Malware analysis EqualizerAPO-x64-1.4.2.exe Malicious activity

Add for printing

File name:	EqualizerAPO-x64-1.4.2.exe
Full analysis:	https://app.any.run/tasks/b32de29f-ec0c-467f-9fbf-44fa248793eb
Verdict:	Malicious activity
Analysis date:	July 28, 2025, 11:19:07
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto generic
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	410AAB9749AE4673B950BC29A4EB226F
SHA1:	F599C3A16D27864D330529A012FC23A37ABDD06D
SHA256:	7403BE7427BBE1936A40DDED082829B6E217FC4F5990FEE5CBA501F0AE055AFA
SSDEEP:	98304:wLx/lQN+aQQv/62AhnWyGcMrNGtPk8c3qTMo90kFbS6kDl3p/BhUyReqdWO8GLHQ:Oz1eGSnvNIj3PN0rsuAwdXE9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- GENERIC has been found (auto)
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
- Registers / Runs the DLL via REGSVR32.EXE
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
- The process creates files with name similar to system file names
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
- Process drops legitimate windows executable
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
- Creates a software uninstall entry
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
- The process drops C-runtime libraries
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
- Executable content was dropped or overwritten
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 4196)
- There is functionality for taking screenshot (YARA)
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
INFO
- Checks supported languages
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
  - DeviceSelector.exe (PID: 4552)
  - UpdateChecker.exe (PID: 4912)
  - Editor.exe (PID: 6176)
  - DeviceSelector.exe (PID: 3504)
- Reads the computer name
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
  - DeviceSelector.exe (PID: 4552)
  - UpdateChecker.exe (PID: 4912)
  - DeviceSelector.exe (PID: 3504)
  - Editor.exe (PID: 6176)
- Creates files in the program directory
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
  - DeviceSelector.exe (PID: 4552)
- The sample compiled with english language support
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
- Creates files or folders in the user directory
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
- Create files in a temporary directory
  - EqualizerAPO-x64-1.4.2.exe (PID: 1300)
- Manual execution by a user
  - DeviceSelector.exe (PID: 1096)
  - Editor.exe (PID: 6176)
  - DeviceSelector.exe (PID: 3504)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:08:01 02:43:48+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	25600
InitializedDataSize:	118784
UninitializedDataSize:	1024
EntryPoint:	0x3461
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

156

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1096

"C:\Program Files\EqualizerAPO\DeviceSelector.exe"

C:\Program Files\EqualizerAPO\DeviceSelector.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Equalizer APO Device Selector

Exit code:

3221226540

Version:

1.4.2.0

Modules

Images
c:\program files\equalizerapo\deviceselector.exe
c:\windows\system32\ntdll.dll

1300

"C:\Users\admin\AppData\Local\Temp\EqualizerAPO-x64-1.4.2.exe"

C:\Users\admin\AppData\Local\Temp\EqualizerAPO-x64-1.4.2.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\equalizerapo-x64-1.4.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3504

"C:\Program Files\EqualizerAPO\DeviceSelector.exe"

C:\Program Files\EqualizerAPO\DeviceSelector.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

Equalizer APO Device Selector

Exit code:

Version:

1.4.2.0

Modules

Images
c:\program files\equalizerapo\deviceselector.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4160

"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\EqualizerAPO\EqualizerAPO.dll"

C:\Windows\SysWOW64\regsvr32.exe

—

EqualizerAPO-x64-1.4.2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

4196

/s "C:\Program Files\EqualizerAPO\EqualizerAPO.dll"

C:\Windows\System32\regsvr32.exe

—

regsvr32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4552

"C:\Program Files\EqualizerAPO\DeviceSelector.exe" /i

C:\Program Files\EqualizerAPO\DeviceSelector.exe

—

EqualizerAPO-x64-1.4.2.exe

User:

admin

Integrity Level:

HIGH

Description:

Equalizer APO Device Selector

Exit code:

Version:

1.4.2.0

Modules

Images
c:\program files\equalizerapo\deviceselector.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4724

"C:\Users\admin\AppData\Local\Temp\EqualizerAPO-x64-1.4.2.exe"

C:\Users\admin\AppData\Local\Temp\EqualizerAPO-x64-1.4.2.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\equalizerapo-x64-1.4.2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

4912

"C:\Program Files\EqualizerAPO\UpdateChecker.exe" -i

C:\Program Files\EqualizerAPO\UpdateChecker.exe

—

EqualizerAPO-x64-1.4.2.exe

User:

admin

Integrity Level:

HIGH

Description:

Equalizer APO Update Checker

Exit code:

Version:

1.4.2.0

Modules

Images
c:\program files\equalizerapo\updatechecker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\secur32.dll
c:\windows\system32\combase.dll

6176

"C:\Program Files\EqualizerAPO\Editor.exe"

C:\Program Files\EqualizerAPO\Editor.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Equalizer APO Configuration Editor

Exit code:

Version:

1.4.2.0

Modules

Images
c:\program files\equalizerapo\editor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

7044

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

4 235

Read events

4 097

Write events

134

Delete events

Modification events


(PID) Process:	(1300) EqualizerAPO-x64-1.4.2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\EqualizerAPO
Operation:	write	Name:	InstallPath
Value: C:\Program Files\EqualizerAPO
(PID) Process:	(1300) EqualizerAPO-x64-1.4.2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\EqualizerAPO
Operation:	write	Name:	ConfigPath
Value: C:\Program Files\EqualizerAPO\config
(PID) Process:	(1300) EqualizerAPO-x64-1.4.2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\EqualizerAPO
Operation:	write	Name:	EnableTrace
Value: false
(PID) Process:	(1300) EqualizerAPO-x64-1.4.2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\EqualizerAPO
Operation:	write	Name:	Start Menu Folder
Value: Equalizer APO 1.4.2
(PID) Process:	(1300) EqualizerAPO-x64-1.4.2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EqualizerAPO
Operation:	write	Name:	DisplayName
Value: Equalizer APO
(PID) Process:	(1300) EqualizerAPO-x64-1.4.2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EqualizerAPO
Operation:	write	Name:	DisplayVersion
Value: 1.4.2
(PID) Process:	(1300) EqualizerAPO-x64-1.4.2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EqualizerAPO
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\EqualizerAPO\Uninstall.exe"
(PID) Process:	(1300) EqualizerAPO-x64-1.4.2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EqualizerAPO
Operation:	write	Name:	NoModify
Value: 1
(PID) Process:	(1300) EqualizerAPO-x64-1.4.2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EqualizerAPO
Operation:	write	Name:	NoRepair
Value: 1
(PID) Process:	(4196) regsvr32.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AudioEngine\AudioProcessingObjects\{EC1CC9CE-FAED-4822-828A-82A81A6F018F}
Operation:	write	Name:	FriendlyName
Value: EqualizerAPO

