File name:

rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe

Full analysis: https://app.any.run/tasks/892e0833-1265-49c0-a11f-d08034748ab9
Verdict: Malicious activity
Analysis date: May 15, 2024, 18:26:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4CB945C7742D8BE2E123129156A3238C

SHA1:

8B38C383B02251B235CF8BABD7E9305433D8CB4A

SHA256:

49661AF76B4F466A04ACDF6363841CF25E1FB485E732334FF76C20727F810FFF

SSDEEP:

98304:Egy8j3xzcFwGr/7U2Qh71sMJa1mgC0RxgwJpzG2GDhctMDK8HzyY8dhyYUxPqTcI:+px/kf8pogqRF98RAp1pi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe (PID: 4012)
      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe (PID: 748)
      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 1064)

  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 1064)

    • Executable content was dropped or overwritten

      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe (PID: 748)
      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 1064)

    • Changes default file association

      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 1064)

    • Blank space has been found in the path

      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 1064)

  • INFO

    • Checks supported languages

      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe (PID: 4012)
      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 4032)
      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe (PID: 748)
      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 1064)
      • EASERA SysTune.exe (PID: 1764)

    • Create files in a temporary directory

      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe (PID: 4012)
      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 1064)
      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe (PID: 748)

    • Reads the computer name

      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 4032)
      • EASERA SysTune.exe (PID: 1764)
      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 1064)

    • Creates a software uninstall entry

      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 1064)

    • Manual execution by a user

      • EASERA SysTune.exe (PID: 1764)

    • Reads the machine GUID from the registry

      • EASERA SysTune.exe (PID: 1764)

    • Creates files in the program directory

      • EASERA SysTune.exe (PID: 1764)
      • rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp (PID: 1064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (45.2)
.dll | Win32 Dynamic Link Library (generic) (20.9)
.exe | Win32 Executable (generic) (14.3)
.exe | Win16/32 Executable Delphi generic (6.6)
.exe | Generic Win/DOS Executable (6.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:06 14:39:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 66560
InitializedDataSize: 49664
UninitializedDataSize: -
EntryPoint: 0x117dc
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.3.7.492
ProductVersionNumber: 1.3.7.492
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: AFMG Technologies GmbH
FileDescription: AFMG EASERA SysTune v1.3.7
FileVersion: 1.3.7.492
LegalCopyright: © AFMG Technologies GmbH 2007-2014
ProductName: LevelOne
ProductVersion: 1.3.7.492
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rsload.net.easera.systune.pro.v1.3.7.ce.exe no specs rsload.net.easera.systune.pro.v1.3.7.ce.tmp no specs rsload.net.easera.systune.pro.v1.3.7.ce.exe rsload.net.easera.systune.pro.v1.3.7.ce.tmp easera systune.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
748"C:\Users\admin\Desktop\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe" /SPAWNWND=$1013A /NOTIFYWND=$3012C C:\Users\admin\Desktop\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe
rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp
User:
admin
Company:
AFMG Technologies GmbH
Integrity Level:
HIGH
Description:
AFMG EASERA SysTune v1.3.7
Exit code:
0
Version:
1.3.7.492
Modules
Images
c:\users\admin\desktop\rsload.net.easera.systune.pro.v1.3.7.ce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1064"C:\Users\admin\AppData\Local\Temp\is-8POH0.tmp\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp" /SL5="$2013C,14957451,117248,C:\Users\admin\Desktop\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe" /SPAWNWND=$1013A /NOTIFYWND=$3012C C:\Users\admin\AppData\Local\Temp\is-8POH0.tmp\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp
rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-8poh0.tmp\rsload.net.easera.systune.pro.v1.3.7.ce.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1764"C:\Program Files\AFMG\EASERA SysTune\EASERA SysTune.exe" C:\Program Files\AFMG\EASERA SysTune\EASERA SysTune.exeexplorer.exe
User:
admin
Company:
AFMG Technologies GmbH
Integrity Level:
MEDIUM
Description:
EASERA SysTune
Version:
1.3.7.492
Modules
Images
c:\program files\afmg\easera systune\easera systune.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
4012"C:\Users\admin\Desktop\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe" C:\Users\admin\Desktop\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exeexplorer.exe
User:
admin
Company:
AFMG Technologies GmbH
Integrity Level:
MEDIUM
Description:
AFMG EASERA SysTune v1.3.7
Exit code:
0
Version:
1.3.7.492
Modules
Images
c:\users\admin\desktop\rsload.net.easera.systune.pro.v1.3.7.ce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
4032"C:\Users\admin\AppData\Local\Temp\is-BC7SG.tmp\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp" /SL5="$3012C,14957451,117248,C:\Users\admin\Desktop\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe" C:\Users\admin\AppData\Local\Temp\is-BC7SG.tmp\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmprsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-bc7sg.tmp\rsload.net.easera.systune.pro.v1.3.7.ce.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
2 198
Read events
2 156
Write events
36
Delete events
6

Modification events

(PID) Process:(1064) rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
28040000E27BCE73F5A6DA01
(PID) Process:(1064) rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
A0F76206B31E2BFC3BF43DE686229BA87BCB2F10AD9662740F168712379DC6FD
(PID) Process:(1064) rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(1064) rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFiles0000
Value:
C:\Program Files\AFMG\AFMG Licence Manager\AFMG Licence Manager.exe
(PID) Process:(1064) rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFilesHash
Value:
A21402A2013303B2A41BE290E68BD5679FB1572F20535820AA538CB0BF7E0F3D
(PID) Process:(1064) rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\AFMG\AFMG Licence Manager
Operation:writeName:Program Path
Value:
C:\Program Files\AFMG\AFMG Licence Manager\
(PID) Process:(1064) rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EASERA SysTune.Config\shell\open\command
Operation:writeName:command
Value:
hex(7):34,21,6a,74,3f,31,24,32,40,40,2e,5d,4d,3d,53,4e,60,6a,4a,48,3e,57,58,4e,41,61,2e,7d,28,45,3f,2d,7e,30,37,36,49,30,78,5e,39,20,22,25,31,22,00,00
(PID) Process:(1064) rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\AFMG\EASERA SysTune
Operation:writeName:Program Path
Value:
C:\Program Files\AFMG\EASERA SysTune\
(PID) Process:(1064) rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\AFMG\EASERA SysTune
Operation:writeName:AppData Path
Value:
C:\ProgramData\AFMG\EASERA SysTune
(PID) Process:(1064) rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\AFMG\EASERA SysTune
Operation:writeName:UserData Path
Value:
C:\Users\Public\Documents\AFMG\EASERA SysTune
Executable files
116
Suspicious files
29
Text files
87
Unknown types
0

Dropped files

PID
Process
Filename
Type
4012rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exeC:\Users\admin\AppData\Local\Temp\is-BC7SG.tmp\rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmp
MD5:
SHA256:
1064rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpC:\Program Files\AFMG\EASERA SysTune\is-7TB12.tmp
MD5:
SHA256:
1064rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpC:\Program Files\AFMG\AFMG Licence Manager\is-IF48P.tmp
MD5:
SHA256:
1064rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpC:\Program Files\AFMG\AFMG Licence Manager\is-SDB5H.tmp
MD5:
SHA256:
1064rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpC:\Program Files\AFMG\AFMG Licence Manager\AFMG Licence Manager.XmlSerializers.dll
MD5:
SHA256:
1064rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpC:\Program Files\AFMG\AFMG Licence Manager\AFMG.Licencing.Definitions.dll
MD5:
SHA256:
1064rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpC:\Program Files\AFMG\EASERA SysTune\ADIV.url
MD5:
SHA256:
1064rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpC:\Program Files\AFMG\EASERA SysTune\AFMGInfoSampler.exe
MD5:
SHA256:
1064rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpC:\Program Files\AFMG\EASERA SysTune\is-J9RUM.tmp
MD5:
SHA256:
1064rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.tmpC:\Program Files\AFMG\EASERA SysTune\Crp32dll.dll
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rsload.net.EASERA.SysTune.Pro.v1.3.7.CE.exe