File name: Sеtup.exe
Full analysis: https://app.any.run/tasks/84942d4e-7a89-4e95-92e0-7fb31def226a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 01, 2023, 13:11:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
raccoon
recordbreaker
trojan
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 549CF309B90146D2B01878C3BBCA057E
SHA1: A59229F8B6A8AA6E83036A2D4006FF6F2C208EF6
SHA256: 14447A72F645404A9E69055BAC9BAAD9BA0070C8DA4260FC66B12E7B130BAC63
SSDEEP: 196608:+6sLJWCXG46Ya9YvbfV0p7pNd5TAQGnnRVYAywKIgEdtH2d6Qi4Vp:Tg324gez+3NdsRVJywKQHoiOp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RACCOON was detected

      • Sеtup.exe (PID: 1048)
    • Connects to the CnC server

      • Sеtup.exe (PID: 1048)
    • Application was dropped or rewritten from another process

      • WXl241wg.exe (PID: 1848)
      • DocumentsDesktop-type5.8.3.5.exe (PID: 3168)
    • Actions look like stealing of personal data

      • Sеtup.exe (PID: 1048)
    • Uses Task Scheduler to run other applications

      • WXl241wg.exe (PID: 1848)
  • SUSPICIOUS

    • Searches for installed software

      • Sеtup.exe (PID: 1048)
    • Reads browser cookies

      • Sеtup.exe (PID: 1048)
    • Reads the Internet Settings

      • Sеtup.exe (PID: 1048)
      • WXl241wg.exe (PID: 1848)
    • Process requests binary or script from the Internet

      • Sеtup.exe (PID: 1048)
    • Connects to the server without a host name

      • Sеtup.exe (PID: 1048)
    • Executable content was dropped or overwritten

      • Sеtup.exe (PID: 1048)
      • WXl241wg.exe (PID: 1848)
    • Uses ICACLS.EXE to modify access control lists

      • WXl241wg.exe (PID: 1848)
    • The process executes via Task Scheduler

      • DocumentsDesktop-type5.8.3.5.exe (PID: 3168)
  • INFO

    • Reads the machine GUID from the registry

      • Sеtup.exe (PID: 1048)
    • Checks supported languages

      • Sеtup.exe (PID: 1048)
      • WXl241wg.exe (PID: 1848)
      • DocumentsDesktop-type5.8.3.5.exe (PID: 3168)
    • Reads Environment values

      • Sеtup.exe (PID: 1048)
    • Reads the computer name

      • Sеtup.exe (PID: 1048)
      • WXl241wg.exe (PID: 1848)
    • Reads product name

      • Sеtup.exe (PID: 1048)
    • The process checks LSA protection

      • Sеtup.exe (PID: 1048)
      • icacls.exe (PID: 2844)
      • icacls.exe (PID: 2120)
      • WXl241wg.exe (PID: 1848)
      • icacls.exe (PID: 1504)
    • Checks proxy server information

      • Sеtup.exe (PID: 1048)
    • Creates files or folders in the user directory

      • Sеtup.exe (PID: 1048)
    • Creates files in a temporary directory

      • Sеtup.exe (PID: 1048)
      • chrome.exe (PID: 616)
    • Manual execution by a user

      • chrome.exe (PID: 616)
    • Creates files in the program directory

      • WXl241wg.exe (PID: 1848)
    • Application launched itself

      • chrome.exe (PID: 616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:11 14:53:06+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 100352
InitializedDataSize: 468992
UninitializedDataSize: -
EntryPoint: 0x7359c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-Mar-2023 14:53:06
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 11-Mar-2023 14:53:06
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000187F8 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0
.rdata | 0x0001A000 | 0x0000298A | 0x00002A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.81825
.data | 0x0001D000 | 0x000005DC | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931
.nFf | 0x0001E000 | 0x006FD1A9 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0
.77* | 0x0071C000 | 0x00000374 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.49188
.h,{ | 0x0071D000 | 0x00992FF0 | 0x00993000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.98668
.rsrc | 0x010B0000 | 0x0006F7E9 | 0x0006F800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.37523

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.8858 | 145 | UNKNOWN | English - United States | RT_MANIFEST
2 | 5.11946 | 2440 | UNKNOWN | UNKNOWN | RT_ICON
3 | 4.95993 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
4 | 4.72675 | 9640 | UNKNOWN | UNKNOWN | RT_ICON
5 | 4.67205 | 16936 | UNKNOWN | UNKNOWN | RT_ICON
6 | 4.54676 | 67624 | UNKNOWN | UNKNOWN | RT_ICON
7 | 4.51192 | 270376 | UNKNOWN | UNKNOWN | RT_ICON
8 | 7.9345 | 83412 | UNKNOWN | UNKNOWN | RT_ICON
GYHFGJFHADGET | 2.88376 | 118 | UNKNOWN | UNKNOWN | RT_GROUP_ICON

Imports

GDI32.dll
KERNEL32.dll
USER32.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 67
Monitored processes: 25
Malicious processes: 2
Suspicious processes: 1

Behavior graph

(Interactive process graph, not reproduced here; see the full report. Processes shown: sеtup.exe [#RACCOON] with "drop and start" edge to wxl241wg.exe, chrome.exe and its child processes (no specs), schtasks.exe, icacls.exe (three instances), documentsdesktop-type5.8.3.5.exe.)

Process information

PID: 1048
CMD: "C:\Users\admin\AppData\Local\Temp\Sеtup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Sеtup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\sеtup.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
PID: 1848
CMD: "C:\Users\admin\AppData\Roaming\WXl241wg.exe"
Path: C:\Users\admin\AppData\Roaming\WXl241wg.exe
Parent process: Sеtup.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225547
Modules (images):
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\roaming\wxl241wg.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
PID: 616
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 3221225547
Version: 86.0.4240.198
Modules (images):
c:\windows\system32\ntdll.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1896
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6f15d988,0x6f15d998,0x6f15d9a4
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 2620
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1144,16384125358393731773,8300995231095160660,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1156 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 3092
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1144,16384125358393731773,8300995231095160660,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1312 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
PID: 3400
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1144,16384125358393731773,8300995231095160660,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 3540
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1144,16384125358393731773,8300995231095160660,131072 --enable-features=PasswordImport --lang=en-US --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 3728
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1144,16384125358393731773,8300995231095160660,131072 --enable-features=PasswordImport --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 3208
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1144,16384125358393731773,8300995231095160660,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2704 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
Total events: 16 884
Read events: 16 630
Write events: 250
Delete events: 4

Modification events

(PID) Process: (1048) Sеtup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1048) Sеtup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1048) Sеtup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (1048) Sеtup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1048) Sеtup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1048) Sеtup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1048) Sеtup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1048) Sеtup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (616) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (616) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1
Executable files: 20
Suspicious files: 276
Text files: 259
Unknown types: 38

