File name:

netmarble_sololv_A_installer_80946.exe

Full analysis: https://app.any.run/tasks/81c95355-c89e-4773-b414-999fcb53e061
Verdict: Malicious activity
Analysis date: September 06, 2024, 23:48:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

98C2E745ADE2D1C1960CB2AE96D0246D

SHA1:

CCD4E48F86AE18AB8BD4B7D8283B83C93874C32F

SHA256:

B6BD2AFA22C41C1CAD9E6CD0C8AFFF369F471BE8A9CE3C0756F2938A79FE8EF7

SSDEEP:

6144:n0wiXMlrOY8PZ5frVtvgy4oTDPwZoIRMWmdmWtHXXq9Y:eXsEZ5frVtvgQPPwNRkXp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • Netmarble Launcher.exe (PID: 5212)

    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 6292)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • netmarble_sololv_A_installer_80946.exe (PID: 3672)
      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)

    • Reads security settings of Internet Explorer

      • netmarble_sololv_A_installer_80946.exe (PID: 3672)
      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)
      • Netmarble Launcher.exe (PID: 5212)

    • Checks Windows Trust Settings

      • netmarble_sololv_A_installer_80946.exe (PID: 3672)

    • Drops 7-zip archiver for unpacking

      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)

    • Process drops legitimate windows executable

      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)

    • Creates a software uninstall entry

      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)

    • Starts CMD.EXE for commands execution

      • Netmarble Launcher.exe (PID: 5212)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2904)

    • Application launched itself

      • Netmarble Launcher.exe (PID: 5212)

    • Uses REG/REGEDIT.EXE to modify registry

      • Netmarble Launcher.exe (PID: 5212)

    • Starts POWERSHELL.EXE for commands execution

      • Netmarble Launcher.exe (PID: 5212)

    • The process hides Powershell's copyright startup banner

      • Netmarble Launcher.exe (PID: 5212)

    • Lists all scheduled tasks

      • schtasks.exe (PID: 2264)

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 3984)

    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 6176)

    • Checks for external IP

      • svchost.exe (PID: 2256)
      • Netmarble Launcher.exe (PID: 5212)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 3116)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)

    • The process creates files with name similar to system file names

      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)

  • INFO

    • Checks supported languages

      • netmarble_sololv_A_installer_80946.exe (PID: 3672)
      • Netmarble Launcher.exe (PID: 5212)
      • Netmarble Launcher.exe (PID: 6480)
      • Netmarble Launcher.exe (PID: 4068)
      • chcp.com (PID: 2636)
      • Netmarble Launcher.exe (PID: 1280)
      • Netmarble Launcher.exe (PID: 2640)
      • Netmarble Launcher.exe (PID: 3180)
      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)

    • Creates files or folders in the user directory

      • netmarble_sololv_A_installer_80946.exe (PID: 3672)
      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)
      • Netmarble Launcher.exe (PID: 4068)
      • Netmarble Launcher.exe (PID: 5212)
      • Netmarble Launcher.exe (PID: 2640)
      • Netmarble Launcher.exe (PID: 3180)

    • Reads the machine GUID from the registry

      • netmarble_sololv_A_installer_80946.exe (PID: 3672)
      • Netmarble Launcher.exe (PID: 5212)
      • Netmarble Launcher.exe (PID: 3180)

    • Reads the computer name

      • netmarble_sololv_A_installer_80946.exe (PID: 3672)
      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)
      • Netmarble Launcher.exe (PID: 5212)
      • Netmarble Launcher.exe (PID: 6480)
      • Netmarble Launcher.exe (PID: 2640)
      • Netmarble Launcher.exe (PID: 3180)

    • Create files in a temporary directory

      • netmarble_sololv_A_installer_80946.exe (PID: 3672)
      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)
      • Netmarble Launcher.exe (PID: 5212)

    • Checks proxy server information

      • netmarble_sololv_A_installer_80946.exe (PID: 3672)
      • Netmarble Launcher.exe (PID: 5212)
      • slui.exe (PID: 6208)

    • Manual execution by a user

      • WINWORD.EXE (PID: 6716)
      • Netmarble Launcher.exe (PID: 6108)
      • Netmarble Launcher.exe (PID: 5212)

    • Reads the software policy settings

      • netmarble_sololv_A_installer_80946.exe (PID: 3672)
      • slui.exe (PID: 6000)
      • Netmarble Launcher.exe (PID: 5212)
      • slui.exe (PID: 6208)