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1300	EqualizerAPO-x64-1.4.2.exe	C:\Users\admin\AppData\Local\Temp\nsiD31C.tmp\System.dll		executable
		MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1	SHA256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
1300	EqualizerAPO-x64-1.4.2.exe	C:\Program Files\EqualizerAPO\msvcp140.dll		executable
		MD5:72F3D84384E888BF0D38852EB863026B	SHA256:A4C2229BDC2A2A630ACDC095B4D86008E5C3E3BC7773174354F3DA4F5BEB9CDE
1300	EqualizerAPO-x64-1.4.2.exe	C:\Program Files\EqualizerAPO\fftw3f.dll		executable
		MD5:6FCB132C57764F84FF8D597FAF24F184	SHA256:6C5DF497751D694E9C617F4C931A7F870B64784CB1A0EF09FCCC155BC86D1232
1300	EqualizerAPO-x64-1.4.2.exe	C:\Program Files\EqualizerAPO\Qt6Svg.dll		executable
		MD5:C9A0285BF33B8BAF5E21C54CF152B1A1	SHA256:88194A929933800EAC26BF9F9E06489F71FFB8A56E5F9A184C2EB2D820A0D4C8
1300	EqualizerAPO-x64-1.4.2.exe	C:\Users\admin\AppData\Local\Temp\nsiD31C.tmp\modern-wizard.bmp		image
		MD5:CBE40FD2B1EC96DAEDC65DA172D90022	SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
1300	EqualizerAPO-x64-1.4.2.exe	C:\Users\admin\AppData\Local\Temp\nsiD31C.tmp\NSISpcre.dll		executable
		MD5:BFE060C22B44914E05D3F5367DE6C9FE	SHA256:43041F8540DCCBC33268BFBEF53037D17170B037F6393E77C21429F303AE828F
1300	EqualizerAPO-x64-1.4.2.exe	C:\Users\admin\AppData\Local\Temp\nsiD31C.tmp\StartMenu.dll		executable
		MD5:26836307758E048D1CE0AFE754D6A972	SHA256:A6919F5F3B53A9C8C015413BABE7A9872491A2583E49BB3C261E60785C3C3534
1300	EqualizerAPO-x64-1.4.2.exe	C:\Program Files\EqualizerAPO\EqualizerAPO.dll		executable
		MD5:57058B608040688FB46294B1228B4DF6	SHA256:F25078EF9D71F12D3D6224FB6F720CAA5B54320F795D7BC10E2926C2EE1D480C
1300	EqualizerAPO-x64-1.4.2.exe	C:\Users\admin\AppData\Local\Temp\nsiD31C.tmp\nsDialogs.dll		executable
		MD5:1C8B2B40C642E8B5A5B3FF102796FB37	SHA256:8780095AA2F49725388CDDF00D79A74E85C9C4863B366F55C39C606A5FB8440C
1300	EqualizerAPO-x64-1.4.2.exe	C:\Program Files\EqualizerAPO\VoicemeeterClient.exe		executable
		MD5:9EBB57D4C75C7CC43AC6FF1BF346B233	SHA256:45F524866CD2A8767C4AE4B443DE9AE570FE3712B0A395FE075F6D87B0BD853D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.216.77.27:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	814 b	whitelisted
892	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
5328	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	DE	binary	312 b	whitelisted
1632	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	NL	binary	420 b	whitelisted
1632	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	NL	binary	408 b	whitelisted
5328	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	DE	binary	471 b	whitelisted
5328	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	DE	binary	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7076	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.216.77.27:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
892	svchost.exe	20.190.160.132:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
892	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.184.206	whitelisted
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
crl.microsoft.com	23.216.77.27 23.216.77.21 23.216.77.32 23.216.77.37 23.216.77.20 23.216.77.29 23.216.77.26 23.216.77.5 23.216.77.11	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
login.live.com	20.190.160.132 40.126.32.134 20.190.160.66 20.190.160.67 20.190.160.20 40.126.32.140 20.190.160.14 20.190.160.128	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
www.bing.com	2.16.241.218 2.16.241.205 2.16.241.212 2.16.241.200 2.16.241.206 2.16.241.222 2.16.241.219 2.16.241.224 2.16.241.207	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

Process	Message
Editor.exe	Analysis took 23.2 ms
Editor.exe	Delete took 0 ms
Editor.exe	Create took 29 ms
Editor.exe	Loading took 46.3 ms
Editor.exe	Analysis took 24.7 ms

General Info

EqualizerAPO-x64-1.4.2.exe

410AAB9749AE4673B950BC29A4EB226F

F599C3A16D27864D330529A012FC23A37ABDD06D

7403BE7427BBE1936A40DDED082829B6E217FC4F5990FEE5CBA501F0AE055AFA

98304:wLx/lQN+aQQv/62AhnWyGcMrNGtPk8c3qTMo90kFbS6kDl3p/BhUyReqdWO8GLHQ:Oz1eGSnvNIj3PN0rsuAwdXE9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GENERIC has been found (auto)

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Process drops legitimate windows executable

Creates a software uninstall entry

The process drops C-runtime libraries

Executable content was dropped or overwritten

Creates/Modifies COM task schedule object

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

Reads the computer name

Creates files in the program directory

The sample compiled with english language support

Creates files or folders in the user directory

Create files in a temporary directory

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings