| File name: | PROD_Start_DriverPack.hta.zip |
| Full analysis: | https://app.any.run/tasks/5c3d0f40-2702-4301-bd04-d93c9866c2cd |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | April 30, 2024, 08:59:32 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | F9E5B8C4B36D9AD6E85D4D4B46D642C6 |
| SHA1: | 8D91D7BFE52A10EBC18680730A39490153D890CD |
| SHA256: | EB593312D7A731CF576CA065B5EF3EB44FBEF84C5BE6ED95D3C0E4FD896A116C |
| SSDEEP: | 24:JC+zC0IKLdOgZI6zgQDWKHrBR697HbT0E0baAFfQdCpddp:JCmHXocIwaK9ofybaA6CpN |
MALICIOUS
Downloads files via BITSADMIN.EXE
- cmd.exe (PID: 1284)
Bypass execution policy to execute commands
- powershell.exe (PID: 2684)
- powershell.exe (PID: 3100)
Changes powershell execution policy (Bypass)
- mshta.exe (PID: 4028)
- cmd.exe (PID: 3056)
Drops the executable file immediately after the start
- 7za.exe (PID: 2700)
- csc.exe (PID: 3068)
- mshta.exe (PID: 3136)
- aria2c.exe (PID: 2592)
Request from PowerShell that ran from MSHTA.EXE
- powershell.exe (PID: 2684)
Starts Visual C# compiler
- powershell.exe (PID: 3100)
Actions looks like stealing of personal data
- mshta.exe (PID: 3136)
SUSPICIOUS
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3980)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 1960)
- cmd.exe (PID: 1284)
- cmd.exe (PID: 856)
- cmd.exe (PID: 600)
- cmd.exe (PID: 2536)
- cmd.exe (PID: 2432)
- cmd.exe (PID: 2760)
- cmd.exe (PID: 2860)
- cmd.exe (PID: 3480)
- cmd.exe (PID: 3280)
- cmd.exe (PID: 3576)
- cmd.exe (PID: 3928)
- cmd.exe (PID: 2040)
- cmd.exe (PID: 3688)
- cmd.exe (PID: 3376)
- cmd.exe (PID: 3860)
- cmd.exe (PID: 2172)
- cmd.exe (PID: 2172)
- cmd.exe (PID: 372)
- cmd.exe (PID: 1960)
- cmd.exe (PID: 2640)
- cmd.exe (PID: 2188)
- cmd.exe (PID: 2416)
- cmd.exe (PID: 2504)
- cmd.exe (PID: 2544)
- cmd.exe (PID: 2828)
- cmd.exe (PID: 3008)
- cmd.exe (PID: 3084)
- cmd.exe (PID: 368)
- cmd.exe (PID: 3408)
- cmd.exe (PID: 3556)
- cmd.exe (PID: 3888)
- cmd.exe (PID: 3152)
- cmd.exe (PID: 3816)
- cmd.exe (PID: 3536)
- cmd.exe (PID: 2016)
- cmd.exe (PID: 3860)
- cmd.exe (PID: 3336)
- cmd.exe (PID: 3596)
- cmd.exe (PID: 3356)
- cmd.exe (PID: 1212)
- cmd.exe (PID: 2324)
- cmd.exe (PID: 2640)
- cmd.exe (PID: 2676)
- cmd.exe (PID: 972)
- cmd.exe (PID: 2416)
- cmd.exe (PID: 2544)
- cmd.exe (PID: 2948)
- cmd.exe (PID: 3052)
- cmd.exe (PID: 1248)
- cmd.exe (PID: 1412)
- cmd.exe (PID: 3264)
- cmd.exe (PID: 3252)
- cmd.exe (PID: 3808)
- cmd.exe (PID: 3944)
- cmd.exe (PID: 3824)
- cmd.exe (PID: 2116)
- cmd.exe (PID: 3040)
- cmd.exe (PID: 3664)
- cmd.exe (PID: 2628)
- cmd.exe (PID: 3780)
- cmd.exe (PID: 2256)
- cmd.exe (PID: 1008)
- cmd.exe (PID: 1028)
- cmd.exe (PID: 2988)
- cmd.exe (PID: 2868)
- cmd.exe (PID: 3068)
- cmd.exe (PID: 1568)
- cmd.exe (PID: 188)
- cmd.exe (PID: 2412)
- cmd.exe (PID: 2340)
- cmd.exe (PID: 1644)
- cmd.exe (PID: 1240)
- cmd.exe (PID: 3828)
- cmd.exe (PID: 3344)
- cmd.exe (PID: 3556)
- cmd.exe (PID: 3576)
- cmd.exe (PID: 820)
- cmd.exe (PID: 3784)
- cmd.exe (PID: 3336)
- cmd.exe (PID: 1588)
- cmd.exe (PID: 1072)
- cmd.exe (PID: 560)
- cmd.exe (PID: 960)
- cmd.exe (PID: 2380)
- cmd.exe (PID: 2368)
- cmd.exe (PID: 2376)
- cmd.exe (PID: 3732)
- cmd.exe (PID: 2984)
- cmd.exe (PID: 2360)
- cmd.exe (PID: 3176)
- cmd.exe (PID: 3016)
- cmd.exe (PID: 3832)
- cmd.exe (PID: 2024)
- cmd.exe (PID: 2032)
- cmd.exe (PID: 3072)
- cmd.exe (PID: 2936)
- cmd.exe (PID: 3472)
- cmd.exe (PID: 3772)
- cmd.exe (PID: 2476)
- cmd.exe (PID: 2468)
- cmd.exe (PID: 2560)
- cmd.exe (PID: 2712)
- cmd.exe (PID: 2400)
- cmd.exe (PID: 752)
- cmd.exe (PID: 3168)
- cmd.exe (PID: 3336)
- cmd.exe (PID: 2444)
- cmd.exe (PID: 2368)
- cmd.exe (PID: 2936)
- cmd.exe (PID: 3112)
- cmd.exe (PID: 3176)
- cmd.exe (PID: 3652)
- cmd.exe (PID: 2104)
- cmd.exe (PID: 3472)
- cmd.exe (PID: 960)
- cmd.exe (PID: 2376)
- cmd.exe (PID: 3916)
- cmd.exe (PID: 3168)
- cmd.exe (PID: 2328)
- cmd.exe (PID: 1472)
- cmd.exe (PID: 2620)
- cmd.exe (PID: 2016)