    • The process uses the downloaded file

      • WINWORD.EXE (PID: 6716)
      • powershell.exe (PID: 3984)
      • powershell.exe (PID: 6440)

    • Sends debugging messages

      • WINWORD.EXE (PID: 6716)

    • Creates files in the program directory

      • Netmarble_Launcher_Setup_sololv_A.exe (PID: 3112)
      • Netmarble Launcher.exe (PID: 5212)

    • Reads Environment values

      • Netmarble Launcher.exe (PID: 5212)

    • Reads product name

      • Netmarble Launcher.exe (PID: 5212)

    • Changes the display of characters in the console

      • cmd.exe (PID: 2904)

    • Process checks computer location settings

      • Netmarble Launcher.exe (PID: 5212)
      • Netmarble Launcher.exe (PID: 1280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
190
Monitored processes
51
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start netmarble_sololv_a_installer_80946.exe sppextcomobj.exe no specs slui.exe winword.exe ai.exe no specs slui.exe netmarble_launcher_setup_sololv_a.exe netmarble launcher.exe no specs netmarble launcher.exe cmd.exe no specs conhost.exe no specs chcp.com no specs netmarble launcher.exe no specs reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs powershell.exe no specs schtasks.exe no specs netmarble launcher.exe no specs netmarble launcher.exe cmd.exe no specs conhost.exe no specs conhost.exe no specs netmarble launcher.exe no specs cmd.exe reg.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs fsutil.exe no specs cmd.exe no specs conhost.exe no specs fsutil.exe no specs svchost.exe powershell.exe no specs conhost.exe no specs netmarble launcher.exe no specs netmarble_sololv_a_installer_80946.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1076\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1104\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1280"C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Netmarble Launcher" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id="Netmarble Launcher" --app-path="C:\Program Files\Netmarble\Netmarble Launcher\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2668 --field-trial-handle=1980,i,15988421360520503607,12559960281842645695,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exeNetmarble Launcher.exe
User:
admin
Company:
Netmarble Corporation
Integrity Level:
LOW
Description:
Netmarble Launcher
Version:
0.4.8.5129
Modules
Images
c:\program files\netmarble\netmarble launcher\netmarble launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1556netsh advfirewall firewall add rule name="Netmarble Launcher" dir=in action=allow program="C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" enable=yesC:\Windows\System32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1688C:\WINDOWS\system32\reg.exe ADD "HKCU\Software\Netmarble Corp" /v AppDrive /t REG_SZ /d "C:\Program Files\Netmarble\Netmarble Launcher" /fC:\Windows\System32\reg.exeNetmarble Launcher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2208"C:\Users\admin\AppData\Local\Temp\netmarble_sololv_A_installer_80946.exe" C:\Users\admin\AppData\Local\Temp\netmarble_sololv_A_installer_80946.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\netmarble_sololv_a_installer_80946.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2264SCHTASKS /query /TN "Netmarble Launcher"C:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2636chcpC:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
2640"C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\Netmarble Launcher" --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2320 --field-trial-handle=1980,i,15988421360520503607,12559960281842645695,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8C:\Program Files\Netmarble\Netmarble Launcher\Netmarble Launcher.exe
Netmarble Launcher.exe
User:
admin
Company:
Netmarble Corporation
Integrity Level:
HIGH
Description:
Netmarble Launcher
Version:
0.4.8.5129
Modules
Images
c:\program files\netmarble\netmarble launcher\netmarble launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
27 597
Read events
27 231
Write events
318
Delete events
48

Modification events

(PID) Process:(3672) netmarble_sololv_A_installer_80946.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3672) netmarble_sololv_A_installer_80946.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3672) netmarble_sololv_A_installer_80946.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(6716) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:(6716) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete valueName:0
Value:
ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨…ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:(6716) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete keyName:(default)
Value:
(PID) Process:(6716) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6716
Operation:writeName:0
Value:
0B0E1054554D66B7D17341AA2B018395C7A3802300468FA4A1CFF696C0ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511BC34D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(6716) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(6716) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(6716) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
Executable files
20
Suspicious files
181
Text files
39
Unknown types
4

