Malware analysis MEGAvpnSetup64.exe Malicious activity

Add for printing

File name:	MEGAvpnSetup64.exe
Full analysis:	https://app.any.run/tasks/133023ed-0286-4682-ac5e-e875f313dec9
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	August 19, 2024, 15:41:43
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	miner pastebin xor-url generic upx
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5:	1001507ADDB65D5708D79CC0C8E672D6
SHA1:	665B6120A02D9FD7EF09BCB1A80B023B7163E620
SHA256:	0C7D2BA6ABC70DBF020E9A626D0E076F177660A59A7F1131DE7212FF745316AD
SSDEEP:	6144:51HC5XfBlCDl8nnnnn1TbFEUNR7CIghdOClEajW:51HC5XfBlCDl8nnnnnRbF57CIghdO9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - MEGAvpnSetup64.exe (PID: 6900)
- MINER has been detected (SURICATA)
  - svchost.exe (PID: 2256)
- XORed URL has been found (YARA)
  - conhost.exe (PID: 6272)
SUSPICIOUS
- Drops the executable file immediately after the start
  - MEGAvpnSetup64.exe (PID: 6596)
  - MEGAvpnSetup64.exe (PID: 6900)
- Reads security settings of Internet Explorer
  - MEGAvpnSetup64.exe (PID: 6596)
  - MEGAvpnSetup64.exe (PID: 6900)
- Reads the date of Windows installation
  - MEGAvpnSetup64.exe (PID: 6596)
  - MEGAvpnSetup64.exe (PID: 6900)
- Powershell scripting: start process
  - MEGAvpnSetup64.exe (PID: 6596)
- Starts POWERSHELL.EXE for commands execution
  - MEGAvpnSetup64.exe (PID: 6596)
  - MEGAvpnSetup64.exe (PID: 6900)
- The process checks if it is being run in the virtual environment
  - MEGAvpnSetup64.exe (PID: 6900)
- Script adds exclusion path to Windows Defender
  - MEGAvpnSetup64.exe (PID: 6900)
- Checks Windows Trust Settings
  - MEGAvpnSetup64.exe (PID: 6900)
- Starts CMD.EXE for commands execution
  - MEGAvpnSetup64.exe (PID: 6900)
- Executable content was dropped or overwritten
  - WmiPrvSE.exe (PID: 6160)
  - MEGAvpnSetup64.exe (PID: 6900)
- Uses powercfg.exe to modify the power settings
  - WmiPrvSE.exe (PID: 6160)
- Drops a system driver (possible attempt to evade defenses)
  - WmiPrvSE.exe (PID: 6160)
- Potential Corporate Privacy Violation
  - svchost.exe (PID: 2256)
- Connects to unusual port
  - conhost.exe (PID: 6272)
INFO
- Reads the computer name
  - MEGAvpnSetup64.exe (PID: 6596)
  - MEGAvpnSetup64.exe (PID: 6900)
- Checks supported languages
  - MEGAvpnSetup64.exe (PID: 6596)
  - MEGAvpnSetup64.exe (PID: 6900)
- Process checks computer location settings
  - MEGAvpnSetup64.exe (PID: 6596)
  - MEGAvpnSetup64.exe (PID: 6900)
- The executable file from the user directory is run by the Powershell process
  - MEGAvpnSetup64.exe (PID: 6900)
- Creates files in the program directory
  - MEGAvpnSetup64.exe (PID: 6900)
- Checks proxy server information
  - MEGAvpnSetup64.exe (PID: 6900)
- Reads the software policy settings
  - MEGAvpnSetup64.exe (PID: 6900)
- Reads the machine GUID from the registry
  - MEGAvpnSetup64.exe (PID: 6900)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6468)
  - powershell.exe (PID: 7160)
- Creates files or folders in the user directory
  - MEGAvpnSetup64.exe (PID: 6900)
- Create files in a temporary directory
  - WmiPrvSE.exe (PID: 6160)
- UPX packer has been detected
  - conhost.exe (PID: 6272)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 7160)
  - powershell.exe (PID: 400)
- Manual execution by a user
  - regedit.exe (PID: 6884)
  - powershell.exe (PID: 400)
  - regedit.exe (PID: 6664)
- Checks current location (POWERSHELL)
  - powershell.exe (PID: 400)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

xor-url

(PID) Process(6272) conhost.exe

Decrypted-URLs (1)https://206.12

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	2.42
CodeSize:	150528
InitializedDataSize:	496128
UninitializedDataSize:	3584
EntryPoint:	0x12fd
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	MEGA Limited
FileDescription:	MEGA VPN
FileVersion:	1.0.0.0
LegalCopyright:	MEGA Limited 2024
ProductName:	MEGA VPN
ProductVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

165

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

400

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

6160

"C:\Windows\System32\wbem\wmiprvse.exe"

C:\Windows\System32\wbem\WmiPrvSE.exe

MEGAvpnSetup64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

WMI Provider Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmiprvse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ncobjapi.dll

6172

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powercfg.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6200

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\Downloads\MEGAvpnSetup64.exe"

C:\Windows\System32\cmd.exe

—

MEGAvpnSetup64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

6216

C:\WINDOWS\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Power Settings Command-Line Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll

6224

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6240

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powercfg.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6272

conhost.exe

C:\Windows\System32\conhost.exe

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll

xor-url

(PID) Process(6272) conhost.exe

Decrypted-URLs (1)https://206.12

6284

C:\WINDOWS\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Power Settings Command-Line Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll

Add for printing

Total events

37 125

Read events

37 087

Write events

Delete events

Modification events


(PID) Process:	(6596) MEGAvpnSetup64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6596) MEGAvpnSetup64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6596) MEGAvpnSetup64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6596) MEGAvpnSetup64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6688) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6688) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6688) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6688) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6900) MEGAvpnSetup64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6900) MEGAvpnSetup64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6900	MEGAvpnSetup64.exe	C:\ProgramData\HK4ascBK6XOWTw\091tWWvcNt8c3Q.exe		executable
		MD5:1001507ADDB65D5708D79CC0C8E672D6	SHA256:0C7D2BA6ABC70DBF020E9A626D0E076F177660A59A7F1131DE7212FF745316AD
6688	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:58AA4968775D0260D7296ED61E59205D	SHA256:E9E1C3F0E024154BFCA8270F945E8891783AEC44B2CD5365B4E27AD1F3AEEC9E
400	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt		text
		MD5:25F2360DB2868491A9C7C3699A944C1A	SHA256:D1798CA8B206C594C8F0A3F7FFF571C38372FE0EDD42EE76D03B2C20D4432E61
6900	MEGAvpnSetup64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8		der
		MD5:971C514F84BBA0785F80AA1C23EDFD79	SHA256:F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
6468	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j2euhfj2.jc4.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6900	MEGAvpnSetup64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:7FB5FA1534DCF77F2125B2403B30A0EE	SHA256:33A39E9EC2133230533A686EC43760026E014A3828C703707ACBC150FE40FD6F
6160	WmiPrvSE.exe	C:\Users\admin\AppData\Local\Temp\honnresalcnl.sys		executable
		MD5:0C0195C48B6B8582FA6F6373032118DA	SHA256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
6468	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d14m5ncn.c2c.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6900	MEGAvpnSetup64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12		binary
		MD5:BE3A4D128A4172F6BE295D3CADF091F5	SHA256:6218B1C189B1B90DEACA0D5FD02B8C1DBC59C15BA0FB955479F224C051BCB7AD
6900	MEGAvpnSetup64.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:6DAF0848587F3435695381E2C68A3377	SHA256:F121589C148B13F263F33B84D0BDCC8FCD5C1CA8B996161BD6C5B149B8A1EE4F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6900	MEGAvpnSetup64.exe	GET	200	142.250.184.227:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
6900	MEGAvpnSetup64.exe	GET	200	142.250.184.227:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4292	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
4100	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6400	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
240	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1432	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6900	MEGAvpnSetup64.exe	172.67.157.59:443	tempfiles.ninja	CLOUDFLARENET	US	unknown
6900	MEGAvpnSetup64.exe	142.250.184.227:80	c.pki.goog	GOOGLE	US	whitelisted
6272	conhost.exe	51.222.12.201:10343	xmr-us-east1.nanopool.org	OVH SAS	CA	unknown
6272	conhost.exe	104.20.4.235:443	pastebin.com	CLOUDFLARENET	—	unknown
6272	conhost.exe	51.79.71.77:10343	xmr-us-east1.nanopool.org	OVH SAS	CA	unknown
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.185.78	whitelisted
tempfiles.ninja	172.67.157.59 104.21.56.249	unknown
c.pki.goog	142.250.184.227	whitelisted
xmr-us-east1.nanopool.org	51.222.200.133 51.79.71.77 51.222.106.253 51.222.12.201	whitelisted
pastebin.com	104.20.4.235 172.67.19.24 104.20.3.235	shared
www.bing.com	104.126.37.139 104.126.37.123 104.126.37.131 104.126.37.186 104.126.37.128 104.126.37.138 104.126.37.130 104.126.37.178 104.126.37.184	whitelisted
th.bing.com	104.126.37.160 104.126.37.153 104.126.37.161 104.126.37.146 104.126.37.162 104.126.37.139 104.126.37.130 104.126.37.131 104.126.37.144	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
browser.pipe.aria.microsoft.com	13.89.179.9 13.89.179.13	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Potential Corporate Privacy Violation	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Online Pastebin Text Storage

Add for printing

No debug info

General Info

MEGAvpnSetup64.exe

1001507ADDB65D5708D79CC0C8E672D6

665B6120A02D9FD7EF09BCB1A80B023B7163E620

0C7D2BA6ABC70DBF020E9A626D0E076F177660A59A7F1131DE7212FF745316AD

6144:51HC5XfBlCDl8nnnnn1TbFEUNR7CIghdOClEajW:51HC5XfBlCDl8nnnnnRbF57CIghdO9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

MINER has been detected (SURICATA)

XORed URL has been found (YARA)

SUSPICIOUS

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Reads the date of Windows installation

Powershell scripting: start process

Starts POWERSHELL.EXE for commands execution

The process checks if it is being run in the virtual environment

Script adds exclusion path to Windows Defender

Checks Windows Trust Settings

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Uses powercfg.exe to modify the power settings

Drops a system driver (possible attempt to evade defenses)

Potential Corporate Privacy Violation

Connects to unusual port

INFO

Reads the computer name

Checks supported languages

Process checks computer location settings

The executable file from the user directory is run by the Powershell process

Creates files in the program directory

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Checks if a key exists in the options dictionary (POWERSHELL)

Creates files or folders in the user directory

Create files in a temporary directory

UPX packer has been detected

Script raised an exception (POWERSHELL)

Manual execution by a user

Checks current location (POWERSHELL)

Malware configuration

xor-url

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

xor-url

Information

Modules

Registry activity