Dropped files

PID | Process | Filename | Type
1048 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\Lcn0f5o3C849 | sqlite
  MD5: D02907BE1C995E1E51571EEDB82FA281
  SHA256: 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
1048 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\nss3.dll | executable
  MD5: F67D08E8C02574CBC2F1122C53BFB976
  SHA256: C65B7AFB05EE2B2687E6280594019068C3D3829182DFE8604CE4ADF2116CC46E
1048 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\softokn3.dll | executable
  MD5: 63A1FE06BE877497C4C2017CA0303537
  SHA256: 44BE3153C15C2D18F49674A092C135D3482FB89B77A1B2063D01D02985555FE0
1048 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\WzCIx4Dab0iR | sqlite
  MD5: CC104C4E4E904C3AD7AD5C45FBFA7087
  SHA256: 321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
1048 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\vcruntime140.dll | executable
  MD5: 1B171F9A428C44ACF85F89989007C328
  SHA256: 9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
1048 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\freebl3.dll | executable
  MD5: 15B61E4A910C172B25FB7D8CCB92F754
  SHA256: B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6
1048 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\6tOViTHG174H | sqlite
  MD5: B8E63E7225C9F4E0A81371F29D6456D8
  SHA256: 35A6919CE60EA8E0A44934F8B267BDE2C5A063C2E32F22D34724F168C43150C8
1048 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\8b36Cys36PrP | sqlite
  MD5: D02907BE1C995E1E51571EEDB82FA281
  SHA256: 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
1048 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\fU80b82f2jsr | sqlite
  MD5: 49E1E66E8EEFE2553D2ECEC4B7EF1D3E
  SHA256: A664C359ACE3BFC149323E5403BB7140A84519043BDBA59B064EBC1BDADD32D4
1048 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\9x0rU9259Tqd | text
  MD5: E7CE898AADD69F4E4280010B7808116E
  SHA256: C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 20
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
860 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | - | - | whitelisted
1048 | Sеtup.exe | GET | 200 | 37.220.87.61:80 | http://37.220.87.61/Clip1.exe | UZ | executable | 6.78 Mb | malicious
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 6.48 Kb | whitelisted
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 15.0 Kb | whitelisted
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 9.95 Kb | whitelisted
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 11.4 Kb | whitelisted
1048 | Sеtup.exe | GET | 200 | 77.73.134.35:80 | http://77.73.134.35/bebra.exe | KZ | executable | 13.8 Mb | malicious
1048 | Sеtup.exe | POST | 200 | 37.220.87.66:80 | http://37.220.87.66/1d34810c45bc06f9f7fc4ab41fcd3f72 | UZ | text | 8 b | malicious
3092 | chrome.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | crx | 242 Kb | whitelisted
1048 | Sеtup.exe | POST | 200 | 37.220.87.66:80 | http://37.220.87.66/1d34810c45bc06f9f7fc4ab41fcd3f72 | UZ | text | 8 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1048 | Sеtup.exe | 37.220.87.66:80 | - | LLC Internet Tehnologii | UZ | malicious
1048 | Sеtup.exe | 77.73.134.35:80 | - | Partner LLC | KZ | malicious
3092 | chrome.exe | 142.250.184.195:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted
3092 | chrome.exe | 142.250.185.132:443 | www.google.com | GOOGLE | US | whitelisted
3092 | chrome.exe | 34.104.35.123:80 | edgedl.me.gvt1.com | GOOGLE | US | whitelisted
3092 | chrome.exe | 172.217.18.99:443 | ssl.gstatic.com | GOOGLE | US | whitelisted
3092 | chrome.exe | 142.250.185.106:443 | fonts.googleapis.com | GOOGLE | US | whitelisted
3092 | chrome.exe | 142.250.184.193:443 | clients2.googleusercontent.com | GOOGLE | US | whitelisted
860 | svchost.exe | 34.104.35.123:80 | edgedl.me.gvt1.com | GOOGLE | US | whitelisted
3092 | chrome.exe | 216.58.212.131:443 | www.gstatic.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
clientservices.googleapis.com | 142.250.184.195 | whitelisted
accounts.google.com | 142.250.185.109 | shared
clients2.google.com | 142.250.185.110 | whitelisted
www.google.com | 142.250.185.132 | whitelisted
clients2.googleusercontent.com | 142.250.184.193 | whitelisted
fonts.googleapis.com | 142.250.185.106 | whitelisted
www.gstatic.com | 216.58.212.131 | whitelisted
fonts.gstatic.com | 142.250.185.227 | whitelisted
apis.google.com | 172.217.16.142 | whitelisted
ssl.gstatic.com | 172.217.18.99 | whitelisted

Threats

PID | Process | Class | Message
1048 | Sеtup.exe | A Network Trojan was detected | ET MALWARE Win32/RecordBreaker CnC Checkin M1
1048 | Sеtup.exe | A Network Trojan was detected | ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
1048 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
1048 | Sеtup.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
1048 | Sеtup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1048 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
1048 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
1048 | Sеtup.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
1048 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
1048 | Sеtup.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
No debug info