File name: BF2142_Hub_Setup.exe
Full analysis: https://app.any.run/tasks/b5764d10-2b9c-4ea3-baa3-276c5750624a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 27, 2024, 18:28:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 3203FA8C706C5E67E2BBCD1B8095BF54
SHA1: 773F9BE6C66FDB30827C6285824B357924315DDF
SHA256: 99AB3F45EC0EAC48BEC8F5F9618B1D2C26DD5C74B108C3AEF36B9EC9B4E0E11E
SSDEEP: 49152:Ep4yXG3hGSdBlqECwwO6sq8uTflZEne6ONZ0dE8sjF7Tts+wm/exBcZEZcuivsko:EpDXEHBlfCnJ8YfQevwd0B7Tai+GZec8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • BF2142_Hub_Setup.exe (PID: 3836)
    • Executing commands from a ".bat" file
      • BF2142_Hub_Setup.exe (PID: 3836)
    • Drops 7-zip archiver for unpacking
      • BF2142_Hub_Setup.exe (PID: 3836)
    • Starts CMD.EXE for commands execution
      • BF2142_Hub_Setup.exe (PID: 3836)
    • Block-list domains
      • BF2142 Hub.exe (PID: 3524)
    • Process requests binary or script from the Internet
      • BF2142 Hub.exe (PID: 3524)
  • INFO
    • Creates files in the program directory
      • BF2142_Hub_Setup.exe (PID: 3836)
    • Reads the computer name
      • BF2142_Hub_Setup.exe (PID: 3836)
    • Checks supported languages
      • BF2142_Hub_Setup.exe (PID: 3836)
    • Create files in a temporary directory
      • BF2142_Hub_Setup.exe (PID: 3836)
    • Manual execution by a user
      • BF2142 Hub.exe (PID: 3524)
    • Creates files or folders in the user directory
      • BF2142_Hub_Setup.exe (PID: 3836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:01:31 17:44:13+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 4096
InitializedDataSize: 114688
UninitializedDataSize: -
EntryPoint: 0x1d20
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x003f
FileFlags: Pre-release
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: -
CompanyName: Lillyishot
FileDescription: BF2142 Hub Setup
FileVersion: 2
InternalName: BF2142 Hub Setup
LegalCopyright: Copyright © 2021 Lillyishot
LegalTrademarks: -
OriginalFileName: BF2142 Hub Setup.exe
PrivateBuild: -
ProductName: BF2142 Hub
ProductVersion: 2
SpecialBuild: -
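The EXIF block above is a flat dump of the PE headers. The script below is an added example, not part of the ANY.RUN report: it parses the same COFF and optional-header fields from a PE image and checks the link timestamp against the version resource's copyright year. The image bytes are constructed inside the script from the values in the report (Intel 386, 5 sections, linker 6, EntryPoint 0x1d20, GUI subsystem, 2011-01-31 stamp) so it runs offline; to use it on a real sample, pass `open(path, "rb").read()` to `parse_pe_header` instead. A 2011 link date, 4 KB of code and linker version 6 describe a small installer stub rather than code built for the 2021 release; the temp-directory names in the dropped-files list (gentee08, genteert.dll, setup_temp.gea) are those of the Gentee installer runtime, which fits that reading.

```python
"""Parse the PE header fields reported in the EXIF block and flag a link
timestamp that predates the version resource's copyright year.
Added example. SAMPLE is a constructed header-only image built from the
report's values; it is not the real installer and is not executable."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits, named the way the report prints them
CHARACTERISTICS = {
    0x0001: "No relocs",
    0x0002: "Executable",
    0x0004: "No line numbers",
    0x0008: "No symbols",
    0x0100: "32-bit",
    0x2000: "DLL",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def build_sample_image(timestamp: int) -> bytes:
    """Constructed minimal PE32 header shaped like the sample (headers only)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH",
                       0x014C,                         # Machine: Intel 386
                       5,                              # NumberOfSections
                       timestamp,                      # TimeDateStamp
                       0, 0,                           # symbol table ptr / count
                       0xE0,                           # SizeOfOptionalHeader (PE32)
                       0x010F)                         # relocs stripped|exe|no line nums|no syms|32-bit
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIII", opt, 0,
                     0x010B,                           # Magic: PE32
                     6, 0,                             # Major/MinorLinkerVersion
                     4096,                             # SizeOfCode
                     114688,                           # SizeOfInitializedData
                     0,                                # SizeOfUninitializedData
                     0x1D20)                           # AddressOfEntryPoint
    struct.pack_into("<H", opt, 40, 4)                 # MajorOperatingSystemVersion
    struct.pack_into("<H", opt, 48, 4)                 # MajorSubsystemVersion
    struct.pack_into("<H", opt, 68, 2)                 # Subsystem: Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_header(data: bytes) -> dict:
    """Read the DOS stub pointer, COFF header and the start of the optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                # optional header follows the 20-byte COFF header
    magic, lmaj, lmin, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    os_ver = struct.unpack_from("<H", data, opt + 40)[0]
    sub_ver = struct.unpack_from("<H", data, opt + 48)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": machine,
        "sections": nsec,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "pe_type": "PE32" if magic == 0x10B else "PE32+" if magic == 0x20B else hex(magic),
        "linker": f"{lmaj}.{lmin}",
        "code_size": code, "init_data": idata, "uninit_data": udata,
        "entry_point": entry,
        "os_version": os_ver, "subsystem_version": sub_ver,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def timestamp_copyright_gap(hdr: dict, copyright_year: int) -> int:
    """Years between the link stamp and the LegalCopyright year. A large positive
    gap (10 here) means the stub was linked long before this release was made."""
    return copyright_year - hdr["timestamp"].year


SAMPLE_TS = int(datetime(2011, 1, 31, 17, 44, 13, tzinfo=timezone.utc).timestamp())
SAMPLE = build_sample_image(SAMPLE_TS)

if __name__ == "__main__":
    h = parse_pe_header(SAMPLE)
    print(h["timestamp"].strftime("%Y-%m-%d %H:%M:%S"), h["characteristics"], hex(h["entry_point"]))
    print("link stamp vs copyright year gap:", timestamp_copyright_gap(h, 2021), "years")
```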
All screenshots are available in the full report
Total processes: 125
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process tree, reconstructed from the process information below)

explorer.exe
  ├─ bf2142_hub_setup.exe (PID 2168, MEDIUM integrity, no indicators)
  ├─ bf2142_hub_setup.exe (PID 3836, HIGH integrity)
  │   └─ cmd.exe /c deldll.bat (PID 2212, no indicators)
  │       └─ conhost.exe (PID 3692, no indicators)
  └─ bf2142 hub.exe (PID 3524)
services.exe
  └─ svchost.exe -k NetworkService -s Dnscache (PID 2192)

Process information

PID: 2168
CMD: "C:\Users\admin\Desktop\BF2142_Hub_Setup.exe"
Path: C:\Users\admin\Desktop\BF2142_Hub_Setup.exe
Parent process: explorer.exe
User:
admin
Company:
Lillyishot
Integrity Level:
MEDIUM
Description:
BF2142 Hub Setup
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch needed administrator rights and exited without installing, which is consistent with the same installer reappearing as PID 3836 at HIGH integrity after the UAC prompt)
Version:
2
Modules
Images
c:\users\admin\desktop\bf2142_hub_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2212
CMD: cmd.exe /c deldll.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: BF2142_Hub_Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 3524
CMD: "C:\Program Files (x86)\BF2142 Hub 2\BF2142 Hub.exe"
Path: C:\Program Files (x86)\BF2142 Hub 2\BF2142 Hub.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
BF2142_Hub
Version:
2.0.0.0
Modules
Images
c:\program files (x86)\bf2142 hub 2\bf2142 hub.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3692
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3836
CMD: "C:\Users\admin\Desktop\BF2142_Hub_Setup.exe"
Path: C:\Users\admin\Desktop\BF2142_Hub_Setup.exe
Parent process: explorer.exe
User:
admin
Company:
Lillyishot
Integrity Level:
HIGH
Description:
BF2142 Hub Setup
Exit code:
0
Version:
2
Modules
Images
c:\users\admin\desktop\bf2142_hub_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
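The process table above records parents by image name and prints exit codes as raw decimals. The script below is an added example, not part of the ANY.RUN report: it rebuilds the process tree from those rows, decodes the first installer launch's exit code as an NTSTATUS value, and flags the two chains an analyst would pull out of this run: the MEDIUM-to-HIGH relaunch of the installer and the elevated installer spawning cmd.exe /c deldll.bat. PROCESSES is constructed from the table; because the report names parents by image rather than PID, the cmd.exe parent is resolved by matching integrity level, which is a heuristic of this example.

```python
"""Rebuild the process tree from the report's process table, decode NTSTATUS
exit codes and flag the notable chains. Added example; PROCESSES is constructed
from the report rows and parent resolution by integrity level is a heuristic."""
from __future__ import annotations

NTSTATUS_NAMES = {  # subset sufficient for this report
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
}

PROCESSES = [  # constructed from the process information table; exit=None means still running
    dict(pid=2168, image="BF2142_Hub_Setup.exe", parent="explorer.exe", integrity="MEDIUM",
         cmd='"C:\\Users\\admin\\Desktop\\BF2142_Hub_Setup.exe"', exit=3221226540),
    dict(pid=2192, image="svchost.exe", parent="services.exe", integrity="SYSTEM",
         cmd="C:\\WINDOWS\\system32\\svchost.exe -k NetworkService -p -s Dnscache", exit=None),
    dict(pid=2212, image="cmd.exe", parent="BF2142_Hub_Setup.exe", integrity="HIGH",
         cmd="cmd.exe /c deldll.bat", exit=1),
    dict(pid=3524, image="BF2142 Hub.exe", parent="explorer.exe", integrity="MEDIUM",
         cmd='"C:\\Program Files (x86)\\BF2142 Hub 2\\BF2142 Hub.exe"', exit=None),
    dict(pid=3692, image="conhost.exe", parent="cmd.exe", integrity="HIGH",
         cmd="\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", exit=0),
    dict(pid=3836, image="BF2142_Hub_Setup.exe", parent="explorer.exe", integrity="HIGH",
         cmd='"C:\\Users\\admin\\Desktop\\BF2142_Hub_Setup.exe"', exit=0),
]


def decode_exit_code(code: int | None) -> str:
    """Exit values with severity bits 11 (0xC...) are NTSTATUS codes, not errorlevels."""
    if code is None:
        return "still running"
    if code >> 30 == 3:                                  # STATUS_SEVERITY_ERROR
        return f"0x{code:08X} {NTSTATUS_NAMES.get(code, 'unknown NTSTATUS')}"
    return f"{code} (Win32 exit code)"


def resolve_parent_pid(proc: dict, procs: list[dict]) -> int | None:
    """Map a parent image name to a PID; when the name is ambiguous (two installer
    launches), prefer the candidate at the same integrity level (heuristic)."""
    candidates = [p for p in procs if p["image"] == proc["parent"] and p["pid"] != proc["pid"]]
    if len(candidates) > 1:
        same = [p for p in candidates if p["integrity"] == proc["integrity"]]
        candidates = same or candidates
    return candidates[0]["pid"] if candidates else None


def build_tree(procs: list[dict]) -> dict:
    """children[parent_pid] -> [child pids]; parents outside the table map to None."""
    children: dict = {}
    for p in procs:
        children.setdefault(resolve_parent_pid(p, procs), []).append(p["pid"])
    return children


def print_tree(procs: list[dict], children: dict, root=None, depth: int = 0) -> None:
    for pid in children.get(root, []):
        p = next(q for q in procs if q["pid"] == pid)
        print("  " * depth + f"{p['image']} (pid {pid}, {p['integrity']}) exit: {decode_exit_code(p['exit'])}")
        print_tree(procs, children, pid, depth + 1)


def findings(procs: list[dict]) -> list[str]:
    by_pid = {p["pid"]: p for p in procs}
    out = []
    # 1. Same image exits STATUS_ELEVATION_REQUIRED at MEDIUM and reappears at HIGH: UAC relaunch.
    for p in procs:
        if p["exit"] == 0xC000042C:
            hi = [q for q in procs if q["image"] == p["image"] and q["integrity"] == "HIGH"]
            if hi:
                out.append(f"UAC elevation relaunch: {p['image']} pid {p['pid']} -> pid {hi[0]['pid']}")
    # 2. An elevated parent runs cmd.exe /c <something>.bat (the deldll.bat cleanup step here).
    for p in procs:
        ppid = resolve_parent_pid(p, procs)
        par = by_pid.get(ppid)
        cmd = p["cmd"].lower()
        if par and p["image"].lower() == "cmd.exe" and "/c" in cmd and ".bat" in cmd and par["integrity"] == "HIGH":
            out.append(f"elevated batch execution: {par['image']} pid {ppid} -> {p['cmd']}")
    return out


if __name__ == "__main__":
    print_tree(PROCESSES, build_tree(PROCESSES))
    for line in findings(PROCESSES):
        print("!", line)
```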
Total events: 6 780
Read events: 6 751
Write events: 28
Delete events: 1

Modification events (all by PID 3836, BF2142_Hub_Setup.exe)

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\tmp
  delete key  (default)

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Electronic Arts\BF2142 Hub
  write  Location = C:\Program Files (x86)\BF2142 Hub 2
  write  Version = 2

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\BF2142 Hub
  write  DisplayName = BF2142 Hub
  write  DisplayIcon = C:\Program Files (x86)\BF2142 Hub 2\uninstall.exe
  write  DisplayVersion = 2
  write  HelpLink = https://www.moddb.com/members/lillyishot/downloads
  write  InstallLocation = C:\Program Files (x86)\BF2142 Hub 2
  write  Publisher = Lillyishot
  write  URLInfoAbout = https://www.moddb.com/members/lillyishot/downloads
Executable files: 6
Suspicious files: 7
Text files: 7
Unknown types: 0

Dropped files (all written by PID 3836, BF2142_Hub_Setup.exe)

C:\Users\admin\AppData\Local\Temp\gentee08\4hub.jpg (image)
  MD5: 564E2A1E8C41DCB0424962FB881D7C77
  SHA256: 88907C5C35EC46B90FE630E07EDBD8F218D78F4B5FF93C9CB848782136E0A7C9
C:\Program Files (x86)\BF2142 Hub 2\uninstall.exe (executable)
  MD5: B5A5BDA5E3BFEAF2E8F6696C6A6A936A
  SHA256: 17C119B7E280835DA7AF4B27CC0F25FC991EA26D1A3EBA1969E255DB76EC164F
C:\Users\admin\AppData\Local\Temp\~DFDF682244DB555686.TMP (binary)
  MD5: 9E462AC04EAB8312701884A5F4D4C28B
  SHA256: BCCF845F2F74FFAE10893BCD061ABF9E05FA841B834D3AC658F8ABA9F2313534
C:\Users\admin\AppData\Local\Temp\gentee08\setup_temp.gea (binary)
  MD5: 98FF940B3C7AE992648A3F0AF8BFB764
  SHA256: E3B5535FE26D64CA834DED6A43BEF7F87A8E91DF0EA813D2539E0B25F6AF2547
C:\Program Files (x86)\BF2142 Hub 2\uninstall.ini (text)
  MD5: CDD9DFB2AEB457ACA286E82AC429C41F
  SHA256: 268FEE9A940960041FC3690711526C162479E4C70D395BD52D11CBA6030A3671
C:\Users\admin\AppData\Local\Temp\gentee08\guig.dll (executable)
  MD5: D3F8C0334C19198A109E44D074DAC5FD
  SHA256: 005C251C21D6A5BA1C3281E7B9F3B4F684D007E0C3486B34A545BB370D8420AA
C:\Users\admin\AppData\Local\Temp\genteert.dll (executable)
  MD5: 6CE814FD1AD7AE07A9E462C26B3A0F69
  SHA256: 54C0DA1735BB1CB02B60C321DE938488345F8D1D26BF389C8CB2ACAD5D01B831
C:\Program Files (x86)\BF2142 Hub 2\7za.exe (executable)
  MD5: 2E3309647CE678CA313FE3825A57CCB9
  SHA256: E6855553350FA6FB23E05839C7F3EF140DAD29D9A0E3495DE4D1B17A9FBF5CA4
C:\Program Files (x86)\BF2142 Hub 2\Readme.txt (text)
  MD5: E718E2FFB85F12DD1BAAE0A527501596
  SHA256: 78B869297F1E80257FAF8A819D92996ADFED7EFB77632B52777D4CE5E6A5524F
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BF2142 Hub\Uninstall.lnk (binary)
  MD5: 17D5F5E3845114FA4B9C166253B46C99
  SHA256: DAB8603A5BCCB444A391E8D4186B0E06A23201EEB4FF53B427EC52D59DA1B4C3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 7
Threats: 3

HTTP requests

PID 4652 svchost.exe: GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl -> 200 from 23.48.23.173:80 (unknown, whitelisted)
PID 4712 MoUsoCoreWorker.exe: GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl -> 200 from 23.48.23.173:80 (unknown, whitelisted)
PID 4652 svchost.exe: GET http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl -> 200 from 184.30.21.171:80 (unknown, whitelisted)
PID 4712 MoUsoCoreWorker.exe: GET http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl -> 200 from 184.30.21.171:80 (unknown, whitelisted)
PID 3524 BF2142 Hub.exe: GET http://bf2142.ddns.net/_apps/hub.json -> 200 from 140.82.4.119:80 (unknown, malicious)
PID 3524 BF2142 Hub.exe: GET http://bf2142.ddns.net/_apps/servers.json -> 200 from 140.82.4.119:80 (unknown, malicious)

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4652 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.185:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4652 | svchost.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4652 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 104.126.37.185
  • 104.126.37.171
  • 104.126.37.162
  • 104.126.37.153
  • 104.126.37.152
  • 104.126.37.170
  • 104.126.37.155
  • 104.126.37.163
  • 104.126.37.161
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.48.23.173
  • 23.48.23.194
  • 23.48.23.145
  • 23.48.23.167
  • 23.48.23.143
  • 23.48.23.176
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
bf2142.ddns.net
  • 140.82.4.119
malicious
self.events.data.microsoft.com
  • 13.69.116.104
whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net
3524 | BF2142 Hub.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain
3524 | BF2142 Hub.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain

The DNS alert is attributed to svchost.exe (PID 2192) because that is the DNS Client (Dnscache) service host, which performs lookups on behalf of every process; the two HTTP alerts identify BF2142 Hub.exe (PID 3524) as the process that actually contacted bf2142.ddns.net.
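The two rule messages above are the Emerging Threats dynamic-DNS signatures. The script below is an added example, not Suricata or ANY.RUN code: it re-implements their logic over a few constructed log lines and adds the correlation step the report leaves to the reader, matching the queried name from the Dnscache service (svchost.exe, PID 2192) against the HTTP Host of the process that asked for it (BF2142 Hub.exe, PID 3524). The log format, field names, helper names and the provider-suffix list are assumptions of this example.

```python
"""Flag DNS queries and HTTP requests to dynamic-DNS domains and attribute the
DNS hit to the requesting process. Added example; LOG is constructed in the
shape the report implies and is not a real capture."""
import re
from collections import defaultdict

# Dynamic-DNS provider suffixes (subset; extend from your own intel)
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org",
                   "sytes.net", "serveftp.com", "duckdns.org", "dyndns.org", "dynu.com")

# Constructed log lines (assumed format): DNS comes from the Dnscache service,
# HTTP from the application; the last line is a look-alike that must not fire.
LOG = """\
2024-11-27T18:28:40Z dns  pid=2192 proc="svchost.exe" qname=settings-win.data.microsoft.com
2024-11-27T18:28:41Z dns  pid=2192 proc="svchost.exe" qname=bf2142.ddns.net
2024-11-27T18:28:41Z http pid=3524 proc="BF2142 Hub.exe" host=bf2142.ddns.net uri=/_apps/hub.json
2024-11-27T18:28:42Z http pid=3524 proc="BF2142 Hub.exe" host=bf2142.ddns.net uri=/_apps/servers.json
2024-11-27T18:28:43Z http pid=4652 proc="svchost.exe" host=crl.microsoft.com uri=/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
2024-11-27T18:28:44Z dns  pid=2192 proc="svchost.exe" qname=myddns.net
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<kind>dns|http)\s+pid=(?P<pid>\d+) proc="(?P<proc>[^"]+)" (?P<rest>.*)$')


def is_dyndns_host(host: str) -> bool:
    """True only for a name under a provider suffix (bf2142.ddns.net); the bare
    suffix and look-alikes such as myddns.net do not match."""
    host = host.lower().rstrip(".")
    return any(host.endswith("." + suffix) for suffix in DYNDNS_SUFFIXES)


def parse(log: str):
    """Yield one dict per well-formed line; key=value pairs after proc become fields."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev.update(kv.split("=", 1) for kv in ev.pop("rest").split())
        yield ev


def detect(log: str) -> list[dict]:
    events = list(parse(log))
    alerts = []
    http_by_host = defaultdict(set)
    # HTTP requests name the real requester, so process them first.
    for ev in events:
        if ev["kind"] == "http" and is_dyndns_host(ev["host"]):
            http_by_host[ev["host"].lower()].add((ev["pid"], ev["proc"]))
            alerts.append({"class": "Potentially Bad Traffic",
                           "msg": "DYNAMIC_DNS HTTP Request to a dynamic-DNS domain",
                           "pid": ev["pid"], "proc": ev["proc"],
                           "host": ev["host"], "uri": ev["uri"]})
    # DNS queries are made by the resolver service; attribute via the HTTP host.
    for ev in events:
        if ev["kind"] == "dns" and is_dyndns_host(ev["qname"]):
            alerts.append({"class": "Potentially Bad Traffic",
                           "msg": "DNS Query to a dynamic-DNS domain",
                           "pid": ev["pid"], "proc": ev["proc"], "host": ev["qname"],
                           "attributed_to": sorted(http_by_host.get(ev["qname"].lower(), ()))})
    return alerts


if __name__ == "__main__":
    for a in detect(LOG):
        print(a)
```

On this sample the script produces the same three alerts as the report (one DNS, two HTTP) and adds `attributed_to: [(3524, 'BF2142 Hub.exe')]` to the DNS alert, which is the detail a responder needs to move from "the resolver looked something up" to "this binary phones a dynamic-DNS host".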
No debug info