File name:

DriverPack-17-Online.exe

Full analysis: https://app.any.run/tasks/82f64bba-d83a-4675-a329-3263f0f43e30
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: January 29, 2025, 21:16:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
qrcode
pua
adware
stealer
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

1B1DC6120DC6B427C42968886902E2B4

SHA1:

C325EE370E7656EE7021FE109B7B0DFE28E582E6

SHA256:

C99687E9829DE410B66AD7006B0604C3FDDB4582050CE205C1D00FF9F309E6B8

SSDEEP:

196608:fW0uGE5bqFkSOcaYam+YkmrvyMOb/yvpNRIfUrkNfEjjAk:fDbElq3OcatMOb/yRg8SfUEk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADWARE has been detected (SURICATA)

      • svchost.exe (PID: 2192)
      • aria2c.exe (PID: 396)
      • aria2c.exe (PID: 5544)
      • aria2c.exe (PID: 5340)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3224)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2600)
    • Starts Visual C# compiler

      • powershell.exe (PID: 2600)
    • Actions looks like stealing of personal data

      • mshta.exe (PID: 6472)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • DriverPack-17-Online.exe (PID: 6496)
    • Creates a software uninstall entry

      • DriverPack-17-Online.exe (PID: 6496)
    • Executable content was dropped or overwritten

      • DriverPack-17-Online.exe (PID: 6496)
      • csc.exe (PID: 5028)
      • mshta.exe (PID: 6472)
      • aria2c.exe (PID: 396)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • DriverPack-17-Online.exe (PID: 6496)
    • There is functionality for taking screenshot (YARA)

      • DriverPack-17-Online.exe (PID: 6496)
    • Executing commands from a ".bat" file

      • DriverPack-17-Online.exe (PID: 6496)
    • Starts CMD.EXE for commands execution

      • DriverPack-17-Online.exe (PID: 6496)
      • mshta.exe (PID: 6472)
    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 3224)
    • The process hides Powershell's copyright startup banner

      • cmd.exe (PID: 3224)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3224)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3224)
    • Access to an unwanted program domain was detected

      • svchost.exe (PID: 2192)
      • aria2c.exe (PID: 396)
      • aria2c.exe (PID: 5340)
      • aria2c.exe (PID: 5544)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 2448)
    • Executing commands from ".cmd" file

      • mshta.exe (PID: 6472)
    • Get information on the list of running processes

      • cmd.exe (PID: 3224)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3224)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 5972)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5028)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 2600)
    • Starts application with an unusual extension

      • cmd.exe (PID: 5544)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 5544)
    • Process requests binary or script from the Internet

      • mshta.exe (PID: 6472)
      • aria2c.exe (PID: 396)
      • aria2c.exe (PID: 6332)
      • aria2c.exe (PID: 4908)
      • aria2c.exe (PID: 5340)
      • aria2c.exe (PID: 5544)
    • Potential Corporate Privacy Violation

      • mshta.exe (PID: 6472)
      • aria2c.exe (PID: 5340)
      • aria2c.exe (PID: 5544)
      • aria2c.exe (PID: 396)
      • aria2c.exe (PID: 6332)
      • aria2c.exe (PID: 4908)
    • Process drops legitimate windows executable

      • mshta.exe (PID: 6472)
    • Drops 7-zip archiver for unpacking

      • mshta.exe (PID: 6472)
  • INFO

    • Checks supported languages

      • DriverPack-17-Online.exe (PID: 6496)
      • csc.exe (PID: 5028)
      • driverpack-wget.exe (PID: 1704)
      • cvtres.exe (PID: 5300)
      • driverpack-wget.exe (PID: 5880)
      • driverpack-wget.exe (PID: 396)
      • driverpack-wget.exe (PID: 1804)
      • chcp.com (PID: 6768)
      • driverpack-wget.exe (PID: 6552)
      • driverpack-wget.exe (PID: 6624)
      • driverpack-wget.exe (PID: 520)
      • aria2c.exe (PID: 5544)
      • driverpack-wget.exe (PID: 3188)
      • aria2c.exe (PID: 5340)
      • driverpack-wget.exe (PID: 7108)
      • driverpack-wget.exe (PID: 7112)
      • driverpack-wget.exe (PID: 5712)
      • aria2c.exe (PID: 4908)
      • aria2c.exe (PID: 396)
      • aria2c.exe (PID: 6332)
      • driverpack-wget.exe (PID: 2904)
      • driverpack-wget.exe (PID: 1944)
      • driverpack-wget.exe (PID: 5592)
    • Creates files in the program directory

      • DriverPack-17-Online.exe (PID: 6496)
      • mshta.exe (PID: 6472)
      • driverpack-wget.exe (PID: 1804)
      • driverpack-wget.exe (PID: 396)
      • driverpack-wget.exe (PID: 1704)
      • driverpack-wget.exe (PID: 5880)
      • driverpack-wget.exe (PID: 6552)
      • driverpack-wget.exe (PID: 520)
      • driverpack-wget.exe (PID: 5712)
      • driverpack-wget.exe (PID: 7108)
      • driverpack-wget.exe (PID: 7112)
      • driverpack-wget.exe (PID: 6624)
      • driverpack-wget.exe (PID: 7148)
      • driverpack-wget.exe (PID: 3420)
      • driverpack-wget.exe (PID: 5968)
      • driverpack-wget.exe (PID: 5592)
    • The sample compiled with english language support

      • DriverPack-17-Online.exe (PID: 6496)
      • mshta.exe (PID: 6472)
    • The sample compiled with russian language support

      • DriverPack-17-Online.exe (PID: 6496)
    • Reads the computer name

      • DriverPack-17-Online.exe (PID: 6496)
      • driverpack-wget.exe (PID: 5880)
      • driverpack-wget.exe (PID: 1704)
      • driverpack-wget.exe (PID: 1804)
      • driverpack-wget.exe (PID: 7108)
      • driverpack-wget.exe (PID: 3188)
      • aria2c.exe (PID: 6332)
      • aria2c.exe (PID: 4908)
      • driverpack-wget.exe (PID: 5712)
      • driverpack-wget.exe (PID: 1604)
      • driverpack-wget.exe (PID: 7148)
      • driverpack-wget.exe (PID: 1944)
      • driverpack-wget.exe (PID: 5592)
    • Create files in a temporary directory

      • DriverPack-17-Online.exe (PID: 6496)
      • cvtres.exe (PID: 5300)
      • csc.exe (PID: 5028)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 6472)
    • Checks proxy server information

      • mshta.exe (PID: 6472)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 5028)
      • aria2c.exe (PID: 5544)
      • aria2c.exe (PID: 5340)
      • aria2c.exe (PID: 4908)
      • aria2c.exe (PID: 6332)
    • Creates files or folders in the user directory

      • driverpack-wget.exe (PID: 1704)
      • driverpack-wget.exe (PID: 396)
      • driverpack-wget.exe (PID: 1804)
      • driverpack-wget.exe (PID: 3736)
      • driverpack-wget.exe (PID: 7112)
      • driverpack-wget.exe (PID: 6624)
      • driverpack-wget.exe (PID: 520)
      • driverpack-wget.exe (PID: 3188)
      • driverpack-wget.exe (PID: 7108)
      • driverpack-wget.exe (PID: 6552)
      • aria2c.exe (PID: 5544)
      • aria2c.exe (PID: 5340)
      • aria2c.exe (PID: 4908)
      • aria2c.exe (PID: 396)
      • driverpack-wget.exe (PID: 3420)
      • driverpack-wget.exe (PID: 1604)
      • driverpack-wget.exe (PID: 7148)
      • aria2c.exe (PID: 6332)
      • driverpack-wget.exe (PID: 1944)
      • driverpack-wget.exe (PID: 5036)
      • driverpack-wget.exe (PID: 5968)
      • driverpack-wget.exe (PID: 5592)
    • Changes the display of characters in the console

      • cmd.exe (PID: 5544)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 22:04:50+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 428544
UninitializedDataSize: 16384
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes
234
Monitored processes
101
Malicious processes
12
Suspicious processes
4

