File name: snap-camera-1.21.0-installer_bhrr-U1.exe

Full analysis: https://app.any.run/tasks/a4131bdc-be76-496a-b5f3-b18db698b398
Verdict: Malicious activity
Threats:

IcedID is a banking trojan-type malware that attackers use to steal victims' banking credentials. IcedID, aka BokBot, mainly targets businesses and steals payment information; it also acts as a loader and can deliver other malware or download additional modules.

Analysis date: February 21, 2025, 18:39:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
stealer
delphi
inno
installer
icedid
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: AC8CA19033E167CAE06E3AB4A5E242C5
SHA1: 8794E10C8F053B5709F6610F85FCAED2A142E508
SHA256: D6EFEB15923AC6C89B65F87A0486E18E0B7C5BFF0D4897173809D1515A9ED507
SSDEEP: 98304:EPIRMu5DUrszskSGjKuV3XNr/g4T6Gq+flu+eSce/Unba+O+CB3jD9hl3:r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6264)
      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • snap-camera-1.21.0-installer.exe (PID: 4328)
      • Snap Camera.exe (PID: 7052)
    • Actions look like stealing of personal data

      • servicehost.exe (PID: 188)
      • uihost.exe (PID: 1416)
    • Steals credentials from Web Browsers

      • servicehost.exe (PID: 188)
    • ICEDID has been detected (YARA)

      • servicehost.exe (PID: 188)
    • Registers / Runs the DLL via REGSVR32.EXE

      • snap-camera-1.21.0-installer.tmp (PID: 6032)
    • Changes the autorun value in the registry

      • snap-camera-1.21.0-installer.tmp (PID: 6032)
  • SUSPICIOUS

    • Checks Windows Trust Settings

      • saBSI.exe (PID: 7128)
      • saBSI.exe (PID: 5244)
      • installer.exe (PID: 3560)
      • servicehost.exe (PID: 188)
      • uihost.exe (PID: 1416)
      • updater.exe (PID: 3952)
      • installer.exe (PID: 5980)
      • drvinst.exe (PID: 2436)
    • Reads security settings of Internet Explorer

      • saBSI.exe (PID: 7128)
      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • installer.exe (PID: 3560)
      • saBSI.exe (PID: 5244)
      • uihost.exe (PID: 1416)
      • installer.exe (PID: 5980)
    • Executable content was dropped or overwritten

      • saBSI.exe (PID: 7128)
      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • installer.exe (PID: 1704)
      • installer.exe (PID: 3560)
      • saBSI.exe (PID: 5244)
      • snap-camera-1.21.0-installer.tmp (PID: 6032)
      • snap-camera-1.21.0-installer.exe (PID: 4328)
      • vc_redist.x64.exe (PID: 6800)
      • vc_redist.x86.exe (PID: 6976)
      • vc_redist.x64.exe (PID: 6028)
      • vc_redist.x86.exe (PID: 5936)
      • installer.exe (PID: 5980)
      • drvinst.exe (PID: 2436)
      • drvinst.exe (PID: 6860)
    • Adds/modifies Windows certificates

      • saBSI.exe (PID: 7128)
      • servicehost.exe (PID: 188)
    • The process verifies whether the antivirus software is installed

      • installer.exe (PID: 1704)
      • saBSI.exe (PID: 5244)
      • installer.exe (PID: 3560)
      • uihost.exe (PID: 1416)
      • servicehost.exe (PID: 188)
      • updater.exe (PID: 3952)
      • cmd.exe (PID: 1468)
      • cmd.exe (PID: 6656)
    • Creates/Modifies COM task schedule object

      • installer.exe (PID: 3560)
      • drvinst.exe (PID: 6860)
    • The process creates files with name similar to system file names

      • installer.exe (PID: 3560)
      • servicehost.exe (PID: 188)
    • Creates a software uninstall entry

      • installer.exe (PID: 3560)
      • servicehost.exe (PID: 188)
    • Process drops legitimate windows executable

      • installer.exe (PID: 3560)
      • snap-camera-1.21.0-installer.tmp (PID: 6032)
      • vc_redist.x86.exe (PID: 6976)
      • vc_redist.x64.exe (PID: 6028)
    • Executes as Windows Service

      • servicehost.exe (PID: 188)
    • Reads the Windows owner or organization settings

      • snap-camera-1.21.0-installer.tmp (PID: 6032)
    • Reads Mozilla Firefox installation path

      • servicehost.exe (PID: 188)
      • uihost.exe (PID: 1416)
    • Drops a system driver (possible attempt to evade defenses)

      • snap-camera-1.21.0-installer.tmp (PID: 6032)
      • installer.exe (PID: 5980)
      • drvinst.exe (PID: 2436)
      • drvinst.exe (PID: 6860)
    • Searches for installed software

      • updater.exe (PID: 3952)
      • vc_redist.x86.exe (PID: 5936)
      • vc_redist.x64.exe (PID: 6800)
    • Starts CMD.EXE for commands execution

      • updater.exe (PID: 3952)
    • Starts a Microsoft application from unusual location

      • vc_redist.x64.exe (PID: 6800)
      • vc_redist.x86.exe (PID: 5936)
    • Creates files in the driver directory

      • drvinst.exe (PID: 2436)
      • drvinst.exe (PID: 6860)
    • Uses WMIC.EXE to obtain CPU information

      • Snap Camera.exe (PID: 7052)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 6860)
  • INFO

    • Reads the machine GUID from the registry

      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • saBSI.exe (PID: 7128)
      • saBSI.exe (PID: 5244)
      • installer.exe (PID: 3560)
      • servicehost.exe (PID: 188)
      • uihost.exe (PID: 1416)
      • updater.exe (PID: 3952)
      • installer.exe (PID: 5980)
      • drvinst.exe (PID: 2436)
    • Reads the computer name

      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • saBSI.exe (PID: 7128)
      • saBSI.exe (PID: 5244)
      • installer.exe (PID: 3560)
      • servicehost.exe (PID: 188)
      • uihost.exe (PID: 1416)
      • updater.exe (PID: 3952)
      • snap-camera-1.21.0-installer.tmp (PID: 6032)
      • vc_redist.x64.exe (PID: 6800)
      • vc_redist.x86.exe (PID: 5936)
      • installer.exe (PID: 5980)
      • drvinst.exe (PID: 2436)
      • drvinst.exe (PID: 6860)
      • Snap Camera.exe (PID: 7052)
    • Create files in a temporary directory

      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • saBSI.exe (PID: 5244)
      • installer.exe (PID: 3560)
      • snap-camera-1.21.0-installer.exe (PID: 4328)
      • snap-camera-1.21.0-installer.tmp (PID: 6032)
      • vc_redist.x64.exe (PID: 6800)
      • vc_redist.x86.exe (PID: 5936)
      • installer.exe (PID: 5980)
    • Creates files in the program directory

      • saBSI.exe (PID: 7128)
      • saBSI.exe (PID: 5244)
      • installer.exe (PID: 1704)
      • installer.exe (PID: 3560)
      • snap-camera-1.21.0-installer.tmp (PID: 6032)
      • servicehost.exe (PID: 188)
      • uihost.exe (PID: 1416)
    • Checks supported languages

      • saBSI.exe (PID: 7128)
      • saBSI.exe (PID: 5244)
      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • installer.exe (PID: 1704)
      • installer.exe (PID: 3560)
      • servicehost.exe (PID: 188)
      • uihost.exe (PID: 1416)
      • updater.exe (PID: 3952)
      • snap-camera-1.21.0-installer.tmp (PID: 6032)
      • snap-camera-1.21.0-installer.exe (PID: 4328)
      • vc_redist.x64.exe (PID: 6800)
      • vc_redist.x64.exe (PID: 6028)
      • vc_redist.x86.exe (PID: 6976)
      • vc_redist.x86.exe (PID: 5936)
      • installer.exe (PID: 5980)
      • drvinst.exe (PID: 2436)
      • drvinst.exe (PID: 6860)
      • Snap Camera.exe (PID: 7052)
    • Checks proxy server information

      • saBSI.exe (PID: 7128)
      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • saBSI.exe (PID: 5244)
    • Reads the software policy settings

      • saBSI.exe (PID: 7128)
      • saBSI.exe (PID: 5244)
      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • installer.exe (PID: 3560)
      • servicehost.exe (PID: 188)
      • uihost.exe (PID: 1416)
      • updater.exe (PID: 3952)
      • installer.exe (PID: 5980)
      • drvinst.exe (PID: 2436)
    • The sample is compiled with English language support

      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • saBSI.exe (PID: 5244)
      • installer.exe (PID: 1704)
      • installer.exe (PID: 3560)
      • saBSI.exe (PID: 7128)
      • snap-camera-1.21.0-installer.tmp (PID: 6032)
      • vc_redist.x64.exe (PID: 6800)
      • vc_redist.x86.exe (PID: 6976)
      • vc_redist.x86.exe (PID: 5936)
      • installer.exe (PID: 5980)
      • drvinst.exe (PID: 2436)
      • drvinst.exe (PID: 6860)
      • vc_redist.x64.exe (PID: 6028)
    • Process checks computer location settings

      • snap-camera-1.21.0-installer_bhrr-U1.exe (PID: 6424)
      • servicehost.exe (PID: 188)
      • uihost.exe (PID: 1416)
    • Compiled with Borland Delphi (YARA)

      • snap-camera-1.21.0-installer.exe (PID: 4328)
      • snap-camera-1.21.0-installer.tmp (PID: 6032)
    • Detects InnoSetup installer (YARA)

      • snap-camera-1.21.0-installer.exe (PID: 4328)
      • snap-camera-1.21.0-installer.tmp (PID: 6032)
    • Creates a software uninstall entry

      • snap-camera-1.21.0-installer.tmp (PID: 6032)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4500)
    • Creates files or folders in the user directory

      • Snap Camera.exe (PID: 7052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (17.3)
.dll | Win32 Dynamic Link Library (generic) (4.1)
.exe | Win32 Executable (generic) (2.8)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:31 15:04:33+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.42
CodeSize: 2143744
InitializedDataSize: 2316288
UninitializedDataSize: -
EntryPoint: 0x1c118b
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.0.11.0
ProductVersionNumber: 3.0.11.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Softonic
FileDescription: Softonic
FileVersion: 3.0.11.0.0
LegalCopyright: (c) Softonic
ProductName: Softonic
ProductVersion: 3.0.11.0.0
No data.
All screenshots are available in the full report
Total processes: 161
Monitored processes: 29
Malicious processes: 13
Suspicious processes: 5

Behavior graph

Processes in the graph, from the start node: snap-camera-1.21.0-installer_bhrr-u1.exe, sabsi.exe, sabsi.exe, installer.exe, installer.exe, snap-camera-1.21.0-installer.exe, snap-camera-1.21.0-installer.tmp, servicehost.exe (#ICEDID), uihost.exe, updater.exe, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), vc_redist.x64.exe, vc_redist.x64.exe, vc_redist.x86.exe, vc_redist.x86.exe, installer.exe, conhost.exe (no specs), drvinst.exe, drvinst.exe, regsvr32.exe (no specs), regsvr32.exe (no specs), regsvr32.exe (no specs), snap camera.exe (no specs), wmic.exe (no specs), conhost.exe (no specs), snap-camera-1.21.0-installer_bhrr-u1.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process

PID: 188
CMD: "C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"
Path: C:\Program Files\McAfee\WebAdvisor\servicehost.exe
Parent process: services.exe
User:
SYSTEM
Company:
McAfee, LLC
Integrity Level:
SYSTEM
Description:
McAfee WebAdvisor(service)
Version:
4,1,1,1010
Modules
Images
c:\program files\mcafee\webadvisor\servicehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1416
CMD: "C:\Program Files\McAfee\WebAdvisor\UIHost.exe"
Path: C:\Program Files\McAfee\WebAdvisor\uihost.exe
Parent process: servicehost.exe
User:
admin
Company:
McAfee, LLC
Integrity Level:
MEDIUM
Description:
McAfee WebAdvisor(user level process)
Version:
4,1,1,1010
Modules
Images
c:\program files\mcafee\webadvisor\uihost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1468
CMD: C:\WINDOWS\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"
Path: C:\Windows\System32\cmd.exe
Parent process: updater.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1704
CMD: "C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
Path: C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
Parent process: saBSI.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\programdata\mcafee\webadvisor\sabsi\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2120
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2436
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{05ff6f03-aaeb-8c45-809a-e6471aea2a7c}\snapcameravirtualdevice.inf" "9" "4abe0b79f" "00000000000001D4" "WinSta0\Default" "00000000000001E4" "208" "c:\program files\snap inc\snap camera\driver"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 2972
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3560
CMD: "C:\Program Files\McAfee\Temp779413972\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
Path: C:\Program Files\McAfee\Temp779413972\installer.exe
Parent process: installer.exe
User:
admin
Company:
McAfee, LLC
Integrity Level:
HIGH
Description:
McAfee WebAdvisor(installer)
Exit code:
0
Version:
4,1,1,1010
Modules
Images
c:\program files\mcafee\temp779413972\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ucrtbase.dll
PID: 3952
CMD: "C:\Program Files\McAfee\WebAdvisor\updater.exe"
Path: C:\Program Files\McAfee\WebAdvisor\updater.exe
Parent process: servicehost.exe
User:
SYSTEM
Company:
McAfee, LLC
Integrity Level:
SYSTEM
Description:
McAfee WebAdvisor(updater)
Exit code:
0
Version:
4,1,1,1010
Modules
Images
c:\program files\mcafee\webadvisor\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4024
CMD: /s /u "C:\Program Files\Snap Inc\Snap Camera\SnapVirtualCam64.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: regsvr32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
4
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 36 482
Read events: 35 469
Write events: 996
Delete events: 17

Modification events

Process: (6424) snap-camera-1.21.0-installer_bhrr-U1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Operation: write
Name: Implementing
Value: 1C00000001000000E907020005001500120027003B003203010000001E768127E028094199FEB9D127C57AFE

Process: (6424) snap-camera-1.21.0-installer_bhrr-U1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 010000000000000044373B039084DB01

Process: (7128) saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: UUID
Value: {41FACFC2-612B-40F5-8A1A-A4016348B868}

Process: (7128) saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: InstallerFlags
Value: 1

Process: (7128) saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation: delete value
Name: 4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Value:
Process: (7128) saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation: write
Name: Blob
Value:
Process: (5244) saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: InstallationStatus
Value: PENDING

Process: (5244) saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: InstallationID
Value: UNDEFINED

Process: (5244) saBSI.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\WebAdvisor
Operation: write
Name: CountryCode
Value: DE
Executable files: 185
Suspicious files: 789
Text files: 2 202
Unknown types: 0

Dropped files

Fields per dropped file: PID, Process, Filename, Type, MD5, SHA256

PID: 6424
Process: snap-camera-1.21.0-installer_bhrr-U1.exe
Filename: C:\Users\admin\Downloads\snap-camera-1.21.0-installer.exe
Type: -
MD5:
SHA256:

PID: 1704
Process: installer.exe
Filename: C:\Program Files\McAfee\Temp779413972\browserplugin.cab
Type: -
MD5:
SHA256:

PID: 1704
Process: installer.exe
Filename: C:\Program Files\McAfee\Temp779413972\analyticstelemetry.cab
Type: compressed
MD5: 55EECD40D5105E22FB75EDD5A8DBD005
SHA256: 09EF9FD9F988227E646478D43A60028C1E89CED52D0A30A008EAC757819D0BE4

PID: 1704
Process: installer.exe
Filename: C:\Program Files\McAfee\Temp779413972\balloon_safe_annotation.png
Type: image
MD5: 2048DF489A12C4C9E2341BEF42883205
SHA256: DDA74B071B5869A22B327633D9641F1340EC5B913359BB389C34C44A6DB579A5

PID: 7128
Process: saBSI.exe
Filename: C:\ProgramData\McAfee\WebAdvisor\saBSI.exe\log_00000057003F001D0006.txt
Type: text
MD5: 3B97E9E27055A44EB00B3B8A75E95CE4
SHA256: 26C2C33C06E2789BA18CA1B77F9DA8B5F0981926E67189DCB3DCAE6B0C0D3CB6

