Malware analysis setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	setup.exe
Full analysis:	https://app.any.run/tasks/a46cca20-b001-4b4c-9c44-10dd5ef1302e
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	November 29, 2024, 12:00:49
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	miner
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 11 sections
MD5:	1274CBCD6329098F79A3BE6D76AB8B97
SHA1:	53C870D62DCD6154052445DC03888CDC6CFFD370
SHA256:	BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SSDEEP:	98304:0CsB9YZJpGuRfsGbGidDdKGLTXBBqJmdMZJsIBliwwcXUyoPtgreunvM81MD4+m2:R2vXTUZwuAt8vT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - explorer.exe (PID: 4488)
- Application was injected by another process
  - dwm.exe (PID: 912)
  - svchost.exe (PID: 1076)
  - lsass.exe (PID: 760)
  - winlogon.exe (PID: 684)
  - svchost.exe (PID: 1276)
  - svchost.exe (PID: 1068)
  - svchost.exe (PID: 1364)
  - svchost.exe (PID: 320)
  - svchost.exe (PID: 1424)
  - svchost.exe (PID: 1500)
  - svchost.exe (PID: 1564)
  - svchost.exe (PID: 1776)
  - svchost.exe (PID: 1880)
  - svchost.exe (PID: 1784)
  - svchost.exe (PID: 1660)
  - svchost.exe (PID: 2192)
  - svchost.exe (PID: 1972)
  - svchost.exe (PID: 1908)
  - svchost.exe (PID: 1980)
  - svchost.exe (PID: 2064)
  - svchost.exe (PID: 2272)
  - svchost.exe (PID: 2340)
  - svchost.exe (PID: 2816)
  - spoolsv.exe (PID: 2652)
  - svchost.exe (PID: 2364)
  - svchost.exe (PID: 2748)
  - svchost.exe (PID: 2944)
  - svchost.exe (PID: 2372)
  - svchost.exe (PID: 3016)
  - svchost.exe (PID: 2892)
  - svchost.exe (PID: 2256)
  - svchost.exe (PID: 2852)
  - svchost.exe (PID: 2920)
  - svchost.exe (PID: 3164)
  - svchost.exe (PID: 2500)
  - OfficeClickToRun.exe (PID: 2884)
  - svchost.exe (PID: 2288)
  - svchost.exe (PID: 2660)
  - svchost.exe (PID: 2360)
  - svchost.exe (PID: 3824)
  - svchost.exe (PID: 3600)
  - svchost.exe (PID: 3704)
  - svchost.exe (PID: 3592)
  - svchost.exe (PID: 2952)
  - sihost.exe (PID: 1712)
  - dasHost.exe (PID: 3896)
  - svchost.exe (PID: 4168)
  - svchost.exe (PID: 4000)
  - svchost.exe (PID: 3160)
  - svchost.exe (PID: 3668)
  - svchost.exe (PID: 4176)
  - explorer.exe (PID: 4488)
  - svchost.exe (PID: 4696)
  - RuntimeBroker.exe (PID: 4960)
  - RuntimeBroker.exe (PID: 4676)
  - svchost.exe (PID: 4436)
  - dllhost.exe (PID: 5164)
  - ctfmon.exe (PID: 4268)
  - dllhost.exe (PID: 5904)
  - ApplicationFrameHost.exe (PID: 6108)
  - UserOOBEBroker.exe (PID: 3004)
  - MoUsoCoreWorker.exe (PID: 4712)
  - svchost.exe (PID: 3976)
  - uhssvc.exe (PID: 2908)
  - svchost.exe (PID: 4456)
  - svchost.exe (PID: 1340)
  - svchost.exe (PID: 1768)
  - svchost.exe (PID: 1260)
  - svchost.exe (PID: 1268)
  - RuntimeBroker.exe (PID: 5820)
  - svchost.exe (PID: 1764)
  - dllhost.exe (PID: 1816)
  - svchost.exe (PID: 376)
  - svchost.exe (PID: 1572)
  - svchost.exe (PID: 1536)
  - svchost.exe (PID: 5980)
  - svchost.exe (PID: 1176)
  - RuntimeBroker.exe (PID: 6444)
  - taskhostw.exe (PID: 4976)
  - WmiPrvSE.exe (PID: 6852)
  - MusNotification.exe (PID: 3832)
  - svchost.exe (PID: 4648)
  - svchost.exe (PID: 1452)
  - svchost.exe (PID: 1316)
  - svchost.exe (PID: 4200)
  - WmiPrvSE.exe (PID: 7060)
  - svchost.exe (PID: 812)
  - svchost.exe (PID: 3056)
- Runs injected code in another process
  - dialer.exe (PID: 7104)
  - dialer.exe (PID: 6552)
- Uses Task Scheduler to run other applications
  - explorer.exe (PID: 4488)
- MINER has been detected (SURICATA)
  - svchost.exe (PID: 2192)
SUSPICIOUS
- Manipulates environment variables
  - powershell.exe (PID: 6652)
  - powershell.exe (PID: 7096)
- Starts POWERSHELL.EXE for commands execution
  - explorer.exe (PID: 4488)
- Script adds exclusion path to Windows Defender
  - explorer.exe (PID: 4488)
- Executable content was dropped or overwritten
  - setup.exe (PID: 6220)
  - updater.exe (PID: 6692)
- Starts CMD.EXE for commands execution
  - explorer.exe (PID: 4488)
- Starts SC.EXE for service management
  - cmd.exe (PID: 3092)
- Drops a system driver (possible attempt to evade defenses)
  - updater.exe (PID: 6692)
- Crypto Currency Mining Activity Detected
  - svchost.exe (PID: 2192)
INFO
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4488)
  - RuntimeBroker.exe (PID: 6444)
- Reads the software policy settings
  - lsass.exe (PID: 760)
- Manual execution by a user
  - powershell.exe (PID: 6652)
  - powershell.exe (PID: 7096)
  - cmd.exe (PID: 3092)
  - dialer.exe (PID: 6552)
  - schtasks.exe (PID: 6328)
  - dialer.exe (PID: 6916)
  - dialer.exe (PID: 6304)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6652)
  - powershell.exe (PID: 7096)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 6652)
  - powershell.exe (PID: 7096)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	2.4
CodeSize:	30208
InitializedDataSize:	5616128
UninitializedDataSize:	6144
EntryPoint:	0x12fd
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

157

Monitored processes

121

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

320

C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll

376

C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

436

sc stop UsoSvc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Service Control Manager Configuration Tool

Exit code:

1061

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

684

winlogon.exe

C:\Windows\System32\winlogon.exe

—

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Logon Application

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\winlogon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

760

C:\WINDOWS\system32\lsass.exe

C:\Windows\System32\lsass.exe

wininit.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Local Security Authority Process

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll

812

C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

912

"dwm.exe"

C:\Windows\System32\dwm.exe

winlogon.exe

User:

DWM-1

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Desktop Window Manager

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1068

C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

1076

C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

1144

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Service Control Manager Configuration Tool

Exit code:

1062

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

35 408

Read events

35 124

Write events

205

Delete events

Modification events


(PID) Process:	(4488) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000
(PID) Process:	(1340) svchost.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:	write	Name:	C:\Users\admin\AppData\Local\Temp\setup.exe
Value: 534143500100000000000000070000002800000000B65500C3DD550001000000000000000000000A0021000050BB64EDDDACD5010000000000000000
(PID) Process:	(1340) svchost.exe	Key:	\REGISTRY\A\{8579f61e-2c98-2852-34f9-463e9ae3566e}\Root\InventoryApplicationFile
Operation:	write	Name:	WritePermissionsCheck
Value: 1
(PID) Process:	(1340) svchost.exe	Key:	\REGISTRY\A\{8579f61e-2c98-2852-34f9-463e9ae3566e}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(1340) svchost.exe	Key:	\REGISTRY\A\{8579f61e-2c98-2852-34f9-463e9ae3566e}\Root\InventoryApplicationFile\setup.exe\|2b03f603f6622c09
Operation:	write	Name:	ProgramId
Value: 0006b66e3afada58774c1373dfb19a08c0490000ffff
(PID) Process:	(1340) svchost.exe	Key:	\REGISTRY\A\{8579f61e-2c98-2852-34f9-463e9ae3566e}\Root\InventoryApplicationFile\setup.exe\|2b03f603f6622c09
Operation:	write	Name:	FileId
Value: 000053c870d62dcd6154052445dc03888cdc6cffd370
(PID) Process:	(1340) svchost.exe	Key:	\REGISTRY\A\{8579f61e-2c98-2852-34f9-463e9ae3566e}\Root\InventoryApplicationFile\setup.exe\|2b03f603f6622c09
Operation:	write	Name:	LowerCaseLongPath
Value: c:\users\admin\appdata\local\temp\setup.exe
(PID) Process:	(1340) svchost.exe	Key:	\REGISTRY\A\{8579f61e-2c98-2852-34f9-463e9ae3566e}\Root\InventoryApplicationFile\setup.exe\|2b03f603f6622c09
Operation:	write	Name:	LongPathHash
Value: setup.exe\|2b03f603f6622c09
(PID) Process:	(1340) svchost.exe	Key:	\REGISTRY\A\{8579f61e-2c98-2852-34f9-463e9ae3566e}\Root\InventoryApplicationFile\setup.exe\|2b03f603f6622c09
Operation:	write	Name:	Name
Value: setup.exe
(PID) Process:	(1340) svchost.exe	Key:	\REGISTRY\A\{8579f61e-2c98-2852-34f9-463e9ae3566e}\Root\InventoryApplicationFile\setup.exe\|2b03f603f6622c09
Operation:	write	Name:	OriginalFileName
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1768	svchost.exe	C:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pf		binary
		MD5:857CB54481AF4C81C25C463D02A97289	SHA256:84B08C4D6BB84E0F40C669EAD5E9190A66EAF73B2CCDE59C662EF96C0E3BEC82
1768	svchost.exe	C:\Windows\Prefetch\CONSENT.EXE-531BD9EA.pf		binary
		MD5:7ECBD3A050DBF98E98274169407E13DA	SHA256:BA9F82472B017B9AD414A25FDCC1C97447CFA794800439D8A66374A1AFFCBFCF
1176	svchost.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		binary
		MD5:9EBEA6CF9F99BFDCCFC52725DAFBD911	SHA256:076E9209CE44A5D3F1FA13FF56BD300E618D80873FD57EEFB68F4E8E6A64D8C1
1176	svchost.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776		der
		MD5:549AEB864011F0C57644853EC90CBAB9	SHA256:8C2C91480D44C8881A3CDE343916DE69BCDDF67DFF17588E9640C4D7B01437EA
1768	svchost.exe	C:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pf		binary
		MD5:0CD932C834F010FDEB4639618F0576F6	SHA256:A0376408BAFB693549BE9587E7FEFE71B155DBF14E81D0B8E0ABD2D0674975DD
1768	svchost.exe	C:\Windows\Prefetch\SC.EXE-945D79AE.pf		binary
		MD5:29C400D4E16EFCE6348537F176FCFB79	SHA256:048732D908FBC3A389C477956C2307169CE133DCC2408C0CFEA188ECD5C7F71F
6220	setup.exe	C:\Users\admin\AppData\Local\Temp\yntnomxcupkb.xml		xml
		MD5:546D67A48FF2BF7682CEA9FAC07B942E	SHA256:EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
1768	svchost.exe	C:\Windows\Prefetch\SVCHOST.EXE-2E4E3AC7.pf		binary
		MD5:351D316B9C332F8E17AE4E53E04AEF89	SHA256:27A07F2D58A43188C05F5575A68EE8EE59D91DFF258DBBED577078EC44E689D4
760	lsass.exe	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred		binary
		MD5:74709CAA892D1FC8D72113E2C657C1EB	SHA256:2FFBC209D64EAC23AEF602DB20D66BD2F42C00CA4722B3EA21965A2E06C1DA38
6220	setup.exe	C:\Users\admin\AppData\Local\Temp\wxyubnjmnlae.tmp		executable
		MD5:1667C96053EAA078109F8B0C9500FC9D	SHA256:F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6068	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6012	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6068	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
900	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.23.209.176:443	www.bing.com	Akamai International B.V.	GB	whitelisted
1176	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	88.221.169.152 23.35.229.160	whitelisted
www.bing.com	2.23.209.176 2.23.209.149 2.23.209.141 2.23.209.177 2.23.209.144 2.23.209.160 2.23.209.161 2.23.209.158 2.23.209.150	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.32.134 40.126.32.68 40.126.32.140 40.126.32.136 20.190.160.14 40.126.32.133 40.126.32.138 20.190.160.20	whitelisted
go.microsoft.com	23.32.186.57	whitelisted
arc.msn.com	20.31.169.57	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted

Threats

PID	Process	Class	Message
2192	svchost.exe	Crypto Currency Mining Activity Detected	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Add for printing

No debug info

General Info

setup.exe

1274CBCD6329098F79A3BE6D76AB8B97

53C870D62DCD6154052445DC03888CDC6CFFD370

BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278

98304:0CsB9YZJpGuRfsGbGidDdKGLTXBBqJmdMZJsIBliwwcXUyoPtgreunvM81MD4+m2:R2vXTUZwuAt8vT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Application was injected by another process

Runs injected code in another process

Uses Task Scheduler to run other applications

MINER has been detected (SURICATA)

SUSPICIOUS

Manipulates environment variables

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Drops a system driver (possible attempt to evade defenses)

Crypto Currency Mining Activity Detected

INFO

Reads security settings of Internet Explorer

Reads the software policy settings

Manual execution by a user

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings