analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

file

Full analysis: https://app.any.run/tasks/c0157d3d-feff-46cc-88ef-bbddfb5f7d84
Verdict: Malicious activity
Analysis date: December 05, 2022, 19:05:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

44085873D2D9AD0A6126F752AD80C4E3

SHA1:

A1B8302E4B7A65C4FD62F5F883B4884BB7AB20F9

SHA256:

6B6EB4B5978054AC9EEE21AF78C11667E65AB78E5533D72DBFA420A42DDC7B40

SSDEEP:

196608:91Osam/50vvgbW+iD3IBKI4pZHbzaO+in0g:3OZmh6vyWR35FZHaY0g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Install.exe (PID: 3416)
      • HqbAWMO.exe (PID: 2776)
      • gyDVofW.exe (PID: 2452)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 1108)
      • schtasks.exe (PID: 1280)
      • schtasks.exe (PID: 3144)
      • schtasks.exe (PID: 3624)
      • schtasks.exe (PID: 3384)
      • schtasks.exe (PID: 2404)
      • schtasks.exe (PID: 1500)
      • schtasks.exe (PID: 1084)
      • schtasks.exe (PID: 3704)
      • schtasks.exe (PID: 1044)
      • schtasks.exe (PID: 2580)
      • schtasks.exe (PID: 852)
      • schtasks.exe (PID: 3812)
      • schtasks.exe (PID: 2176)
      • schtasks.exe (PID: 2628)
      • schtasks.exe (PID: 592)
      • schtasks.exe (PID: 1336)
      • schtasks.exe (PID: 3404)
    • Uses Task Scheduler to run other applications

      • Install.exe (PID: 3416)
      • HqbAWMO.exe (PID: 2776)
      • gyDVofW.exe (PID: 2452)
      • gyDVofW.exe (PID: 2452)
      • rundll32.EXE (PID: 1500)
    • Loads the Task Scheduler DLL interface

      • schtasks.exe (PID: 3924)
      • schtasks.exe (PID: 408)
      • schtasks.exe (PID: 488)
      • schtasks.exe (PID: 2520)
    • Modifies exclusions in Windows Defender

      • reg.exe (PID: 2004)
      • reg.exe (PID: 3512)
      • reg.exe (PID: 3388)
      • reg.exe (PID: 3024)
      • reg.exe (PID: 3016)
      • reg.exe (PID: 1032)
      • reg.exe (PID: 3348)
      • reg.exe (PID: 2208)
      • reg.exe (PID: 336)
    • Steals credentials from Web Browsers

      • gyDVofW.exe (PID: 2452)
    • Creates a writable file the system directory

      • gyDVofW.exe (PID: 2452)
    • Modifies files in the Chrome extension folder

      • gyDVofW.exe (PID: 2452)
    • Drops the executable file immediately after the start

      • gyDVofW.exe (PID: 2452)
    • Loads dropped or rewritten executable

      • rundll32.EXE (PID: 1500)
  • SUSPICIOUS

    • Starts itself from another location

      • file.exe (PID: 2104)
    • Reads the BIOS version

      • Install.exe (PID: 3416)
    • Reads the Internet Settings

      • Install.exe (PID: 3416)
      • gyDVofW.exe (PID: 2452)
    • Starts CMD.EXE for commands execution

      • forfiles.exe (PID: 1120)
      • forfiles.exe (PID: 3396)
      • HqbAWMO.exe (PID: 2776)
      • gyDVofW.exe (PID: 2452)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3360)
      • cmd.exe (PID: 1936)
      • cmd.exe (PID: 2884)
      • cmd.exe (PID: 1708)
      • cmd.exe (PID: 3092)
      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 3124)
      • cmd.exe (PID: 2668)
    • Executes via Task Scheduler

      • powershell.EXE (PID: 2752)
      • HqbAWMO.exe (PID: 2776)
      • powershell.EXE (PID: 1408)
      • gyDVofW.exe (PID: 2452)
      • rundll32.EXE (PID: 1500)
    • Starts application from unusual location

      • schtasks.exe (PID: 3924)
      • schtasks.exe (PID: 408)
      • schtasks.exe (PID: 488)
      • schtasks.exe (PID: 2520)
    • Executes scripts

      • HqbAWMO.exe (PID: 2776)
    • Creates a directory in Program Files

      • gyDVofW.exe (PID: 2452)
    • Checks Windows Trust Settings

      • gyDVofW.exe (PID: 2452)
    • Reads settings of System Certificates

      • gyDVofW.exe (PID: 2452)
    • Creates files in the Windows directory

      • gyDVofW.exe (PID: 2452)
    • Adds/modifies Windows certificates

      • gyDVofW.exe (PID: 2452)
    • Executable content was dropped or overwritten

      • gyDVofW.exe (PID: 2452)
    • Creates a software uninstall entry

      • gyDVofW.exe (PID: 2452)
  • INFO

    • Checks supported languages

      • file.exe (PID: 2104)
      • Install.exe (PID: 1988)
      • Install.exe (PID: 3416)
      • HqbAWMO.exe (PID: 2776)
      • gyDVofW.exe (PID: 2452)
    • Creates a file in a temporary directory

      • Install.exe (PID: 1988)
      • file.exe (PID: 2104)
      • Install.exe (PID: 3416)
      • powershell.EXE (PID: 2752)
      • powershell.EXE (PID: 1408)
    • Reads the computer name

      • Install.exe (PID: 3416)
      • gyDVofW.exe (PID: 2452)
    • Creates files in the Windows directory

      • schtasks.exe (PID: 3924)
      • schtasks.exe (PID: 408)
      • schtasks.exe (PID: 488)
      • schtasks.exe (PID: 2520)
    • Reads security settings of Internet Explorer

      • powershell.EXE (PID: 2752)
      • powershell.EXE (PID: 1408)
    • Process checks SAM and SYSTEM backups

      • gyDVofW.exe (PID: 2452)
    • Creates files in the program directory

      • gyDVofW.exe (PID: 2452)
    • Process checks computer location settings

      • gyDVofW.exe (PID: 2452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2010-Nov-18 16:27:35
Detected languages:
  • English - United States
CompanyName: Igor Pavlov
FileDescription: 7z Setup SFX
FileVersion: 9.20
InternalName: 7zS.sfx
LegalCopyright: Copyright (c) 1999-2010 Igor Pavlov
OriginalFilename: 7zS.sfx.exe
ProductName: 7-Zip
ProductVersion: 9.20

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 232

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2010-Nov-18 16:27:35
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
104938
104960
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60849
.rdata
110592
17556
17920
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.36802
.data
131072
23112
12800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.37054
.sxdata
155648
4
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
159744
2656
3072
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.30196

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.75404
744
UNKNOWN
English - United States
RT_ICON
2
3.18403
296
UNKNOWN
English - United States
RT_ICON
5
1.43775
52
UNKNOWN
English - United States
RT_STRING
500
3.09294
184
UNKNOWN
English - United States
RT_DIALOG
1 (#2)
2.78284
148
UNKNOWN
English - United States
RT_STRING
1 (#3)
2.37086
34
UNKNOWN
English - United States
RT_GROUP_ICON
1 (#4)
3.44049
700
UNKNOWN
English - United States
RT_VERSION

Imports

KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
164
Monitored processes
69
Malicious processes
10
Suspicious processes
10

Behavior graph

Click at the process to see the details
start drop and start file.exe no specs file.exe install.exe no specs install.exe no specs forfiles.exe no specs forfiles.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs gpupdate.exe no specs schtasks.exe no specs schtasks.exe no specs hqbawmo.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs gpupdate.exe no specs schtasks.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs wscript.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs gydvofw.exe schtasks.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs rundll32.exe cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3516"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeExplorer.EXE
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7z Setup SFX
Exit code:
3221226540
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
2104"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
Explorer.EXE
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Setup SFX
Exit code:
0
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1988.\Install.exeC:\Users\admin\AppData\Local\Temp\7zSECC3.tmp\Install.exefile.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Setup SFX
Exit code:
0
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\7zsecc3.tmp\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3416.\Install.exe /S /site_id "525403"C:\Users\admin\AppData\Local\Temp\7zSF02E.tmp\Install.exeInstall.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\7zsf02e.tmp\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1120"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0&"C:\Windows\System32\forfiles.exeInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ForFiles - Executes a command on selected files
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
3396"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0&"C:\Windows\System32\forfiles.exeInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ForFiles - Executes a command on selected files
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ws2_32.dll
3360/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0&C:\Windows\System32\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2636REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0c:\windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1936/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0&C:\Windows\System32\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3688REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0c:\windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\reg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
11 525
Read events
11 291
Write events
231
Delete events
3

Modification events

(PID) Process:(3416) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3416) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3416) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3416) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2636) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:writeName:exe
Value:
0
(PID) Process:(3688) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:writeName:SpyNetReporting
Value:
0
(PID) Process:(2752) powershell.EXEKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2752) powershell.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2752) powershell.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2752) powershell.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
10
Suspicious files
39
Text files
75
Unknown types
11