Dropped files

PID
Process
Filename
Type
3672netmarble_sololv_A_installer_80946.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04binary
MD5:31EAFC9A4B90FCC4D5C0E7B127537BF5
SHA256:334D7568932F8C16FA1CDA23CCEAC3B869F36943C7F2071CE5D5E0A52BF83441
3672netmarble_sololv_A_installer_80946.exeC:\Users\admin\AppData\Local\Temp\nsr9D62.tmp\INetC.dllexecutable
MD5:40D7ECA32B2F4D29DB98715DD45BFAC5
SHA256:85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9
3672netmarble_sololv_A_installer_80946.exeC:\Users\admin\AppData\Local\Temp\install_executor_ko.bmpimage
MD5:A0F3AC3BD2F523C5B51A93EF366AEDAA
SHA256:CAAD87B9DD7288BAF7154E7935B42F7AD9A2243B98F5AFB73B29162514298558
3672netmarble_sololv_A_installer_80946.exeC:\Users\admin\AppData\Local\Temp\install_executor.bmpimage
MD5:37F2D2343740B8FE09472EA61569AA74
SHA256:201C4E43041F2A215B76E360D57EFF9BC4B632A6DFB9D5C5379992274DB6BF9D
3672netmarble_sololv_A_installer_80946.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\install_executor[1].bmpimage
MD5:37F2D2343740B8FE09472EA61569AA74
SHA256:201C4E43041F2A215B76E360D57EFF9BC4B632A6DFB9D5C5379992274DB6BF9D
3672netmarble_sololv_A_installer_80946.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\install_executor_ko[1].bmpimage
MD5:A0F3AC3BD2F523C5B51A93EF366AEDAA
SHA256:CAAD87B9DD7288BAF7154E7935B42F7AD9A2243B98F5AFB73B29162514298558
3672netmarble_sololv_A_installer_80946.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\install_executor_cn[1].bmpimage
MD5:A7195998D7F70373FD8389BF5609E37B
SHA256:3F53704EE0FCE9934C547E227D22A371503A4335677F84A3F20D1BC94366E3DD
3672netmarble_sololv_A_installer_80946.exeC:\Users\admin\AppData\Local\Temp\install_executor_cn.bmpimage
MD5:A7195998D7F70373FD8389BF5609E37B
SHA256:3F53704EE0FCE9934C547E227D22A371503A4335677F84A3F20D1BC94366E3DD
3672netmarble_sololv_A_installer_80946.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04der
MD5:335F1410C5FAEC6CCBF6F27CB7C9785E
SHA256:E9CE5F36F5DC5D839D08064A00B4E742F37D99A0E9823D8B66967547F2DAD2B4
3672netmarble_sololv_A_installer_80946.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\install_executor_tw[1].bmpimage
MD5:FE8935E80091A32907EB27C43F68CD99
SHA256:EADD66551D972986C99B5F012C1F593B07F3C6879AFBB794967686F995F0D575
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
64
DNS requests
33
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3672
netmarble_sololv_A_installer_80946.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
3672
netmarble_sololv_A_installer_80946.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
whitelisted
6416
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6612
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2508
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2508
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6716
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
6716
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6612
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4760
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3672
netmarble_sololv_A_installer_80946.exe
193.108.153.18:443
sgimage.netmarble.com
Akamai International B.V.
DE
whitelisted
3672
netmarble_sololv_A_installer_80946.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3260
svchost.exe
20.7.2.167:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3672
netmarble_sololv_A_installer_80946.exe
108.138.7.69:443
apis.netmarble.com
AMAZON-02
US
whitelisted
6416
svchost.exe
40.126.32.76:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6416
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 51.124.78.146
  • 52.183.220.149
whitelisted
google.com
  • 142.250.184.206
whitelisted
sgimage.netmarble.com
  • 193.108.153.18
  • 193.108.153.28
  • 23.216.77.31
  • 23.216.77.41
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 20.7.2.167
whitelisted
apis.netmarble.com
  • 108.138.7.69
  • 108.138.7.113
  • 108.138.7.92
  • 108.138.7.2
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.138
  • 40.126.32.136
  • 20.190.160.22
  • 40.126.32.133
  • 40.126.32.134
  • 20.190.160.20
  • 40.126.32.74
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
5212
Netmarble Launcher.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
5212
Netmarble Launcher.exe
Device Retrieving External IP Address Detected
ET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI)
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
netmarble_sololv_A_installer_80946.exe