File name: LovingxApplication.exe
Full analysis: https://app.any.run/tasks/dcddc553-8edd-4a25-a8c4-afe6e57cab52
Verdict: Malicious activity
Analysis date: January 19, 2025, 07:08:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 181874D01E2E9E3B042179716C962ADC
SHA1: 50B29CA1412D6F75C19500ED84109D82BDD96E37
SHA256: 66687E22492D9F9CC54B06A51845F1B37477BAA840743D4BD0C89FE2AB3A9762
SSDEEP: 98304:d73etOCHWS0y9cwHEUL0Hu9BcBHfQQnlQfkHAqYCU/bTOeEZiasexEHkdJufTlqK:cDrGJ1HgrS3g8Jch7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • LovingxApplication.exe (PID: 6796)
      • LovingxApplication.exe (PID: 7012)
      • LovingxApplication.exe (PID: 3140)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • LovingxApplication.exe (PID: 6796)
      • LovingxApplication.exe (PID: 7012)
      • LovingxApplication.exe (PID: 3140)
      • setup.exe (PID: 5920)
      • NSIS.exe (PID: 2076)
    • There is functionality for taking screenshots (YARA)

      • setup.exe (PID: 5920)
    • The process creates files with name similar to system file names

      • setup.exe (PID: 5920)
      • NSIS.exe (PID: 2076)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • setup.exe (PID: 5920)
      • NSIS.exe (PID: 2076)
    • Creates a software uninstall entry

      • setup.exe (PID: 5920)
    • Reads Internet Explorer settings

      • hh.exe (PID: 5316)
    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 5316)
  • INFO

    • The sample was compiled with English language support

      • LovingxApplication.exe (PID: 6796)
      • LovingxApplication.exe (PID: 7012)
      • LovingxApplication.exe (PID: 3140)
      • setup.exe (PID: 5920)
    • Creates files in a temporary directory

      • LovingxApplication.exe (PID: 6796)
      • LovingxApplication.exe (PID: 7012)
      • LovingxApplication.exe (PID: 3140)
      • setup.exe (PID: 5920)
      • NSIS.exe (PID: 2076)
      • hh.exe (PID: 5316)
    • Reads the computer name

      • LovingxApplication.exe (PID: 6796)
      • LovingxApplication.exe (PID: 7012)
      • LovingxApplication.exe (PID: 3140)
      • setup.exe (PID: 5920)
      • NSIS.exe (PID: 2076)
    • Manual execution by a user

      • LovingxApplication.exe (PID: 7012)
      • LovingxApplication.exe (PID: 3140)
    • Checks supported languages

      • LovingxApplication.exe (PID: 6796)
      • LovingxApplication.exe (PID: 7012)
      • LovingxApplication.exe (PID: 3140)
      • NSIS.exe (PID: 2076)
      • setup.exe (PID: 5920)
    • Creates files or folders in the user directory

      • setup.exe (PID: 5920)
    • Creates files in the program directory

      • setup.exe (PID: 5920)
    • Reads security settings of Internet Explorer

      • hh.exe (PID: 5316)
    • Checks proxy server information

      • hh.exe (PID: 5316)
    • The process uses the downloaded file

      • hh.exe (PID: 5316)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:08 03:37:31+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.41
CodeSize: 386560
InitializedDataSize: 103424
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.10.0.0
ProductVersionNumber: 3.10.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: NSIS Stp
FileVersion: 3.1
LegalCopyright: http://nsis.sf.net/License
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 4

Behavior graph (interactive; see the full report)

start → lovingxapplication.exe → setup.exe (no specs)
start → lovingxapplication.exe → setup.exe (no specs)
start → lovingxapplication.exe → setup.exe → nsis.exe
                                            → hh.exe (no specs)

Process information

PID | CMD | Path | Parent process

2076 | "C:\Program Files (x86)\NSIS\NSIS.exe" | C:\Program Files (x86)\NSIS\NSIS.exe | setup.exe
User: admin
Integrity Level: HIGH
Description: NSIS Menu
Version: 3.10
Modules (images):
c:\program files (x86)\nsis\nsis.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
3140 | "C:\Users\admin\Desktop\LovingxApplication.exe" | C:\Users\admin\Desktop\LovingxApplication.exe | explorer.exe
User: admin
Integrity Level: HIGH
Description: NSIS Stp
Exit code: 0
Version: 3.10
Modules (images):
c:\users\admin\desktop\lovingxapplication.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5316 | "C:\WINDOWS\hh.exe" mk:@MSITStore:C:\Program Files (x86)\NSIS\NSIS.chm::/SectionF.1.html | C:\Windows\hh.exe | setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® HTML Help Executable
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\hh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5920 | .\setup.exe | C:\Users\admin\AppData\Local\Temp\7zS44C595A3\setup.exe | LovingxApplication.exe
User: admin
Integrity Level: HIGH
Description: NSIS Setup
Exit code: 0
Version: 3.10
Modules (images):
c:\users\admin\appdata\local\temp\7zs44c595a3\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
6796 | "C:\Users\admin\Desktop\LovingxApplication.exe" | C:\Users\admin\Desktop\LovingxApplication.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Description: NSIS Stp
Exit code: 1
Version: 3.10
Modules (images):
c:\users\admin\desktop\lovingxapplication.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6832 | .\setup.exe | C:\Users\admin\AppData\Local\Temp\7zSC8A48033\setup.exe | LovingxApplication.exe
User: admin
Integrity Level: MEDIUM
Description: NSIS Setup
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 3.10
Modules (images):
c:\users\admin\appdata\local\temp\7zsc8a48033\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7012 | "C:\Users\admin\Desktop\LovingxApplication.exe" | C:\Users\admin\Desktop\LovingxApplication.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Description: NSIS Stp
Exit code: 1
Version: 3.10
Modules (images):
c:\users\admin\desktop\lovingxapplication.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
7048 | .\setup.exe | C:\Users\admin\AppData\Local\Temp\7zS46BA65E3\setup.exe | LovingxApplication.exe
User: admin
Integrity Level: MEDIUM
Description: NSIS Setup
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 3.10
Modules (images):
c:\users\admin\appdata\local\temp\7zs46ba65e3\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 907
Read events: 859
Write events: 48
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value

5920 | setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.nsi | write | PerceivedType | text
5920 | setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.nsh | write | PerceivedType | text
5920 | setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NSIS | write | VersionMajor | 3
5920 | setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NSIS | write | VersionMinor | 10
5920 | setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NSIS | write | VersionRevision | 0
5920 | setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NSIS | write | VersionBuild | 0
5920 | setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NSIS | write | UninstallString | "C:\Program Files (x86)\NSIS\uninst-nsis.exe"
5920 | setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NSIS | write | QuietUninstallString | "C:\Program Files (x86)\NSIS\uninst-nsis.exe" /S
5920 | setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NSIS | write | InstallLocation | C:\Program Files (x86)\NSIS
5920 | setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NSIS | write | DisplayName | Nullsoft Install System
Executable files: 78
Suspicious files: 15
Text files: 361
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5920 | setup.exe | C:\Users\admin\AppData\Local\Temp\nsj9FEF.tmp\System.dll | executable
  MD5: 192639861E3DC2DC5C08BB8F8C7260D5
  SHA256: 23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
7012 | LovingxApplication.exe | C:\Users\admin\AppData\Local\Temp\7zS46BA65E3\setup.exe | executable
  MD5: 9F987AE9FFA2FB32555BB7283DDEDC0E
  SHA256: 4313D352E0DAFD1F22B6517126A655CAE3B444FA758D2845EDDFBE72F24F7BDD
5920 | setup.exe | C:\Users\admin\AppData\Local\Temp\nsj9FEF.tmp\modern-wizard.bmp | image
  MD5: 48992D90BF2B3360D2301802A0C25900
  SHA256: 411961864A8EDB7CC2BA384E702BBB787040EA47488D2CEFC2EF2C6F0A55A832
6796 | LovingxApplication.exe | C:\Users\admin\AppData\Local\Temp\7zSC8A48033\setup.exe | executable
  MD5: 9F987AE9FFA2FB32555BB7283DDEDC0E
  SHA256: 4313D352E0DAFD1F22B6517126A655CAE3B444FA758D2845EDDFBE72F24F7BDD
5920 | setup.exe | C:\Program Files (x86)\NSIS\Bin\makensis.exe | executable
  MD5: 299956DFF56B98CC7FC4BADE0B8ACF93
  SHA256: BE8265B2C6705C6451C899C37C49F1F4A6D4592007FBBC420E1E488B57B48B8A
5920 | setup.exe | C:\Users\admin\AppData\Local\Temp\nsj9FEF.tmp\nsDialogs.dll | executable
  MD5: B7D61F3F56ABF7B7FF0D4E7DA3AD783D
  SHA256: 89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
5920 | setup.exe | C:\Program Files (x86)\NSIS\makensisw.exe | executable
  MD5: AE9EC02041A61200B5C188D4C446866D
  SHA256: D5DAEAF1A23CFEA40F65E739C44C2F47CE90C0F1C392D1E0389F20B8BF43B79F
5920 | setup.exe | C:\Program Files (x86)\NSIS\makensis.exe | executable
  MD5: 242C6B655F2AE5D8C639A7B1CD416405
  SHA256: 913AC7636EEC910061C737A120C067CE9A77DBC2E69FAC8D8117761376F271C3
5920 | setup.exe | C:\Program Files (x86)\NSIS\NSIS.exe | executable
  MD5: 0CDCB388ACE5E66B70A7E256B1D1FE76
  SHA256: 86B25FF1B8EF326352E316495E48696E2D61669EF87A8FE134B167936B9683B3
5920 | setup.exe | C:\Program Files (x86)\NSIS\nsisconf.nsh | text
  MD5: E41FAC04FD0832E49A3EE345C38B5C55
  SHA256: 52AC64DC88816B74E8285C0B275C951DF45BA6E57D35A1D5F59AD124D0EEDA22
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 7
TCP/UDP connections: 31
DNS requests: 17
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6380
backgroundTaskHost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5000
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5000
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 104.126.37.160:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1176 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1076 | svchost.exe | 184.30.18.9:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 104.126.37.160
  • 104.126.37.155
  • 104.126.37.170
  • 104.126.37.162
  • 104.126.37.163
  • 104.126.37.154
  • 104.126.37.176
  • 104.126.37.153
  • 104.126.37.171
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
login.live.com
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.75
  • 20.190.159.23
  • 20.190.159.0
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.71
whitelisted
go.microsoft.com
  • 184.30.18.9
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted

Threats

No threats detected
No debug info