| File name: | eyeBeam.exe |
| Full analysis: | https://app.any.run/tasks/328cdf93-6397-40f1-aaa4-c2edfb7c6b41 |
| Verdict: | Malicious activity |
| Analysis date: | December 06, 2023, 10:48:06 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 4C316518A39D0C4E6FCB38118459B8A7 |
| SHA1: | 73108AF94BFFB9FEB51A7B6347CB6D5EDB742897 |
| SHA256: | FF9003FBE397722FE8CC33DE05A1AE1A6ADB447C313F6DC0E3C07B6532D19857 |
| SSDEEP: | 98304:GDx9EJiIGq0iHMwumO6izjFkCpUFhMISYWyInz62oiTX9OO5YwLcNemrLqLNbnlR:qhB78W4QBGSQK |
MALICIOUS
Drops the executable file immediately after the start
- eyeBeam.exe (PID: 1344)
- is-TDGVI.tmp (PID: 2600)
SUSPICIOUS
Process drops legitimate windows executable
- is-TDGVI.tmp (PID: 2600)
Reads the Windows owner or organization settings
- is-TDGVI.tmp (PID: 2600)
The process drops C-runtime libraries
- is-TDGVI.tmp (PID: 2600)
Creates/Modifies COM task schedule object
- eyeBeam.exe (PID: 3924)
INFO
Checks supported languages
- is-TDGVI.tmp (PID: 2600)
- eyeBeam.exe (PID: 1344)
- eyeBeam.exe (PID: 3924)
- wmpnscfg.exe (PID: 3988)
Create files in a temporary directory
- eyeBeam.exe (PID: 1344)
- is-TDGVI.tmp (PID: 2600)
Reads the computer name
- is-TDGVI.tmp (PID: 2600)
- eyeBeam.exe (PID: 3924)
- wmpnscfg.exe (PID: 3988)
Creates files in the program directory
- is-TDGVI.tmp (PID: 2600)
Manual execution by a user
- eyeBeam.exe (PID: 3924)
- msedge.exe (PID: 3656)
- wmpnscfg.exe (PID: 3988)
Reads the machine GUID from the registry
- eyeBeam.exe (PID: 3924)
Reads CPU info
- eyeBeam.exe (PID: 3924)
Creates files or folders in the user directory
- eyeBeam.exe (PID: 3924)
Drops the executable file immediately after the start
- msedge.exe (PID: 3656)
Application launched itself
- msedge.exe (PID: 3656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable PowerBASIC/Win 9.x (51.2) |
|---|---|---|
| .exe | | | Inno Setup installer (37.9) |
| .exe | | | Win32 Executable Delphi generic (4.9) |
| .dll | | | Win32 Dynamic Link Library (generic) (2.2) |
| .exe | | | Win32 Executable (generic) (1.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:20 00:22:17+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 36864 |
| InitializedDataSize: | 16896 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x97f0 |
| OSVersion: | 1 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | This installation was built with Inno Setup: http://www.innosetup.com |
| CompanyName: | CounterPath Solutions Inc. |
| FileDescription: | eyeBeam Setup |
| FileVersion: | |
| LegalCopyright: | (c) 2006 CounterPath Solutions Inc. All rights reserved. |
Total processes
67
Monitored processes
28
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 280 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3564 --field-trial-handle=1300,i,5370654731686220507,15805151110567994424,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 684 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4364 --field-trial-handle=1300,i,5370654731686220507,15805151110567994424,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1212 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4532 --field-trial-handle=1300,i,5370654731686220507,15805151110567994424,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1248 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1500 --field-trial-handle=1300,i,5370654731686220507,15805151110567994424,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1328 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1300,i,5370654731686220507,15805151110567994424,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1344 | "C:\Users\admin\AppData\Local\Temp\eyeBeam.exe" | C:\Users\admin\AppData\Local\Temp\eyeBeam.exe | explorer.exe | ||||||||||||
User: admin Company: CounterPath Solutions Inc. Integrity Level: HIGH Description: eyeBeam Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 2108 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4304 --field-trial-handle=1300,i,5370654731686220507,15805151110567994424,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2512 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2824 --field-trial-handle=1300,i,5370654731686220507,15805151110567994424,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2600 | "C:\Users\admin\AppData\Local\Temp\is-33OOC.tmp\is-TDGVI.tmp" /SL4 $1C0142 "C:\Users\admin\AppData\Local\Temp\eyeBeam.exe" 6044273 52224 | C:\Users\admin\AppData\Local\Temp\is-33OOC.tmp\is-TDGVI.tmp | — | eyeBeam.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.42.0.0 Modules
| |||||||||||||||
| 2640 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 --field-trial-handle=1300,i,5370654731686220507,15805151110567994424,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
Total events
5 313
Read events
5 283
Write events
29
Delete events
1
Modification events
| (PID) Process: | (3924) eyeBeam.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{0087B45F-048A-AEEC-BF49-0D6166004AA6}\InprocServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Both | |||
| (PID) Process: | (3924) eyeBeam.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{A5EC5A0C-AA08-9356-51D1-76F728E5DA09}\InprocServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Both | |||
| (PID) Process: | (3924) eyeBeam.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{09CFFE9B-A10F-B66B-00C0-F8EA082F08D6}\InprocServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Both | |||
| (PID) Process: | (3924) eyeBeam.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{2D190171-8DD6-070A-6DD3-E10F455B7A47}\InprocServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Both | |||
| (PID) Process: | (3924) eyeBeam.exe | Key: | HKEY_CLASSES_ROOT\CLSID\{5A1CA6CA-4E96-A182-7533-8BC6E1A1BC72}\InprocServer32 |
| Operation: | write | Name: | ThreadingModel |
Value: Both | |||
| (PID) Process: | (3656) msedge.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (3656) msedge.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (3656) msedge.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: 01000000 | |||
| (PID) Process: | (3656) msedge.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (3656) msedge.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} |
| Operation: | write | Name: | dr |
Value: 1 | |||
Executable files
49
Suspicious files
160
Text files
74
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2600 | is-TDGVI.tmp | C:\Users\admin\AppData\Local\Temp\is-GI8RO.tmp\psvince.dll | executable | |
MD5:A4E5C512B047A6D9DC38549161CAC4DE | SHA256:C7F1E7E866834D9024F97C2B145C09D106E447E8ABD65A10A1732116D178E44E | |||
| 2600 | is-TDGVI.tmp | C:\Program Files\CounterPath\eyeBeam 1.5\is-K2DOA.tmp | executable | |
MD5:561FA2ABB31DFA8FAB762145F81667C2 | SHA256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B | |||
| 1344 | eyeBeam.exe | C:\Users\admin\AppData\Local\Temp\is-33OOC.tmp\is-TDGVI.tmp | executable | |
MD5:036EF63E2F9B138A42D6ADB54EC0CD1E | SHA256:71B487F0523F213004766402B22BF86FA0EF9891E940D2A4CB12EBA6627E7CC6 | |||
| 2600 | is-TDGVI.tmp | C:\Program Files\CounterPath\eyeBeam 1.5\msvcr71.dll | executable | |
MD5:86F1895AE8C5E8B17D99ECE768A70732 | SHA256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE | |||
| 2600 | is-TDGVI.tmp | C:\Program Files\CounterPath\eyeBeam 1.5\msvcp71.dll | executable | |
MD5:561FA2ABB31DFA8FAB762145F81667C2 | SHA256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B | |||
| 2600 | is-TDGVI.tmp | C:\Program Files\CounterPath\eyeBeam 1.5\is-B9Q0N.tmp | executable | |
MD5:6831E53C1F7AAA8F5F0104E0E0CD6A9E | SHA256:A367BE631C73A8516BEB6F01045100B1DD1C033F7AF0D6F94B44A4F95E70AE46 | |||
| 2600 | is-TDGVI.tmp | C:\Program Files\CounterPath\eyeBeam 1.5\unins000.exe | executable | |
MD5:6831E53C1F7AAA8F5F0104E0E0CD6A9E | SHA256:A367BE631C73A8516BEB6F01045100B1DD1C033F7AF0D6F94B44A4F95E70AE46 | |||
| 2600 | is-TDGVI.tmp | C:\Program Files\CounterPath\eyeBeam 1.5\is-BU1GU.tmp | image | |
MD5:5A77AB01BB917BB0F539B07614A6135F | SHA256:16C1B2FA5AD3D758B51E1757B3AB6A1DD1E79391703010E7793CBC4B8F85E55F | |||
| 2600 | is-TDGVI.tmp | C:\Program Files\CounterPath\eyeBeam 1.5\is-NFAPP.tmp | executable | |
MD5:86F1895AE8C5E8B17D99ECE768A70732 | SHA256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE | |||
| 2600 | is-TDGVI.tmp | C:\Program Files\CounterPath\eyeBeam 1.5\is-1TADS.tmp | executable | |
MD5:0642A05567EFA37A76AA3488DA86CB47 | SHA256:6396C44397F1780F644E9317F3321B18A5CB026DCF751281B35CC4A07D2A3CF1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
37
DNS requests
58
Threats
2
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3924 | eyeBeam.exe | 141.193.213.20:443 | upgrades.counterpath.com | Cloudflare London, LLC | US | whitelisted |
2900 | msedge.exe | 204.79.197.203:443 | ntp.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3656 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2900 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2900 | msedge.exe | 13.107.22.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2900 | msedge.exe | 23.53.42.152:443 | assets.msn.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
upgrades.counterpath.com |
| unknown |
ntp.msn.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
assets.msn.com |
| whitelisted |
img-s-msn-com.akamaized.net |
| whitelisted |
sb.scorecardresearch.com |
| shared |
th.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
c.msn.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2900 | msedge.exe | Potential Corporate Privacy Violation | ET POLICY Pastebin-style Service (paste .ee) in TLS SNI |
2900 | msedge.exe | Potential Corporate Privacy Violation | ET POLICY Pastebin-style Service (paste .ee) in TLS SNI |
Process | Message |
|---|---|
eyeBeam.exe | |
eyeBeam.exe | Excluding: (default wave out)
|
eyeBeam.exe | Excluding: (default wave in)
|
eyeBeam.exe | Excluding: (default wave out)
|
eyeBeam.exe | Excluding: (default wave in)
|
eyeBeam.exe | Excluding: (default wave in)
|
eyeBeam.exe | Excluding: (default wave out)
|
eyeBeam.exe | Excluding: (default wave out)
|
eyeBeam.exe | Excluding: (default wave in)
|
eyeBeam.exe | Excluding: (default wave in)
|