Malware analysis d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe Malicious activity

Add for printing

File name:	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe
Full analysis:	https://app.any.run/tasks/856a2038-269a-428c-a549-db916760d62f
Verdict:	Malicious activity
Analysis date:	March 06, 2024, 09:28:34
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386, for MS Windows
MD5:	26BC45B7EDADC11281B6ACB58D1E1D03
SHA1:	F184F4C70928BDC55AB3D5FAF42C359D6232D9AE
SHA256:	D10F367E9F06ADE8A710E20B00D1B4EECB456E1923369725A276EEE871841417
SSDEEP:	196608:Jtq9owWFa2lVHhXsILm+XXZjU8YBg5reMyujDlnTu4XNY:JEqe4V1LLm+XJjHYq5Hb9nTuwNY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (112.0.5615.50)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)

Add for printing

MALICIOUS
- Creates a writable file in the system directory
  - d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe (PID: 6552)
  - BvWinFspMgr.exe (PID: 6192)
  - msiexec.exe (PID: 2944)
- Drops the executable file immediately after the start
  - BvWinFspMgr.exe (PID: 6192)
  - d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe (PID: 6552)
  - msiexec.exe (PID: 2944)
SUSPICIOUS
- Creates files in the driver directory
  - BvWinFspMgr.exe (PID: 6192)
- Drops a system driver (possible attempt to evade defenses)
  - d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe (PID: 6552)
  - BvWinFspMgr.exe (PID: 6192)
- Executable content was dropped or overwritten
  - BvWinFspMgr.exe (PID: 6192)
  - d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe (PID: 6552)
- Creates or modifies Windows services
  - BvWinFspMgr.exe (PID: 6192)
- Creates a software uninstall entry
  - d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe (PID: 6552)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 2944)
  - BvSsh.exe (PID: 5296)
- Adds/modifies Windows certificates
  - msiexec.exe (PID: 2944)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 2944)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 2944)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 2944)
- Creates/Modifies COM task schedule object
  - d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe (PID: 6552)
- Searches for installed software
  - BvSsh.exe (PID: 5296)
- Reads security settings of Internet Explorer
  - BvSsh.exe (PID: 5296)
INFO
- Checks supported languages
  - d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe (PID: 6552)
  - BvWinFspMgr.exe (PID: 6192)
  - BvEventSource.exe (PID: 2368)
  - msiexec.exe (PID: 2944)
  - BvSsh.exe (PID: 5296)
- Creates files in the program directory
  - d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe (PID: 6552)
- Reads the computer name
  - d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe (PID: 6552)
  - BvWinFspMgr.exe (PID: 6192)
  - msiexec.exe (PID: 2944)
  - BvSsh.exe (PID: 5296)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 2944)
  - BvSsh.exe (PID: 5296)
- Reads the software policy settings
  - msiexec.exe (PID: 2944)
  - BvSsh.exe (PID: 5296)
  - slui.exe (PID: 3752)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 2944)
- Creates files or folders in the user directory
  - msiexec.exe (PID: 2944)
  - BvSsh.exe (PID: 5296)
- Manual execution by a user
  - BvSsh.exe (PID: 5296)
- Checks proxy server information
  - slui.exe (PID: 3752)
  - BvSsh.exe (PID: 5296)
- Creates a software uninstall entry
  - msiexec.exe (PID: 2944)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:12:20 22:33:07+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	756736
InitializedDataSize:	26369024
UninitializedDataSize:	-
EntryPoint:	0x85ab0
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows command line
FileVersionNumber:	9.33.0.0
ProductVersionNumber:	9.33.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	-
CompanyName:	Bitvise Limited
FileDescription:	Bitvise SSH Client Installer
FileVersion:	9.33.0.0
InternalName:	BvSshClient-Inst
LegalCopyright:	Copyright (C) 2000-2023 by Bitvise Limited.
LegalTrademarks:	-
OriginalFileName:	BvSshClient-Inst.exe
PrivateBuild:	-
ProductName:	Bitvise SSH Client
ProductVersion:	9.33
SpecialBuild:	-

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

137

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1020

msiexec.exe /i "C:\Program Files (x86)\Bitvise SSH Client\FlowSshNet64.msi" INSTALLDIR="C:\Program Files (x86)\Bitvise SSH Client" /quiet /norestart MSIRESTARTMANAGERCONTROL="Disable"

C:\Windows\SysWOW64\msiexec.exe

—

d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1460

msiexec.exe /i "C:\Program Files (x86)\Bitvise SSH Client\FlowSshNet32.msi" INSTALLDIR="C:\Program Files (x86)\Bitvise SSH Client" /quiet /norestart MSIRESTARTMANAGERCONTROL="Disable"

C:\Windows\SysWOW64\msiexec.exe

—

d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2368

"C:\WINDOWS\system32\BvEventSource.exe" register

C:\Windows\System32\BvEventSource.exe

—

d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe

User:

admin

Company:

Bitvise Limited

Integrity Level:

HIGH

Description:

Bitvise Log Event Source Utility

Exit code:

Version:

1.02

Modules

Images
c:\windows\system32\bveventsource.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

2460

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2944

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

3752

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

5296

"C:\Program Files (x86)\Bitvise SSH Client\BvSsh.exe"

C:\Program Files (x86)\Bitvise SSH Client\BvSsh.exe

explorer.exe

User:

admin

Company:

Bitvise Limited

Integrity Level:

MEDIUM

Description:

Bitvise SSH Client

Exit code:

Version:

9.33.0.0

Modules

Images
c:\program files (x86)\bitvise ssh client\bvssh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll

6192

"C:\WINDOWS\BvWinFspMgr.exe" Install

C:\Windows\BvWinFspMgr.exe

d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe

User:

admin

Company:

Bitvise Limited

Integrity Level:

HIGH

Description:

Bitvise WinFsp Driver Management Utility

Exit code:

Version:

1.01

Modules

Images
c:\windows\bvwinfspmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6552

"C:\Users\admin\AppData\Local\Temp\d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe"

C:\Users\admin\AppData\Local\Temp\d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe

explorer.exe

User:

admin

Company:

Bitvise Limited

Integrity Level:

HIGH

Description:

Bitvise SSH Client Installer

Exit code:

Version:

9.33.0.0

Modules

Images
c:\users\admin\appdata\local\temp\d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6912

"C:\Users\admin\AppData\Local\Temp\d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe"

C:\Users\admin\AppData\Local\Temp\d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe

—

explorer.exe

User:

admin

Company:

Bitvise Limited

Integrity Level:

MEDIUM

Description:

Bitvise SSH Client Installer

Exit code:

3221226540

Version:

9.33.0.0

Modules

Images
c:\users\admin\appdata\local\temp\d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Add for printing

Total events

12 727

Read events

12 331

Write events

366

Delete events

Modification events


(PID) Process:	(2368) BvEventSource.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\Bitvise Installer
Operation:	write	Name:	EventMessageFile
Value: C:\WINDOWS\system32\BvEventSource.exe
(PID) Process:	(2368) BvEventSource.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\Bitvise Installer
Operation:	write	Name:	TypesSupported
Value: 7
(PID) Process:	(6552) d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bitvise\Installers
Operation:	write	Name:	Bitvise SSH Client Installer
Value: "C:\Users\admin\AppData\Local\Temp\d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe" -acceptEULA -installDir="C:\Program Files (x86)\Bitvise SSH Client" -interactive -runWhenDone
(PID) Process:	(6552) d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Bitvise SSH Client Installer
Value:
(PID) Process:	(6552) d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Tunnelier Installer
Value:
(PID) Process:	(6552) d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:	write	Name:	Bitvise-WWLib-CRegSafeModify-Guard-45150DC24C566C9D69E778BD71FF42F8585C46D2
Value: 0
(PID) Process:	(6192) BvWinFspMgr.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinFsp.Np\NetworkProvider
Operation:	write	Name:	Name
Value: Windows File System Proxy
(PID) Process:	(6192) BvWinFspMgr.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinFsp.Np\NetworkProvider
Operation:	write	Name:	DeviceName
Value: \Device\WinFsp.Mup
(PID) Process:	(6192) BvWinFspMgr.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinFsp.Np\NetworkProvider
Operation:	write	Name:	ProviderPath
Value: C:\WINDOWS\system32\BvWinFsp.dll
(PID) Process:	(6192) BvWinFspMgr.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinFsp.Np
Operation:	write	Name:	Group
Value: NetworkProvider

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6552	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	C:\Program Files (x86)\Bitvise SSH Client\CiCpFips32.dll		executable
		MD5:7444B33ED49B788089E2EB4C29A64F72	SHA256:4EF057D09CDB4D7B7037EB45080928BCD01CD75AF23D278A1ABF1C316FD57670
6552	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	C:\Program Files (x86)\Bitvise SSH Client\CiWinCng64.dll		executable
		MD5:CC9393ADF63E1D1CB7AB6DEB7FD73E1C	SHA256:C1596B987462EDFCAE5895D7DAE2552E4CC737A2419DA46C2E6911CC91B41C08
6552	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	C:\Program Files (x86)\Bitvise SSH Client\BscInstalledResources.htm		html
		MD5:F7CD682253A9FFFFE3D6C811F5195352	SHA256:527284A653383EA5B929F7687085882860974DE62E51AAD3E46F9DEF70B298A4
6552	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	C:\Program Files (x86)\Bitvise SSH Client\BvSsh.exe		executable
		MD5:971A0C43BF49E4A40DEB9586BB626D40	SHA256:AF7858102EEB9AE1D63F4971A83EEA672D977FA6B824A5A4A177E53FD40F0519
6552	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	C:\Program Files (x86)\Bitvise SSH Client\Countries.bin		bs
		MD5:338EC61E822FDF00B7A9C195013FA491	SHA256:986146928A9938573F7B088BB0F3175F67EB7151C650D5ABC4CB99B406E5DF9E
6552	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	C:\Program Files (x86)\Bitvise SSH Client\BvSshUpdate.exe		executable
		MD5:2FFFCBFD4FD008808DBF0B2368DABB67	SHA256:0308BFC6C2B1A48A316120712E3FB3B1CBA211453C2B05C6F5E38EC4C1712F32
6552	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	C:\Program Files (x86)\Bitvise SSH Client\BvDump64.exe		executable
		MD5:AA46F6C69C7501FBA41AEEB4AFA6287C	SHA256:85B7317B97AB673D9489C3227BCAD0D69459A97F7428FBAD6924A31C1748A69A
6552	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	C:\Program Files (x86)\Bitvise SSH Client\BvSshCtrl.exe		executable
		MD5:157F80FF21E4044D9E3CEBC969D33ED0	SHA256:E4406C26C9ADBEC14ABEAC919D6389B2850E514C62D3722A35BA384960972F6A
6552	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	C:\Program Files (x86)\Bitvise SSH Client\BscActCode.exe		executable
		MD5:46726A7A2D9B7234E97161A3BBD86AEB	SHA256:20F13CA46D9ECC2A026C239D928B27DFC8CE020CAED526DE7920A49709F4AAE4
6552	d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe	C:\Program Files (x86)\Bitvise SSH Client\totermc.exe		executable
		MD5:2236433DEC253EC4BC6FAD4472DFDB21	SHA256:DE49C64F6F996C941D5534E78455FDEC0F14D10BFB2F6E3DB577EDF75141A0B5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D	unknown	binary	471 b	unknown
5928	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
5928	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
5928	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
2944	msiexec.exe	GET	200	104.18.38.233:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D	unknown	binary	765 b	unknown
872	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	binary	313 b	unknown
2944	msiexec.exe	GET	200	104.18.38.233:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D	unknown	binary	1.42 Kb	unknown
5296	BvSsh.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEChOOcFLOG2InHKZ5YzQWlc%3D	unknown	binary	2.18 Kb	unknown
2464	svchost.exe	GET	200	2.19.105.18:80	http://x1.c.lencr.org/	unknown	binary	717 b	unknown
2944	msiexec.exe	GET	200	104.18.38.233:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEGL3Tmi4GXrLF6oYQjkos38%3D	unknown	binary	637 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	unknown
3848	svchost.exe	239.255.255.250:1900	—	—	—	unknown
5928	svchost.exe	20.190.159.4:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	unknown
—	—	20.190.159.4:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5928	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown
—	—	20.103.156.88:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5928	svchost.exe	20.190.159.23:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

DNS requests

Domain	IP	Reputation
ocsp.digicert.com	192.229.221.95	whitelisted
arc.msn.com	20.103.156.88	whitelisted
www.bing.com	23.213.161.200 23.213.161.217 23.213.161.214 23.213.161.224 23.213.161.225 23.213.161.198 23.213.161.222 23.213.161.223 23.213.161.219 23.213.161.204 23.213.161.196 23.213.161.205 23.213.161.202 23.213.161.206	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
slscr.update.microsoft.com	13.85.23.86	whitelisted
ocsp.comodoca.com	104.18.38.233 172.64.149.23	whitelisted
ocsp.sectigo.com	104.18.38.233 172.64.149.23	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
bitvise.com	18.188.178.2	whitelisted
ocsp.usertrust.com	172.64.149.23 104.18.38.233	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

d10f367e9f06ade8a710e20b00d1b4eecb456e1923369725a276eee871841417.exe

26BC45B7EDADC11281B6ACB58D1E1D03

F184F4C70928BDC55AB3D5FAF42C359D6232D9AE

D10F367E9F06ADE8A710E20B00D1B4EECB456E1923369725A276EEE871841417

196608:Jtq9owWFa2lVHhXsILm+XXZjU8YBg5reMyujDlnTu4XNY:JEqe4V1LLm+XJjHYq5Hb9nTuwNY

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Creates a writable file in the system directory

Drops the executable file immediately after the start

SUSPICIOUS

Creates files in the driver directory

Drops a system driver (possible attempt to evade defenses)

Executable content was dropped or overwritten

Creates or modifies Windows services

Creates a software uninstall entry

Checks Windows Trust Settings

Adds/modifies Windows certificates

Reads the Windows owner or organization settings

Process drops legitimate windows executable

The process drops C-runtime libraries

Creates/Modifies COM task schedule object

Searches for installed software

Reads security settings of Internet Explorer

INFO

Checks supported languages

Creates files in the program directory

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

Executable content was dropped or overwritten

Creates files or folders in the user directory

Manual execution by a user

Checks proxy server information

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings