Malware analysis 9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe Malicious activity

Add for printing

File name:	9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe
Full analysis:	https://app.any.run/tasks/5c51156e-f26b-4426-9bda-e01b7e5424cd
Verdict:	Malicious activity
Analysis date:	June 09, 2024, 19:04:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	C89DDB4A4A1C1ED7928B9A1DD8D8FCB6
SHA1:	0A158C1B36C932A5CA8E1E024B018455190CE0D5
SHA256:	9AF7915A980B3BA7A89B8E00B08CFE257BA767910D7C486FF7AF085DC85A23BE
SSDEEP:	196608:ZVf+Gc5hL5KKovq7OdMm09SfDFNCEMY+0d:ZJsJgvOOd69SfJNB+a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe (PID: 6240)
  - Update.exe (PID: 6260)
  - Whether�Definitely.exe (PID: 6644)
- Application was injected by another process
  - explorer.exe (PID: 4352)
- Runs injected code in another process
  - MpDlpCmd.exe (PID: 5700)
SUSPICIOUS
- Executable content was dropped or overwritten
  - 9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe (PID: 6240)
  - Update.exe (PID: 6260)
  - Whether�Definitely.exe (PID: 6644)
- Process drops legitimate windows executable
  - 9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe (PID: 6240)
  - Update.exe (PID: 6260)
  - Whether�Definitely.exe (PID: 6644)
- Reads security settings of Internet Explorer
  - Update.exe (PID: 6260)
  - Whether�Definitely.exe (PID: 6644)
  - Whether�Definitely.exe (PID: 6440)
- Reads the date of Windows installation
  - Update.exe (PID: 6260)
  - Whether�Definitely.exe (PID: 6440)
  - Whether�Definitely.exe (PID: 6644)
- Searches for installed software
  - Update.exe (PID: 6260)
- Creates a software uninstall entry
  - Update.exe (PID: 6260)
- The executable file from the user directory is run by the CMD process
  - Whether�Definitely.exe (PID: 6644)
- The process creates files with name similar to system file names
  - Whether�Definitely.exe (PID: 6644)
  - WerFault.exe (PID: 5924)
- Starts CMD.EXE for commands execution
  - Whether�Definitely.exe (PID: 6440)
  - Whether�Definitely.exe (PID: 6644)
- Drops a system driver (possible attempt to evade defenses)
  - Whether�Definitely.exe (PID: 6644)
- The system shut down or reboot
  - cmd.exe (PID: 6768)
- Starts SC.EXE for service management
  - cmd.exe (PID: 6768)
- The process executes via Task Scheduler
  - PLUGScheduler.exe (PID: 3228)
- Found strings related to reading or modifying Windows Defender settings
  - Whether�Definitely.exe (PID: 6644)
- Executes application which crashes
  - explorer.exe (PID: 4352)
INFO
- Checks supported languages
  - 9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe (PID: 6240)
  - Update.exe (PID: 6260)
  - Whether�Definitely.exe (PID: 6440)
  - Whether�Definitely.exe (PID: 6644)
  - PLUGScheduler.exe (PID: 3228)
  - MpDlpCmd.exe (PID: 5700)
- Reads the computer name
  - Update.exe (PID: 6260)
  - Whether�Definitely.exe (PID: 6440)
  - Whether�Definitely.exe (PID: 6644)
  - PLUGScheduler.exe (PID: 3228)
- Creates files or folders in the user directory
  - Update.exe (PID: 6260)
  - 9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe (PID: 6240)
  - explorer.exe (PID: 4352)
  - WerFault.exe (PID: 5924)
- Create files in a temporary directory
  - Update.exe (PID: 6260)
- Reads the machine GUID from the registry
  - Update.exe (PID: 6260)
  - Whether�Definitely.exe (PID: 6644)
  - Whether�Definitely.exe (PID: 6440)
- Process checks computer location settings
  - Update.exe (PID: 6260)
  - Whether�Definitely.exe (PID: 6440)
  - Whether�Definitely.exe (PID: 6644)
- Reads Environment values
  - Whether�Definitely.exe (PID: 6440)
- Creates files in the program directory
  - Whether�Definitely.exe (PID: 6644)
  - PLUGScheduler.exe (PID: 3228)
- Reads Microsoft Office registry keys
  - explorer.exe (PID: 4352)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4352)
- Checks proxy server information
  - explorer.exe (PID: 4352)
- Manual execution by a user
  - WerFault.exe (PID: 5924)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:09:27 18:20:07+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	119808
InitializedDataSize:	25382912
UninitializedDataSize:	-
EntryPoint:	0xab5c
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	-
FileVersion:	1.0.0
InternalName:	Setup.exe
LegalCopyright:	Copyright © 2024
OriginalFileName:	Setup.exe
ProductName:	WhetherDefinitely
ProductVersion:	1.0.0
SquirrelAwareVersion:	1
CompanyName:	WhetherDefinitely