Behavior graph

Interactive process tree (rendered only in the full report, not reproduced here). Processes marked #ADWARE in the graph: svchost.exe and aria2c.exe (several instances); the chain starts from driverpack-17-online.exe through cmd.exe, mshta.exe, powershell.exe, csc.exe, netsh.exe, rundll32.exe and repeated driverpack-wget.exe / aria2c.exe launches.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
396
CMD:
"tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/START-LOADED-1.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_45010.log"
Path:
C:\Program Files (x86)\DriverPack\Tools\driverpack-wget.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\driverpack\tools\driverpack-wget.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
396
CMD:
"tools\aria2c.exe" "http://dl.driverpack.io/soft/SearcherBar.exe.torrent" --dir="C:\Users\admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120
Path:
C:\Program Files (x86)\DriverPack\Tools\aria2c.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\program files (x86)\driverpack\tools\aria2c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
520
CMD:
"tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-3.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_35146.log"
Path:
C:\Program Files (x86)\DriverPack\Tools\driverpack-wget.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\driverpack\tools\driverpack-wget.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
624
CMD:
netsh advfirewall firewall delete rule name="DriverPack aria2c.exe"
Path:
C:\Windows\SysWOW64\netsh.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
624
CMD:
"C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/soft/ab/4/Internet-Start.exe.torrent" --dir="C:\Users\admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\admin\AppData\Roaming\DRPSu\temp\run_command_84226.txt""
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
1080
CMD:
"C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/soft/OperaBlink64.exe.torrent" --dir="C:\Users\admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\admin\AppData\Roaming\DRPSu\temp\run_command_28905.txt""
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
1604
CMD:
"tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-2.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_79713.log"
Path:
C:\Program Files (x86)\DriverPack\Tools\driverpack-wget.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\driverpack\tools\driverpack-wget.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1616
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1704
CMD:
"tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/intro.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_3854.log"
Path:
C:\Program Files (x86)\DriverPack\Tools\driverpack-wget.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files (x86)\driverpack\tools\driverpack-wget.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
1740
CMD:
"C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/tools/DriverPack-Alice.exe.torrent" --dir="C:\Users\admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\admin\AppData\Roaming\DRPSu\temp\run_command_72819.txt""
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
23 228
Read events
23 096
Write events
132
Delete events
0

Modification events

(PID) Process:
(6496) DriverPack-17-Online.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update
Operation:
write
Name:
http
Value:
1
(PID) Process:
(6496) DriverPack-17-Online.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update
Operation:
write
Name:
https
Value:
1
(PID) Process:
(6496) DriverPack-17-Online.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:
write
Name:
GlobalUserOffline
Value:
0
(PID) Process:
(6496) DriverPack-17-Online.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack
Operation:
write
Name:
DisplayName
Value:
DriverPack
(PID) Process:
(6496) DriverPack-17-Online.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack
Operation:
write
Name:
DisplayVersion
Value:
17.11
(PID) Process:
(6496) DriverPack-17-Online.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack
Operation:
write
Name:
DisplayIcon
Value:
"C:\Program Files (x86)\DriverPack\Tools\Icon.ico"
(PID) Process:
(6496) DriverPack-17-Online.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack
Operation:
write
Name:
UninstallString
Value:
"C:\Program Files (x86)\DriverPack\Uninstall.exe"
(PID) Process:
(6496) DriverPack-17-Online.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack
Operation:
write
Name:
Publisher
Value:
DriverPack
(PID) Process:
(6496) DriverPack-17-Online.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack
Operation:
write
Name:
NoModify
Value:
1
(PID) Process:
(6496) DriverPack-17-Online.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DriverPack
Operation:
write
Name:
NoRepair
Value:
1
Executable files
18
Suspicious files
119
Text files
566
Unknown types
0

Dropped files

PID | Process | Filename | Type
6496 | DriverPack-17-Online.exe | C:\Program Files (x86)\DriverPack\Tools\driverpack-wget.exe | executable
MD5: BD126A7B59D5D1F97BA89A3E71425731
SHA256: A48AD33695A44DE887BBA8F2F3174FD8FB01A46A19E3EC9078B0118647CCF599
6496 | DriverPack-17-Online.exe | C:\Program Files (x86)\DriverPack\Tools\patch.reg | text
MD5: D49DB2EC30494B46D332D516CEAD4969
SHA256: C86EF9ED6E111D166818E8E0ADB3CF5E2A3A5DFC6EDC932ABC298141ED6F2208
6496 | DriverPack-17-Online.exe | C:\Users\admin\AppData\Local\Temp\nso6D94.tmp\ioSpecial.ini | text
MD5: E2D5070BC28DB1AC745613689FF86067
SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
6496 | DriverPack-17-Online.exe | C:\Program Files (x86)\DriverPack\drp.css | text
MD5: 5FDAF0FD106200153F8243EBB8BC6B18
SHA256: 439BFD8BF9F9176C1757BA277850525F0ABEC59BB3EF7CD8A974A5AD1D2B3004
6496 | DriverPack-17-Online.exe | C:\Program Files (x86)\DriverPack\DriverPackSolution.html | html
MD5: 203AC1542D8E93EDBBC80F7B59DB5C44
SHA256: 8892E63141854BCF4BB1452ABEF68DD2C348C59322D697EF11A7AB7C5E3C4AEA
6496 | DriverPack-17-Online.exe | C:\Program Files (x86)\DriverPack\Tools\Icon.ico | image
MD5: CBD76182149BBA7EB76EC535DA43DB7F
SHA256: 8707AE608F38AFD9ADE700BBDCA79344A4F50EAFC9EA3592B1E9FD6B616A6314
6496 | DriverPack-17-Online.exe | C:\Program Files (x86)\DriverPack\run.hta | html
MD5: 6BCAB16CD99663B1093D10F827CA0323
SHA256: 02BD627D6825599ED039F053FECBE7F15000B5D5071E9B6BAAB488BEFA4F02DD
6496 | DriverPack-17-Online.exe | C:\Program Files (x86)\DriverPack\css\icons-checkbox.css | text
MD5: 3BE98220035017D9B818F3CC94F87587
SHA256: CB134DCB95A407795C671A512C389894D3525FBA3F6A2168FC5B9B7E875E78DC
6496 | DriverPack-17-Online.exe | C:\Program Files (x86)\DriverPack\drp.js | binary
MD5: A7AF01062EA3C1687B11930F26A6D9E8
SHA256: C0AE6134F693B80D71ECE89965CDE42C819E815C7218D54FCFAD0372A62DEC21
6496 | DriverPack-17-Online.exe | C:\Program Files (x86)\DriverPack\start.bat | text
MD5: F66F13D4770EB90E6D81222FE3525A3F
SHA256: 88EBE6FC9F45E734243DD674A3CDD9222BE692BDE089D0BC06726DD32156B892
HTTP(S) requests
282
TCP/UDP connections
171
DNS requests
50
Threats
219

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3884 | svchost.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
- | - | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
3296 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
6932 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
6932 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
6472 | mshta.exe | GET | 301 | 104.21.48.1:80 | http://allfont.ru/allfont.css?fonts=lucida-console | unknown | - | - | whitelisted
6472 | mshta.exe | GET | 200 | 142.250.185.163:80 | http://c.pki.goog/r/gsr1.crl | unknown | - | - | whitelisted
6472 | mshta.exe | GET | 200 | 142.250.185.163:80 | http://c.pki.goog/r/r4.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
3884 | svchost.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
- | - | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 2.19.122.20:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 40.126.32.72:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1076 | svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted
3884 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 23.209.214.100
whitelisted
google.com
  • 142.250.186.142
whitelisted
www.bing.com
  • 2.19.122.20
  • 2.19.122.14
  • 2.19.122.27
  • 2.19.122.11
  • 2.19.122.17
  • 2.19.122.13
  • 2.19.122.22
  • 2.19.122.19
  • 2.19.122.12
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.140
  • 40.126.32.76
  • 40.126.32.74
  • 20.190.160.17
  • 40.126.32.136
  • 20.190.160.14
  • 40.126.32.133
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query
2192 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su)
6472 | mshta.exe | Potentially Bad Traffic | ET INFO HTTP Request to .su TLD (Soviet Union) Often Malware Related
2192 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query
6472 | mshta.exe | Potentially Bad Traffic | ET INFO HTTP Request to .su TLD (Soviet Union) Often Malware Related
2192 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su)
6472 | mshta.exe | Potentially Bad Traffic | ET INFO HTTP Request to .su TLD (Soviet Union) Often Malware Related
6472 | mshta.exe | Potentially Bad Traffic | ET INFO HTTP Request to .su TLD (Soviet Union) Often Malware Related
6472 | mshta.exe | Potentially Bad Traffic | ET INFO HTTP Request to .su TLD (Soviet Union) Often Malware Related
6472 | mshta.exe | Potentially Bad Traffic | ET INFO HTTP Request to .su TLD (Soviet Union) Often Malware Related
No debug info