download:

DriverPack-17-Online_1095198222.1550542880.exe

Full analysis: https://app.any.run/tasks/5d30e87e-ac2a-4e10-a009-d244dd60ea4e
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Malware Trends Tracker     >>>
Analysis date: February 19, 2019, 03:37:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
adware
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

322FB8FEFBA52747081B718DD9CE97CD

SHA1:

36FC35EEB4DF743C08A7243F1FAA5212A638C8B9

SHA256:

D0C972191CC20E3B9747138318C74E8BCDE21DCF226590B95AD8566E3FCB6373

SSDEEP:

24576:ujdYgaTe70j27c5BVQiVN+UWYrGDRl9REfXhju:ujdYga6g7VN7WYSlXREfXhju

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 4032)

    • Application was dropped or rewritten from another process

      • driverpack-7za.exe (PID: 4080)
      • aria2c.exe (PID: 880)
      • aria2c.exe (PID: 3148)
      • aria2c.exe (PID: 3632)
      • aria2c.exe (PID: 3484)
      • driverpack-7za.exe (PID: 1780)
      • driverpack-7za.exe (PID: 2264)
      • devcon.exe (PID: 3336)
      • AvastAntivirusWorldwideA.exe (PID: 3820)
      • avast_free_antivirus_setup_online.exe (PID: 1536)
      • instup.exe (PID: 3232)
      • instup.exe (PID: 3460)
      • sbr.exe (PID: 2668)
      • CCUpdate.exe (PID: 3612)
      • CCUpdate.exe (PID: 3636)
      • CCUpdate.exe (PID: 2408)
      • CCUpdate.exe (PID: 1268)
      • aswRunDll.exe (PID: 1840)
      • instup.exe (PID: 540)
      • instup.exe (PID: 2816)
      • RuntimePack.exe (PID: 3796)
      • DirectX.exe (PID: 3664)
      • AvastSvc.exe (PID: 3288)
      • AvastNM.exe (PID: 3476)

    • Downloads executable files from the Internet

      • wscript.exe (PID: 2944)
      • aria2c.exe (PID: 3632)
      • aria2c.exe (PID: 3484)
      • aria2c.exe (PID: 3148)
      • AvastAntivirusWorldwideA.exe (PID: 3820)
      • AvEmUpdate.exe (PID: 640)
      • CCUpdate.exe (PID: 2408)

    • Changes internet zones settings

      • mshta.exe (PID: 2872)

    • Loads dropped or rewritten executable

      • DrvInst.exe (PID: 3328)
      • instup.exe (PID: 3232)
      • instup.exe (PID: 3460)
      • engsup.exe (PID: 3720)
      • AvEmUpdate.exe (PID: 3248)
      • AvEmUpdate.exe (PID: 640)
      • AvEmUpdate.exe (PID: 2552)
      • AvEmUpdate.exe (PID: 2544)
      • RegSvr.exe (PID: 2356)
      • aswRunDll.exe (PID: 1840)
      • RegSvr.exe (PID: 2420)
      • AvastSvc.exe (PID: 3288)
      • engsup.exe (PID: 2580)
      • instup.exe (PID: 540)
      • DirectX.exe (PID: 3664)

    • Changes the autorun value in the registry

      • instup.exe (PID: 3460)

    • Loads the Task Scheduler COM API

      • AvEmUpdate.exe (PID: 3248)
      • AvEmUpdate.exe (PID: 640)
      • CCUpdate.exe (PID: 2408)
      • CCUpdate.exe (PID: 2600)
      • overseer.exe (PID: 3944)

    • Changes settings of System certificates

      • AvastSvc.exe (PID: 3288)

  • SUSPICIOUS

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • DriverPack-17-Online_1095198222.1550542880.exe (PID: 3876)

    • Executes scripts

      • mshta.exe (PID: 2872)

    • Uses REG.EXE to modify Windows registry

      • DriverPack-17-Online_1095198222.1550542880.exe (PID: 3876)

    • Creates files in the user directory

      • cmd.exe (PID: 4032)
      • mshta.exe (PID: 2872)
      • cmd.exe (PID: 3840)
      • powershell.exe (PID: 3152)
      • wscript.exe (PID: 2416)
      • cmd.exe (PID: 2344)
      • wscript.exe (PID: 2136)
      • wscript.exe (PID: 3580)
      • wscript.exe (PID: 3952)
      • cmd.exe (PID: 3500)
      • cmd.exe (PID: 2908)
      • aria2c.exe (PID: 3484)
      • aria2c.exe (PID: 3632)
      • driverpack-7za.exe (PID: 4080)
      • cmd.exe (PID: 3528)
      • aria2c.exe (PID: 880)
      • aria2c.exe (PID: 3148)
      • cmd.exe (PID: 2196)
      • cmd.exe (PID: 3208)
      • cmd.exe (PID: 2576)
      • cmd.exe (PID: 3832)
      • cmd.exe (PID: 876)
      • cmd.exe (PID: 3616)
      • cmd.exe (PID: 3884)
      • cmd.exe (PID: 2572)
      • cmd.exe (PID: 2888)

    • Executable content was dropped or overwritten

      • wscript.exe (PID: 2944)
      • aria2c.exe (PID: 3148)
      • aria2c.exe (PID: 3484)
      • aria2c.exe (PID: 3632)
      • driverpack-7za.exe (PID: 2264)
      • devcon.exe (PID: 3336)
      • DrvInst.exe (PID: 4052)
      • DrvInst.exe (PID: 3328)
      • AvastAntivirusWorldwideA.exe (PID: 3820)
      • avast_free_antivirus_setup_online.exe (PID: 1536)
      • instup.exe (PID: 3232)
      • instup.exe (PID: 3460)
      • AvEmUpdate.exe (PID: 640)
      • AvEmUpdate.exe (PID: 2544)
      • CCUpdate.exe (PID: 3612)
      • CCUpdate.exe (PID: 3636)
      • AvastSvc.exe (PID: 3288)
      • RuntimePack.exe (PID: 3796)
      • DirectX.exe (PID: 3664)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 3840)
      • cmd.exe (PID: 2344)
      • cmd.exe (PID: 3500)

    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 2872)
      • cmd.exe (PID: 2576)

    • Reads Internet Cache Settings

      • mshta.exe (PID: 2872)
      • instup.exe (PID: 3460)

    • Uses RUNDLL32.EXE to load library

      • mshta.exe (PID: 2872)
      • DrvInst.exe (PID: 4052)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3500)
      • cmd.exe (PID: 2576)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2908)

    • Searches for installed software

      • DllHost.exe (PID: 3368)
      • DrvInst.exe (PID: 4052)

    • Application launched itself

      • cmd.exe (PID: 2576)
      • AvEmUpdate.exe (PID: 640)
      • CCUpdate.exe (PID: 2408)

    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 2576)

    • Removes files from Windows directory

      • DrvInst.exe (PID: 4052)
      • DrvInst.exe (PID: 3328)
      • instup.exe (PID: 3232)
      • instup.exe (PID: 3460)
      • AvEmUpdate.exe (PID: 640)
      • avast_free_antivirus_setup_online.exe (PID: 1536)

    • Creates files in the driver directory

      • DrvInst.exe (PID: 4052)
      • DrvInst.exe (PID: 3328)
      • instup.exe (PID: 3460)
      • AvEmUpdate.exe (PID: 640)

    • Creates files in the Windows directory

      • DrvInst.exe (PID: 3328)
      • DrvInst.exe (PID: 4052)
      • AvastAntivirusWorldwideA.exe (PID: 3820)
      • avast_free_antivirus_setup_online.exe (PID: 1536)
      • instup.exe (PID: 3232)
      • instup.exe (PID: 3460)
      • AvEmUpdate.exe (PID: 640)
      • AvastSvc.exe (PID: 3288)
      • DirectX.exe (PID: 3664)

    • Low-level read access rights to disk partition

      • AvastAntivirusWorldwideA.exe (PID: 3820)
      • avast_free_antivirus_setup_online.exe (PID: 1536)
      • instup.exe (PID: 3232)
      • instup.exe (PID: 3460)
      • AvEmUpdate.exe (PID: 640)
      • AvEmUpdate.exe (PID: 2552)
      • AvEmUpdate.exe (PID: 2544)
      • CCUpdate.exe (PID: 3612)
      • CCUpdate.exe (PID: 3636)
      • CCUpdate.exe (PID: 2408)
      • CCUpdate.exe (PID: 1268)
      • CCUpdate.exe (PID: 2600)
      • overseer.exe (PID: 3944)
      • AvastSvc.exe (PID: 3288)
      • wsc_proxy.exe (PID: 3856)
      • instup.exe (PID: 540)
      • instup.exe (PID: 2816)

    • Creates files in the program directory

      • avast_free_antivirus_setup_online.exe (PID: 1536)
      • instup.exe (PID: 3232)
      • engsup.exe (PID: 3720)
      • AvEmUpdate.exe (PID: 640)
      • CCUpdate.exe (PID: 3612)
      • CCUpdate.exe (PID: 3636)
      • CCUpdate.exe (PID: 2408)
      • CCUpdate.exe (PID: 2600)
      • AvastNM.exe (PID: 3476)
      • AvastSvc.exe (PID: 3288)
      • engsup.exe (PID: 2580)
      • wsc_proxy.exe (PID: 3856)
      • instup.exe (PID: 540)
      • instup.exe (PID: 3460)

    • Starts itself from another location

      • instup.exe (PID: 3232)
      • CCUpdate.exe (PID: 3636)

    • Creates a software uninstall entry

      • instup.exe (PID: 3460)
      • AvEmUpdate.exe (PID: 2544)

    • Creates COM task schedule object

      • instup.exe (PID: 3460)
      • RegSvr.exe (PID: 2356)
      • RegSvr.exe (PID: 2420)

    • Modifies the open verb of a shell class

      • instup.exe (PID: 3460)

    • Creates or modifies windows services

      • instup.exe (PID: 3460)
      • AvastSvc.exe (PID: 3288)

    • Reads Environment values

      • AvastSvc.exe (PID: 3288)

    • Reads the cookies of Mozilla Firefox

      • engsup.exe (PID: 2580)

    • Reads the cookies of Google Chrome

      • engsup.exe (PID: 2580)

  • INFO

    • Reads settings of System Certificates

      • mshta.exe (PID: 2872)
      • AvastSvc.exe (PID: 3288)

    • Reads internet explorer settings

      • mshta.exe (PID: 2872)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2752)

    • Dropped object may contain Bitcoin addresses

      • instup.exe (PID: 3460)
      • AvEmUpdate.exe (PID: 640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:03:20 08:29:28+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 111616
InitializedDataSize: 375296
UninitializedDataSize: -
EntryPoint: 0x1b9bf
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 17.10.0.0
ProductVersionNumber: 17.10.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: DriverPack Solution
FileDescription: DriverPack
FileVersion: 17.10.0
InternalName: DriverPack
LegalCopyright: Copyright © Kuzyakov Artur
OriginalFileName: DriverPack-Online-v17.10.0-d5b5e85.exe
PrivateBuild: 2018
ProductName: driverpack online
ProductVersion: 17.10.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Mar-2016 07:29:28
Detected languages:
  • English - United States
  • Russian - Russia
CompanyName: DriverPack Solution
FileDescription: DriverPack
FileVersion: 17.10.0
InternalName: DriverPack
LegalCopyright: Copyright © Kuzyakov Artur
OriginalFilename: DriverPack-Online-v17.10.0-d5b5e85.exe
PrivateBuild: 2018
ProductName: driverpack online
ProductVersion: 17.10.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0060
Pages in file: 0x0001
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000060

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 20-Mar-2016 07:29:28
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001B36A
0x0001B400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.69607
.rdata
0x0001D000
0x000040D2
0x00004200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.65115
.data
0x00022000
0x00004C30
0x00000800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.82595
.rsrc
0x00027000
0x00057000
0x00057000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.83394

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.23595
932
UNKNOWN
English - United States
RT_MANIFEST
2
2.9356
19496
Latin 1 / Western European
Russian - Russia
RT_ICON
3
3.23783
11432
Latin 1 / Western European
Russian - Russia
RT_ICON
4
3.5842
5672
Latin 1 / Western European
Russian - Russia
RT_ICON
5
4.08499
3752
UNKNOWN
Russian - Russia
RT_ICON
6
4.47772
2216
UNKNOWN
Russian - Russia
RT_ICON
7
4.59548
1736
UNKNOWN
Russian - Russia
RT_ICON
8
4.67063
1384
UNKNOWN
Russian - Russia
RT_ICON
9
7.94023
15006
UNKNOWN
Russian - Russia
RT_ICON
10
2.61384
67624
UNKNOWN
Russian - Russia
RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
152
Monitored processes
93
Malicious processes
21
Suspicious processes
9

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start driverpack-17-online_1095198222.1550542880.exe reg.exe no specs mshta.exe wscript.exe no specs wscript.exe no specs wscript.exe no specs wscript.exe no specs wscript.exe cmd.exe no specs powershell.exe no specs cmd.exe no specs netsh.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs netsh.exe no specs driverpack-7za.exe no specs rundll32.exe no specs cmd.exe no specs chcp.com no specs netsh.exe no specs cmd.exe no specs sc.exe no specs vssvc.exe no specs cmd.exe no specs wmic.exe no specs SPPSurrogate no specs drvinst.exe no specs rundll32.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs aria2c.exe aria2c.exe aria2c.exe aria2c.exe cmd.exe no specs chcp.com no specs tasklist.exe no specs cmd.exe no specs timeout.exe no specs rundll32.exe no specs cmd.exe no specs cmd.exe no specs driverpack-7za.exe no specs driverpack-7za.exe findstr.exe no specs find.exe no specs cmd.exe no specs devcon.exe drvinst.exe rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs drvinst.exe no specs drvinst.exe cmd.exe no specs avastantivirusworldwidea.exe avast_free_antivirus_setup_online.exe instup.exe instup.exe sbr.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs setupinf.exe no specs engsup.exe no specs avemupdate.exe no specs avemupdate.exe avemupdate.exe 1a4ac913-2070-4b1a-b7cc-d367a2c3c13c.exe no specs avemupdate.exe ccupdate.exe ccupdate.exe ccupdate.exe ccupdate.exe ccupdate.exe regsvr.exe no specs regsvr.exe no specs aswrundll.exe no specs avastnm.exe no specs overseer.exe avastsvc.exe engsup.exe no specs wsc_proxy.exe no specs cmd.exe no specs cmd.exe no specs instup.exe no specs instup.exe no specs directx.exe runtimepack.exe driverpack-17-online_1095198222.1550542880.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
540"C:\Program Files\AVAST Software\Avast\setup\instup.exe" /edat_dir:C:\Windows\Temp\asw.0a8d85c6f720672e /instop:finish_delayed_installation /session_id:1 /silent /waitC:\Program Files\AVAST Software\Avast\setup\instup.exeAvastSvc.exe
User:
SYSTEM
Company:
AVAST Software
Integrity Level:
SYSTEM
Description:
Avast Antivirus Installer
Exit code:
0
Version:
19.2.4186.0
Modules
Images
c:\program files\avast software\avast\setup\instup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
640"C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe" /installer1C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe
instup.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Emergency Update
Exit code:
0
Version:
19.2.4186.0
Modules
Images
c:\program files\avast software\avast\avemupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
876"C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://download.drp.su/driverpacks/repack/Vendor/KVM/FORCED/7x86/KVM-FORCED-7x86-drp.zip.torrent" --dir="C:\Users\admin\AppData\Roaming\DRPSu\DRIVERS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\admin\AppData\Roaming\DRPSu\temp\run_command_87746.txt""C:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
880"tools\aria2c.exe" "http://download.drp.su/driverpacks/repack/Vendor/KVM/FORCED/7x86/KVM-FORCED-7x86-drp.zip.torrent" --dir="C:\Users\admin\AppData\Roaming\DRPSu\DRIVERS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\tools\aria2c.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\7zipsfx.000\bin\tools\aria2c.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1156"C:\Windows\System32\reg.exe" import "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg"C:\Windows\System32\reg.exeDriverPack-17-Online_1095198222.1550542880.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1268CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\ff660b73-3074-4e32-b972-ea32a33a2a0b.dll"C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe
User:
admin
Company:
Piriform Ltd
Integrity Level:
HIGH
Description:
CCleaner emergency updater
Exit code:
0
Version:
18.6.553.0
Modules
Images
c:\program files\ccleaner\ccupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
1416find /v /c "" C:\Windows\system32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\find.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1536"C:\Windows\Temp\asw.0a8d85c6f720672e\avast_free_antivirus_setup_online.exe" /silent /ga_clientid:f8b9aa7a-ff5f-43b5-af70-a9fa2c58f303 /edat_dir:C:\Windows\Temp\asw.0a8d85c6f720672eC:\Windows\Temp\asw.0a8d85c6f720672e\avast_free_antivirus_setup_online.exe
AvastAntivirusWorldwideA.exe
User:
admin
Company:
AVAST Software
Integrity Level:
HIGH
Description:
Avast Antivirus Installer
Exit code:
0
Version:
19.2.4186.0
Modules
Images
c:\windows\temp\asw.0a8d85c6f720672e\avast_free_antivirus_setup_online.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1780tools\driverpack-7za.exe l "C:\Users\admin\AppData\Roaming\DRPSu\DRIVERS\KVM-FORCED-7x86-drp.zip" C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\tools\driverpack-7za.execmd.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Standalone Console
Exit code:
0
Version:
18.05
Modules
Images
c:\users\admin\appdata\local\temp\7zipsfx.000\bin\tools\driverpack-7za.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1808"C:\Windows\System32\cmd.exe" /c ""C:\Users\admin\AppData\Roaming\DRPSu\PROGRAMS\RuntimePack.exe" -y -gm2 -fm0 || echo Done & call echo Done %^errorLevel% > "C:\Users\admin\AppData\Roaming\DRPSu\temp\installing_77027.txt""C:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
10 563
Read events
4 296
Write events
6 256
Delete events
11

Modification events

(PID) Process:(1156) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update
Operation:writeName:http
Value:
1
(PID) Process:(1156) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\drp.su\update
Operation:writeName:https
Value:
1
(PID) Process:(1156) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:GlobalUserOffline
Value:
0
(PID) Process:(1156) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
Operation:writeName:MaxScriptStatements
Value:
4294967295
(PID) Process:(1156) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles
Operation:writeName:MaxScriptStatements
Value:
4294967295
(PID) Process:(3876) DriverPack-17-Online_1095198222.1550542880.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3876) DriverPack-17-Online_1095198222.1550542880.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2872) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2872) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2872) mshta.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
Operation:writeName:Name
Value:
mshta.exe
Executable files
257
Suspicious files
161
Text files
758
Unknown types
71

Dropped files

PID
Process
Filename
Type
3876DriverPack-17-Online_1095198222.1550542880.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\drp.csstext
MD5:
SHA256:
3876DriverPack-17-Online_1095198222.1550542880.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\img\screens\globe_normal.pngimage
MD5:A42CCA03383138F026F43CF9C0A36AA6
SHA256:29624620F0FD8B8904418A8248B90E5CAC58904C07C5F2EB6C29BE510D0121AA
3876DriverPack-17-Online_1095198222.1550542880.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\Tools\Icon.icoimage
MD5:733D67C2E70BC804CD9497D20FE96696
SHA256:0A3EDD3D1FD9AE649D0D6164858705017DC482CE56D090A478F57D02619E88CE
3876DriverPack-17-Online_1095198222.1550542880.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\DRPcheckbox\DRPcheckbox.svgimage
MD5:940B3297E8EB64F9FCE869980104D86C
SHA256:A6E2003E977A3B8D1BAB342C7FBDEBB2DE22CA39CFC69B5301D8284CC7AF80A4
3876DriverPack-17-Online_1095198222.1550542880.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\DRPicons\DRPicons-webfont.svgimage
MD5:7013E3964CC64258A6BDCEDF499088DE
SHA256:E69B080B44B611BC292E6F33C24CBF310935D3465903AF93FE0BB508071CE755
3876DriverPack-17-Online_1095198222.1550542880.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\img\programs\start_arrow.pngimage
MD5:E1A705761DA081FD6D6C8DAD4D991DA9
SHA256:30E7A27E1389697263579B7C2A0AE2CE026EEBFD91BC69F764D38CC0FBA37135
3876DriverPack-17-Online_1095198222.1550542880.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\css\custom-control.csstext
MD5:F7F8703ADA2176DC144343A2C2ACB1CD
SHA256:7D7853E95258A7A3F8EAF41795F7124E7D2DACDEB5F1EFE212B3FF7ED0DA9E50
3876DriverPack-17-Online_1095198222.1550542880.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\ProximaNova\proxima_nova_light-webfont.svgimage
MD5:6942D42196D3356DCEC29A4737A0AC68
SHA256:8E3FE8B36F91652FD295EFB026873BDE460C2B10D0D53F21183157121DCF3AA1
3876DriverPack-17-Online_1095198222.1550542880.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\img\header\header-bell.pngimage
MD5:9528E73430A6B902EA9BF2A7141851EF
SHA256:DE7BC7CEB22EA3F89CD18801A38614FCCF9C89F3CB059ADEBEF07011E2CAA650
3876DriverPack-17-Online_1095198222.1550542880.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\css\fonts\ProximaNova\proxima_nova_semibold-webfont.svgimage
MD5:CC4E1FA796CABA2CF5DC44B67A1DB837
SHA256:16E9561A7F81AFA42973E3C8469963ABD1FCA5081997C6DA11DFFF6D0EEA93D4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
386
TCP/UDP connections
249
DNS requests
144
Threats
261

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2872
mshta.exe
GET
200
82.145.55.124:80
http://update.drp.su/beetle/17.10.0/DriverPackSolution.html
GB
html
1.65 Kb
malicious
2872
mshta.exe
GET
200
82.145.55.124:80
http://update.drp.su/v2/
GB
text
58.6 Kb
malicious
2872
mshta.exe
GET
200
82.145.55.124:80
http://update.drp.su/beetle/17.10.0/drp.css
GB
text
25.8 Kb
malicious
2872
mshta.exe
GET
200
82.145.55.124:80
http://update.drp.su/beetle/17.10.0/config.js
GB
text
1005 b
malicious
2872
mshta.exe
GET
200
82.145.55.124:80
http://update.drp.su/beetle/17.10.0/drp.js
GB
binary
536 Kb
malicious
2872
mshta.exe
GET
301
104.24.123.67:80
http://allfont.ru/allfont.css?fonts=lucida-console
US
html
552 b
whitelisted
2872
mshta.exe
GET
200
82.145.55.124:80
http://update.drp.su/beetle/17.10.0/css/open-sans.css
GB
text
290 b
malicious
2872
mshta.exe
GET
200
82.145.55.124:80
http://update.drp.su/beetle/17.10.0/css/custom-control.css
GB
text
1.91 Kb
malicious
2872
mshta.exe
GET
200
82.145.55.124:80
http://update.drp.su/beetle/17.10.0/css/normalize.min.css
GB
text
906 b
malicious
2872
mshta.exe
GET
200
82.145.55.124:80
http://update.drp.su/beetle/17.10.0/css/roboto.css
GB
text
263 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2872
mshta.exe
82.145.55.124:80
update.drp.su
iomart Cloud Services Limited.
GB
unknown
2872
mshta.exe
104.24.123.67:80
allfont.ru
Cloudflare Inc
US
shared
2944
wscript.exe
88.150.137.207:80
download.drp.su
iomart Cloud Services Limited.
GB
unknown
2872
mshta.exe
178.162.204.5:80
auth.drp.su
Leaseweb Deutschland GmbH
DE
suspicious
2872
mshta.exe
77.88.21.119:443
mc.yandex.ru
YANDEX LLC
RU
whitelisted
2872
mshta.exe
216.58.207.78:80
www.google-analytics.com
Google Inc.
US
whitelisted
2872
mshta.exe
88.150.137.207:80
download.drp.su
iomart Cloud Services Limited.
GB
unknown
2872
mshta.exe
2.16.186.26:80
www.msftncsi.com
Akamai International B.V.
whitelisted
880
aria2c.exe
95.154.237.19:80
download.drp.su
iomart Cloud Services Limited.
GB
malicious
3484
aria2c.exe
88.150.137.207:80
download.drp.su
iomart Cloud Services Limited.
GB
unknown

DNS requests

Domain
IP
Reputation
update.drp.su
  • 82.145.55.124
  • 87.117.235.116
malicious
allfont.ru
  • 104.24.123.67
  • 104.24.122.67
whitelisted
download.drp.su
  • 88.150.137.207
  • 87.117.231.157
  • 81.94.205.66
  • 87.117.239.150
  • 87.117.239.148
  • 81.94.192.167
  • 87.117.239.151
  • 95.154.237.19
malicious
auth.drp.su
  • 178.162.204.5
suspicious
mc.yandex.ru
  • 77.88.21.119
  • 87.250.250.119
  • 87.250.251.119
  • 93.158.134.119
whitelisted
www.google-analytics.com
  • 216.58.207.78
  • 172.217.23.174
whitelisted
www.msftncsi.com
  • 2.16.186.26
  • 2.16.186.17
whitelisted
bt2.driverpacks.net
  • 178.162.204.29
suspicious
iavs9x.u.avast.com
  • 2.16.186.50
  • 2.16.186.104
whitelisted
v7event.stats.avast.com
  • 5.62.40.203
  • 5.62.40.204
  • 5.45.59.11
  • 5.62.53.224
whitelisted

Threats

PID
Process
Class
Message
1052
svchost.exe
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
2872
mshta.exe
A Network Trojan was detected
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2872
mshta.exe
A Network Trojan was detected
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2872
mshta.exe
A Network Trojan was detected
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2872
mshta.exe
A Network Trojan was detected
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2872
mshta.exe
A Network Trojan was detected
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2872
mshta.exe
A Network Trojan was detected
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2872
mshta.exe
A Network Trojan was detected
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2872
mshta.exe
A Network Trojan was detected
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2872
mshta.exe
A Network Trojan was detected
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2 ETPRO signatures available at the full report
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DriverPack-17-Online_1095198222.1550542880.exe