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

251

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3228

"C:\Program Files\RUXIM\PLUGscheduler.exe"

C:\Program Files\RUXIM\PLUGScheduler.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Update LifeCycle Component Scheduler

Exit code:

Version:

10.0.19041.3623 (WinBuild.160101.0800)

Modules

Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll

4352

C:\WINDOWS\Explorer.EXE

C:\Windows\explorer.exe

userinit.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

1467

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\twinapi.dll
c:\windows\system32\aepic.dll

5400

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

MpDlpCmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5700

"C:\Program Files\Publisher Files\en-EN\MpDlpCmd.exe"

C:\Program Files\Publisher Files\en-EN\MpDlpCmd.exe

—

MpDefenderCoreService.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Malware Protection DLP Command Line Utility

Exit code:

Version:

4.18.24040.4 (aa69a05caa955e1cebcc4d2dd249082d41b510c2)

Modules

Images
c:\program files\publisher files\en-en\mpdlpcmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll

5924

C:\WINDOWS\system32\WerFault.exe -u -p 4352 -s 6916

C:\Windows\System32\WerFault.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll

6240

"C:\Users\admin\AppData\Local\Temp\9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe"

C:\Users\admin\AppData\Local\Temp\9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe

explorer.exe

User:

admin

Company:

WhetherDefinitely

Integrity Level:

MEDIUM

Exit code:

Version:

1.0.0

Modules

Images
c:\users\admin\appdata\local\temp\9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

6260

"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install .

C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe

9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe

User:

admin

Company:

GitHub

Integrity Level:

MEDIUM

Description:

Update

Exit code:

Version:

2.0.1.1

Modules

Images
c:\users\admin\appdata\local\squirreltemp\update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6440

"C:\Users\admin\AppData\Local\WhetherDefinitely\app-1.0.0\Whether�Definitely.exe" --squirrel-firstrun

C:\Users\admin\AppData\Local\WhetherDefinitely\app-1.0.0\Whether�Definitely.exe

—

Update.exe

User:

admin

Integrity Level:

MEDIUM

Description:

ACCOUNTMANAGEMENT

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\whetherdefinitely\app-1.0.0\whether�definitely.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6584

"C:\Windows\System32\cmd.exe" /C cd "C:\Users\admin\AppData\Local\WhetherDefinitely\app-1.0.0" & start Whether�Definitely.exe

C:\Windows\System32\cmd.exe

Whether�Definitely.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

6596

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

26 515

Read events

26 334

Write events

170

Delete events

Modification events


(PID) Process:	(6260) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6260) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6260) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6260) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6260) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhetherDefinitely
Operation:	write	Name:	DisplayName
Value:
(PID) Process:	(6260) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhetherDefinitely
Operation:	write	Name:	DisplayVersion
Value: 1.0.0
(PID) Process:	(6260) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhetherDefinitely
Operation:	write	Name:	InstallDate
Value: 20240609
(PID) Process:	(6260) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhetherDefinitely
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Local\WhetherDefinitely
(PID) Process:	(6260) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhetherDefinitely
Operation:	write	Name:	Publisher
Value: WhetherDefinitely
(PID) Process:	(6260) Update.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhetherDefinitely
Operation:	write	Name:	QuietUninstallString
Value: "C:\Users\admin\AppData\Local\WhetherDefinitely\Update.exe" --uninstall -s

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6240	9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe	C:\Users\admin\AppData\Local\SquirrelTemp\WhetherDefinitely-1.0.0-full.nupkg		compressed
		MD5:F7A9BC827ADCEAAAA9F60437C3D996EA	SHA256:D4154225C09F76F28A236A3DE394B1470B1950EA7C2042647ACCA741F0040852
6260	Update.exe	C:\Users\admin\AppData\Local\WhetherDefinitely\packages\WhetherDefinitely-1.0.0-full.nupkg		compressed
		MD5:F7A9BC827ADCEAAAA9F60437C3D996EA	SHA256:D4154225C09F76F28A236A3DE394B1470B1950EA7C2042647ACCA741F0040852
6240	9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe	C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe		executable
		MD5:A560BAD9E373EA5223792D60BEDE2B13	SHA256:76359CD4B0349A83337B941332AD042C90351C2BB0A4628307740324C97984CC
6260	Update.exe	C:\Users\admin\AppData\Local\WhetherDefinitely\Update.exe		executable
		MD5:A560BAD9E373EA5223792D60BEDE2B13	SHA256:76359CD4B0349A83337B941332AD042C90351C2BB0A4628307740324C97984CC
6240	9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe	C:\Users\admin\AppData\Local\SquirrelTemp\RELEASES		text
		MD5:C116B46E0C1A7AF376DC32376658EDA3	SHA256:C27B4C0BD79DFB38D98BCD188A2021ACC72538BFDA5DEAB2C543EA71584E9660
6260	Update.exe	C:\Users\admin\AppData\Local\WhetherDefinitely\app-1.0.0\part1.cab		—
		MD5:—	SHA256:—
6260	Update.exe	C:\Users\admin\AppData\Local\WhetherDefinitely\app-1.0.0\MpEvMsg.dll		executable
		MD5:E49B09EAC7BD3C5B71B0F33E72A2CF34	SHA256:E9C233A28F49690339710143FDC146FAA9B73E89A8D828CC026F7246C5CED71E
6260	Update.exe	C:\Users\admin\AppData\Local\WhetherDefinitely\app-1.0.0\ImagingEngine.dll		executable
		MD5:C799531DB6B9C7AECC71B89AFCB6EB7E	SHA256:028F0C77E3705E3AD5387A5EEB5902997E40D983324C2AE44AAFB8AE53A67F6F
6260	Update.exe	C:\Users\admin\AppData\Local\WhetherDefinitely\app-1.0.0\MpDetours.dll		executable
		MD5:F05E8D6365BF5A5218071548F5E687A0	SHA256:657A136378B351C50C2D60D425210021C8FE0BB9E8B998320163CC09339899AC
6260	Update.exe	C:\Users\admin\AppData\Local\WhetherDefinitely\app-1.0.0\MpAzSubmit.dll		executable
		MD5:D6D75D933B8FADA9C4016428EE8266F7	SHA256:7E2D151DB066EDFD958472D5F9B13113BEE2759306A568CA42A1FF0A3E3F4911

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5548	svchost.exe	GET	200	2.18.244.211:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5548	svchost.exe	GET	200	92.122.80.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
2656	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown
5052	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	—	—	unknown
3976	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
3068	MpDefenderCoreService.exe	GET	200	95.100.111.208:80	http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgRTXvM6xckdetg7EV1Uw3UvTg%3D%3D	unknown	—	—	unknown
3068	MpDefenderCoreService.exe	GET	200	95.101.193.200:80	http://x1.c.lencr.org/	unknown	—	—	unknown
4852	SIHClient.exe	GET	200	2.17.0.227:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
4852	SIHClient.exe	GET	200	2.17.0.227:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	unknown
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5520	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5140	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5548	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5548	svchost.exe	2.18.244.211:80	crl.microsoft.com	Akamai International B.V.	FR	unknown
5548	svchost.exe	92.122.80.227:80	www.microsoft.com	AKAMAI-AS	DK	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	239.255.255.250:3702	—	—	—	unknown
—	—	104.208.16.91:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
crl.microsoft.com	2.18.244.211 2.18.244.223	whitelisted
www.microsoft.com	92.122.80.227 2.17.0.227	whitelisted
self.events.data.microsoft.com	104.208.16.91 20.189.173.12	whitelisted
officeclient.microsoft.com	52.109.28.46	whitelisted
ecs.office.com	52.113.194.132	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.bing.com	2.18.29.187 2.18.29.195 2.18.29.201 2.18.29.186 2.18.29.193 2.18.29.192 2.18.29.216 2.18.29.185 2.18.29.200 2.18.29.227 2.18.29.233 2.18.29.218 2.18.29.217 2.18.29.226 2.18.29.219 2.18.29.234 2.18.29.224 2.18.29.232	whitelisted
r.bing.com	2.18.29.192 2.18.29.200 2.18.29.193 2.18.29.186 2.18.29.201 2.18.29.185 2.18.29.195 2.18.29.216 2.18.29.187	whitelisted
go.microsoft.com	2.18.38.33	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Misc activity	ET INFO External IP Address Lookup Service in DNS Lookup (invertexto .com)
3068	MpDefenderCoreService.exe	Misc activity	ET INFO External IP Address Lookup Service in TLS SNI (invertexto .com)
2192	svchost.exe	Misc activity	ET INFO External IP Address Lookup Service in DNS Lookup (invertexto .com)
3068	MpDefenderCoreService.exe	Misc activity	ET INFO External IP Address Lookup Service in TLS SNI (invertexto .com)
3068	MpDefenderCoreService.exe	Misc activity	ET INFO External IP Address Lookup Service in TLS SNI (invertexto .com)
3068	MpDefenderCoreService.exe	Misc activity	ET INFO External IP Address Lookup Service in TLS SNI (invertexto .com)
3068	MpDefenderCoreService.exe	Misc activity	ET INFO External IP Address Lookup Service in TLS SNI (invertexto .com)
3068	MpDefenderCoreService.exe	Misc activity	ET INFO External IP Address Lookup Service in TLS SNI (invertexto .com)

Add for printing

No debug info

General Info

9af7915a980b3ba7a89b8e00b08cfe257ba767910d7c486ff7af085dc85a23be.exe

C89DDB4A4A1C1ED7928B9A1DD8D8FCB6

0A158C1B36C932A5CA8E1E024B018455190CE0D5

9AF7915A980B3BA7A89B8E00B08CFE257BA767910D7C486FF7AF085DC85A23BE

196608:ZVf+Gc5hL5KKovq7OdMm09SfDFNCEMY+0d:ZJsJgvOOd69SfJNB+a

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Application was injected by another process

Runs injected code in another process

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Reads the date of Windows installation

Searches for installed software

Creates a software uninstall entry

The executable file from the user directory is run by the CMD process

The process creates files with name similar to system file names

Starts CMD.EXE for commands execution

Drops a system driver (possible attempt to evade defenses)

The system shut down or reboot

Starts SC.EXE for service management

The process executes via Task Scheduler

Found strings related to reading or modifying Windows Defender settings

Executes application which crashes

INFO

Checks supported languages

Reads the computer name

Creates files or folders in the user directory

Create files in a temporary directory

Reads the machine GUID from the registry

Process checks computer location settings

Reads Environment values

Creates files in the program directory

Reads Microsoft Office registry keys

Reads security settings of Internet Explorer

Checks proxy server information

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests