Malware analysis dism_9kD-Ik1.bin Malicious activity | ANY.RUN

Add for printing

File name:	dism_9kD-Ik1.bin
Full analysis:	https://app.any.run/tasks/0241219a-ec6d-4c4e-adc7-c15a47f22ba5
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 31, 2024, 03:42:46
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	installer adware innosetup stealer netreactor miner metastealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	4CEF35CB56164E4427C8890CF5CDFD85
SHA1:	242815E66819F32D46C37A57ED707030F57CA2C2
SHA256:	564B8E327A13C948CEA21587245B7B0005F786EA57F62BD602EF4ECEC66171C6
SSDEEP:	98304:b+cD4dno/Kiy69v/P4IzQ0eHJIsm/SK2gyGGnWfA/3nWAs1XnY/QI5QHpsisd:Uz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - dism_9kD-Ik1.bin.exe (PID: 4288)
  - dism_9kD-Ik1.bin.exe (PID: 6412)
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - xczfml1m.exe (PID: 7720)
  - UnifiedStub-installer.exe (PID: 7908)
- INNOSETUP has been detected (SURICATA)
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
- Actions looks like stealing of personal data
  - UnifiedStub-installer.exe (PID: 7908)
  - rsEngineSvc.exe (PID: 5192)
  - rsVPNSvc.exe (PID: 6412)
  - rsDNSSvc.exe (PID: 7884)
- Changes the autorun value in the registry
  - rundll32.exe (PID: 5028)
  - rundll32.exe (PID: 9032)
- METASTEALER has been detected (YARA)
  - rsAppUI.exe (PID: 3580)
SUSPICIOUS
- Executable content was dropped or overwritten
  - dism_9kD-Ik1.bin.exe (PID: 4288)
  - dism_9kD-Ik1.bin.exe (PID: 6412)
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - xczfml1m.exe (PID: 7720)
  - UnifiedStub-installer.exe (PID: 7908)
- Reads security settings of Internet Explorer
  - dism_9kD-Ik1.bin.tmp (PID: 2116)
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - UnifiedStub-installer.exe (PID: 7908)
  - rsWSC.exe (PID: 8120)
  - rsEngineSvc.exe (PID: 7388)
  - rsEDRSvc.exe (PID: 6504)
  - rsEngineSvc.exe (PID: 5192)
  - rsVPNSvc.exe (PID: 5860)
  - rsDNSSvc.exe (PID: 8784)
  - Dism++x64.exe (PID: 8840)
- Reads the date of Windows installation
  - dism_9kD-Ik1.bin.tmp (PID: 2116)
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - rsEDRSvc.exe (PID: 3632)
  - rsEngineSvc.exe (PID: 5192)
- Reads the Windows owner or organization settings
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
- Process drops legitimate windows executable
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - xczfml1m.exe (PID: 7720)
  - UnifiedStub-installer.exe (PID: 7908)
  - WinRAR.exe (PID: 6232)
- Access to an unwanted program domain was detected
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
- Executes application which crashes
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
- Searches for installed software
  - UnifiedStub-installer.exe (PID: 7908)
  - rsVPNSvc.exe (PID: 6412)
  - Dism++x64.exe (PID: 8840)
- Executes as Windows Service
  - rsSyncSvc.exe (PID: 8164)
  - rsWSC.exe (PID: 4340)
  - rsClientSvc.exe (PID: 7324)
  - rsEngineSvc.exe (PID: 5192)
  - rsEDRSvc.exe (PID: 3632)
  - WmiApSrv.exe (PID: 7988)
  - rsVPNClientSvc.exe (PID: 7948)
  - rsVPNSvc.exe (PID: 6412)
  - WmiApSrv.exe (PID: 5876)
  - rsDNSClientSvc.exe (PID: 4192)
  - rsDNSResolver.exe (PID: 8688)
  - rsDNSSvc.exe (PID: 7884)
  - WmiApSrv.exe (PID: 6176)
- Creates a software uninstall entry
  - UnifiedStub-installer.exe (PID: 7908)
- Drops a system driver (possible attempt to evade defenses)
  - UnifiedStub-installer.exe (PID: 7908)
  - WinRAR.exe (PID: 6232)
- Drops 7-zip archiver for unpacking
  - UnifiedStub-installer.exe (PID: 7908)
- The process creates files with name similar to system file names
  - UnifiedStub-installer.exe (PID: 7908)
  - WinRAR.exe (PID: 6232)
- The process drops C-runtime libraries
  - UnifiedStub-installer.exe (PID: 7908)
- Creates files in the driver directory
  - UnifiedStub-installer.exe (PID: 7908)
- Uses RUNDLL32.EXE to load library
  - UnifiedStub-installer.exe (PID: 7908)
- Creates or modifies Windows services
  - UnifiedStub-installer.exe (PID: 7908)
  - rundll32.exe (PID: 5028)
- Adds/modifies Windows certificates
  - UnifiedStub-installer.exe (PID: 7908)
  - rsWSC.exe (PID: 8120)
  - rsEngineSvc.exe (PID: 5192)
- Checks Windows Trust Settings
  - UnifiedStub-installer.exe (PID: 7908)
  - rsWSC.exe (PID: 8120)
  - rsEngineSvc.exe (PID: 7388)
  - rsWSC.exe (PID: 4340)
  - rsEDRSvc.exe (PID: 6504)
  - rsEDRSvc.exe (PID: 3632)
  - rsEngineSvc.exe (PID: 5192)
  - rsVPNSvc.exe (PID: 5860)
  - rsDNSSvc.exe (PID: 8784)
- Uses WEVTUTIL.EXE to install publishers and event logs from the manifest
  - UnifiedStub-installer.exe (PID: 7908)
- Dropped object may contain URLs of mainers pools
  - rsEngineSvc.exe (PID: 5192)
- Reads the BIOS version
  - rsEDRSvc.exe (PID: 3632)
  - rsEngineSvc.exe (PID: 5192)
- The process checks if it is being run in the virtual environment
  - rsEngineSvc.exe (PID: 5192)
  - rsVPNSvc.exe (PID: 6412)
  - rsDNSSvc.exe (PID: 7884)
- Process checks is Powershell's Script Block Logging on
  - rsEDRSvc.exe (PID: 3632)
- Application launched itself
  - rsAppUI.exe (PID: 3580)
  - rsAppUI.exe (PID: 320)
  - rsAppUI.exe (PID: 8376)
- Starts CMD.EXE for commands execution
  - rsDNSSvc.exe (PID: 7884)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 9072)
  - cmd.exe (PID: 8068)
- There is functionality for taking screenshot (YARA)
  - rsVPNSvc.exe (PID: 6412)
- Detected use of alternative data streams (AltDS)
  - Dism++x64.exe (PID: 8840)
INFO
- Checks supported languages
  - dism_9kD-Ik1.bin.exe (PID: 4288)
  - dism_9kD-Ik1.bin.tmp (PID: 2116)
  - dism_9kD-Ik1.bin.exe (PID: 6412)
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - xczfml1m.exe (PID: 7720)
  - UnifiedStub-installer.exe (PID: 7908)
  - rsSyncSvc.exe (PID: 5068)
  - rsSyncSvc.exe (PID: 8164)
  - identity_helper.exe (PID: 8144)
  - identity_helper.exe (PID: 6224)
  - rsWSC.exe (PID: 8120)
  - rsWSC.exe (PID: 4340)
  - rsClientSvc.exe (PID: 7880)
  - rsClientSvc.exe (PID: 7324)
  - rsEngineSvc.exe (PID: 7388)
  - rsEngineSvc.exe (PID: 5192)
  - rsEDRSvc.exe (PID: 6504)
  - rsHelper.exe (PID: 7256)
  - rsEDRSvc.exe (PID: 3632)
  - EPP.exe (PID: 7892)
  - rsAppUI.exe (PID: 3580)
  - rsAppUI.exe (PID: 704)
  - rsAppUI.exe (PID: 7644)
  - rsAppUI.exe (PID: 7276)
  - rsAppUI.exe (PID: 7592)
  - rsLitmus.A.exe (PID: 5732)
  - rsVPNClientSvc.exe (PID: 7948)
  - rsVPNSvc.exe (PID: 5860)
  - rsVPNSvc.exe (PID: 6412)
  - rsVPNClientSvc.exe (PID: 7508)
  - VPN.exe (PID: 3820)
  - rsAppUI.exe (PID: 320)
  - rsAppUI.exe (PID: 1924)
  - rsAppUI.exe (PID: 4660)
  - rsAppUI.exe (PID: 8448)
  - rsAppUI.exe (PID: 7984)
  - Dism++x64.exe (PID: 8840)
  - rsDNSClientSvc.exe (PID: 9188)
  - rsDNSClientSvc.exe (PID: 4192)
  - rsDNSResolver.exe (PID: 8392)
  - rsDNSResolver.exe (PID: 8632)
  - rsDNSResolver.exe (PID: 8688)
  - rsDNSSvc.exe (PID: 8784)
  - rsDNSSvc.exe (PID: 7884)
  - DNS.exe (PID: 7872)
  - rsAppUI.exe (PID: 8376)
  - rsAppUI.exe (PID: 9060)
  - rsAppUI.exe (PID: 8908)
  - rsAppUI.exe (PID: 8940)
  - rsAppUI.exe (PID: 8444)
  - rsAppUI.exe (PID: 3968)
- Create files in a temporary directory
  - dism_9kD-Ik1.bin.exe (PID: 4288)
  - dism_9kD-Ik1.bin.exe (PID: 6412)
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - xczfml1m.exe (PID: 7720)
  - UnifiedStub-installer.exe (PID: 7908)
  - rsAppUI.exe (PID: 3580)
  - rsAppUI.exe (PID: 320)
  - rsAppUI.exe (PID: 8376)
- Process checks computer location settings
  - dism_9kD-Ik1.bin.tmp (PID: 2116)
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - rsAppUI.exe (PID: 7644)
  - rsAppUI.exe (PID: 3580)
  - rsAppUI.exe (PID: 7592)
  - rsVPNSvc.exe (PID: 6412)
  - rsAppUI.exe (PID: 4660)
  - rsAppUI.exe (PID: 320)
  - rsAppUI.exe (PID: 8448)
  - rsAppUI.exe (PID: 8908)
  - rsAppUI.exe (PID: 8376)
- Reads the computer name
  - dism_9kD-Ik1.bin.tmp (PID: 2116)
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - UnifiedStub-installer.exe (PID: 7908)
  - rsSyncSvc.exe (PID: 5068)
  - rsSyncSvc.exe (PID: 8164)
  - identity_helper.exe (PID: 8144)
  - identity_helper.exe (PID: 6224)
  - rsWSC.exe (PID: 8120)
  - rsWSC.exe (PID: 4340)
  - rsClientSvc.exe (PID: 7880)
  - rsClientSvc.exe (PID: 7324)
  - rsEngineSvc.exe (PID: 7388)
  - rsEngineSvc.exe (PID: 5192)
  - rsHelper.exe (PID: 7256)
  - rsEDRSvc.exe (PID: 6504)
  - rsEDRSvc.exe (PID: 3632)
  - rsAppUI.exe (PID: 3580)
  - rsAppUI.exe (PID: 704)
  - rsAppUI.exe (PID: 7276)
  - rsVPNClientSvc.exe (PID: 7508)
  - rsVPNClientSvc.exe (PID: 7948)
  - rsVPNSvc.exe (PID: 5860)
