File name: | setup.exe |
Full analysis: | https://app.any.run/tasks/58bf2e01-d41c-4cb4-aa8c-c0afd79120fa |
Verdict: | Malicious activity |
Analysis date: | January 24, 2022, 20:25:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 0171E557093F33929439C2E8EE1743F3 |
SHA1: | F759C5424E00E07CF5A8FF0E9094A9813CD2A734 |
SHA256: | 35DB24CC2DFB0EE2AB233641A193DECC39400BB27DB1B1E2FBBFFFB7D5E1BE2F |
SSDEEP: | 98304:7NHwpkO57QZjB6Ssmh9H9XeYB74P0FyX+p6FG0TH16+/nq5RxnzOQv66i:epkOSNBl74ny6FG0//nq5RxnzOQm |
.exe | | | Win32 Executable MS Visual C++ (generic) (35.8) |
---|---|---|
.exe | | | Win64 Executable (generic) (31.7) |
.scr | | | Windows screen saver (15) |
.dll | | | Win32 Dynamic Link Library (generic) (7.5) |
.exe | | | Win32 Executable (generic) (5.1) |
SpecialBuild: | - |
---|---|
ProductVersion: | 2,0,0,45 |
ProductName: | PopcornRP Launcher Installationsprogramm... |
PrivateBuild: | - |
OriginalFileName: | - |
LegalTrademarks: | - |
LegalCopyright: | - |
InternalName: | - |
FileVersion: | 2,0,0,45 |
FileDescription: | - |
CompanyName: | - |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 2.0.0.45 |
FileVersionNumber: | 2.0.0.45 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x1b832 |
UninitializedDataSize: | - |
InitializedDataSize: | 81920 |
CodeSize: | 135168 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2015:10:02 17:38:34+02:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3980 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | — | Explorer.EXE |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Version: 2,0,0,45 | ||||
3684 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | Explorer.EXE | |
User: admin Integrity Level: HIGH Exit code: 0 Version: 2,0,0,45 | ||||
2144 | "C:\Program Files\PopcornRP Launcher\launcher.exe" | C:\Program Files\PopcornRP Launcher\launcher.exe | Explorer.EXE | |
User: admin Integrity Level: MEDIUM Version: 1.54 |
(PID) Process: | (3684) setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PopcornRP Launcher |
Operation: | write | Name: | DisplayName |
Value: PopcornRP Launcher | |||
(PID) Process: | (3684) setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PopcornRP Launcher |
Operation: | write | Name: | UninstallString |
Value: C:\Program Files\PopcornRP Launcher\Uninstal.exe | |||
(PID) Process: | (2144) launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
Operation: | write | Name: | Name |
Value: launcher.exe | |||
(PID) Process: | (2144) launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION |
Operation: | write | Name: | edrt.exe |
Value: 11111 | |||
(PID) Process: | (2144) launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION |
Operation: | write | Name: | edrt.vhost.exe |
Value: 11111 | |||
(PID) Process: | (2144) launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2144) launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2144) launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2144) launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2144) launcher.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3684 | setup.exe | C:\Program Files\PopcornRP Launcher\assets\version.$A | text | |
MD5:D0E5F27655754425719BAE64B4186DCE | SHA256:AF3266E6D0F3BBA206C2E954C21FF72182E440557702A3F79F4C6BDFB577FED5 | |||
3684 | setup.exe | C:\Program Files\PopcornRP Launcher\Uninstal.$A | executable | |
MD5:E08E06A7DBBED5BA47AD6FA35666768D | SHA256:338D5AF6DA40FD02010F06DAA507BE7808E523144CB229205313050DC168539B | |||
3684 | setup.exe | C:\Program Files\PopcornRP Launcher\data\launch.$A | binary | |
MD5:AD02117F6321607AA55620D32839BA65 | SHA256:3A80E8F9D84DFE89901A514E4CF90D957E0F6B56DDC8E827833805109FD8F12B | |||
3684 | setup.exe | C:\Program Files\PopcornRP Launcher\data\p1_button0a.$A | image | |
MD5:B57CCF83C06678F56A81C1879DC715A2 | SHA256:EF8B8E4661D246C5340276CB91F4AAD32A65B4FBD15C023CB74E095AB0E730F8 | |||
3684 | setup.exe | C:\Program Files\PopcornRP Launcher\data\p1_bg.$A | image | |
MD5:2804D588961FF82DF690F521A67B301A | SHA256:D9C3925B7047FA789FB3AC30E01E6291A420D8BFC614435EFF752547F29B62D9 | |||
3684 | setup.exe | C:\Program Files\PopcornRP Launcher\assets\popcorn.ico | image | |
MD5:A0D94438665566E0B5146D528914AA58 | SHA256:BE81A6E3884936C502DE168952191A9B99E78A4445D31DA2B2B01AFFC0C60F73 | |||
3684 | setup.exe | C:\Program Files\PopcornRP Launcher\data\p1_button0c.$A | image | |
MD5:C6007754E9626DF49BC5372B202C0B0F | SHA256:2EA76AB883790739D688D115861F2058967C557AAD1331035B7D6B2CAE1282A7 | |||
3684 | setup.exe | C:\Program Files\PopcornRP Launcher\data\DISCORD | image | |
MD5:CEFABDB04A0B6EE9809BCEB5269923B6 | SHA256:7445202270BEC64E7CBD522C4759846EFF380A0CD54667D6D8ABF5CBFBFDA482 | |||
3684 | setup.exe | C:\Program Files\PopcornRP Launcher\data\DISCORD.$A | image | |
MD5:CEFABDB04A0B6EE9809BCEB5269923B6 | SHA256:7445202270BEC64E7CBD522C4759846EFF380A0CD54667D6D8ABF5CBFBFDA482 | |||
3684 | setup.exe | C:\Program Files\PopcornRP Launcher\Uninstal.exe | executable | |
MD5:E08E06A7DBBED5BA47AD6FA35666768D | SHA256:338D5AF6DA40FD02010F06DAA507BE7808E523144CB229205313050DC168539B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2144 | launcher.exe | GET | 200 | 23.45.105.185:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted |
2144 | launcher.exe | GET | 200 | 23.32.238.51:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMWm9uThZJ1f5R%2FlPJMRQ2scQ%3D%3D | US | der | 503 b | shared |
2144 | launcher.exe | GET | 200 | 92.123.194.108:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4195ccf5bc654096 | unknown | compressed | 59.9 Kb | whitelisted |
2144 | launcher.exe | GET | 200 | 92.123.194.108:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?952a1e9d4ec0bf97 | unknown | compressed | 4.70 Kb | whitelisted |
2144 | launcher.exe | GET | 200 | 92.123.194.108:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d2123cdb36abc3e4 | unknown | compressed | 59.9 Kb | whitelisted |
2144 | launcher.exe | GET | 200 | 92.123.194.108:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ae014e30d38085cb | unknown | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2144 | launcher.exe | 23.32.238.51:80 | r3.o.lencr.org | XO Communications | US | unknown |
2144 | launcher.exe | 91.216.248.21:443 | popcornrp.com | 23media GmbH | DE | malicious |
2144 | launcher.exe | 23.45.105.185:80 | x1.c.lencr.org | Akamai International B.V. | NL | unknown |
2144 | launcher.exe | 92.123.194.108:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | suspicious |
Domain | IP | Reputation |
---|---|---|
popcornrp.com |
| malicious |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
r3.o.lencr.org |
| shared |
Process | Message |
---|---|
launcher.exe | Start app
|
launcher.exe | Start app
|
launcher.exe | Start app
|
launcher.exe | Start app
|
launcher.exe | End app
|
launcher.exe | End app
|