| URL: | https://h2ocdn.adaware.com/filehorse/68c3f9f60cf05ceb224dc09c4f20ab4d2d600852/Python-3.7.4-(64-bit).exe?sv=2018-03-28&sr=b&sig=Wo4hU34hkZfRqV4oyQwleHXQoM2oHhLAUST0wuWyWBI%3D&se=2019-09-27T14%3A51%3A46Z&sp=r |
| Full analysis: | https://app.any.run/tasks/791f5bca-242c-4a33-9fc6-3dab3e8bae8d |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | September 27, 2019, 14:27:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | ADDEA7054E932F2A0229C0523F573693 |
| SHA1: | BEF3F20EB3A73BD8A9332CF379D82B64555471B3 |
| SHA256: | DDD7CADDC8B5C2D8FC20C670801871811F822F870B0A4E6A51C228F06E823610 |
| SSDEEP: | 6:2Z98Vb0G2GRLgRhL69qd7EUG3KvOt90+cVReUY6:2wb0ecJrGsC9IcUd |
MALICIOUS
Application was dropped or rewritten from another process
- Python-3.7.4-(64-bit).exe (PID: 3940)
- Python-3.7.4-(64-bit).exe (PID: 876)
- nbpqs1sp.f3b.exe (PID: 1256)
- nbpqs1sp.f3b.exe (PID: 3852)
- nbpqs1sp.f3b.exe (PID: 3128)
- nbpqs1sp.f3b.exe (PID: 3392)
- nbpqs1sp.f3b.exe (PID: 880)
- Python (64-bit).exe (PID: 2716)
- python-3.7.4-amd64.exe (PID: 3188)
- 3esp1s42.404.exe (PID: 3940)
Changes settings of System certificates
- GenericSetup.exe (PID: 3792)
LAVASOFT was detected
- installer.exe (PID: 2332)
Loads dropped or rewritten executable
- nbpqs1sp.f3b.exe (PID: 3392)
- nbpqs1sp.f3b.exe (PID: 3852)
- nbpqs1sp.f3b.exe (PID: 1256)
- nbpqs1sp.f3b.exe (PID: 3128)
- nbpqs1sp.f3b.exe (PID: 880)
Downloads executable files from the Internet
- GenericSetup.exe (PID: 3792)
SUSPICIOUS
Executable content was dropped or overwritten
- chrome.exe (PID: 488)
- chrome.exe (PID: 2772)
- nbpqs1sp.f3b.exe (PID: 3128)
- GenericSetup.exe (PID: 3792)
- nbpqs1sp.f3b.exe (PID: 1256)
- Python (64-bit).exe (PID: 2716)
Adds / modifies Windows certificates
- GenericSetup.exe (PID: 3792)
Reads Environment values
- GenericSetup.exe (PID: 3792)
Reads Windows owner or organization settings
- GenericSetup.exe (PID: 3792)
Reads the Windows organization settings
- GenericSetup.exe (PID: 3792)
Starts CMD.EXE for commands execution
- GenericSetup.exe (PID: 3792)
Application launched itself
- nbpqs1sp.f3b.exe (PID: 3128)
Creates files in the Windows directory
- Python (64-bit).exe (PID: 3512)
- Python (64-bit).exe (PID: 2716)
Creates files in the user directory
- nbpqs1sp.f3b.exe (PID: 1256)
Starts itself from another location
- nbpqs1sp.f3b.exe (PID: 3128)
- Python (64-bit).exe (PID: 2716)
Executed as Windows Service
- vssvc.exe (PID: 2480)
Searches for installed software
- python-3.7.4-amd64.exe (PID: 3188)
- GenericSetup.exe (PID: 3792)
Executed via COM
- DrvInst.exe (PID: 2976)
INFO
Application launched itself
- chrome.exe (PID: 2772)
Reads the hosts file
- chrome.exe (PID: 2772)
- chrome.exe (PID: 488)
Reads Internet Cache Settings
- chrome.exe (PID: 2772)
Reads settings of System Certificates
- GenericSetup.exe (PID: 3792)
Low-level read access rights to disk partition
- vssvc.exe (PID: 2480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
70
Monitored processes
28
Malicious processes
6
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 488 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1032,12697451928710769922,8302865167174693617,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=2810916545873458418 --mojo-platform-channel-handle=1544 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
| 876 | "C:\Users\admin\Downloads\Python-3.7.4-(64-bit).exe" | C:\Users\admin\Downloads\Python-3.7.4-(64-bit).exe | chrome.exe | ||||||||||||
User: admin Company: Lavasoft Limited. All Rights Reserved. Integrity Level: HIGH Description: Software Installation Exit code: 0 Version: 3.3.1.1990 Modules
| |||||||||||||||
| 880 | "C:\Users\admin\AppData\Local\Temp\nbpqs1sp.f3b.exe" --backend --install --import-browser-data=1 --enable-stats=1 --enable-installer-stats=1 --launchopera=1 --installfolder="C:\Program Files\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pin-additional-shortcuts=1 --server-tracking-data=server_tracking_data --initial-pid=3128 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\Opera Installer Temp\opera_package_20190927152758" --session-guid=9470b99f-1e0a-4c96-bb0a-ca14978a6ced --server-tracking-blob=M2FkYjg1NTY4YTYzMDUwOGM4MTUwNDYyYmJmZjA4MzU3N2JhMjM4ZjNiZTQzZDA4Njk2NzA0ZWUwOGRjM2E0Yzp7ImNvdW50cnkiOiJESyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPWxhdmFzb2Z0JnV0bV9tZWRpdW09cGImdXRtX2NhbXBhaWduPWxhdmFzb2Z0IiwidGltZXN0YW1wIjoiMTU2OTU5NDQ3NS45NzA2IiwidXRtIjp7ImNhbXBhaWduIjoiR0dfTkEiLCJtZWRpdW0iOiJwYiIsInNvdXJjZSI6ImxhdmFzb2Z0In0sInV1aWQiOiI2YzVhMDk3MC1mYjg2LTQ0MjgtOWQyNS03ZjJkNjM2NDIyNWEifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=CC02000000000000 | C:\Users\admin\AppData\Local\Temp\nbpqs1sp.f3b.exe | — | nbpqs1sp.f3b.exe | |||||||||||
User: admin Company: Opera Software Integrity Level: HIGH Description: Opera Installer Exit code: 0 Version: 63.0.3368.94 Modules
| |||||||||||||||
| 928 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,12697451928710769922,8302865167174693617,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17539525478332091454 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
| 1256 | C:\Users\admin\AppData\Local\Temp\nbpqs1sp.f3b.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=63.0.3368.94 --initial-client-data=0xdc,0xe4,0xe8,0xe0,0xec,0x5ca6f558,0x5ca6f568,0x5ca6f574 | C:\Users\admin\AppData\Local\Temp\nbpqs1sp.f3b.exe | nbpqs1sp.f3b.exe | ||||||||||||
User: admin Company: Opera Software Integrity Level: HIGH Description: Opera Installer Exit code: 0 Version: 63.0.3368.94 Modules
| |||||||||||||||
| 1500 | "C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\3esp1s42.404.exe" " | C:\Windows\system32\cmd.exe | — | GenericSetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1816 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,12697451928710769922,8302865167174693617,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=6441088690400771268 --mojo-platform-channel-handle=1056 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
| 2332 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zSC63517AF\installer.exe | Python-3.7.4-(64-bit).exe | ||||||||||||
User: admin Company: adaware Integrity Level: HIGH Exit code: 0 Version: 3.3.1.1990 Modules
| |||||||||||||||
| 2384 | "C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\nbpqs1sp.f3b.exe" --silent --otd="utm.medium:pb,utm.source:lavasoft,utm.campaign:GG_NA"" | C:\Windows\system32\cmd.exe | — | GenericSetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2480 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
3 213
Read events
3 005
Write events
205
Delete events
3
Modification events
| (PID) Process: | (2772) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (2772) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (2772) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: | |||
| (PID) Process: | (2772) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: 01000000 | |||
| (PID) Process: | (2772) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (3016) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | write | Name: | 2772-13214068039039750 |
Value: 259 | |||
| (PID) Process: | (2772) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | dr |
Value: 1 | |||
| (PID) Process: | (2772) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome |
| Operation: | write | Name: | UsageStatsInSample |
Value: 0 | |||
| (PID) Process: | (2772) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | delete value | Name: | 1512-13197841398593750 |
Value: 0 | |||
| (PID) Process: | (2772) chrome.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} |
| Operation: | write | Name: | usagestats |
Value: 0 | |||
Executable files
9
Suspicious files
6
Text files
51
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\b6f9f53d-7fdb-486a-9c6b-52918cfa52db.tmp | — | |
MD5:— | SHA256:— | |||
| 2772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp | — | |
MD5:— | SHA256:— | |||
| 2772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text | |
MD5:— | SHA256:— | |||
| 2772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | |
MD5:— | SHA256:— | |||
| 2772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | text | |
MD5:— | SHA256:— | |||
| 2772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RFf48a8.TMP | text | |
MD5:— | SHA256:— | |||
| 2772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 | — | |
MD5:— | SHA256:— | |||
| 2772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RFf48a8.TMP | text | |
MD5:— | SHA256:— | |||
| 2772 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFf48a8.TMP | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
29
DNS requests
19
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3792 | GenericSetup.exe | GET | — | 185.26.182.112:80 | http://net.geo.opera.com/opera/stable/windows?utm_source=lavasoft&utm_medium=pb&utm_campaign=lavasoft | unknown | — | — | whitelisted |
3940 | 3esp1s42.404.exe | HEAD | 200 | 172.217.18.164:80 | http://www.google.com/ | US | — | — | malicious |
3792 | GenericSetup.exe | POST | 200 | 104.16.236.79:80 | http://sos.adaware.com/v1/bundle/list/?bundleId=FH002 | US | text | 4.92 Kb | whitelisted |
3792 | GenericSetup.exe | GET | 200 | 13.224.196.124:80 | http://download.enigmasoftware.com/spyhunter-free-download/lav/SpyHunter-Installer.exe | US | executable | 6.51 Mb | shared |
3792 | GenericSetup.exe | GET | 200 | 104.16.236.79:80 | http://sos.adaware.com/v1/offer/detail/?_id=5d8d164d96c8490007c55a6a | US | html | 62.1 Kb | whitelisted |
3792 | GenericSetup.exe | GET | 200 | 104.16.236.79:80 | http://sos.adaware.com/v1/offer/detail/?_id=5d8d164d96c8490007c55a5b | US | — | 121 Kb | whitelisted |
3940 | 3esp1s42.404.exe | GET | 200 | 52.222.168.57:80 | http://installer.enigmasoftware.com/log_collect.cfg | US | text | 78 b | shared |
3940 | 3esp1s42.404.exe | GET | 200 | 52.222.168.57:80 | http://installer.enigmasoftware.com/sh5/5.6.1.119/filelist.ecf | US | binary | 1.91 Kb | shared |
3940 | 3esp1s42.404.exe | GET | 200 | 52.222.168.57:80 | http://installer.enigmasoftware.com/sh5/latest.ecf | US | binary | 224 b | shared |
3940 | 3esp1s42.404.exe | GET | 200 | 52.222.168.57:80 | http://installer.enigmasoftware.com/sh5/5.6.1.119/setup.ecf | US | binary | 6.22 Kb | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3792 | GenericSetup.exe | 13.224.196.124:80 | download.enigmasoftware.com | — | US | suspicious |
3792 | GenericSetup.exe | 185.26.182.112:80 | net.geo.opera.com | Opera Software AS | — | malicious |
488 | chrome.exe | 104.16.236.79:443 | h2ocdn.adaware.com | Cloudflare Inc | US | shared |
488 | chrome.exe | 172.217.22.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
488 | chrome.exe | 172.217.22.45:443 | accounts.google.com | Google Inc. | US | whitelisted |
488 | chrome.exe | 172.217.18.164:443 | www.google.com | Google Inc. | US | whitelisted |
488 | chrome.exe | 172.217.18.3:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
488 | chrome.exe | 172.217.23.110:443 | sb-ssl.google.com | Google Inc. | US | whitelisted |
3792 | GenericSetup.exe | 104.16.236.79:443 | h2ocdn.adaware.com | Cloudflare Inc | US | shared |
3128 | nbpqs1sp.f3b.exe | 185.26.182.95:443 | autoupdate.geo.opera.com | Opera Software AS | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
h2ocdn.adaware.com |
| malicious |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com |
| malicious |
ssl.gstatic.com |
| whitelisted |
sb-ssl.google.com |
| whitelisted |
h2oapi.adaware.com |
| malicious |
flow.lavasoft.com |
| whitelisted |
sos.adaware.com |
| whitelisted |
download.enigmasoftware.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2332 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
3792 | GenericSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3792 | GenericSetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3792 | GenericSetup.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3792 | GenericSetup.exe | Potentially Bad Traffic | ET POLICY Executable served from Amazon S3 |
3792 | GenericSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3792 | GenericSetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
Process | Message |
|---|---|
GenericSetup.exe | Error: File not found - h2osciter:console.tis
|
GenericSetup.exe | at sciter:init-script.tis
|
GenericSetup.exe | |
GenericSetup.exe | |
GenericSetup.exe | at sciter:init-script.tis
|
GenericSetup.exe | at sciter:init-script.tis
|
GenericSetup.exe | |
GenericSetup.exe | |
GenericSetup.exe | at @113@41.@127@92 (file:resources/OfferPage.tis(137))
|
GenericSetup.exe | at @113@41.@127@92 (file:resources/OfferPage.tis(137))
|