File name:

BF2142_Hub_Setup.exe

Full analysis: https://app.any.run/tasks/b5764d10-2b9c-4ea3-baa3-276c5750624a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 27, 2024, 18:28:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

3203FA8C706C5E67E2BBCD1B8095BF54

SHA1:

773F9BE6C66FDB30827C6285824B357924315DDF

SHA256:

99AB3F45EC0EAC48BEC8F5F9618B1D2C26DD5C74B108C3AEF36B9EC9B4E0E11E

SSDEEP:

49152:Ep4yXG3hGSdBlqECwwO6sq8uTflZEne6ONZ0dE8sjF7Tts+wm/exBcZEZcuivsko:EpDXEHBlfCnJ8YfQevwd0B7Tai+GZec8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • BF2142_Hub_Setup.exe (PID: 3836)
    • Block-list domains

      • BF2142 Hub.exe (PID: 3524)
    • Starts CMD.EXE for commands execution

      • BF2142_Hub_Setup.exe (PID: 3836)
    • Drops 7-zip archiver for unpacking

      • BF2142_Hub_Setup.exe (PID: 3836)
    • Process requests binary or script from the Internet

      • BF2142 Hub.exe (PID: 3524)
    • Executing commands from a ".bat" file

      • BF2142_Hub_Setup.exe (PID: 3836)
  • INFO

    • Creates files in the program directory

      • BF2142_Hub_Setup.exe (PID: 3836)
    • Checks supported languages

      • BF2142_Hub_Setup.exe (PID: 3836)
    • Creates files or folders in the user directory

      • BF2142_Hub_Setup.exe (PID: 3836)
    • Manual execution by a user

      • BF2142 Hub.exe (PID: 3524)
    • Reads the computer name

      • BF2142_Hub_Setup.exe (PID: 3836)
    • Create files in a temporary directory

      • BF2142_Hub_Setup.exe (PID: 3836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:01:31 17:44:13+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 4096
InitializedDataSize: 114688
UninitializedDataSize: -
EntryPoint: 0x1d20
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x003f
FileFlags: Pre-release
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: -
CompanyName: Lillyishot
FileDescription: BF2142 Hub Setup
FileVersion: 2
InternalName: BF2142 Hub Setup
LegalCopyright: Copyright © 2021 Lillyishot
LegalTrademarks: -
OriginalFileName: BF2142 Hub Setup.exe
PrivateBuild: -
ProductName: BF2142 Hub
ProductVersion: 2
SpecialBuild: -
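The EXIF block above is a decoded view of the PE file header: the COFF header supplies MachineType, the section count, TimeStamp and ImageFileCharacteristics, and the optional header supplies PEType, LinkerVersion, the size fields, EntryPoint, the OS/subsystem versions and Subsystem. The Python below is an added example, not part of the ANY.RUN report and not the installer's own code: it parses exactly those fields from raw bytes and cross-checks the link timestamp against the copyright year the version resource claims. Since the real file is not reproduced on this page, `build_sample_pe` constructs a header-only PE32 populated with the values listed above (machine 0x14C, 5 sections, 2011-01-31 17:44:13 UTC, linker 6.0, entry point 0x1d20, GUI subsystem); the alignment and image-size values in that stub, the `build_year_gap` helper and its copyright-year argument are this example's own choices, not fields the report shows.

```python
"""Parse the PE header fields shown in the EXIF block and cross-check the link
timestamp against the copyright year claimed by the version resource.
Added example: the sample bytes are a constructed minimal header populated
with this report's values, not the real BF2142_Hub_Setup.exe."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits (PE/COFF specification), named as ExifTool prints them.
CHARACTERISTICS = {
    0x0001: "No relocs",          # IMAGE_FILE_RELOCS_STRIPPED
    0x0002: "Executable",         # IMAGE_FILE_EXECUTABLE_IMAGE
    0x0004: "No line numbers",    # IMAGE_FILE_LINE_NUMS_STRIPPED
    0x0008: "No symbols",         # IMAGE_FILE_LOCAL_SYMS_STRIPPED
    0x0020: "Large address aware",
    0x0100: "32-bit",             # IMAGE_FILE_32BIT_MACHINE
    0x2000: "DLL",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
COFF_FMT = "<HHIIIHH"
# First 72 bytes of the PE32 optional header, Magic through DllCharacteristics.
OPT_FMT = "<HBB9I6H4I2H"


def parse_pe_headers(data: bytes) -> dict:
    """Return the header fields ANY.RUN's EXIF block lists; raise ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from(
        COFF_FMT, data, e_lfanew + 4)
    if opt_size < struct.calcsize(OPT_FMT):
        raise ValueError("optional header too short")
    opt = struct.unpack_from(OPT_FMT, data, e_lfanew + 4 + struct.calcsize(COFF_FMT))
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsections,
        "TimeStampEpoch": stamp,
        "TimeStamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt[0], hex(opt[0])),
        "LinkerVersion": f"{opt[1]}.{opt[2]}",
        "CodeSize": opt[3],
        "InitializedDataSize": opt[4],
        "UninitializedDataSize": opt[5],
        "EntryPoint": hex(opt[6]),
        "OSVersion": f"{opt[12]}.{opt[13]}",
        "SubsystemVersion": f"{opt[16]}.{opt[17]}",
        "Subsystem": SUBSYSTEMS.get(opt[22], str(opt[22])),
    }


def build_year_gap(headers: dict, copyright_year: int) -> int:
    """Years between the link timestamp and the copyright year in the version resource
    (2021 here, from LegalCopyright). The resource itself is not parsed; pass the year in."""
    return copyright_year - int(headers["TimeStamp"][:4])


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 carrying the EXIF values from this report (no sections, no code)."""
    stamp = int(datetime(2011, 1, 31, 17, 44, 13, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> "PE\0\0"
    coff = struct.pack(COFF_FMT, 0x14C, 5, stamp, 0, 0, 224, 0x010F)
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0,                     # PE32, linker 6.0
                      4096, 114688, 0, 0x1D20,                  # code/idata/udata sizes, entry point
                      0x1000, 0x2000, 0x400000, 0x1000, 0x200,  # section bases, image base, alignments (assumed)
                      4, 0, 0, 0, 4, 0,                         # OS 4.0, image 0.0, subsystem 4.0
                      0, 0x20000, 0x400, 0,                     # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum (assumed)
                      2, 0)                                     # IMAGE_SUBSYSTEM_WINDOWS_GUI, DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + opt.ljust(224, b"\0")


if __name__ == "__main__":
    hdr = parse_pe_headers(build_sample_pe())
    for key, value in hdr.items():
        print(f"{key}: {value}")
    print("copyright year minus link year:", build_year_gap(hdr, 2021))
```

A link timestamp of 2011 under a 2021 copyright is not by itself evidence of tampering: installer frameworks ship a prebuilt stub whose header predates the payload it wraps, and the `gentee08` temporary folder in the dropped-files list below matches the naming the Gentee installer runtime uses for its extraction directory. Treat the ten-year gap as a prompt to look at what the stub unpacks, not as a verdict.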
No data.
All screenshots are available in the full report
Total processes
125
Monitored processes
6
Malicious processes
1
Suspicious processes
1

Behavior graph

Processes in the graph: bf2142_hub_setup.exe, cmd.exe (no specs), conhost.exe (no specs), bf2142 hub.exe, svchost.exe, bf2142_hub_setup.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2168
CMD: "C:\Users\admin\Desktop\BF2142_Hub_Setup.exe"
Path: C:\Users\admin\Desktop\BF2142_Hub_Setup.exe
Parent process: explorer.exe
User:
admin
Company:
Lillyishot
Integrity Level:
MEDIUM
Description:
BF2142 Hub Setup
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch did not proceed; the installer was started again elevated as PID 3836 at HIGH integrity)
Version:
2
Modules
Images
c:\users\admin\desktop\bf2142_hub_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2212
CMD: cmd.exe /c deldll.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: BF2142_Hub_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3524
CMD: "C:\Program Files (x86)\BF2142 Hub 2\BF2142 Hub.exe"
Path: C:\Program Files (x86)\BF2142 Hub 2\BF2142 Hub.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
BF2142_Hub
Version:
2.0.0.0
Modules
Images
c:\program files (x86)\bf2142 hub 2\bf2142 hub.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3692
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3836
CMD: "C:\Users\admin\Desktop\BF2142_Hub_Setup.exe"
Path: C:\Users\admin\Desktop\BF2142_Hub_Setup.exe
Parent process: explorer.exe
User:
admin
Company:
Lillyishot
Integrity Level:
HIGH
Description:
BF2142 Hub Setup
Exit code:
0
Version:
2
Modules
Images
c:\users\admin\desktop\bf2142_hub_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
6 780
Read events
6 751
Write events
28
Delete events
1

Modification events

(PID) Process: (3836) BF2142_Hub_Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\tmp
Operation: delete key | Name: (default)
Value:

(PID) Process: (3836) BF2142_Hub_Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Electronic Arts\BF2142 Hub
Operation: write | Name: Location
Value: C:\Program Files (x86)\BF2142 Hub 2

(PID) Process: (3836) BF2142_Hub_Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Electronic Arts\BF2142 Hub
Operation: write | Name: Version
Value: 2

(PID) Process: (3836) BF2142_Hub_Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BF2142 Hub
Operation: write | Name: DisplayName
Value: BF2142 Hub

(PID) Process: (3836) BF2142_Hub_Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BF2142 Hub
Operation: write | Name: DisplayIcon
Value: C:\Program Files (x86)\BF2142 Hub 2\uninstall.exe

(PID) Process: (3836) BF2142_Hub_Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BF2142 Hub
Operation: write | Name: DisplayVersion
Value: 2

(PID) Process: (3836) BF2142_Hub_Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BF2142 Hub
Operation: write | Name: HelpLink
Value: https://www.moddb.com/members/lillyishot/downloads

(PID) Process: (3836) BF2142_Hub_Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BF2142 Hub
Operation: write | Name: InstallLocation
Value: C:\Program Files (x86)\BF2142 Hub 2

(PID) Process: (3836) BF2142_Hub_Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BF2142 Hub
Operation: write | Name: Publisher
Value: Lillyishot

(PID) Process: (3836) BF2142_Hub_Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BF2142 Hub
Operation: write | Name: URLInfoAbout
Value: https://www.moddb.com/members/lillyishot/downloads
Executable files
6
Suspicious files
7
Text files
7
Unknown types
0

Dropped files

PID | Process | Filename | Type
3836 | BF2142_Hub_Setup.exe | C:\Program Files (x86)\BF2142 Hub 2\Readme.txt | text
MD5: E718E2FFB85F12DD1BAAE0A527501596
SHA256: 78B869297F1E80257FAF8A819D92996ADFED7EFB77632B52777D4CE5E6A5524F
3836 | BF2142_Hub_Setup.exe | C:\Users\admin\AppData\Local\Temp\gentee08\3bf2142hub.jpg | image
MD5: D951CE9DAC279FD2DBE902014BAB0720
SHA256: 8AE6C3ACFFD7BBEC4AA65E5DD20A94044DDDFCA808ADC9B36DBCD34B004DFDC6
3836 | BF2142_Hub_Setup.exe | C:\Users\admin\AppData\Local\Temp\gentee08\4hub.jpg | image
MD5: 564E2A1E8C41DCB0424962FB881D7C77
SHA256: 88907C5C35EC46B90FE630E07EDBD8F218D78F4B5FF93C9CB848782136E0A7C9
3836 | BF2142_Hub_Setup.exe | C:\Program Files (x86)\BF2142 Hub 2\Newtonsoft.Json.xml | xml
MD5: AD1A946CDBE4FC83907CF558FB80A37F
SHA256: E3C9CB0CBF4B3BE20B6030F3A4872EDD81E042048D2D19732EAC3EEB9779DC0B
3836 | BF2142_Hub_Setup.exe | C:\Program Files (x86)\BF2142 Hub 2\uninstall.ini | text
MD5: CDD9DFB2AEB457ACA286E82AC429C41F
SHA256: 268FEE9A940960041FC3690711526C162479E4C70D395BD52D11CBA6030A3671
3836 | BF2142_Hub_Setup.exe | C:\Users\admin\Desktop\BF2142 Hub.lnk | binary
MD5: 59336D668FAC47D2C9B8656FFC2556A4
SHA256: F8F58EFEAF97B6C821AD8BABAF4D7DE0806EBBDDED1D0A75DF755494F47DA17B
3836 | BF2142_Hub_Setup.exe | C:\Users\admin\AppData\Local\Temp\~DF02AE0326C0CA945B.TMP | binary
MD5: 6207CC51E5B06608AE49D281E58A81B8
SHA256: B77296DCC593928FD244156B4E493377348DC26CB564A16D1D9BBFA30A14AD9C
3836 | BF2142_Hub_Setup.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BF2142 Hub\Readme.lnk | binary
MD5: 3921C7615793DCA033E6CC98A1D621FF
SHA256: 1CE45C7426A74A9BCBC6647FE9E6D3998CCBF12EF74CEDB1BE3F340884E48C74
3836 | BF2142_Hub_Setup.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BF2142 Hub\Uninstall.lnk | binary
MD5: 17D5F5E3845114FA4B9C166253B46C99
SHA256: DAB8603A5BCCB444A391E8D4186B0E06A23201EEB4FF53B427EC52D59DA1B4C3
3836 | BF2142_Hub_Setup.exe | C:\Program Files (x86)\BF2142 Hub 2\Newtonsoft.Json.dll | executable
MD5: 6815034209687816D8CF401877EC8133
SHA256: 7F912B28A07C226E0BE3ACFB2F57F050538ABA0100FA1F0BF2C39F1A1F1DA814
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
7
Threats
3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4652 | svchost.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4652 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3524 | BF2142 Hub.exe | GET | 200 | 140.82.4.119:80 | http://bf2142.ddns.net/_apps/hub.json | unknown | - | - | malicious
3524 | BF2142 Hub.exe | GET | 200 | 140.82.4.119:80 | http://bf2142.ddns.net/_apps/servers.json | unknown | - | - | malicious
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4652 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.185:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4652 | svchost.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4652 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 104.126.37.185
  • 104.126.37.171
  • 104.126.37.162
  • 104.126.37.153
  • 104.126.37.152
  • 104.126.37.170
  • 104.126.37.155
  • 104.126.37.163
  • 104.126.37.161
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.194
  • 23.48.23.145
  • 23.48.23.167
  • 23.48.23.143
  • 23.48.23.176
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
bf2142.ddns.net
  • 140.82.4.119
malicious
self.events.data.microsoft.com
  • 13.69.116.104
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
3524 | BF2142 Hub.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
3524 | BF2142 Hub.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
No debug info
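The SUSPICIOUS signatures near the top of this report and the Suricata (ET) alerts in the Threats table are behavioural rules, and each can be replayed against endpoint telemetry. The block below is an added example, not ANY.RUN code: it rebuilds the report's observations as constructed Sysmon-style event records (the installer dropping Newtonsoft.Json.dll under Program Files, its elevated cmd.exe /c deldll.bat child, the installed BF2142 Hub.exe resolving bf2142.ddns.net and fetching hub.json and servers.json from it), adds a benign CRL fetch by svchost.exe as a control that must not fire, and runs a small rule set over them. The event field names, the rule names, the dynamic-DNS suffixes other than *.ddns.net and the two-level verdict are this example's own assumptions.

```python
"""Behavioural triage over Sysmon-style telemetry, mirroring the ANY.RUN
signatures and Suricata (ET) alerts listed in this report.
Added example; event records, field names and rule names are this example's
own conventions, not ANY.RUN's."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# SHA256 of BF2142_Hub_Setup.exe from the report header.
KNOWN_SAMPLE_SHA256 = {
    "99ab3f45ec0eac48bec8f5f9618b1d2c26dd5c74b108c3aef36b9ec9b4e0e11e",
}
# *.ddns.net is the suffix the ET rules fired on; the other providers are an
# assumption added for generality, not something this report observed.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".sys", ".ocx")
# Extensions watched by the "requests binary or script" rule; .json is included
# because that is what fired here, although in context it is configuration data.
FETCHED_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".json")
BAT_VIA_CMD = re.compile(r"/[ck]\s+\S*\.bat\b", re.IGNORECASE)

# Constructed telemetry reproducing the report's observations; the last record
# is a benign CRL fetch by svchost.exe that must not trigger any rule.
EVENTS = [
    {"type": "process", "pid": 3836, "image": r"C:\Users\admin\Desktop\BF2142_Hub_Setup.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Users\admin\Desktop\BF2142_Hub_Setup.exe"',
     "sha256": "99AB3F45EC0EAC48BEC8F5F9618B1D2C26DD5C74B108C3AEF36B9EC9B4E0E11E"},
    {"type": "file", "pid": 3836, "path": r"C:\Program Files (x86)\BF2142 Hub 2\Newtonsoft.Json.dll"},
    {"type": "file", "pid": 3836, "path": r"C:\Program Files (x86)\BF2142 Hub 2\Readme.txt"},
    {"type": "process", "pid": 2212, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Users\admin\Desktop\BF2142_Hub_Setup.exe", "cmdline": "cmd.exe /c deldll.bat"},
    {"type": "dns", "pid": 3524, "image": r"C:\Program Files (x86)\BF2142 Hub 2\BF2142 Hub.exe",
     "query": "bf2142.ddns.net"},
    {"type": "http", "pid": 3524, "image": r"C:\Program Files (x86)\BF2142 Hub 2\BF2142 Hub.exe",
     "url": "http://bf2142.ddns.net/_apps/hub.json"},
    {"type": "http", "pid": 3524, "image": r"C:\Program Files (x86)\BF2142 Hub 2\BF2142 Hub.exe",
     "url": "http://bf2142.ddns.net/_apps/servers.json"},
    {"type": "http", "pid": 4652, "image": r"C:\Windows\System32\svchost.exe",
     "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"},
]


def rule_known_hash(ev):
    if ev["type"] == "process" and ev.get("sha256", "").lower() in KNOWN_SAMPLE_SHA256:
        return "Known sample hash"


def rule_bat_via_cmd(ev):
    # Covers both "Starts CMD.EXE for commands execution" and "Executing commands from a .bat file".
    if ev["type"] == "process" and ev["image"].lower().endswith("\\cmd.exe") \
            and BAT_VIA_CMD.search(ev["cmdline"]):
        return "Starts CMD.EXE to run a .bat file"


def rule_exec_drop(ev):
    if ev["type"] == "file" and ev["path"].lower().endswith(EXECUTABLE_EXT):
        return "Executable content dropped"


def rule_dyndns_query(ev):
    # Equivalent of "ET POLICY DNS Query to DynDNS Domain".
    if ev["type"] == "dns" and ev["query"].lower().rstrip(".").endswith(DYNDNS_SUFFIXES):
        return "DNS query to dynamic-DNS domain"


def rule_dyndns_http(ev):
    # Equivalent of "ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain".
    if ev["type"] == "http" and (urlsplit(ev["url"]).hostname or "").lower().endswith(DYNDNS_SUFFIXES):
        return "HTTP request to dynamic-DNS domain"


def rule_remote_fetch(ev):
    if ev["type"] == "http" and urlsplit(ev["url"]).path.lower().endswith(FETCHED_EXT):
        return "Requests binary or script from the Internet"


RULES = (rule_known_hash, rule_bat_via_cmd, rule_exec_drop,
         rule_dyndns_query, rule_dyndns_http, rule_remote_fetch)


def triage(events):
    """Map each PID to the sorted rule names it triggered; PIDs with no hits are omitted."""
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits[ev["pid"]].add(name)
    return {pid: sorted(names) for pid, names in hits.items()}


def verdict(hits):
    """These rules describe behaviours, not a known payload, so on their own
    the strongest conclusion they support is 'suspicious'."""
    return "suspicious" if hits else "clean"


if __name__ == "__main__":
    result = triage(EVENTS)
    for pid, names in sorted(result.items()):
        print(pid, ", ".join(names))
    print("verdict:", verdict(result))
```

Every hit here is a medium-confidence behaviour: an installer that drops executables, writes an uninstall entry and runs a cleanup batch file looks the same whether or not it is hostile, and the two ET rules that fired are policy signals about dynamic DNS rather than detections of a known payload, which is why the report's MALICIOUS section is empty and the verdict rests on the block-listed domain. The follow-up that actually settles the question is in the full report's PCAP: what hub.json and servers.json contain, and what deldll.bat deleted.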