- cmd.exe (PID: 2024)
- cmd.exe (PID: 3704)
- cmd.exe (PID: 1976)
- cmd.exe (PID: 2380)
- cmd.exe (PID: 2992)
- cmd.exe (PID: 2852)
- cmd.exe (PID: 3072)
- cmd.exe (PID: 1568)
- cmd.exe (PID: 1008)
- cmd.exe (PID: 920)
- cmd.exe (PID: 3420)
- cmd.exe (PID: 3832)
- cmd.exe (PID: 1064)
- cmd.exe (PID: 3700)
- cmd.exe (PID: 3268)
- cmd.exe (PID: 3640)
- cmd.exe (PID: 3476)
- cmd.exe (PID: 3596)
- cmd.exe (PID: 2476)
- cmd.exe (PID: 2468)
- cmd.exe (PID: 2116)
- cmd.exe (PID: 3544)
- cmd.exe (PID: 3356)
Reads the Internet Settings
- mshta.exe (PID: 4028)
- powershell.exe (PID: 2256)
- powershell.exe (PID: 2684)
- cmd.exe (PID: 2384)
- mshta.exe (PID: 3380)
- mshta.exe (PID: 3136)
- WMIC.exe (PID: 3092)
Process requests binary or script from the Internet
- mshta.exe (PID: 4028)
- mshta.exe (PID: 3380)
- mshta.exe (PID: 3136)
Found strings related to reading or modifying Windows Defender settings
- mshta.exe (PID: 4028)
Query Microsoft Defender status
- mshta.exe (PID: 4028)
- cmd.exe (PID: 2232)
Cmdlet gets the status of antimalware software installed on the computer
- cmd.exe (PID: 2232)
Using PowerShell to operate with local accounts
- powershell.exe (PID: 2256)
Starts CMD.EXE for commands execution
- mshta.exe (PID: 4028)
- cmd.exe (PID: 2904)
- mshta.exe (PID: 3136)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2232)
- mshta.exe (PID: 4028)
- cmd.exe (PID: 3056)
Unusual connection from system programs
- powershell.exe (PID: 2684)
Probably download files using WebClient
- mshta.exe (PID: 4028)
Executable content was dropped or overwritten
- expand.exe (PID: 2564)
- 7za.exe (PID: 2700)
- csc.exe (PID: 3068)
- mshta.exe (PID: 3136)
- aria2c.exe (PID: 2592)
The executable file from the user directory is run by the CMD process
- 7za.exe (PID: 2700)
- driverpack-wget.exe (PID: 3528)
- driverpack-wget.exe (PID: 1064)
- driverpack-wget.exe (PID: 3908)
- driverpack-wget.exe (PID: 3668)
- driverpack-wget.exe (PID: 2712)
- driverpack-wget.exe (PID: 2656)
- driverpack-wget.exe (PID: 2324)
- driverpack-wget.exe (PID: 2684)
- driverpack-wget.exe (PID: 2424)
- driverpack-wget.exe (PID: 1200)
- driverpack-wget.exe (PID: 2816)
- driverpack-wget.exe (PID: 2876)
- driverpack-wget.exe (PID: 2628)
- driverpack-wget.exe (PID: 1292)
- driverpack-wget.exe (PID: 3760)
- driverpack-wget.exe (PID: 2516)
- driverpack-wget.exe (PID: 2708)
- driverpack-wget.exe (PID: 2872)
- driverpack-wget.exe (PID: 1960)
- driverpack-wget.exe (PID: 3800)
- driverpack-wget.exe (PID: 2320)
- driverpack-wget.exe (PID: 2040)
- driverpack-wget.exe (PID: 2416)
- driverpack-wget.exe (PID: 116)
- driverpack-wget.exe (PID: 1868)
- driverpack-wget.exe (PID: 3732)
- driverpack-wget.exe (PID: 3724)
- driverpack-wget.exe (PID: 3464)
- driverpack-wget.exe (PID: 3844)
- driverpack-wget.exe (PID: 2876)
- driverpack-wget.exe (PID: 3908)
- driverpack-wget.exe (PID: 3388)
- driverpack-wget.exe (PID: 2204)
- driverpack-wget.exe (PID: 3656)
- driverpack-wget.exe (PID: 368)
- driverpack-wget.exe (PID: 2468)
- driverpack-wget.exe (PID: 3568)
- driverpack-wget.exe (PID: 3832)
- driverpack-wget.exe (PID: 3328)
- driverpack-wget.exe (PID: 3504)
- driverpack-wget.exe (PID: 952)
- driverpack-wget.exe (PID: 2632)
- driverpack-wget.exe (PID: 3228)
- driverpack-wget.exe (PID: 3216)
- driverpack-wget.exe (PID: 1996)
- driverpack-wget.exe (PID: 3656)
- aria2c.exe (PID: 2820)
- aria2c.exe (PID: 2080)
- driverpack-wget.exe (PID: 4012)
- aria2c.exe (PID: 3152)
- driverpack-wget.exe (PID: 3708)
- aria2c.exe (PID: 2592)
- aria2c.exe (PID: 2632)
- driverpack-wget.exe (PID: 2160)
- driverpack-wget.exe (PID: 116)
- driverpack-wget.exe (PID: 4092)
- driverpack-wget.exe (PID: 916)
- driverpack-wget.exe (PID: 3452)
- driverpack-wget.exe (PID: 4084)
- driverpack-wget.exe (PID: 2732)
- driverpack-wget.exe (PID: 2904)
- driverpack-wget.exe (PID: 3472)
- driverpack-wget.exe (PID: 3820)
- driverpack-wget.exe (PID: 2516)
- driverpack-wget.exe (PID: 1344)
- driverpack-wget.exe (PID: 3740)
- driverpack-wget.exe (PID: 2444)
- driverpack-wget.exe (PID: 2904)
- driverpack-wget.exe (PID: 2252)
- driverpack-wget.exe (PID: 2940)
Process drops legitimate windows executable
- 7za.exe (PID: 2700)
- mshta.exe (PID: 3136)
Drops 7-zip archiver for unpacking
- 7za.exe (PID: 2700)
- expand.exe (PID: 2564)
Executing commands from a ".bat" file
- mshta.exe (PID: 4028)
- cmd.exe (PID: 2904)
Application launched itself
- cmd.exe (PID: 2904)
- mshta.exe (PID: 4028)
The Powershell connects to the Internet
- powershell.exe (PID: 2684)
The process hide an interactive prompt from the user
- cmd.exe (PID: 3056)
Executing commands from ".cmd" file
- mshta.exe (PID: 3136)
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 3056)
Get information on the list of running processes
- cmd.exe (PID: 3056)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 3056)
The process hides Powershell's copyright startup banner
- cmd.exe (PID: 3056)
Uses RUNDLL32.EXE to load library
- mshta.exe (PID: 3136)
Adds/modifies Windows certificates
- mshta.exe (PID: 3136)
Uses .NET C# to load dll
- powershell.exe (PID: 3100)
Uses NETSH.EXE to delete a firewall rule or allowed programs
- cmd.exe (PID: 3892)
Uses NETSH.EXE to add a firewall rule or allowed programs
- cmd.exe (PID: 3940)
Changes internet zones settings
- mshta.exe (PID: 3136)
Starts application with an unusual extension
- cmd.exe (PID: 2472)
Uses NETSH.EXE to obtain data on the network
- cmd.exe (PID: 2472)
Starts SC.EXE for service management
- cmd.exe (PID: 1200)
Executes as Windows Service
- VSSVC.exe (PID: 1108)
Uses WMIC.EXE to obtain system information
- cmd.exe (PID: 3396)
Searches for installed software
- dllhost.exe (PID: 2304)
Potential Corporate Privacy Violation
- aria2c.exe (PID: 2080)
- aria2c.exe (PID: 2820)
- aria2c.exe (PID: 3152)
- aria2c.exe (PID: 2632)
- aria2c.exe (PID: 2592)
Access to an unwanted program domain was detected
- aria2c.exe (PID: 2820)
- aria2c.exe (PID: 2080)
- aria2c.exe (PID: 2592)
INFO
Reads Internet Explorer settings
- mshta.exe (PID: 4028)
- mshta.exe (PID: 3136)
- mshta.exe (PID: 3380)
Uses BITSADMIN.EXE
- cmd.exe (PID: 1960)
- cmd.exe (PID: 856)
- cmd.exe (PID: 2432)
- cmd.exe (PID: 2760)
- cmd.exe (PID: 2536)
- cmd.exe (PID: 2860)
- cmd.exe (PID: 600)
- cmd.exe (PID: 3280)
- cmd.exe (PID: 3480)
- cmd.exe (PID: 3928)
- cmd.exe (PID: 2040)
- cmd.exe (PID: 3688)
- cmd.exe (PID: 372)
- cmd.exe (PID: 3860)
- cmd.exe (PID: 2172)
- cmd.exe (PID: 3356)
- cmd.exe (PID: 1960)
- cmd.exe (PID: 2188)
- cmd.exe (PID: 2640)
- cmd.exe (PID: 2504)
- cmd.exe (PID: 2416)
- cmd.exe (PID: 2828)
- cmd.exe (PID: 2544)
- cmd.exe (PID: 3008)
- cmd.exe (PID: 3084)
- cmd.exe (PID: 368)
- cmd.exe (PID: 3408)
- cmd.exe (PID: 3556)
- cmd.exe (PID: 3888)
- cmd.exe (PID: 3816)
- cmd.exe (PID: 3536)
- cmd.exe (PID: 3152)
- cmd.exe (PID: 3336)
- cmd.exe (PID: 3596)
- cmd.exe (PID: 3860)
- cmd.exe (PID: 2172)
- cmd.exe (PID: 2016)
- cmd.exe (PID: 2324)
- cmd.exe (PID: 1212)
- cmd.exe (PID: 2640)
- cmd.exe (PID: 2676)
- cmd.exe (PID: 972)
- cmd.exe (PID: 2416)
- cmd.exe (PID: 2544)
- cmd.exe (PID: 2948)
- cmd.exe (PID: 3052)
- cmd.exe (PID: 3376)
- cmd.exe (PID: 1248)
- cmd.exe (PID: 1412)
- cmd.exe (PID: 3264)
- cmd.exe (PID: 3252)
- cmd.exe (PID: 3944)
- cmd.exe (PID: 3808)
- cmd.exe (PID: 3824)
- cmd.exe (PID: 2116)
- cmd.exe (PID: 3576)
- cmd.exe (PID: 3040)
- cmd.exe (PID: 2628)
- cmd.exe (PID: 2340)
- cmd.exe (PID: 1568)
- cmd.exe (PID: 1008)
- cmd.exe (PID: 2256)
- cmd.exe (PID: 2412)
- cmd.exe (PID: 3664)
- cmd.exe (PID: 3780)
- cmd.exe (PID: 1644)
- cmd.exe (PID: 1028)
- cmd.exe (PID: 2988)
- cmd.exe (PID: 2868)
- cmd.exe (PID: 3068)
- cmd.exe (PID: 188)
- cmd.exe (PID: 1240)
- cmd.exe (PID: 3556)
- cmd.exe (PID: 3576)
- cmd.exe (PID: 3344)
- cmd.exe (PID: 820)
- cmd.exe (PID: 3784)
- cmd.exe (PID: 3336)
- cmd.exe (PID: 1588)
- cmd.exe (PID: 3828)
- cmd.exe (PID: 560)
- cmd.exe (PID: 2360)
- cmd.exe (PID: 2380)
- cmd.exe (PID: 960)
- cmd.exe (PID: 2368)
- cmd.exe (PID: 2376)
- cmd.exe (PID: 3732)
- cmd.exe (PID: 2984)
- cmd.exe (PID: 1072)
- cmd.exe (PID: 3472)
- cmd.exe (PID: 2936)
- cmd.exe (PID: 3176)
- cmd.exe (PID: 3016)
- cmd.exe (PID: 2024)
- cmd.exe (PID: 3072)
- cmd.exe (PID: 3832)
- cmd.exe (PID: 2032)
- cmd.exe (PID: 2468)
- cmd.exe (PID: 3336)
- cmd.exe (PID: 2476)
- cmd.exe (PID: 2560)
- cmd.exe (PID: 2712)
- cmd.exe (PID: 960)
- cmd.exe (PID: 2400)
- cmd.exe (PID: 752)
- cmd.exe (PID: 3168)
- cmd.exe (PID: 3772)
- cmd.exe (PID: 2368)
- cmd.exe (PID: 2376)
- cmd.exe (PID: 3112)
- cmd.exe (PID: 2936)
- cmd.exe (PID: 3176)
- cmd.exe (PID: 3472)
- cmd.exe (PID: 3652)
- cmd.exe (PID: 2444)
- cmd.exe (PID: 2104)
- cmd.exe (PID: 2024)
- cmd.exe (PID: 3916)
- cmd.exe (PID: 3168)
- cmd.exe (PID: 2328)
- cmd.exe (PID: 1472)
- cmd.exe (PID: 2016)
- cmd.exe (PID: 2620)
- cmd.exe (PID: 3704)
- cmd.exe (PID: 1976)
- cmd.exe (PID: 2380)
- cmd.exe (PID: 2992)
- cmd.exe (PID: 3072)
- cmd.exe (PID: 3268)
- cmd.exe (PID: 1568)
- cmd.exe (PID: 1008)
- cmd.exe (PID: 920)
- cmd.exe (PID: 2852)
- cmd.exe (PID: 3420)
- cmd.exe (PID: 3476)
- cmd.exe (PID: 1064)
- cmd.exe (PID: 3700)
- cmd.exe (PID: 3640)
- cmd.exe (PID: 3832)
- cmd.exe (PID: 2476)
- cmd.exe (PID: 2468)
- cmd.exe (PID: 2116)
- cmd.exe (PID: 3544)
- cmd.exe (PID: 3356)
- cmd.exe (PID: 3596)
Checks proxy server information
- mshta.exe (PID: 4028)
- mshta.exe (PID: 3136)
- mshta.exe (PID: 3380)
Checks supported languages
- wmpnscfg.exe (PID: 2040)
- 7za.exe (PID: 2700)
- csc.exe (PID: 3068)
- cvtres.exe (PID: 368)
- driverpack-wget.exe (PID: 3908)
- driverpack-wget.exe (PID: 3668)
- driverpack-wget.exe (PID: 3528)
- driverpack-wget.exe (PID: 1064)
- driverpack-wget.exe (PID: 2816)
- driverpack-wget.exe (PID: 1200)
- driverpack-wget.exe (PID: 2712)
- driverpack-wget.exe (PID: 2324)
- driverpack-wget.exe (PID: 2656)
- driverpack-wget.exe (PID: 2424)
- driverpack-wget.exe (PID: 2684)
- driverpack-wget.exe (PID: 2876)
- driverpack-wget.exe (PID: 2628)
- driverpack-wget.exe (PID: 3760)
- driverpack-wget.exe (PID: 1292)
- driverpack-wget.exe (PID: 1960)
- driverpack-wget.exe (PID: 2708)
- driverpack-wget.exe (PID: 2516)
- driverpack-wget.exe (PID: 2872)
- driverpack-wget.exe (PID: 2416)
- driverpack-wget.exe (PID: 116)
- driverpack-wget.exe (PID: 3800)
- driverpack-wget.exe (PID: 2320)
- driverpack-wget.exe (PID: 3732)
- driverpack-wget.exe (PID: 1868)
- driverpack-wget.exe (PID: 2040)
- driverpack-wget.exe (PID: 3724)
- driverpack-wget.exe (PID: 3844)
- driverpack-wget.exe (PID: 2876)
- driverpack-wget.exe (PID: 3464)
- driverpack-wget.exe (PID: 3388)
- driverpack-wget.exe (PID: 2204)
- driverpack-wget.exe (PID: 3656)
- driverpack-wget.exe (PID: 3908)
- driverpack-7za.exe (PID: 3384)
- chcp.com (PID: 2328)
- driverpack-wget.exe (PID: 368)
- driverpack-wget.exe (PID: 2468)
- driverpack-wget.exe (PID: 3504)
- driverpack-wget.exe (PID: 3568)
- driverpack-wget.exe (PID: 3328)
- driverpack-wget.exe (PID: 3832)
- driverpack-wget.exe (PID: 952)
- driverpack-wget.exe (PID: 1996)
- driverpack-wget.exe (PID: 2632)
- driverpack-wget.exe (PID: 3656)
- aria2c.exe (PID: 2080)
- aria2c.exe (PID: 2820)
- driverpack-wget.exe (PID: 3216)
- driverpack-wget.exe (PID: 3228)
- aria2c.exe (PID: 3152)
- driverpack-wget.exe (PID: 4012)
- aria2c.exe (PID: 2632)
- driverpack-wget.exe (PID: 3708)
- aria2c.exe (PID: 2592)
- driverpack-wget.exe (PID: 116)
- driverpack-wget.exe (PID: 4092)
- driverpack-wget.exe (PID: 916)
- driverpack-wget.exe (PID: 3452)
- driverpack-wget.exe (PID: 4084)
- driverpack-wget.exe (PID: 2160)
- driverpack-wget.exe (PID: 3820)
- driverpack-wget.exe (PID: 2732)
- driverpack-wget.exe (PID: 3472)
- driverpack-wget.exe (PID: 2516)
- driverpack-wget.exe (PID: 2904)
- driverpack-wget.exe (PID: 1344)
- driverpack-wget.exe (PID: 2444)
- driverpack-wget.exe (PID: 3740)
- driverpack-wget.exe (PID: 2904)
- driverpack-wget.exe (PID: 2252)
- driverpack-wget.exe (PID: 2940)
Manual execution by a user
- wmpnscfg.exe (PID: 2040)
Reads the computer name
- wmpnscfg.exe (PID: 2040)
- 7za.exe (PID: 2700)
- driverpack-wget.exe (PID: 3908)
- driverpack-wget.exe (PID: 3668)
- driverpack-wget.exe (PID: 3528)
- driverpack-wget.exe (PID: 1064)
- driverpack-wget.exe (PID: 2816)
- driverpack-wget.exe (PID: 1200)
- driverpack-wget.exe (PID: 2324)
- driverpack-wget.exe (PID: 2712)
- driverpack-wget.exe (PID: 2656)
- driverpack-wget.exe (PID: 2684)
- driverpack-wget.exe (PID: 2424)
- driverpack-wget.exe (PID: 2876)
- driverpack-wget.exe (PID: 2628)
- driverpack-wget.exe (PID: 3760)
- driverpack-wget.exe (PID: 1292)
- driverpack-wget.exe (PID: 2516)
- driverpack-wget.exe (PID: 2708)
- driverpack-wget.exe (PID: 1960)
- driverpack-wget.exe (PID: 2872)
- driverpack-wget.exe (PID: 2416)
- driverpack-wget.exe (PID: 116)
- driverpack-wget.exe (PID: 2040)
- driverpack-wget.exe (PID: 1868)
- driverpack-wget.exe (PID: 3732)
- driverpack-wget.exe (PID: 3800)
- driverpack-wget.exe (PID: 2320)
- driverpack-wget.exe (PID: 3844)
- driverpack-wget.exe (PID: 3724)
- driverpack-wget.exe (PID: 3464)
- driverpack-wget.exe (PID: 2876)
- driverpack-wget.exe (PID: 3656)
- driverpack-wget.exe (PID: 3388)
- driverpack-wget.exe (PID: 3908)
- driverpack-7za.exe (PID: 3384)
- driverpack-wget.exe (PID: 2204)
- driverpack-wget.exe (PID: 368)
- driverpack-wget.exe (PID: 3568)
- driverpack-wget.exe (PID: 2468)
- driverpack-wget.exe (PID: 3832)
- driverpack-wget.exe (PID: 3504)
- driverpack-wget.exe (PID: 952)
- driverpack-wget.exe (PID: 2632)
- driverpack-wget.exe (PID: 1996)
- driverpack-wget.exe (PID: 3328)
- driverpack-wget.exe (PID: 3216)
- driverpack-wget.exe (PID: 3228)
- driverpack-wget.exe (PID: 3656)
- aria2c.exe (PID: 2080)
- aria2c.exe (PID: 2632)
- aria2c.exe (PID: 3152)
- aria2c.exe (PID: 2820)
- aria2c.exe (PID: 2592)
- driverpack-wget.exe (PID: 3708)
- driverpack-wget.exe (PID: 4012)
- driverpack-wget.exe (PID: 4092)
- driverpack-wget.exe (PID: 2160)
- driverpack-wget.exe (PID: 916)
- driverpack-wget.exe (PID: 116)
- driverpack-wget.exe (PID: 4084)
- driverpack-wget.exe (PID: 3820)
- driverpack-wget.exe (PID: 3452)
- driverpack-wget.exe (PID: 2732)
- driverpack-wget.exe (PID: 2516)
- driverpack-wget.exe (PID: 2904)
- driverpack-wget.exe (PID: 3472)
- driverpack-wget.exe (PID: 1344)
- driverpack-wget.exe (PID: 2444)
- driverpack-wget.exe (PID: 3740)
- driverpack-wget.exe (PID: 2252)
- driverpack-wget.exe (PID: 2904)
- driverpack-wget.exe (PID: 2940)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 2256)
Create files in a temporary directory
- expand.exe (PID: 2564)
- 7za.exe (PID: 2700)
- csc.exe (PID: 3068)
- cvtres.exe (PID: 368)
- driverpack-wget.exe (PID: 3528)
- driverpack-wget.exe (PID: 3668)
- driverpack-wget.exe (PID: 3908)
- driverpack-wget.exe (PID: 1064)
- driverpack-wget.exe (PID: 2816)
- driverpack-wget.exe (PID: 2712)
- driverpack-wget.exe (PID: 2656)
- driverpack-wget.exe (PID: 2324)
- driverpack-wget.exe (PID: 1200)
- driverpack-wget.exe (PID: 2424)
- driverpack-wget.exe (PID: 2684)
- driverpack-wget.exe (PID: 2876)
- driverpack-wget.exe (PID: 3760)
- driverpack-wget.exe (PID: 1292)
- driverpack-wget.exe (PID: 2516)
- driverpack-wget.exe (PID: 2628)
- driverpack-wget.exe (PID: 116)
- driverpack-wget.exe (PID: 2416)
- driverpack-wget.exe (PID: 2320)
- driverpack-wget.exe (PID: 3800)
- driverpack-wget.exe (PID: 2040)
- driverpack-wget.exe (PID: 1868)
- driverpack-wget.exe (PID: 3732)
- driverpack-wget.exe (PID: 3724)
- driverpack-wget.exe (PID: 3464)
- driverpack-wget.exe (PID: 3844)
- driverpack-wget.exe (PID: 3908)
- driverpack-wget.exe (PID: 3656)
- driverpack-wget.exe (PID: 2876)
- driverpack-wget.exe (PID: 3388)
- driverpack-wget.exe (PID: 2204)
- driverpack-wget.exe (PID: 3216)
- driverpack-wget.exe (PID: 3228)
- driverpack-wget.exe (PID: 3656)
- driverpack-wget.exe (PID: 3708)
- driverpack-wget.exe (PID: 4012)
- driverpack-wget.exe (PID: 116)
- driverpack-wget.exe (PID: 4092)
- driverpack-wget.exe (PID: 2160)
- driverpack-wget.exe (PID: 916)
- driverpack-wget.exe (PID: 3452)
- driverpack-wget.exe (PID: 4084)
- driverpack-wget.exe (PID: 3820)
- driverpack-wget.exe (PID: 2732)
- driverpack-wget.exe (PID: 2904)
- driverpack-wget.exe (PID: 2516)
- driverpack-wget.exe (PID: 1344)
- driverpack-wget.exe (PID: 3740)
- driverpack-wget.exe (PID: 3472)
- driverpack-wget.exe (PID: 2444)
Drops the executable file immediately after the start
- expand.exe (PID: 2564)
Reads the machine GUID from the registry
- cvtres.exe (PID: 368)
- csc.exe (PID: 3068)
- aria2c.exe (PID: 2820)
- aria2c.exe (PID: 2632)
- aria2c.exe (PID: 3152)
- aria2c.exe (PID: 2080)
- aria2c.exe (PID: 2592)
Creates files or folders in the user directory
- driverpack-wget.exe (PID: 3908)
- driverpack-wget.exe (PID: 3528)
- driverpack-wget.exe (PID: 3668)
- driverpack-wget.exe (PID: 1064)
- driverpack-wget.exe (PID: 1200)
- driverpack-wget.exe (PID: 2324)
- driverpack-wget.exe (PID: 2816)
- driverpack-wget.exe (PID: 2684)
- driverpack-wget.exe (PID: 2424)
- driverpack-wget.exe (PID: 2876)
- driverpack-wget.exe (PID: 2712)
- driverpack-wget.exe (PID: 2656)
- driverpack-wget.exe (PID: 2628)
- driverpack-wget.exe (PID: 1292)
- driverpack-wget.exe (PID: 3760)
- driverpack-wget.exe (PID: 1960)
- driverpack-wget.exe (PID: 2708)
- driverpack-wget.exe (PID: 2872)
- driverpack-wget.exe (PID: 2516)
- driverpack-wget.exe (PID: 2416)
- driverpack-wget.exe (PID: 116)
- driverpack-wget.exe (PID: 3800)
- driverpack-wget.exe (PID: 1868)
- driverpack-wget.exe (PID: 3732)
- driverpack-wget.exe (PID: 2320)
- driverpack-wget.exe (PID: 2040)
- driverpack-wget.exe (PID: 3464)
- driverpack-wget.exe (PID: 3724)
- driverpack-wget.exe (PID: 3844)
- driverpack-wget.exe (PID: 2876)
- driverpack-wget.exe (PID: 3656)
- driverpack-wget.exe (PID: 3388)
- driverpack-wget.exe (PID: 3908)
- driverpack-wget.exe (PID: 2204)
- driverpack-7za.exe (PID: 3384)
- driverpack-wget.exe (PID: 2468)
- driverpack-wget.exe (PID: 3568)
- driverpack-wget.exe (PID: 3832)
- driverpack-wget.exe (PID: 368)
- driverpack-wget.exe (PID: 3504)
- driverpack-wget.exe (PID: 952)
- driverpack-wget.exe (PID: 2632)
- driverpack-wget.exe (PID: 1996)
- driverpack-wget.exe (PID: 3328)
- driverpack-wget.exe (PID: 3216)
- driverpack-wget.exe (PID: 3228)
- driverpack-wget.exe (PID: 3656)
- driverpack-wget.exe (PID: 4012)
- driverpack-wget.exe (PID: 3708)
- aria2c.exe (PID: 2080)
- aria2c.exe (PID: 2820)
- aria2c.exe (PID: 2632)
- aria2c.exe (PID: 3152)
- aria2c.exe (PID: 2592)
- driverpack-wget.exe (PID: 4092)
- driverpack-wget.exe (PID: 116)
- driverpack-wget.exe (PID: 2160)
- driverpack-wget.exe (PID: 916)
- driverpack-wget.exe (PID: 3452)
- driverpack-wget.exe (PID: 3820)
- driverpack-wget.exe (PID: 2732)
- driverpack-wget.exe (PID: 4084)
- driverpack-wget.exe (PID: 1344)
- driverpack-wget.exe (PID: 2904)
- driverpack-wget.exe (PID: 3472)
- driverpack-wget.exe (PID: 2516)
- driverpack-wget.exe (PID: 3740)
- driverpack-wget.exe (PID: 2904)
- driverpack-wget.exe (PID: 2252)
- driverpack-wget.exe (PID: 2444)
- driverpack-wget.exe (PID: 2940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 788 |
|---|---|
| ZipBitFlag: | 0x0001 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:07:19 09:54:52 |
| ZipCRC: | 0x26c4cab9 |
| ZipCompressedSize: | 726 |
| ZipUncompressedSize: | 1672 |
| ZipFileName: | PROD_Start_DriverPack.hta |
Total processes
1 031
Monitored processes
758
Malicious processes
9
Suspicious processes
13
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 112 | findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 116 | findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 116 | "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROGRAMS_CHECKBOX_USED-1.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_54026.log" | C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\Tools\driverpack-wget.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 116 | "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ISTART_2.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_60480.log" | C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\Tools\driverpack-wget.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 124 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 188 | findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 188 | "C:\Windows\System32\cmd.exe" /c bitsadmin /info dwnl-task-55355 | findstr /V /C:"BITSADMIN version" /C:"BITS administration" /C:"(C) Copyright" /C:"BITSAdmin is deprecated" /C:"Administrative tools" | findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; > "C:\Users\admin\AppData\Local\Temp\dwnl_55355\log_bits_info.txt" | C:\Windows\System32\cmd.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 188 | bitsadmin /info dwnl-task-55355 | C:\Windows\System32\bitsadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: BITS administration utility Exit code: 0 Version: 7.5.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 284 | findstr /R /V "^f7f81a39-5f63-5b42-9efd-1f13b5431005quot; | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 284 | "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Users\admin\AppData\Local\Temp\beetle-cab\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-3.mp3" -o "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_log_53464.log" & echo DONE > "C:\Users\admin\AppData\Roaming\DRPSu\temp\wget_finished_53464.txt"" | C:\Windows\System32\cmd.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
86 646
Read events
85 548
Write events
1 070
Delete events
28
Modification events
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\PROD_Start_DriverPack.hta.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
15
Suspicious files
244
Text files
672
Unknown types
27
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4028 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\background[1].jpg | image | |
MD5:127D8C7FA37B2B4DEE77ADC97AA2BCC5 | SHA256:60FDC7731E194240FE1B586290AFD762793625A92E1BB21061B0B47628861160 | |||
| 4028 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\lang[1].js | html | |
MD5:3B196A2A5E0875A186EFA1A6101B775D | SHA256:B6EF0302FB7FE71577D6B6AFE104B4C890FC6419FB9A9C4EC359A0CC25EA8885 | |||
| 4028 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\style[1].css | text | |
MD5:CE40483E494B033AA4A204080ABB54DA | SHA256:1FC4501622BAFC4560C28442D01F708579F26AFBB88229328B2CE7E83A2D36A8 | |||
| 4028 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\step1_av[1].htm | html | |
MD5:1FAE5694001ACA3836F123E1A89AFD3D | SHA256:2240EF798569427F1B37E16BF630D7BD5E415F5835CA9FDF730E1F063721291B | |||
| 4028 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\missing-scripts-detector[1].js | text | |
MD5:5BB70933199563BD95A85E9D58D0920B | SHA256:915A03DDD5D887CE43185A21FD9927FFCFC6E8F373D80D6FB0BFE96E65C029CD | |||
| 4028 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3[1].js | text | |
MD5:CC9E168614A8D567352E24F970CA21E0 | SHA256:578820B83CD0244FFC068665C531A8C7D633F890A927A682A1708B84B7A08702 | |||
| 4028 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\script[1].js | txt | |
MD5:5E3199E1E9AB11EF8DB27BDC821ECCDC | SHA256:DDF24F928593CF87E0DB0744F8456761089140766A23768D9106BB73EFBD0515 | |||
| 4028 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\statistics[1].js | txt | |
MD5:0701E8CE6920DA0050B219769314E144 | SHA256:5D53ECD246441E19CD7B305749C822132476170938E5B7A673856B1FD29708BF | |||
| 4028 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\client_ip[1].js | text | |
MD5:5601827A7705D94AED6F08CA8D7D194D | SHA256:04C97CF8C7C2D5040513065A27A0DBC86E5E927179AFB50135B58D8B0BBBF3F6 | |||
| 4028 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\1[1].js | text | |
MD5:B2AEEF062DB55284085A863B0FCF48A5 | SHA256:C79C9F0F44CA9EF9E84346BB88C12187C3F0DDE18F6C8FA83A54D1D89CBB0CB7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
560
TCP/UDP connections
194
DNS requests
42
Threats
348
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4028 | mshta.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/step1_av.html | unknown | — | — | unknown |
4028 | mshta.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/src/lang.js | unknown | — | — | unknown |
4028 | mshta.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/src/script.js | unknown | — | — | unknown |
4028 | mshta.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/src/statistics.js | unknown | — | — | unknown |
4028 | mshta.exe | GET | 200 | 18.195.235.189:80 | http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=78452218&apiv=1&cookie=1&bots=1&res=1280x720&h=10&m=2&s=9&uid=181214173612024430&action_name=Wrapper%20%2F%20Start%20screen%20page&url=https%3A%2F%2Fmy-domain.com%2Fstart_screen.html | unknown | — | — | unknown |
4028 | mshta.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/img/background.jpg | unknown | — | — | unknown |
4028 | mshta.exe | GET | 200 | 46.137.15.86:80 | http://dwrapper-prod.herokuapp.com/bin/src/variables/2.js | unknown | — | — | unknown |
4028 | mshta.exe | GET | 200 | 18.195.235.189:80 | http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=63943954&apiv=1&cookie=1&bots=1&res=1280x720&h=10&m=2&s=15&uid=181214173612024430&e_c=Wrapper%20%2F%20Start%20screen%20page&e_a=Download%20button%20clicked&e_n=Start%20screen%20page&e_v=&ca=1 | unknown | — | — | unknown |
4028 | mshta.exe | GET | 200 | 18.195.235.189:80 | http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=57305122&apiv=1&cookie=1&bots=1&res=1280x720&h=10&m=2&s=10&uid=181214173612024430&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C&e_n=&e_v=&ca=1 | unknown | — | — | unknown |
4028 | mshta.exe | GET | 200 | 18.195.235.189:80 | http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=13797599&apiv=1&cookie=1&bots=1&res=1280x720&h=10&m=2&s=21&uid=181214173612024430&e_c=Wrapper%20%2F%20Start%20screen%20page&e_a=Download%20button%20clicked&e_n=Start%20screen%20page&e_v=&ca=1 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4028 | mshta.exe | 46.137.15.86:80 | dwrapper-prod.herokuapp.com | AMAZON-02 | IE | unknown |
4028 | mshta.exe | 18.195.235.189:80 | exampledd.matomo.cloud | AMAZON-02 | DE | unknown |
1852 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
884 | svchost.exe | 54.73.53.134:80 | dwrapper-prod.herokuapp.com | AMAZON-02 | IE | unknown |
2684 | powershell.exe | 46.137.15.86:80 | dwrapper-prod.herokuapp.com | AMAZON-02 | IE | unknown |
3136 | mshta.exe | 87.117.235.115:80 | auth.drp.su | Iomart Cloud Services Limited | GB | unknown |
3136 | mshta.exe | 37.9.8.75:80 | update.drp.su | OOO Network of data-centers Selectel | RU | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
dwrapper-prod.herokuapp.com |
| unknown |
exampledd.matomo.cloud |
| unknown |
dwrapper-dev.herokuapp.com |
| unknown |
auth.drp.su |
| unknown |
mc.yandex.ru |
| whitelisted |
update.drp.su |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.globalsign.com |
| whitelisted |
ocsp2.globalsign.com |
| whitelisted |
mc.yandex.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell |
— | — | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell |
— | — | Potentially Bad Traffic | ET HUNTING PowerShell DownloadFile Command Common In Powershell Stagers |
1088 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query |
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su) |
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP DriverPack Domain in DNS Query |
1088 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
1088 | svchost.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su) |
3136 | mshta.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
7 ETPRO signatures available at the full report