File name:

file

Full analysis: https://app.any.run/tasks/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
Verdict: Malicious activity
Analysis date: January 27, 2023, 09:03:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

531981FA2658977F0ECDAD58E88F3037

SHA1:

A32FBF450455E965B54506DEA14438E0598A8E08

SHA256:

3ECD4763FFC944FDC67A9027E459CD4F448B1A8D1B36147977AFAF86BBF2A261

SSDEEP:

196608:91OyP3N/E1u7Yz/qped/kgyLPFZRsCu3hOCVci8L4Xt7uhwp1K:3OI3a1u0KeSgIHRsCuwCVciZXRNK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Install.exe (PID: 2028)
      • file.exe (PID: 2032)
      • Install.exe (PID: 1988)
      • CiuBamk.exe (PID: 2788)
      • FHYQWsM.exe (PID: 1440)
    • Uses Task Scheduler to run other applications

      • Install.exe (PID: 1988)
      • CiuBamk.exe (PID: 2788)
      • FHYQWsM.exe (PID: 1440)
      • rundll32.exe (PID: 2972)
    • Application was dropped or rewritten from another process

      • Install.exe (PID: 1988)
      • CiuBamk.exe (PID: 2788)
      • FHYQWsM.exe (PID: 1440)
    • Creates a writable file the system directory

      • CiuBamk.exe (PID: 2788)
      • FHYQWsM.exe (PID: 1440)
    • Modifies exclusions in Windows Defender

      • reg.exe (PID: 2652)
      • reg.exe (PID: 620)
      • reg.exe (PID: 1440)
      • reg.exe (PID: 2216)
      • reg.exe (PID: 2168)
      • reg.exe (PID: 2096)
      • reg.exe (PID: 2444)
      • reg.exe (PID: 2992)
      • reg.exe (PID: 2400)
    • Uses Task Scheduler to autorun other applications

      • FHYQWsM.exe (PID: 1440)
    • Steals credentials from Web Browsers

      • FHYQWsM.exe (PID: 1440)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2972)
      • rundll32.exe (PID: 1892)
    • Modifies files in the Chrome extension folder

      • FHYQWsM.exe (PID: 1440)
    • Actions looks like stealing of personal data

      • FHYQWsM.exe (PID: 1440)
  • SUSPICIOUS

    • Reads the BIOS version

      • Install.exe (PID: 1988)
    • Executes via Task Scheduler

      • powershell.EXE (PID: 2192)
      • powershell.EXE (PID: 2548)
      • CiuBamk.exe (PID: 2788)
      • powershell.EXE (PID: 2276)
      • powershell.EXE (PID: 2648)
      • FHYQWsM.exe (PID: 1440)
      • rundll32.EXE (PID: 2480)
      • rundll32.EXE (PID: 1636)
    • Executable content was dropped or overwritten

      • Install.exe (PID: 2028)
      • file.exe (PID: 2032)
      • Install.exe (PID: 1988)
      • CiuBamk.exe (PID: 2788)
      • FHYQWsM.exe (PID: 1440)
    • Starts CMD.EXE for commands execution

      • forfiles.exe (PID: 1672)
      • forfiles.exe (PID: 1768)
      • CiuBamk.exe (PID: 2788)
      • FHYQWsM.exe (PID: 1440)
    • Uses REG/REGEDIT.EXE to modify register

      • cmd.exe (PID: 1960)
      • cmd.exe (PID: 124)
      • cmd.exe (PID: 2544)
      • cmd.exe (PID: 3068)
      • cmd.exe (PID: 1804)
      • cmd.exe (PID: 1708)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 2660)
      • wscript.exe (PID: 2480)
      • cmd.exe (PID: 1820)
      • cmd.exe (PID: 2232)
      • cmd.exe (PID: 2748)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 1672)
      • cmd.exe (PID: 2748)
    • Starts itself from another location

      • file.exe (PID: 2032)
    • Reads security settings of Internet Explorer

      • powershell.EXE (PID: 2192)
      • powershell.EXE (PID: 2276)
      • powershell.EXE (PID: 2548)
      • powershell.EXE (PID: 2648)
    • Executes as Windows Service

      • RAServer.exe (PID: 2072)
      • RAServer.exe (PID: 2676)
      • RAServer.exe (PID: 2364)
      • RAServer.exe (PID: 2240)
    • Executes scripts

      • CiuBamk.exe (PID: 2788)
    • Reads settings of System Certificates

      • FHYQWsM.exe (PID: 1440)
    • Creates a software uninstall entry

      • FHYQWsM.exe (PID: 1440)
    • Checks Windows Trust Settings

      • FHYQWsM.exe (PID: 1440)
  • INFO

    • Checks supported languages

      • file.exe (PID: 2032)
      • Install.exe (PID: 1988)
      • Install.exe (PID: 2028)
      • CiuBamk.exe (PID: 2788)
      • FHYQWsM.exe (PID: 1440)
    • Reads the machine GUID from the registry

      • Install.exe (PID: 1988)
      • FHYQWsM.exe (PID: 1440)
    • The process checks LSA protection

      • Install.exe (PID: 1988)
      • powershell.EXE (PID: 2192)
      • powershell.EXE (PID: 2276)
      • powershell.EXE (PID: 2548)
      • wscript.exe (PID: 2480)
      • powershell.EXE (PID: 2648)
      • FHYQWsM.exe (PID: 1440)
      • rundll32.exe (PID: 2972)
    • Reads the computer name

      • Install.exe (PID: 1988)
      • FHYQWsM.exe (PID: 1440)
    • Create files in a temporary directory

      • Install.exe (PID: 2028)
      • file.exe (PID: 2032)
      • powershell.EXE (PID: 2192)
      • Install.exe (PID: 1988)
      • powershell.EXE (PID: 2276)
      • powershell.EXE (PID: 2548)
      • powershell.EXE (PID: 2648)
    • Creates files in the program directory

      • FHYQWsM.exe (PID: 1440)
    • Dropped object may contain Bitcoin addresses

      • FHYQWsM.exe (PID: 1440)
    • Process checks computer location settings

      • FHYQWsM.exe (PID: 1440)
    • Creates files or folders in the user directory

      • FHYQWsM.exe (PID: 1440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2010-Nov-18 16:27:35
Detected languages:
  • English - United States
CompanyName: Igor Pavlov
FileDescription: 7z Setup SFX
FileVersion: 9.20
InternalName: 7zS.sfx
LegalCopyright: Copyright (c) 1999-2010 Igor Pavlov
OriginalFilename: 7zS.sfx.exe
ProductName: 7-Zip
ProductVersion: 9.20

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 232

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2010-Nov-18 16:27:35
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
104938
104960
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60849
.rdata
110592
17556
17920
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.36802
.data
131072
23112
12800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.37054
.sxdata
155648
4
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
159744
2656
3072
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.30196

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.75404
744
UNKNOWN
English - United States
RT_ICON
2
3.18403
296
UNKNOWN
English - United States
RT_ICON
5
1.43775
52
UNKNOWN
English - United States
RT_STRING
500
3.09294
184
UNKNOWN
English - United States
RT_DIALOG
1 (#2)
2.78284
148
UNKNOWN
English - United States
RT_STRING
1 (#3)
2.37086
34
UNKNOWN
English - United States
RT_GROUP_ICON
1 (#4)
3.44049
700
UNKNOWN
English - United States
RT_VERSION

Imports

KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
237
Monitored processes
116
Malicious processes
21
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start file.exe no specs file.exe install.exe install.exe forfiles.exe no specs forfiles.exe no specs cmd.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs gpupdate.exe no specs schtasks.exe no specs schtasks.exe no specs raserver.exe no specs ciubamk.exe schtasks.exe no specs schtasks.exe no specs powershell.exe no specs gpupdate.exe no specs schtasks.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs gpupdate.exe no specs raserver.exe no specs schtasks.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs wscript.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs gpupdate.exe no specs raserver.exe no specs schtasks.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs fhyqwsm.exe schtasks.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs schtasks.exe no specs raserver.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs rundll32.exe no specs rundll32.exe cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs rundll32.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1344"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeExplorer.EXE
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7z Setup SFX
Exit code:
3221226540
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2032"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
Explorer.EXE
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Setup SFX
Exit code:
0
Version:
9.20
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\wow64.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2028.\Install.exeC:\Users\admin\AppData\Local\Temp\7zS4C1D.tmp\Install.exe
file.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Setup SFX
Exit code:
0
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\7zs4c1d.tmp\install.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1988.\Install.exe /S /site_id "525403"C:\Users\admin\AppData\Local\Temp\7zS4E7E.tmp\Install.exe
Install.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\7zs4e7e.tmp\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1768"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"C:\Windows\SysWOW64\forfiles.exeInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ForFiles - Executes a command on selected files
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1672"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"C:\Windows\SysWOW64\forfiles.exeInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ForFiles - Executes a command on selected files
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
124/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&C:\Windows\SysWOW64\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1960/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&C:\Windows\SysWOW64\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernelbase.dll
2368REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32c:\windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2380REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32c:\windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\kernel32.dll
Total events
18 482
Read events
17 730
Write events
746
Delete events
6

Modification events

(PID) Process:(1988) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1988) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1988) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1988) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2368) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:writeName:exe
Value:
0
(PID) Process:(2380) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:writeName:SpyNetReporting
Value:
0
(PID) Process:(2864) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:writeName:exe
Value:
0
(PID) Process:(2872) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:writeName:SpyNetReporting
Value:
0
(PID) Process:(2192) powershell.EXEKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2192) powershell.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
20
Suspicious files
95
Text files
150
Unknown types
24

Dropped files

PID
Process
Filename
Type
2032file.exeC:\Users\admin\AppData\Local\Temp\7zS4C1D.tmp\__data__\config.txtbinary
MD5:D251554B249B6EFD4EDE16A6856714BF
SHA256:72EED68238E3741EA36DC941030876B4CD777646C639D4DA8FA8B5073BF77824
2192powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:F6C846D320239C7EF5513019C0EE4A53
SHA256:7CAF7E561AA0BAC5AD5C0D3FC1C8B306AE90B7D7F73DBD19044C0B6FAC804D15
2028Install.exeC:\Users\admin\AppData\Local\Temp\7zS4E7E.tmp\Install.exeexecutable
MD5:641EADD9585299DDDF46D16A91582FBE
SHA256:D66BEAC01580E9F730480D4CC8091DC582E6D22A40106A5A1C7F8A6FB0712BC8
2192powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\696U1H2VGZ7QUBUI4KZE.tempbinary
MD5:F6C846D320239C7EF5513019C0EE4A53
SHA256:7CAF7E561AA0BAC5AD5C0D3FC1C8B306AE90B7D7F73DBD19044C0B6FAC804D15
2192powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFd5fc4.TMPbinary
MD5:D12147D4849A339C8508A67CDAA0F9AD
SHA256:9A4E0139A51B4755DAA7A3F6BA321F4021E17602696176CA40C2D4C2522956F0
2032file.exeC:\Users\admin\AppData\Local\Temp\7zS4C1D.tmp\Install.exeexecutable
MD5:A5BCAFA4B983E40E80CE5F7D195BF91A
SHA256:692474B8B6306906BDB8DAFF57FABA4AAE6BCAE7F36504872EF6084CC8B790BA
2276powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFdf146.TMPbinary
MD5:F6C846D320239C7EF5513019C0EE4A53
SHA256:7CAF7E561AA0BAC5AD5C0D3FC1C8B306AE90B7D7F73DBD19044C0B6FAC804D15
2276powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ALYJ24RTA1KWOY25IJMR.tempbinary
MD5:8FA965D45CEFDF56BA850AAFDA6ADF4C
SHA256:3DA6F1026E01A7CFD579A4162F93FEE1367C23E182A7C6C0FF5923751AEEA87F
1988Install.exeC:\Users\admin\AppData\Local\Temp\exjZpBqMapvjTxaJx\OLDmWeKNMVeurXQ\CiuBamk.exeexecutable
MD5:641EADD9585299DDDF46D16A91582FBE
SHA256:D66BEAC01580E9F730480D4CC8091DC582E6D22A40106A5A1C7F8A6FB0712BC8
2384schtasks.exeC:\Windows\Tasks\baqkzymadDkdbhQsxA.jobbinary
MD5:7FA18054BB1C5D09F6136FB21F1272F4
SHA256:890B7234968534EC2E23998D87066EA65F50758C095C04664CA0AF266D2FC07E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
9
DNS requests
11
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1440
FHYQWsM.exe
GET
200
184.24.77.52:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgRB7A5ys5XSOpfz0dPt7QOXbw%3D%3D
US
der
503 b
shared
1440
FHYQWsM.exe
GET
200
172.217.18.99:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDrLFyBxR1WMQr6Mn9JjdU0
US
der
472 b
whitelisted
1440
FHYQWsM.exe
GET
200
172.217.18.99:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
1440
FHYQWsM.exe
GET
200
172.217.18.99:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEFy5J6A6YKVTEoiTk%2FRTejk%3D
US
der
471 b
whitelisted
2972
rundll32.exe
POST
200
54.185.139.178:80
http://api2.check-data.xyz/api2/google_api_ifi
US
malicious
1440
FHYQWsM.exe
GET
200
172.217.18.99:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
1440
FHYQWsM.exe
GET
200
178.79.242.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9a88ea110ce21994
DE
compressed
61.4 Kb
whitelisted
1440
FHYQWsM.exe
GET
200
178.79.242.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9a13c8621d408546
DE
compressed
4.70 Kb
whitelisted
1440
FHYQWsM.exe
GET
200
23.45.105.185:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
1440
FHYQWsM.exe
GET
200
184.24.77.69:80
http://apps.identrust.com/roots/dstrootcax3.p7c
US
cat
893 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1440
FHYQWsM.exe
172.217.18.99:80
ocsp.pki.goog
GOOGLE
US
whitelisted
1440
FHYQWsM.exe
184.24.77.52:80
r3.o.lencr.org
Akamai International B.V.
DE
malicious
1440
FHYQWsM.exe
178.79.242.128:80
ctldl.windowsupdate.com
LLNW
DE
malicious
1440
FHYQWsM.exe
172.217.18.14:443
clients2.google.com
GOOGLE
US
whitelisted
1440
FHYQWsM.exe
3.80.150.121:443
service-domain.xyz
AMAZON-AES
US
suspicious
1440
FHYQWsM.exe
184.24.77.69:80
apps.identrust.com
Akamai International B.V.
DE
suspicious
1440
FHYQWsM.exe
142.250.185.138:443
www.googleapis.com
GOOGLE
US
whitelisted
2972
rundll32.exe
54.185.139.178:80
api2.check-data.xyz
AMAZON-02
US
malicious
1440
FHYQWsM.exe
23.45.105.185:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
teredo.ipv6.microsoft.com
whitelisted
service-domain.xyz
  • 3.80.150.121
suspicious
ctldl.windowsupdate.com
  • 178.79.242.128
whitelisted
apps.identrust.com
  • 184.24.77.69
  • 184.24.77.47
shared
x1.c.lencr.org
  • 23.45.105.185
whitelisted
r3.o.lencr.org
  • 184.24.77.52
  • 184.24.77.79
  • 184.24.77.46
  • 184.24.77.67
  • 184.24.77.54
  • 184.24.77.69
  • 184.24.77.57
  • 184.24.77.56
  • 184.24.77.53
shared
www.googleapis.com
  • 142.250.185.138
  • 142.250.74.202
  • 142.250.185.106
  • 142.250.181.234
  • 142.250.185.170
  • 142.250.185.74
  • 172.217.16.138
  • 172.217.18.10
  • 142.250.185.202
  • 142.250.185.234
  • 172.217.16.202
  • 142.250.186.138
  • 216.58.212.170
  • 172.217.18.106
  • 142.250.186.42
  • 142.250.186.74
whitelisted
ocsp.pki.goog
  • 172.217.18.99
whitelisted
clients2.google.com
  • 172.217.18.14
whitelisted
api2.check-data.xyz
  • 54.185.139.178
  • 54.191.228.37
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
No debug info