Malware analysis spyhunterS.exe Malicious activity | ANY.RUN

Add for printing

File name:	spyhunterS.exe
Full analysis:	https://app.any.run/tasks/d9978500-c325-4b18-b48c-6f164bd91336
Verdict:	Malicious activity
Analysis date:	August 12, 2024, 14:53:18
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, WISE installer self-extracting archive
MD5:	C5129AAED888B5A223A2425464F371FA
SHA1:	2B5689118AF2DC8BF0DF097E01E138336C774C34
SHA256:	E991ECE0625C04C7A7B9753F76CC80A269C1860C809E856376C545419CB5D6DE
SSDEEP:	98304:NfHO/FzEhrbouPvsiau9ur8v8u6TVaevzm8eO4Rp0bPQ7UzGKYHGLvKmzhKBQ7nw:gkCVbZBhDYZhHuDcjtPVUjZ29qNG3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Uses Task Scheduler to autorun other applications
  - WiseCustomCalla11.exe (PID: 7480)
SUSPICIOUS
- Drops the executable file immediately after the start
  - spyhunterS.exe (PID: 6548)
  - msiexec.exe (PID: 6808)
  - msiexec.exe (PID: 232)
  - WiseCustomCalla.exe (PID: 7268)
  - WiseCustomCalla3.exe (PID: 7188)
  - msiexec.exe (PID: 6724)
  - WiseCustomCalla2.exe (PID: 7396)
  - WiseCustomCalla4.exe (PID: 7428)
  - ESGRKCHK.exe (PID: 7580)
  - WiseCustomCalla11.exe (PID: 7480)
- Reads security settings of Internet Explorer
  - spyhunterS.exe (PID: 6548)
- Reads the date of Windows installation
  - spyhunterS.exe (PID: 6548)
- Executes as Windows Service
  - VSSVC.exe (PID: 7040)
  - SH4Service.exe (PID: 7704)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 6724)
- Executable content was dropped or overwritten
  - WiseCustomCalla3.exe (PID: 7188)
  - WiseCustomCalla.exe (PID: 7268)
  - WiseCustomCalla2.exe (PID: 7396)
  - WiseCustomCalla4.exe (PID: 7428)
  - WiseCustomCalla11.exe (PID: 7480)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 7316)
- Drops a system driver (possible attempt to evade defenses)
  - msiexec.exe (PID: 6724)
INFO
- Creates files in the program directory
  - spyhunterS.exe (PID: 6548)
- Reads the computer name
  - msiexec.exe (PID: 6724)
  - msiexec.exe (PID: 6808)
  - spyhunterS.exe (PID: 6548)
  - msiexec.exe (PID: 232)
  - WiseCustomCalla3.exe (PID: 7188)
- Process checks computer location settings
  - spyhunterS.exe (PID: 6548)
- Checks supported languages
  - msiexec.exe (PID: 6724)
  - msiexec.exe (PID: 6808)
  - spyhunterS.exe (PID: 6548)
  - msiexec.exe (PID: 232)
  - WiseCustomCalla3.exe (PID: 7188)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6808)
  - msiexec.exe (PID: 6608)
  - msiexec.exe (PID: 6724)
  - msiexec.exe (PID: 232)
- Reads Environment values
  - msiexec.exe (PID: 6808)
- Create files in a temporary directory
  - WiseCustomCalla3.exe (PID: 7188)
- Starts application with an unusual extension
  - msiexec.exe (PID: 6724)
- Application launched itself
  - msedge.exe (PID: 7804)
  - msedge.exe (PID: 8164)
- Manual execution by a user
  - msedge.exe (PID: 8164)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (36.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.6)
.exe	\|	Win64 Executable (generic) (23.6)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2007:11:20 21:52:34+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	7.1
CodeSize:	25088
InitializedDataSize:	15365632
UninitializedDataSize:	-
EntryPoint:	0x4387
OSVersion:	4
ImageVersion:	4
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	4.1.11.0
ProductVersionNumber:	7.3.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows 16-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Enigma Software Group USA, LLC
FileDescription:	SpyHunter
FileVersion:	4.1.11
LegalCopyright:	Enigma Software Group USA, LLC

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

193

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

232

C:\Windows\syswow64\MsiExec.exe -Embedding CF7791A9B5C5673EB314983BE8440222

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

1124

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2088

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x290,0x294,0x298,0x288,0x2a0,0x7fffd3e25fd8,0x7fffd3e25fe4,0x7fffd3e25ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

3144

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6380 --field-trial-handle=2200,i,15030865037837330616,4289547944214208495,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

4004

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6388 --field-trial-handle=2200,i,15030865037837330616,4289547944214208495,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

4132

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6208 --field-trial-handle=2200,i,15030865037837330616,4289547944214208495,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

Version:

122.0.2365.59

4192

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6472 --field-trial-handle=2200,i,15030865037837330616,4289547944214208495,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

4192

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7020 --field-trial-handle=2200,i,15030865037837330616,4289547944214208495,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

6240

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

3221226029

Version:

122.0.2365.59

6384

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6672 --field-trial-handle=2200,i,15030865037837330616,4289547944214208495,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Add for printing

Total events

5 652

Read events

5 471

Write events

170

Delete events

Modification events


(PID) Process:	(6548) spyhunterS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	WiseStubReboot
Value:
(PID) Process:	(6548) spyhunterS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6548) spyhunterS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6548) spyhunterS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6548) spyhunterS.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6608) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib
Operation:	write	Name:	Version
Value: 1.1
(PID) Process:	(6608) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib
Operation:	write	Name:	Version
Value: 1.1
(PID) Process:	(6608) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Volatile\00\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
Operation:	write	Name:	Version
Value: 1.1
(PID) Process:	(6608) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Volatile\00\MACHINE\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
Operation:	write	Name:	Version
Value: 1.1
(PID) Process:	(6808) msiexec.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation:	write	Name:	JITDebug
Value: 0

Add for printing

Executable files

Suspicious files

115

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6548	spyhunterS.exe	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS4FC9DA9DF608454E8191D7EFFDCC5726_4_1_11.MSI		—
		MD5:—	SHA256:—
6724	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
6724	msiexec.exe	C:\Windows\Installer\ec30d.msi		—
		MD5:—	SHA256:—
6808	msiexec.exe	C:\Windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla2.dll		executable
		MD5:1323278BD7A10B2C26361CC2DF475A9A	SHA256:81228317F4219EF77541A909969247A866A1CA695FFA6AD2157050062CD6D963
6608	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI6B19.tmp		executable
		MD5:B85F937B14379CA00D8E59B59925602C	SHA256:6D1A4B6C2DE4A48CE03C511820A3705C58458C14FD822F2BD019DCB9762385A4
6724	msiexec.exe	C:\Windows\Installer\MSIC407.tmp		executable
		MD5:53BFC64D0C686AD04E92CA884BCFACF6	SHA256:84FD0ECBE013C9AF8649B8DE36807AD2F37D33CD85FB9EBD1B01B59F295A8051
6724	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:12D9D5A3CCB66A11A661ACF920FB16C1	SHA256:C430F6FCB36BC5357D7781D371599B7444F6289A2186E8EBE485666B9AE7B72F
6808	msiexec.exe	C:\Windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP\WiseCustomCalla11.dll		executable
		MD5:EE2BBFA13ABF5DA559FD7753CEC411AF	SHA256:C8B047064AE97F71248A37A99414AE2982B105CAB3219A826E1500E648B0964E
6724	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{7c9514a7-8d15-42e1-aa8c-5f32be84ae40}_OnDiskSnapshotProp		binary
		MD5:12D9D5A3CCB66A11A661ACF920FB16C1	SHA256:C430F6FCB36BC5357D7781D371599B7444F6289A2186E8EBE485666B9AE7B72F
6608	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI6BA7.tmp		executable
		MD5:D9D9718000704053E7325752829BD5C9	SHA256:80CAAEFDA1B2CEDA08E27CDFA2A579A2EE9F225A3ED436447F402A67D9FA91C3

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

145

DNS requests

152

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3376	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6272	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6412	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3028	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1536	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
5336	SearchApp.exe	184.86.251.16:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3376	svchost.exe	40.126.31.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3376	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	172.217.18.14	whitelisted
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59 51.124.78.146	whitelisted
www.bing.com	184.86.251.16 184.86.251.25 184.86.251.24 184.86.251.20 184.86.251.21 184.86.251.26 184.86.251.8 184.86.251.28 184.86.251.30 104.126.37.178 104.126.37.186 104.126.37.130 104.126.37.176 104.126.37.171 104.126.37.170 104.126.37.177 104.126.37.163 104.126.37.128	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.67 20.190.159.0 20.190.159.68 40.126.31.69 20.190.159.75 20.190.159.4 20.190.159.71 20.190.159.23	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
th.bing.com	184.86.251.16 184.86.251.25 184.86.251.24 184.86.251.21 184.86.251.26 184.86.251.11 184.86.251.9 184.86.251.28 184.86.251.20	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted
arc.msn.com	20.103.156.88	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted

Threats

No threats detected

Add for printing

Process	Message
msiexec.exe	UpgradeCheck: Begin...
msiexec.exe	UpgradeCheck: ...End

General Info

spyhunterS.exe

C5129AAED888B5A223A2425464F371FA

2B5689118AF2DC8BF0DF097E01E138336C774C34

E991ECE0625C04C7A7B9753F76CC80A269C1860C809E856376C545419CB5D6DE

98304:NfHO/FzEhrbouPvsiau9ur8v8u6TVaevzm8eO4Rp0bPQ7UzGKYHGLvKmzhKBQ7nw:gkCVbZBhDYZhHuDcjtPVUjZ29qNG3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to autorun other applications

SUSPICIOUS

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Reads the date of Windows installation

Executes as Windows Service

Reads the Windows owner or organization settings

Executable content was dropped or overwritten

Deletes scheduled task without confirmation

Drops a system driver (possible attempt to evade defenses)

INFO

Creates files in the program directory

Reads the computer name

Process checks computer location settings

Checks supported languages

Executable content was dropped or overwritten

Reads Environment values

Create files in a temporary directory

Starts application with an unusual extension

Application launched itself

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings