URL: https://www.safer-networking.org/products/spybot-free-edition/download-mirror-1/

Full analysis: https://app.any.run/tasks/87bb12eb-85f5-4aa1-ad50-85d512813177
Verdict: Malicious activity
Threats:
Tag: loader

A loader is malicious software that infiltrates devices to deliver malicious payloads. Such malware infects a victim's computer, collects system information and installs further threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable, and loaders use evasion and persistence techniques to avoid detection. This paragraph is the generic description attached to the "loader" tag, not a finding specific to this sample: whether it applies has to be judged from the process, file and network details below (the submitted URL is the vendor's own download page, and the installer and service executables carry the company name Safer-Networking Ltd.), and the service's own disclaimer states that it does not guarantee the maliciousness or safety of the content.

Analysis date: May 07, 2020, 21:46:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: BCF70F11BA63737FE7329E43AE39A214
SHA1: 4E28E6903ABDFF514BE30C4A8AE76BA2A3A5160B
SHA256: F06F9C0894FC0612E387819931D9283DAA10754C3A1729B0A29A7B6D9941A29D
SSDEEP: 3:N8DSLK24oxRWNVRtABMRjIMn:2OLHjRWNVRtA6R0M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
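The hash indicators above are the only way to confirm that a file in your own environment is the object this report describes. The following is an added example written for this page, not ANY.RUN code or Safer-Networking tooling: it streams a local file through MD5, SHA1 and SHA256, compares each against the report values, and treats only the SHA256 match as proof of identity (MD5 and SHA1 are kept for catching copy-paste errors in indicator lists, not for trust). The ssdeep value cannot be recomputed with the standard library; comparing it requires the third-party ssdeep module, which this block deliberately does not depend on. The path to check is assumed to come from the command line.

```python
"""Verify a local file against the hash indicators published in the report.

Added example (not part of the ANY.RUN report or Safer-Networking's own
tooling). The file to check is supplied on the command line (assumption);
the SSDEEP indicator is listed for completeness but is not recomputed.
"""
import hashlib
import sys

# Indicators copied from the report header.
REPORT_INDICATORS = {
    "md5": "BCF70F11BA63737FE7329E43AE39A214",
    "sha1": "4E28E6903ABDFF514BE30C4A8AE76BA2A3A5160B",
    "sha256": "F06F9C0894FC0612E387819931D9283DAA10754C3A1729B0A29A7B6D9941A29D",
    "ssdeep": "3:N8DSLK24oxRWNVRtABMRjIMn:2OLHjRWNVRtA6R0M",  # needs the ssdeep module to compare
}


def digest_bytes(data: bytes) -> dict:
    """Upper-case hex MD5, SHA1 and SHA256 of an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all three hash functions at once, so a 60+ MB
    installer does not have to be read into memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def match_indicators(observed: dict, expected: dict = REPORT_INDICATORS) -> dict:
    """Per-algorithm comparison for every algorithm present in both dicts.

    Algorithms the caller did not compute (here: ssdeep) are skipped rather
    than reported as mismatches."""
    return {
        algo: observed[algo].upper() == value.upper()
        for algo, value in expected.items()
        if algo in observed
    }


def same_sample(observed: dict, expected: dict = REPORT_INDICATORS) -> bool:
    """Identity is decided by SHA256 alone; MD5 and SHA1 are collision-prone
    and an attacker can make a different file share either of them."""
    return match_indicators(observed, expected).get("sha256", False)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        observed = digest_file(path)
        verdict = "same sample" if same_sample(observed) else "different object"
        print(path, match_indicators(observed), verdict)
```

Run it as `python verify_hashes.py <file>`; a file that matches on MD5 but not on SHA256 should be treated as a different object, not as a partial match.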
  • MALICIOUS

    • Downloads executable files from the Internet

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Changes the autorun value in the registry

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Application was dropped or rewritten from another process

      • SDUpdSvc.exe (PID: 2412)
      • SDUpdate.exe (PID: 2116)
      • SDSpybotLab.exe (PID: 2072)
      • SDUpdate.exe (PID: 1784)
      • SDTray.exe (PID: 2696)
      • SDSpybotLab.exe (PID: 2700)
      • SDFSSvc.exe (PID: 1848)
      • spybotsd2-install-bdcore-update-2020a.exe (PID: 3896)
      • SDImmunize.exe (PID: 1356)
      • SDWelcome.exe (PID: 2640)
      • SDImmunize.exe (PID: 3292)
    • Actions looks like stealing of personal data

      • spybotsd-2.8.68.0.tmp (PID: 3024)
      • SDUpdSvc.exe (PID: 2412)
      • SDSpybotLab.exe (PID: 2700)
      • SDSpybotLab.exe (PID: 2072)
      • SDUpdate.exe (PID: 1784)
      • SDWelcome.exe (PID: 2640)
      • SDTray.exe (PID: 2696)
      • SDUpdate.exe (PID: 2116)
      • SDFSSvc.exe (PID: 1848)
      • SDImmunize.exe (PID: 3292)
    • Changes settings of System certificates

      • SDFSSvc.exe (PID: 1848)
      • SDTray.exe (PID: 2696)
    • Loads dropped or rewritten executable

      • SDUpdSvc.exe (PID: 2412)
      • SDUpdate.exe (PID: 2116)
      • SDUpdate.exe (PID: 1784)
      • SDFSSvc.exe (PID: 1848)
      • SDTray.exe (PID: 2696)
      • WerFault.exe (PID: 3156)
      • SDSpybotLab.exe (PID: 2072)
      • SDSpybotLab.exe (PID: 2700)
      • spybotsd2-install-bdcore-update-2020a.tmp (PID: 440)
      • SDImmunize.exe (PID: 3292)
      • SDWelcome.exe (PID: 2640)
    • Loads the Task Scheduler COM API

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Loads the Task Scheduler DLL interface

      • spybotsd-2.8.68.0.tmp (PID: 3024)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • spybotsd-2.8.68.0.exe (PID: 3016)
      • spybotsd-2.8.68.0.exe (PID: 3728)
      • spybotsd-2.8.68.0.tmp (PID: 3024)
      • SDUpdSvc.exe (PID: 2412)
      • spybotsd2-install-bdcore-update-2020a.tmp (PID: 440)
    • Reads the Windows organization settings

      • spybotsd-2.8.68.0.tmp (PID: 3024)
      • spybotsd2-install-bdcore-update-2020a.tmp (PID: 440)
    • Reads Internet Cache Settings

      • spybotsd-2.8.68.0.tmp (PID: 3024)
      • SDTray.exe (PID: 2696)
      • SDUpdate.exe (PID: 1784)
      • SDImmunize.exe (PID: 3292)
      • SDWelcome.exe (PID: 2640)
    • Creates files in the Windows directory

      • spybotsd-2.8.68.0.tmp (PID: 3024)
      • SDFSSvc.exe (PID: 1848)
      • SDUpdate.exe (PID: 2116)
      • SDUpdSvc.exe (PID: 2412)
      • spybotsd2-install-bdcore-update-2020a.exe (PID: 3896)
      • WerFault.exe (PID: 3156)
    • Creates executable files which already exist in Windows

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Creates files in the driver directory

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Creates or modifies windows services

      • spybotsd-2.8.68.0.tmp (PID: 3024)
      • SDTray.exe (PID: 2696)
      • SDUpdSvc.exe (PID: 2412)
    • Modifies the open verb of a shell class

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Creates COM task schedule object

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Reads Windows owner or organization settings

      • spybotsd-2.8.68.0.tmp (PID: 3024)
      • spybotsd2-install-bdcore-update-2020a.tmp (PID: 440)
    • Adds / modifies Windows certificates

      • SDTray.exe (PID: 2696)
      • SDFSSvc.exe (PID: 1848)
    • Executed as Windows Service

      • SDUpdSvc.exe (PID: 2412)
      • SDFSSvc.exe (PID: 1848)
    • Removes files from Windows directory

      • SDFSSvc.exe (PID: 1848)
      • SDUpdate.exe (PID: 2116)
      • SDUpdSvc.exe (PID: 2412)
      • WerFault.exe (PID: 3156)
      • spybotsd2-install-bdcore-update-2020a.tmp (PID: 440)
      • spybotsd2-install-bdcore-update-2020a.exe (PID: 3896)
    • Reads Environment values

      • SDTray.exe (PID: 2696)
      • spybotsd-2.8.68.0.tmp (PID: 3024)
      • SDFSSvc.exe (PID: 1848)
      • SDUpdate.exe (PID: 1784)
      • SDUpdate.exe (PID: 2116)
      • SDUpdSvc.exe (PID: 2412)
      • SDImmunize.exe (PID: 3292)
      • SDWelcome.exe (PID: 2640)
    • Creates files in the program directory

      • SDTray.exe (PID: 2696)
      • SDUpdSvc.exe (PID: 2412)
      • spybotsd2-install-bdcore-update-2020a.tmp (PID: 440)
      • WerFault.exe (PID: 3156)
      • SDImmunize.exe (PID: 3292)
    • Executed via Task Scheduler

      • SDUpdate.exe (PID: 2116)
    • Creates files in the user directory

      • SDUpdate.exe (PID: 1784)
      • SDWelcome.exe (PID: 2640)
      • SDImmunize.exe (PID: 3292)
    • Reads the cookies of Mozilla Firefox

      • SDImmunize.exe (PID: 3292)
  • INFO

    • Loads dropped or rewritten executable

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3448)
      • iexplore.exe (PID: 3336)
    • Creates files in the program directory

      • spybotsd-2.8.68.0.tmp (PID: 3024)
      • setup-signatures.exe (PID: 2728)
    • Application was dropped or rewritten from another process

      • spybotsd-2.8.68.0.tmp (PID: 3024)
      • spybotsd-2.8.68.0.tmp (PID: 2068)
      • setup-signatures.exe (PID: 2728)
    • Application launched itself

      • iexplore.exe (PID: 3448)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3448)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3336)
      • iexplore.exe (PID: 3448)
    • Creates files in the user directory

      • iexplore.exe (PID: 3448)
      • iexplore.exe (PID: 3336)
    • Creates a software uninstall entry

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Changes internet zones settings

      • iexplore.exe (PID: 3448)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3336)
    • Reads the hosts file

      • SDImmunize.exe (PID: 3292)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3448)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
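The signature list above is what drives the "Malicious activity" verdict, and reading it by hand hides two things: how the hits are distributed across the twenty monitored processes, and that the same signature is filed under different severities depending on which process triggered it ("Loads dropped or rewritten executable" and "Changes settings of System certificates" both appear under MALICIOUS for the Spybot processes and under INFO for iexplore.exe). The following is an added example, not ANY.RUN code: a parser for the list in exactly the indented-bullet layout used on this page, with a per-PID tally and a per-signature severity map. SAMPLE is an excerpt transcribed from the list above.

```python
"""Parse the report's behaviour-signature list into per-process records.

Added example, not ANY.RUN code. SAMPLE is an excerpt copied from the
signature list on this page in its original bullet layout; the parser
ignores blank lines and keys only on the bullet text.
"""
import re
from collections import defaultdict

SAMPLE = """\
  • MALICIOUS

    • Downloads executable files from the Internet

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Changes the autorun value in the registry

      • spybotsd-2.8.68.0.tmp (PID: 3024)
    • Changes settings of System certificates

      • SDFSSvc.exe (PID: 1848)
      • SDTray.exe (PID: 2696)
  • SUSPICIOUS

    • Executed as Windows Service

      • SDUpdSvc.exe (PID: 2412)
      • SDFSSvc.exe (PID: 1848)
  • INFO

    • Reads the hosts file

      • SDImmunize.exe (PID: 3292)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3448)
"""

BULLET = re.compile(r"^\s*•\s*(.*?)\s*$")
PROCESS = re.compile(r"^(.+?) \(PID: (\d+)\)$")
SEVERITIES = ("MALICIOUS", "SUSPICIOUS", "INFO")


def parse_signatures(text: str) -> list:
    """One record per process line: {severity, signature, process, pid}.

    A bullet whose text is a severity name opens a new severity block, a
    bullet matching 'name (PID: n)' is a process entry, anything else is a
    signature name under the current severity."""
    records = []
    severity = signature = None
    for line in text.splitlines():
        m = BULLET.match(line)
        if not m:
            continue  # blank or non-bullet line
        label = m.group(1)
        if label in SEVERITIES:
            severity, signature = label, None
            continue
        p = PROCESS.match(label)
        if p is None:
            signature = label
            continue
        if severity is None or signature is None:
            raise ValueError(f"process entry outside a signature block: {label!r}")
        records.append({"severity": severity, "signature": signature,
                        "process": p.group(1), "pid": int(p.group(2))})
    return records


def per_pid_summary(records: list) -> dict:
    """{pid: {"process": name, "MALICIOUS": n, "SUSPICIOUS": n, "INFO": n}}"""
    summary = {}
    for r in records:
        entry = summary.setdefault(r["pid"], {"process": r["process"], **{s: 0 for s in SEVERITIES}})
        entry[r["severity"]] += 1
    return summary


def severity_by_signature(records: list) -> dict:
    """Map each signature name to the sorted list of severities it was filed under.
    A signature listed under more than one severity was rated by the triggering
    process, which is why a flat count of 'malicious' hits is a weak signal."""
    out = defaultdict(set)
    for r in records:
        out[r["signature"]].add(r["severity"])
    return {name: sorted(sevs) for name, sevs in out.items()}


def rank_pids(records: list) -> list:
    """PIDs ordered by malicious hits, then suspicious hits, most first."""
    summary = per_pid_summary(records)
    return sorted(summary, key=lambda pid: (summary[pid]["MALICIOUS"], summary[pid]["SUSPICIOUS"]), reverse=True)


if __name__ == "__main__":
    recs = parse_signatures(SAMPLE)
    for pid in rank_pids(recs):
        print(pid, per_pid_summary(recs)[pid])
    print(severity_by_signature(recs))
```

Feeding the full list from this page into `parse_signatures` gives the per-process view the "Malicious processes: 18" counter summarises; `severity_by_signature` is the quicker way to spot which signatures only became "malicious" because of the process name attached to them.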
No Malware configuration.
No data.
All screenshots are available in the full report.
Total processes: 73
Monitored processes: 20
Malicious processes: 18
Suspicious processes: 0

Behavior graph

The interactive graph (click a process to see its details) is rendered only in the full report. Processes shown in the graph, in order: iexplore.exe, iexplore.exe, spybotsd-2.8.68.0.exe, spybotsd-2.8.68.0.tmp (no specs), spybotsd-2.8.68.0.exe, spybotsd-2.8.68.0.tmp, sdtray.exe, setup-signatures.exe (no specs), sdfssvc.exe, sdupdsvc.exe, sdupdate.exe, sdupdate.exe, sdspybotlab.exe, sdspybotlab.exe, werfault.exe (no specs), spybotsd2-install-bdcore-update-2020a.exe (no specs), spybotsd2-install-bdcore-update-2020a.tmp, sdwelcome.exe, sdimmunize.exe (no specs), sdimmunize.exe. Edges are labelled "start" or "drop and start".

Process information

PID 3448
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.safer-networking.org/products/spybot-free-edition/download-mirror-1/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID 3336
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3448 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID 3016
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\spybotsd-2.8.68.0.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\spybotsd-2.8.68.0.exe
Parent process: iexplore.exe
User: admin
Company: Safer-Networking Ltd.
Integrity Level: MEDIUM
Description: Spybot - Search & Destroy
Exit code: 0
Version: 2.8.68.0
Modules (images):
  • c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\6z2bcoul\spybotsd-2.8.68.0.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID 2068
CMD: "C:\Users\admin\AppData\Local\Temp\is-PQC3G.tmp\spybotsd-2.8.68.0.tmp" /SL5="$C024C,68440474,806912,C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\spybotsd-2.8.68.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-PQC3G.tmp\spybotsd-2.8.68.0.tmp
Parent process: spybotsd-2.8.68.0.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\is-pqc3g.tmp\spybotsd-2.8.68.0.tmp
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\mpr.dll
  • c:\windows\system32\comdlg32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID 3728
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\spybotsd-2.8.68.0.exe" /SPAWNWND=$60160 /NOTIFYWND=$C024C
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\spybotsd-2.8.68.0.exe
Parent process: spybotsd-2.8.68.0.tmp
User: admin
Company: Safer-Networking Ltd.
Integrity Level: HIGH
Description: Spybot - Search & Destroy
Exit code: 0
Version: 2.8.68.0
Modules (images):
  • c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\6z2bcoul\spybotsd-2.8.68.0.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID 3024
CMD: "C:\Users\admin\AppData\Local\Temp\is-Q3DLF.tmp\spybotsd-2.8.68.0.tmp" /SL5="$70164,68440474,806912,C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\spybotsd-2.8.68.0.exe" /SPAWNWND=$60160 /NOTIFYWND=$C024C
Path: C:\Users\admin\AppData\Local\Temp\is-Q3DLF.tmp\spybotsd-2.8.68.0.tmp
Parent process: spybotsd-2.8.68.0.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\is-q3dlf.tmp\spybotsd-2.8.68.0.tmp
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\mpr.dll
  • c:\windows\system32\comdlg32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID 2696
CMD: "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
Path: C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
Parent process: spybotsd-2.8.68.0.tmp
User: admin
Company: Safer-Networking Ltd.
Integrity Level: HIGH
Description: Spybot - Search & Destroy tray access
Version: 2.8.67.129
Modules (images):
  • c:\program files\spybot - search & destroy 2\sdtray.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID 2728
CMD: "C:\Users\admin\AppData\Local\Temp\is-R3M9E.tmp\setup-signatures.exe" /S /D=C:\Program Files\Spybot - Search & Destroy 2
Path: C:\Users\admin\AppData\Local\Temp\is-R3M9E.tmp\setup-signatures.exe
Parent process: spybotsd-2.8.68.0.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\is-r3m9e.tmp\setup-signatures.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\msvcrt.dll

PID 1848
CMD: "C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe"
Path: C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
Parent process: services.exe
User: SYSTEM
Company: Safer-Networking Ltd.
Integrity Level: SYSTEM
Description: Spybot 2 Scanner Service
Exit code: 0
Version: 2.8.68.220
Modules (images):
  • c:\program files\spybot - search & destroy 2\sdfssvc.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\spybot - search & destroy 2\rtl150.bpl
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID 2412
CMD: "C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe"
Path: C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
Parent process: services.exe
User: SYSTEM
Company: Safer-Networking Ltd.
Integrity Level: SYSTEM
Description: Spybot 2 Background Update Service
Version: 2.8.68.83
Modules (images):
  • c:\program files\spybot - search & destroy 2\sdupdsvc.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\spybot - search & destroy 2\rtl150.bpl
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
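The process table only names each parent; what a practitioner wants from it is the tree and, in particular, where the integrity level jumps. Here the chain runs from the download in Internet Explorer (MEDIUM) to the installer stub and its extracted .tmp (both MEDIUM), then to a second copy of the installer at HIGH integrity, which is the UAC elevation step, and finally to the two services started by services.exe as SYSTEM. The following is an added example, not ANY.RUN code: it reconstructs that tree and reports every parent-to-child edge on which integrity rises. The report does not give parent PIDs, so the PPID values are inferred from the parent names and the installer's own command-line handles (PID 3728 carries /NOTIFYWND=$C024C, the handle PID 2068 was started with); choosing 3448 rather than 3336 as the parent of 3016 is an assumption, and explorer.exe and services.exe are outside the monitored set, so their children are treated as roots.

```python
"""Rebuild the process tree from the Process information table and flag
integrity-level jumps between parent and child.

Added example, not ANY.RUN code. PPID values are inferred from the parent
names in the report and from the installer's command-line handles; the
parent of 3016 (3448 vs 3336, both named iexplore.exe) is an assumption.
"""
INTEGRITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}

# (pid, name, ppid, parent_name, integrity, user), transcribed from the report.
# ppid None means the parent is not among the monitored processes.
PROCESSES = [
    (3448, "iexplore.exe", None, "explorer.exe", "MEDIUM", "admin"),
    (3336, "iexplore.exe", 3448, "iexplore.exe", "LOW", "admin"),
    (3016, "spybotsd-2.8.68.0.exe", 3448, "iexplore.exe", "MEDIUM", "admin"),   # ppid assumed
    (2068, "spybotsd-2.8.68.0.tmp", 3016, "spybotsd-2.8.68.0.exe", "MEDIUM", "admin"),
    (3728, "spybotsd-2.8.68.0.exe", 2068, "spybotsd-2.8.68.0.tmp", "HIGH", "admin"),   # elevated relaunch
    (3024, "spybotsd-2.8.68.0.tmp", 3728, "spybotsd-2.8.68.0.exe", "HIGH", "admin"),
    (2696, "SDTray.exe", 3024, "spybotsd-2.8.68.0.tmp", "HIGH", "admin"),
    (2728, "setup-signatures.exe", 3024, "spybotsd-2.8.68.0.tmp", "HIGH", "admin"),
    (1848, "SDFSSvc.exe", None, "services.exe", "SYSTEM", "SYSTEM"),
    (2412, "SDUpdSvc.exe", None, "services.exe", "SYSTEM", "SYSTEM"),
]


def build_index(processes):
    """pid -> process dict."""
    return {p[0]: {"pid": p[0], "name": p[1], "ppid": p[2], "parent_name": p[3],
                   "integrity": p[4], "user": p[5]} for p in processes}


def children_of(index):
    """pid -> list of child pids, for parents that are themselves monitored."""
    kids = {pid: [] for pid in index}
    for proc in index.values():
        if proc["ppid"] in kids:
            kids[proc["ppid"]].append(proc["pid"])
    return kids


def elevation_edges(processes):
    """(ppid, pid) pairs where the child runs at a higher integrity level than its
    monitored parent. A MEDIUM -> HIGH edge is a UAC elevation that was accepted."""
    index = build_index(processes)
    edges = []
    for proc in index.values():
        parent = index.get(proc["ppid"])
        if parent and INTEGRITY_RANK[proc["integrity"]] > INTEGRITY_RANK[parent["integrity"]]:
            edges.append((parent["pid"], proc["pid"]))
    return sorted(edges)


def service_roots(processes):
    """PIDs whose parent is services.exe, i.e. processes started as Windows services."""
    return sorted(p[0] for p in processes if p[3] == "services.exe")


def render_tree(processes):
    """Indented text tree, one line per process, roots first in PID order."""
    index = build_index(processes)
    kids = children_of(index)
    lines = []

    def walk(pid, depth):
        proc = index[pid]
        lines.append(f"{'  ' * depth}{proc['name']} (PID {pid}, {proc['integrity']}, {proc['user']})")
        for child in sorted(kids[pid]):
            walk(child, depth + 1)

    for root in sorted(pid for pid, proc in index.items() if proc["ppid"] not in index):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    print("elevation edges:", elevation_edges(PROCESSES))
    print("service roots:", service_roots(PROCESSES))
```

On a real host the same check runs over a Sysmon or EDR process-creation log, where the parent PID and integrity level are recorded directly and nothing has to be inferred; the point of the edge list is that a single MEDIUM-to-HIGH transition inside an installer chain is expected, while one appearing under a browser or document reader is not.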
Total events: 9 569
Read events: 3 648
Write events: 4 192
Delete events: 1 729

Modification events

(PID 3448) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write, Name: NextCheckForUpdateLowDateTime, Value: 543499484

(PID 3448) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write, Name: NextCheckForUpdateHighDateTime, Value: 30811321

(PID 3448) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write, Name: CachePrefix, Value: (empty)

(PID 3448) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write, Name: CachePrefix, Value: Cookie:

(PID 3448) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write, Name: CachePrefix, Value: Visited:

(PID 3448) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write, Name: CompatibilityFlags, Value: 0

(PID 3448) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write, Name: ProxyEnable, Value: 0

(PID 3448) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write, Name: SavedLegacySettings, Value (binary):
46000000A1000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

(PID 3448) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: UNCAsIntranet, Value: 0

(PID 3448) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: AutoDetect, Value: 1
Executable files: 116
Suspicious files: 126
Text files: 164
Unknown types: 197

Dropped files

PID 3336, iexplore.exe
File: C:\Users\admin\AppData\Local\Temp\Low\Cab7240.tmp
Type, MD5, SHA256: not recorded in the report

PID 3336, iexplore.exe
File: C:\Users\admin\AppData\Local\Temp\Low\Tar7241.tmp
Type, MD5, SHA256: not recorded in the report

PID 3336, iexplore.exe
File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GCONS4CO.txt
Type, MD5, SHA256: not recorded in the report

PID 3336, iexplore.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Type: binary
MD5: 6FBA8471AEC42435C353B68912174BFF
SHA256: 287718F40E09600A354807B4C5DD4C3912F9C3222D126C5EEE30A588A2D059F8

PID 3336, iexplore.exe
File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\A4EHKMRF.txt
Type: text
MD5: 917BA80E03C92A40443328B5C6130F48
SHA256: 64345B7269450C91058D2AB4A6F32992814B020DC3E3831661903132F5A1D9B8

PID 3336, iexplore.exe
File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\style.1553000490[1].css
Type: text
MD5: 513064AB57FC81ED2C9AE3AC8B51C412
SHA256: 9186DAF4ED10EDB01AA2CEE10E9C1EF8BEDC62FBCC6F7C0FA9183351BAAED171

PID 3336, iexplore.exe
File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\frontend.1529135204[1].css
Type: text
MD5: 0E161E16D789BF14DDA632172D231FDD
SHA256: 7E57269BDD2CE18D1CFF1A6D1B8F64411DE43D165B66FE33BB3C1E72C350D0BC

PID 3336, iexplore.exe
File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\spybot3-shopboxes.1533722477[1].css
Type: text
MD5: AFAF1F290846D2614D3F89D53B7D908B
SHA256: 3A720498A50813C5996859C44E525C0C9C0BEAECCE404BFB294EE77FA4F84243

PID 3336, iexplore.exe
File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Type: der
MD5: 4FD63C454B64534FD35208E2098F34B7
SHA256: 2F53AEF6118DD563A8B3D22269DCE6DA81E4E80E34C455DA65DF89D0E5895DB8

PID 3336, iexplore.exe
File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\download-mirror-1[1].htm
Type: html
MD5: 9B4B369BA995BFD656239151AD1291AD
SHA256: DE329DD4035CADA34905509563F50C4E7437673E19ECB604673BF9CA0046A41E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 70
TCP/UDP connections: 98
DNS requests: 31
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3024 | spybotsd-2.8.68.0.tmp | GET | - | 95.217.7.90:80 | http://updates3.safer-networking.org/spybot1/spybotsd_includes.exe | DE | - | - | suspicious
3024 | spybotsd-2.8.68.0.tmp | GET | 302 | 167.114.117.64:80 | http://www.safer-networking.org/updallocator.php | CA | - | - | whitelisted
3024 | spybotsd-2.8.68.0.tmp | GET | 302 | 167.114.117.64:80 | http://www.safer-networking.org/updallocator.php | CA | - | - | whitelisted
2696 | SDTray.exe | GET | 304 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | - | - | whitelisted
3024 | spybotsd-2.8.68.0.tmp | GET | 200 | 128.199.58.66:80 | http://updates5.safer-networking.org/spybot1/spybotsd_includes.exe | NL | executable | 7.19 Mb | suspicious
3336 | iexplore.exe | GET | 200 | 2.16.186.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted
2696 | SDTray.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAb9%2BQOWA63qAArrPye7uhs%3D | US | der | 471 b | whitelisted
2696 | SDTray.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFDxAmS5JEAmWxO0Ue9OdQ9z7zPAQUFQASKxOYspkH7R7for5XDStnAs0CEAMBmgI6%2F1ixa9bV6uYX8GY%3D | US | der | 471 b | whitelisted
1848 | SDFSSvc.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D | US | der | 471 b | whitelisted
1848 | SDFSSvc.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAs%2F0y45skewnIBAVx1q0vM%3D | US | der | 471 b | whitelisted

A "-" marks a field the report leaves empty; the first updates3 request has no response recorded.
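The request log carries the one finding in this report that matters regardless of the verdict: the installer (PID 3024) pulls a 7.19 MB executable, spybotsd_includes.exe, from updates5.safer-networking.org over plain HTTP on port 80, after a first attempt against updates3 with no recorded response. That is what the two "ET POLICY PE EXE or DLL Windows file download HTTP" alerts in the Threats section are about, and it means the integrity of that download rests entirely on whatever signature check the installer performs afterwards, not on the transport. The following is an added example, not ANY.RUN code or the Emerging Threats rule logic: a small classifier run over the table above (transcribed into REQUESTS) that separates cleartext PE fetches from the OCSP lookups and the Windows root-certificate list update, both of which are served over HTTP by design because their payloads are signed.

```python
"""Flag executables fetched over cleartext HTTP in the report's request log.

Added example, not ANY.RUN code. REQUESTS is transcribed from the HTTP
requests table on this page (code None = no response recorded). The
classification rules are the editor's, not the Emerging Threats rule behind
the 'ET POLICY PE EXE or DLL Windows file download HTTP' alerts.
"""
from urllib.parse import urlsplit

PE_SUFFIXES = (".exe", ".dll", ".sys", ".ocx", ".scr")

REQUESTS = [
    {"pid": 3024, "process": "spybotsd-2.8.68.0.tmp", "code": None, "ip": "95.217.7.90:80",
     "url": "http://updates3.safer-networking.org/spybot1/spybotsd_includes.exe", "type": None},
    {"pid": 3024, "process": "spybotsd-2.8.68.0.tmp", "code": 302, "ip": "167.114.117.64:80",
     "url": "http://www.safer-networking.org/updallocator.php", "type": None},
    {"pid": 2696, "process": "SDTray.exe", "code": 304, "ip": "205.185.216.10:80",
     "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
     "type": None},
    {"pid": 3024, "process": "spybotsd-2.8.68.0.tmp", "code": 200, "ip": "128.199.58.66:80",
     "url": "http://updates5.safer-networking.org/spybot1/spybotsd_includes.exe", "type": "executable"},
    {"pid": 3336, "process": "iexplore.exe", "code": 200, "ip": "2.16.186.11:80",
     "url": "http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D",
     "type": "der"},
    {"pid": 1848, "process": "SDFSSvc.exe", "code": 200, "ip": "93.184.220.29:80",
     "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
     "type": "der"},
]


def is_ocsp(url: str) -> bool:
    """OCSP responders are expected over plain HTTP: the response is signed by the
    CA and the request carries no secret, so they are excluded from the check."""
    host = urlsplit(url).hostname or ""
    return "ocsp" in host.split(".")


def classify(req: dict) -> str:
    """'tls', 'ocsp', 'cleartext-other', 'cleartext-pe' or 'cleartext-pe-no-response'."""
    parts = urlsplit(req["url"])
    if parts.scheme != "http":
        return "tls"
    if is_ocsp(req["url"]):
        return "ocsp"
    looks_pe = req.get("type") == "executable" or parts.path.lower().endswith(PE_SUFFIXES)
    if not looks_pe:
        return "cleartext-other"   # e.g. the signed authroot CTL cabinet from windowsupdate.com
    return "cleartext-pe" if req.get("code") == 200 else "cleartext-pe-no-response"


def cleartext_pe_downloads(requests: list) -> dict:
    """{(pid, process): [(url, verdict), ...]} for every PE fetched, or attempted,
    over unencrypted HTTP. These are the transfers whose integrity depends only on
    a signature check performed after download."""
    hits = {}
    for req in requests:
        verdict = classify(req)
        if verdict.startswith("cleartext-pe"):
            hits.setdefault((req["pid"], req["process"]), []).append((req["url"], verdict))
    return hits


def report(requests: list) -> list:
    """Human-readable lines, one per flagged request."""
    lines = []
    for (pid, name), items in sorted(cleartext_pe_downloads(requests).items()):
        for url, verdict in items:
            lines.append(f"{name} (PID {pid}) {verdict}: {url}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(REQUESTS)))
```

The same classifier applied to a proxy or Zeek http.log would surface every updater on a fleet that still fetches code over port 80; the follow-up question for each hit is whether the downloader verifies an Authenticode signature (or a pinned hash) before executing what it fetched, which a sandbox report cannot answer on its own.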

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3448 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3336 | iexplore.exe | 104.111.228.123:443 | www.paypal.com | Akamai International B.V. | NL | unknown
3336 | iexplore.exe | 167.114.117.64:443 | www.safer-networking.org | OVH SAS | CA | unknown
3336 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3336 | iexplore.exe | 151.101.2.133:443 | www.paypalobjects.com | Fastly | US | malicious
3448 | iexplore.exe | 167.114.117.64:443 | www.safer-networking.org | OVH SAS | CA | unknown
3336 | iexplore.exe | 23.45.98.207:443 | t.paypal.com | Akamai International B.V. | NL | whitelisted
3336 | iexplore.exe | 163.172.168.58:443 | updates2.safer-networking.org | Online S.a.s. | FR | suspicious
3448 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3336 | iexplore.exe | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | - | whitelisted

The reputation column is a per-table heuristic rather than a verdict: www.paypalobjects.com is listed as malicious here but as whitelisted in the DNS table below, and the vendor's own download site is "unknown".

DNS requests

Domain
IP
Reputation
www.safer-networking.org
  • 167.114.117.64
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.paypalobjects.com
  • 151.101.2.133
  • 151.101.66.133
  • 151.101.130.133
  • 151.101.194.133
whitelisted
www.paypal.com
  • 104.111.228.123
whitelisted
t.paypal.com
  • 23.45.98.207
whitelisted
updates2.safer-networking.org
  • 163.172.168.58
suspicious
isrg.trustid.ocsp.identrust.com
  • 2.16.186.11
  • 2.16.186.35
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats (IDS alerts; the report attributes no PID or process to them)

Class | Message
Potentially Bad Traffic | ET INFO TLS Handshake Failure
Potentially Bad Traffic | ET INFO TLS Handshake Failure
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Debug output

Process | Message
SDTray.exe | C:\Program Files\Spybot - Search & Destroy 2\SDLicense.dll: GetCodeSignatureIssuerPE: -1
SDTray.exe | TMemoryMappedFileBase: Handle created, (4 times)
SDUpdSvc.exe | TMemoryMappedFileBase: Handle created, (5 times)