  - rsVPNSvc.exe (PID: 6412)
  - rsAppUI.exe (PID: 320)
  - rsAppUI.exe (PID: 1924)
  - rsAppUI.exe (PID: 7984)
  - Dism++x64.exe (PID: 8840)
  - rsDNSClientSvc.exe (PID: 9188)
  - rsDNSClientSvc.exe (PID: 4192)
  - rsDNSResolver.exe (PID: 8688)
  - rsDNSResolver.exe (PID: 8632)
  - rsDNSSvc.exe (PID: 8784)
  - rsDNSSvc.exe (PID: 7884)
  - rsAppUI.exe (PID: 8376)
  - rsAppUI.exe (PID: 9060)
  - rsAppUI.exe (PID: 8940)
  - rsAppUI.exe (PID: 8444)
  - rsAppUI.exe (PID: 3968)
- Reads the software policy settings
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - WerFault.exe (PID: 5904)
  - UnifiedStub-installer.exe (PID: 7908)
  - WerFault.exe (PID: 4520)
  - slui.exe (PID: 204)
  - rsWSC.exe (PID: 8120)
  - rsEngineSvc.exe (PID: 7388)
  - rsWSC.exe (PID: 4340)
  - rsEDRSvc.exe (PID: 6504)
  - rsEngineSvc.exe (PID: 5192)
  - rsEDRSvc.exe (PID: 3632)
  - rsVPNSvc.exe (PID: 5860)
  - rsVPNSvc.exe (PID: 6412)
  - rsDNSSvc.exe (PID: 7884)
  - rsDNSSvc.exe (PID: 8784)
- Reads the machine GUID from the registry
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - UnifiedStub-installer.exe (PID: 7908)
  - rsWSC.exe (PID: 8120)
  - rsWSC.exe (PID: 4340)
  - rsEngineSvc.exe (PID: 7388)
  - rsEngineSvc.exe (PID: 5192)
  - rsHelper.exe (PID: 7256)
  - rsEDRSvc.exe (PID: 6504)
  - rsEDRSvc.exe (PID: 3632)
  - rsAppUI.exe (PID: 3580)
  - rsVPNSvc.exe (PID: 5860)
  - rsVPNSvc.exe (PID: 6412)
  - rsAppUI.exe (PID: 320)
  - Dism++x64.exe (PID: 8840)
  - rsDNSSvc.exe (PID: 8784)
  - rsDNSSvc.exe (PID: 7884)
  - rsAppUI.exe (PID: 8376)
  - rsAppUI.exe (PID: 8444)
  - rsAppUI.exe (PID: 3968)
- Checks proxy server information
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - prod0.exe (PID: 3968)
  - WerFault.exe (PID: 5904)
  - UnifiedStub-installer.exe (PID: 7908)
  - WerFault.exe (PID: 4520)
  - slui.exe (PID: 204)
  - rsWSC.exe (PID: 8120)
  - rsAppUI.exe (PID: 3580)
  - rsAppUI.exe (PID: 320)
  - rsAppUI.exe (PID: 8376)
  - Dism++x64.exe (PID: 8840)
- Reads Environment values
  - prod0.exe (PID: 3968)
  - UnifiedStub-installer.exe (PID: 7908)
  - identity_helper.exe (PID: 8144)
  - identity_helper.exe (PID: 6224)
  - rsEngineSvc.exe (PID: 5192)
  - rsEDRSvc.exe (PID: 3632)
  - rsAppUI.exe (PID: 3580)
  - rsVPNSvc.exe (PID: 6412)
  - rsAppUI.exe (PID: 320)
  - rsDNSSvc.exe (PID: 7884)
  - rsAppUI.exe (PID: 8376)
  - Dism++x64.exe (PID: 8840)
- Disables trace logs
  - prod0.exe (PID: 3968)
  - UnifiedStub-installer.exe (PID: 7908)
  - rsEngineSvc.exe (PID: 5192)
  - rsEDRSvc.exe (PID: 3632)
  - rsVPNSvc.exe (PID: 6412)
  - rsDNSSvc.exe (PID: 7884)
- Reads Microsoft Office registry keys
  - dism_9kD-Ik1.bin.tmp (PID: 5812)
  - msedge.exe (PID: 7076)
  - msedge.exe (PID: 1108)
  - msedge.exe (PID: 3124)
- Manual execution by a user
  - msedge.exe (PID: 1108)
  - WinRAR.exe (PID: 6232)
  - Dism++x64.exe (PID: 8840)
  - Taskmgr.exe (PID: 6076)
  - Taskmgr.exe (PID: 8036)
- Application launched itself
  - msedge.exe (PID: 7076)
  - msedge.exe (PID: 1108)
  - msedge.exe (PID: 3124)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 5904)
  - WerFault.exe (PID: 4520)
  - UnifiedStub-installer.exe (PID: 7908)
  - rsWSC.exe (PID: 8120)
  - rsEngineSvc.exe (PID: 5192)
  - rsAppUI.exe (PID: 3580)
  - rsAppUI.exe (PID: 7276)
  - rsVPNSvc.exe (PID: 6412)
  - rsAppUI.exe (PID: 320)
  - rsAppUI.exe (PID: 1924)
  - rsDNSSvc.exe (PID: 7884)
  - rsAppUI.exe (PID: 8376)
  - rsAppUI.exe (PID: 8940)
  - rsAppUI.exe (PID: 8444)
- Creates files in the program directory
  - UnifiedStub-installer.exe (PID: 7908)
  - rsWSC.exe (PID: 8120)
  - rsEngineSvc.exe (PID: 7388)
  - rsEngineSvc.exe (PID: 5192)
  - rsEDRSvc.exe (PID: 6504)
  - rsEDRSvc.exe (PID: 3632)
  - rsVPNSvc.exe (PID: 5860)
  - rsVPNSvc.exe (PID: 6412)
  - rsDNSResolver.exe (PID: 8688)
  - rsDNSResolver.exe (PID: 8632)
  - rsDNSSvc.exe (PID: 8784)
  - rsDNSSvc.exe (PID: 7884)
- .NET Reactor protector has been detected
  - UnifiedStub-installer.exe (PID: 7908)
  - rsWSC.exe (PID: 4340)
  - rsEngineSvc.exe (PID: 5192)
  - rsHelper.exe (PID: 7256)
  - rsEDRSvc.exe (PID: 3632)
  - rsAppUI.exe (PID: 3580)
  - rsVPNSvc.exe (PID: 6412)
- Reads security settings of Internet Explorer
  - runonce.exe (PID: 7924)
  - runonce.exe (PID: 9084)
  - Taskmgr.exe (PID: 8036)
- Reads the time zone
  - runonce.exe (PID: 7924)
  - rsEngineSvc.exe (PID: 5192)
  - rsEDRSvc.exe (PID: 3632)
  - rsVPNSvc.exe (PID: 6412)
  - runonce.exe (PID: 9084)
  - rsDNSSvc.exe (PID: 7884)
- Reads CPU info
  - rsEngineSvc.exe (PID: 5192)
  - rsEDRSvc.exe (PID: 3632)
  - rsVPNSvc.exe (PID: 6412)
  - rsDNSSvc.exe (PID: 7884)
- Reads product name
  - rsEDRSvc.exe (PID: 3632)
  - rsAppUI.exe (PID: 3580)
  - rsEngineSvc.exe (PID: 5192)
  - rsAppUI.exe (PID: 320)
  - rsAppUI.exe (PID: 8376)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 6232)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6232)
- Process checks whether UAC notifications are on
  - rsEDRSvc.exe (PID: 3632)
- Checks Windows language
  - Dism++x64.exe (PID: 8840)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (53.5)
.exe	\|	InstallShield setup (21)
.exe	\|	Win32 EXE PECompact compressed (generic) (20.2)
.exe	\|	Win32 Executable (generic) (2.1)
.exe	\|	Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:02:15 14:54:16+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741888
InitializedDataSize:	89600
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	2.2.174.2916
ProductVersionNumber:	2.2.174.2916
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:
FileVersion:	2.2.174.2916
LegalCopyright:
OriginalFileName:
ProductName:
ProductVersion:	2.2.174.2916

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

308

Monitored processes

154

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1352 --field-trial-handle=2392,i,7880689794581632208,2507363273127084860,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

204

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

236

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5244 --field-trial-handle=2328,i,15789632730151721905,7526233733536147970,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

320

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\VPN\ui\app.asar" --engine-path="c:\program files\reasonlabs\VPN" --minimized --focused --first-run

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

—

VPN.exe

User:

admin

Company:

Reason Cybersecurity Ltd.

Integrity Level:

MEDIUM

Description:

ReasonLabs Application

Version:

1.4.2

Modules

Images
c:\program files\reasonlabs\common\client\v1.4.2\rsappui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll

456

ipconfig /flushdns

C:\Windows\System32\ipconfig.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

IP Configuration Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc6.dll

528

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6036 --field-trial-handle=2392,i,7880689794581632208,2507363273127084860,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

704

"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2284 --field-trial-handle=2288,i,14246901953858439807,12428568275437415957,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe

—

rsAppUI.exe

User:

admin

Company:

Reason Cybersecurity Ltd.

Integrity Level:

LOW

Description:

ReasonLabs Application

Version:

1.4.2

Modules

Images
c:\program files\reasonlabs\common\client\v1.4.2\rsappui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll

756

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2780 --field-trial-handle=2328,i,15789632730151721905,7526233733536147970,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

788

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5604 --field-trial-handle=2328,i,15789632730151721905,7526233733536147970,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

968

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6804 --field-trial-handle=2392,i,7880689794581632208,2507363273127084860,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

146 229

Read events

145 504

Write events

499

Delete events

226

Modification events


(PID) Process:	(5812) dism_9kD-Ik1.bin.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: B4160000FC80E4B8FBE2DA01
(PID) Process:	(5812) dism_9kD-Ik1.bin.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: FE0672F18B7AA31BE3172C605E1078F8E04625F77D5B11CE092C0ECD1A2AC801
(PID) Process:	(5812) dism_9kD-Ik1.bin.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(5812) dism_9kD-Ik1.bin.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5812) dism_9kD-Ik1.bin.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(5812) dism_9kD-Ik1.bin.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(5812) dism_9kD-Ik1.bin.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3968) prod0.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\prod0_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3968) prod0.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\prod0_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(3968) prod0.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\prod0_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

890

Suspicious files

683

Text files

243

Unknown types

Dropped files

PID	Process	Filename		Type
4288	dism_9kD-Ik1.bin.exe	C:\Users\admin\AppData\Local\Temp\is-E669H.tmp\dism_9kD-Ik1.bin.tmp		executable
		MD5:02B1D8FF84BCD4EBCB01156636269B99	SHA256:A6497DDDDD577CAEFE5A39958A604F9EE4BFE93E9DA285B147BA6FC6788E75CA
6412	dism_9kD-Ik1.bin.exe	C:\Users\admin\AppData\Local\Temp\is-ASO13.tmp\dism_9kD-Ik1.bin.tmp		executable
		MD5:02B1D8FF84BCD4EBCB01156636269B99	SHA256:A6497DDDDD577CAEFE5A39958A604F9EE4BFE93E9DA285B147BA6FC6788E75CA
5812	dism_9kD-Ik1.bin.tmp	C:\Users\admin\AppData\Local\Temp\is-BNJ7P.tmp\dism.zip		compressed
		MD5:86D3F8A73A01FBB6BB985DC9A939FE15	SHA256:9149F635096571CD67A82A2EFA113C819B8B9005E4F29D6F0D6EB26BB15ED41C
5812	dism_9kD-Ik1.bin.tmp	C:\Users\admin\AppData\Local\Temp\is-BNJ7P.tmp\mainlogo.png		image
		MD5:EB49CBD36D07CD5768271767269131F2	SHA256:A2825968B1C18604E678123FED0CCB6011D3CA0B6AB015E0DD84BA5D9F9F447A
5812	dism_9kD-Ik1.bin.tmp	C:\Users\admin\AppData\Local\Temp\is-BNJ7P.tmp\prod0		executable
		MD5:F1B24C502CBA4BA2608A7CD02B22DF60	SHA256:444208A6E64A582BD3B968D935F688BE837B185F13DAB2342F51C55DA109C8D5
5812	dism_9kD-Ik1.bin.tmp	C:\Users\admin\AppData\Local\Temp\is-BNJ7P.tmp\finish.png		image
		MD5:C22FCE016D422F84213A414D01CEE6D7	SHA256:26AAE139966F128AAC4185263E04DD8C7E65F42B3FDC81397EC80CC350E8BB12
5812	dism_9kD-Ik1.bin.tmp	C:\Users\admin\AppData\Local\Temp\is-BNJ7P.tmp\is-U6NBI.tmp		image
		MD5:CD09F361286D1AD2622BA8A57B7613BD	SHA256:B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
1108	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1c6d58.TMP		—
		MD5:—	SHA256:—
1108	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
5812	dism_9kD-Ik1.bin.tmp	C:\Users\admin\AppData\Local\Temp\is-BNJ7P.tmp\RAV_Cross.png		image
		MD5:CD09F361286D1AD2622BA8A57B7613BD	SHA256:B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

258

DNS requests

185

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
308	svchost.exe	HEAD	200	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8bc315ba-54e5-49f4-9b75-997d7071eb06?P1=1722623250&P2=404&P3=2&P4=VY3ueS%2bV4AqqrNMpkbd7IokTsfa98Nanupz6RT55ksRH%2fc37to1i5b82j%2fRBhzUlmGtwzUa6h7VzodoMRGI%2fDg%3d%3d	unknown	—	—	whitelisted
308	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8bc315ba-54e5-49f4-9b75-997d7071eb06?P1=1722623250&P2=404&P3=2&P4=VY3ueS%2bV4AqqrNMpkbd7IokTsfa98Nanupz6RT55ksRH%2fc37to1i5b82j%2fRBhzUlmGtwzUa6h7VzodoMRGI%2fDg%3d%3d	unknown	—	—	whitelisted
7908	UnifiedStub-installer.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTDHsfuqfubd3pihvq4mgQVWgHWNwQUyH7SaoUqG8oZmAQHJ89QEE9oqKICEzMAAAAHh6M0o3uljhwAAAAAAAc%3D	unknown	—	—	whitelisted
308	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8bc315ba-54e5-49f4-9b75-997d7071eb06?P1=1722623250&P2=404&P3=2&P4=VY3ueS%2bV4AqqrNMpkbd7IokTsfa98Nanupz6RT55ksRH%2fc37to1i5b82j%2fRBhzUlmGtwzUa6h7VzodoMRGI%2fDg%3d%3d	unknown	—	—	whitelisted
5812	dism_9kD-Ik1.bin.tmp	GET	200	95.168.168.24:80	http://dl.jalecdn.com/KR/dism.zip	unknown	—	—	unknown
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
4424	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7908	UnifiedStub-installer.exe	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTOQYLFSE5GO%2FpaRVfYu7d9gZEbQAQU2UEpsA8PY2zvadf1zSmepEhqMOYCEzMAAAAHN4xbodlbjNQAAAAAAAc%3D	unknown	—	—	whitelisted
308	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8bc315ba-54e5-49f4-9b75-997d7071eb06?P1=1722623250&P2=404&P3=2&P4=VY3ueS%2bV4AqqrNMpkbd7IokTsfa98Nanupz6RT55ksRH%2fc37to1i5b82j%2fRBhzUlmGtwzUa6h7VzodoMRGI%2fDg%3d%3d	unknown	—	—	whitelisted
308	svchost.exe	GET	206	152.199.19.161:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8bc315ba-54e5-49f4-9b75-997d7071eb06?P1=1722623250&P2=404&P3=2&P4=VY3ueS%2bV4AqqrNMpkbd7IokTsfa98Nanupz6RT55ksRH%2fc37to1i5b82j%2fRBhzUlmGtwzUa6h7VzodoMRGI%2fDg%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
5368	SearchApp.exe	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6572	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5368	SearchApp.exe	2.23.209.149:443	www.bing.com	Akamai International B.V.	GB	unknown
6012	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5900	slui.exe	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
996	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1620	slui.exe	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
t-ring-fdv2.msedge.net	13.107.237.254	unknown
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	2.23.209.149 2.23.209.140 2.23.209.176 2.23.209.189 2.23.209.185 2.23.209.182 2.23.209.133 2.23.209.179 2.23.209.187 2.23.209.193 2.23.209.177 184.86.251.22 184.86.251.19 184.86.251.7 184.86.251.27	whitelisted
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.184.206	whitelisted
d1e9165hyidvf5.cloudfront.net	18.244.20.154 18.244.20.119 18.244.20.27 18.244.20.193	whitelisted
cdn.download.it	104.22.57.224 104.22.56.224 172.67.26.92	whitelisted
dl.jalecdn.com	95.168.168.24	unknown
fp-afd-nocache-ccp.azureedge.net	13.107.246.60	whitelisted
login.live.com	20.190.159.0 40.126.31.67 40.126.31.69 40.126.31.73 40.126.31.71 20.190.159.64 20.190.159.68 20.190.159.4	whitelisted

Threats

PID	Process	Class	Message
5812	dism_9kD-Ik1.bin.tmp	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] InnoSetup Installer

Add for printing

No debug info

General Info

dism_9kD-Ik1.bin

4CEF35CB56164E4427C8890CF5CDFD85

242815E66819F32D46C37A57ED707030F57CA2C2

564B8E327A13C948CEA21587245B7B0005F786EA57F62BD602EF4ECEC66171C6

98304:b+cD4dno/Kiy69v/P4IzQ0eHJIsm/SK2gyGGnWfA/3nWAs1XnY/QI5QHpsisd:Uz

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

INNOSETUP has been detected (SURICATA)

Actions looks like stealing of personal data

Changes the autorun value in the registry

METASTEALER has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Access to an unwanted program domain was detected

Executes application which crashes

Searches for installed software

Executes as Windows Service

Creates a software uninstall entry

Drops a system driver (possible attempt to evade defenses)

Drops 7-zip archiver for unpacking

The process creates files with name similar to system file names

The process drops C-runtime libraries

Creates files in the driver directory

Uses RUNDLL32.EXE to load library

Creates or modifies Windows services

Adds/modifies Windows certificates

Checks Windows Trust Settings

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

Dropped object may contain URLs of mainers pools

Reads the BIOS version

The process checks if it is being run in the virtual environment

Process checks is Powershell's Script Block Logging on

Application launched itself

Starts CMD.EXE for commands execution

Process uses IPCONFIG to clear DNS cache

There is functionality for taking screenshot (YARA)

Detected use of alternative data streams (AltDS)

INFO

Checks supported languages

Create files in a temporary directory

Process checks computer location settings

Reads the computer name

Reads the software policy settings

Reads the machine GUID from the registry

Checks proxy server information

Reads Environment values

Disables trace logs

Reads Microsoft Office registry keys

Manual execution by a user

Application launched itself

Creates files or folders in the user directory

Creates files in the program directory

.NET Reactor protector has been detected

Reads security settings of Internet Explorer

Reads the time zone

Reads CPU info

Reads product name

Drops the executable file immediately after the start

Executable content was dropped or overwritten

Process checks whether UAC notifications are on

Checks Windows language

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description