Dropped files

PID
Process
Filename
Type
2752powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YHANP67RUFCO6SS0258D.tempbinary
MD5:DF79ECEE84239B6ED67F46A01767A749
SHA256:4A338A22ACED5DEE19ECF80262B0C994EBC9C68F7D89629C2EE73C9FE6EEC10E
3416Install.exeC:\Users\admin\AppData\Local\Temp\NSAYtBReBeNFnznQr\zYSblTdVstRcyqP\HqbAWMO.exeexecutable
MD5:A642CAB9B19C6F58CFBC6A22C2CD6C11
SHA256:38E5CA7D40BD3598246E945F2CAA0E9D37B5929AB132F2CD67DF29B4C4D05D6B
2104file.exeC:\Users\admin\AppData\Local\Temp\7zSECC3.tmp\__data__\config.txtbinary
MD5:F3026D4D8B6B2F7DB4D82F0668AAEFB2
SHA256:1937867538D805678EF751B941A80563EEDFA220B2C94EA378245A8E86126CE7
1408powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1231c6.TMPbinary
MD5:DF79ECEE84239B6ED67F46A01767A749
SHA256:4A338A22ACED5DEE19ECF80262B0C994EBC9C68F7D89629C2EE73C9FE6EEC10E
2752powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:DF79ECEE84239B6ED67F46A01767A749
SHA256:4A338A22ACED5DEE19ECF80262B0C994EBC9C68F7D89629C2EE73C9FE6EEC10E
2776HqbAWMO.exeC:\Windows\Temp\WtMYTPIbSwjziXOH\cWBmzeye\yNytMRqCHQyYntPX.wsfbinary
MD5:A9C8F581F30FBD74DEEC41FD9F470D71
SHA256:A00BACF45F6CEE0C2FCF498C16C69E0DE75EB8C957F4F27A3688516AC68DBBBA
2776HqbAWMO.exeC:\Windows\System32\GroupPolicy\Machine\registry.polbinary
MD5:3ED0466983586B162999C447985E66DB
SHA256:65D8CF7CE5AAAD658AF22F4941BDF632C2E8AC5490F8B6CB52ECB7BB6BE5A326
1988Install.exeC:\Users\admin\AppData\Local\Temp\7zSF02E.tmp\Install.exeexecutable
MD5:A642CAB9B19C6F58CFBC6A22C2CD6C11
SHA256:38E5CA7D40BD3598246E945F2CAA0E9D37B5929AB132F2CD67DF29B4C4D05D6B
2752powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF110abb.TMPbinary
MD5:CCFCF369F751CE8DA0370D84E52A7EED
SHA256:53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9
2104file.exeC:\Users\admin\AppData\Local\Temp\7zSECC3.tmp\Install.exeexecutable
MD5:4538FAD491D85E70AB95147325790664
SHA256:0DF919CAC391DA767D735F3110D2801E7B07940278951BAEA024D4FAD0B171F0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
8
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2452
gyDVofW.exe
GET
200
184.25.51.82:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgO3KnkYkYvzjMTY%2BDHZyvRw3Q%3D%3D
US
der
503 b
shared
2452
gyDVofW.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
2452
gyDVofW.exe
GET
200
8.238.30.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5d9d45c540f279df
US
compressed
61.4 Kb
whitelisted
2452
gyDVofW.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDuZCz4OZecyRJCVianxG0K
US
der
472 b
whitelisted
2452
gyDVofW.exe
GET
200
8.238.30.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3c6e9b20dbc99968
US
compressed
4.70 Kb
whitelisted
2452
gyDVofW.exe
GET
200
23.52.55.67:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
2452
gyDVofW.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDreCS75DAIaRKqvCi%2FvL9c
US
der
472 b
whitelisted
1500
rundll32.EXE
POST
200
52.27.164.166:80
http://api2.check-data.xyz/api2/google_api_ifi
US
malicious
2452
gyDVofW.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2452
gyDVofW.exe
3.80.150.121:443
service-domain.xyz
AMAZON-AES
US
suspicious
2452
gyDVofW.exe
142.250.185.78:443
clients2.google.com
GOOGLE
US
whitelisted
2452
gyDVofW.exe
142.250.186.163:80
ocsp.pki.goog
GOOGLE
US
whitelisted
2452
gyDVofW.exe
23.52.55.67:80
x1.c.lencr.org
AKAMAI-AS
NL
unknown
2452
gyDVofW.exe
142.250.186.170:443
www.googleapis.com
GOOGLE
US
whitelisted
2452
gyDVofW.exe
8.238.30.254:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
2452
gyDVofW.exe
184.25.51.82:80
r3.o.lencr.org
Akamai International B.V.
DE
unknown
1500
rundll32.EXE
52.27.164.166:80
api2.check-data.xyz
AMAZON-02
US
suspicious

DNS requests

Domain
IP
Reputation
service-domain.xyz
  • 3.80.150.121
suspicious
ctldl.windowsupdate.com
  • 8.238.30.254
  • 8.248.143.254
  • 8.241.78.126
  • 8.238.191.126
  • 8.238.28.126
whitelisted
x1.c.lencr.org
  • 23.52.55.67
whitelisted
r3.o.lencr.org
  • 184.25.51.82
  • 184.25.51.75
shared
www.googleapis.com
  • 142.250.186.170
  • 142.250.184.202
  • 142.250.184.234
  • 172.217.23.106
  • 142.250.185.138
  • 142.250.185.74
  • 142.250.185.106
  • 142.250.185.234
  • 142.250.185.170
  • 142.250.185.202
  • 172.217.16.138
  • 142.250.186.42
  • 172.217.18.10
  • 142.250.181.234
  • 142.250.186.138
  • 172.217.16.202
whitelisted
ocsp.pki.goog
  • 142.250.186.163
whitelisted
clients2.google.com
  • 142.250.185.78
whitelisted
api2.check-data.xyz
  • 52.27.164.166
  • 44.233.23.32
malicious

Threats

PID
Process
Class
Message
2452
gyDVofW.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
1500
rundll32.EXE
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
No debug info