PID: 6424
Process: snap-camera-1.21.0-installer_bhrr-U1.exe
Filename: C:\Users\admin\AppData\Local\Temp\ISV693D.tmp\saBSI.zip
Type: compressed
MD5: F68008B70822BD28C82D13A289DEB418
SHA256: CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589

PID: 1704
Process: installer.exe
Filename: C:\Program Files\McAfee\Temp779413972\installer.exe
Type: executable
MD5: 8E9953B04910C76F284F0E34E1F9921E
SHA256: 8DB3FA3F2871B611BFCBB2A0A148B6780DDDA432B415A9C4EFD1241C0B9F6152

PID: 1704
Process: installer.exe
Filename: C:\Program Files\McAfee\Temp779413972\icon_laptop.png
Type: image
MD5: 4D3A0258CF71A406CB7669FBE3FBEB2E
SHA256: C156050A5D788BAD7D8F36482072B44A23F502F23C5F9198F6EB1EB066765DEE

PID: 1704
Process: installer.exe
Filename: C:\Program Files\McAfee\Temp779413972\icon_failed.png
Type: image
MD5: AEE9C26A50511C3E4196C28662BCE665
SHA256: 0E2904A557F79BCE71A47BFB03E49FA9C5B54C7855017B54143EA2214501BFE6

PID: 5244
Process: saBSI.exe
Filename: C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe
Type: executable
MD5: BDC856946755585518B19CA8411AA834
SHA256: 76DDFA53F14675DCB2E1437115190AFA04BED37691BBBD1C50FE81823D731119
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 57
DNS requests: 27
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | svchost.exe | GET | 200 | 104.79.89.142:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
5496 | svchost.exe | GET | 200 | 23.53.41.248:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.41.248:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 104.79.89.142:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5064 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
6576 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
6948 | SIHClient.exe | GET | 200 | 104.79.89.142:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
6948 | SIHClient.exe | GET | 200 | 104.79.89.142:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5308 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.53.41.248:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | svchost.exe | 23.53.41.248:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 104.79.89.142:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5496 | svchost.exe | 104.79.89.142:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5496 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6424 | snap-camera-1.21.0-installer_bhrr-U1.exe | 18.245.78.185:443 | di7e1j5f1plfo.cloudfront.net | - | US | whitelisted
6424 | snap-camera-1.21.0-installer_bhrr-U1.exe | 151.101.1.91:443 | images.sftcdn.net | FASTLY | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.53.41.248
  • 23.53.42.18
whitelisted
www.microsoft.com
  • 104.79.89.142
whitelisted
google.com
  • 216.58.206.46
whitelisted
di7e1j5f1plfo.cloudfront.net
  • 18.245.78.185
  • 18.245.78.188
  • 18.245.78.212
  • 18.245.78.145
whitelisted
images.sftcdn.net
  • 151.101.1.91
  • 151.101.193.91
  • 151.101.129.91
  • 151.101.65.91
whitelisted
www.bing.com
  • 184.86.251.7
  • 184.86.251.9
  • 184.86.251.17
  • 184.86.251.21
  • 184.86.251.27
  • 184.86.251.22
whitelisted
go.microsoft.com
  • 23.52.121.103
  • 2.19.106.8
whitelisted
gsf-fl.softonic.com
  • 151.101.193.91
  • 151.101.129.91
  • 151.101.1.91
  • 151.101.65.91
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.65
  • 40.126.32.136
  • 20.190.160.128
  • 40.126.32.134
  • 20.190.160.66
  • 40.126.32.138
  • 20.190.160.14
whitelisted

Threats

No threats detected
Debug output (Process | Message)
snap-camera-1.21.0-installer_bhrr-U1.exe | LoadingPage
snap-camera-1.21.0-installer_bhrr-U1.exe | WelcomePage
snap-camera-1.21.0-installer_bhrr-U1.exe | ProductPage
snap-camera-1.21.0-installer_bhrr-U1.exe | DownloadPageDLM
snap-camera-1.21.0-installer_bhrr-U1.exe | FinishPageDLM
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\ISV693D.tmp\saBSI\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\ISV693D.tmp\saBSI\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\ISV693D.tmp\saBSI\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\ISV693D.tmp\saBSI\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe | NCPrivateLoadAndValidateMPTDll: Looking in current directory