF} = s 'Tracks Class' { ProgID = s 'StarBurnX.Tracks.12' VersionIndependentProgID = s 'StarBurnX.Tracks' ForceRemove 'Programmable' InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll' { val ThreadingModel = s 'Free' } 'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}' 'Version' = s '12.0' } } }
regsvr32.exe
HKCR { StarBurnX.Session.12 = s 'Session Class' { CLSID = s '{80E026F0-CE90-4F15-986A-45317268AB5A}' } StarBurnX.Session = s 'Session Class' { CLSID = s '{80E026F0-CE90-4F15-986A-45317268AB5A}' CurVer = s 'StarBurnX.Session.12' } NoRemove CLSID { ForceRemove {80E026F0-CE90-4F15-986A-45317268AB5A} = s 'Session Class' { ProgID = s 'StarBurnX.Session.12' VersionIndependentProgID = s 'StarBurnX.Session' ForceRemove 'Programmable' InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll' { val ThreadingModel = s 'Free' } 'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}' 'Version' = s '12.0' } } }
regsvr32.exe
HKCR { StarBurnX.Sessions.12 = s 'Sessions Class' { CLSID = s '{4EE12AA6-A781-490F-96DA-783969C58A1A}' } StarBurnX.Sessions = s 'Sessions Class' { CLSID = s '{4EE12AA6-A781-490F-96DA-783969C58A1A}' CurVer = s 'StarBurnX.Sessions.12' } NoRemove CLSID { ForceRemove {4EE12AA6-A781-490F-96DA-783969C58A1A} = s 'Sessions Class' { ProgID = s 'StarBurnX.Sessions.12' VersionIndependentProgID = s 'StarBurnX.Sessions' ForceRemove 'Programmable' InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll' { val ThreadingModel = s 'Free' } 'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}' 'Version' = s '12.0' } } }