| File name: | One-armed robber (Steam) Trainer Setup.exe |
| Full analysis: | https://app.any.run/tasks/efd9124e-2532-4a0d-89cf-fc64489dd4fe |
| Verdict: | Malicious activity |
| Analysis date: | December 25, 2023, 22:42:13 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 4562236A3E10B3C90DA1525D355AB15D |
| SHA1: | 4E6185B6E10C8A8040302DDA7EC9E680B2A7C621 |
| SHA256: | BC5EDC1E5FB3FB9AA0A6550C31E834AA9103BDBB1676B1B61B28EFB685760153 |
| SSDEEP: | 1536:mBll12iut9nk7RBog5KG6JkOiVPL+09ME5LBtJD64uQgCANR9HEdOyJkNRBog5KZ:Q12ioE57miVj+J6pHdokdOp57N/ |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads the Internet Settings
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads Microsoft Outlook installation path
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Checks Windows Trust Settings
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads security settings of Internet Explorer
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads settings of System Certificates
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads Internet Explorer settings
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
INFO
Reads the computer name
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Checks supported languages
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Drops the executable file immediately after the start
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads the machine GUID from the registry
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Checks proxy server information
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Creates files or folders in the user directory
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads Environment values
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Create files in a temporary directory
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2059:09:10 16:56:13+02:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 105472 |
| InitializedDataSize: | 28160 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1ba0e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 8.0.0.0 |
| ProductVersionNumber: | 8.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | WeMod Setup |
| CompanyName: | WeMod LLC |
| FileDescription: | WeMod Setup |
| FileVersion: | 8.0.0.0 |
| InternalName: | WeMod-Setup.exe |
| LegalCopyright: | Copyright © WeMod LLC 2022 |
| LegalTrademarks: | - |
| OriginalFileName: | WeMod-Setup.exe |
| ProductName: | WeMod |
| ProductVersion: | 8.0.0.0 |
| AssemblyVersion: | 8.0.0.0 |
Total processes
34
Monitored processes
1
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | "C:\Users\admin\AppData\Local\Temp\One-armed robber (Steam) Trainer Setup.exe" | C:\Users\admin\AppData\Local\Temp\One-armed robber (Steam) Trainer Setup.exe | explorer.exe | ||||||||||||
User: admin Company: WeMod LLC Integrity Level: MEDIUM Description: WeMod Setup Exit code: 0 Version: 8.0.0.0 Modules
| |||||||||||||||
Total events
4 370
Read events
4 344
Write events
26
Delete events
0
Modification events
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
0
Suspicious files
25
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:810E05EDF7AC575636AB6E6C8EB6401D | SHA256:7043BBAB14E20628FB7AC5FE3E54C1023EF0FC580CC6AF3BB305D5CFCE449A07 | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_BB0E5383BB6E3CF78C8AC8388DB6A7BF | binary | |
MD5:05178CEA1ED068A01E38D634707A8EF0 | SHA256:C9CF9E672CE867253B6A3C2EBEFBB660A64B2DB3C1490093C089B58FF077CD8F | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary | |
MD5:AC89A852C2AAA3D389B2D2DD312AD367 | SHA256:0B720E19270C672F9B6E0EC40B468AC49376807DE08A814573FE038779534F45 | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary | |
MD5:E16AADCC1FF15DD971AC043B830C12AE | SHA256:BBD97955ECD332AD60B2B3A4CD5891F9AE5B2C377DAC24B077CC4F1C1C4D91F2 | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_BB0E5383BB6E3CF78C8AC8388DB6A7BF | binary | |
MD5:F9B9ABC7DAD25E5E66B24B87C834A276 | SHA256:63718F815114B60476988D01062B3564C6C3A1836596B93C05A0383994D1BE44 | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Inter-Regular-14d1275c67[1].woff | binary | |
MD5:14D1275C67676CC5D911232D0C890D97 | SHA256:3710E2CE073EC0EB39274DECC63768B52091A27E35F5C28D6ABB7A5FCEF0B7FC | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Inter-Bold-45e58f4054[1].woff | binary | |
MD5:45E58F4054A3AD886E4582E1D43056FE | SHA256:57027B1C72507C75CF9FC21DCBBBD4366F01901B598764CB8703DFA4988A60CA | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Inter-Medium-5ce3e4db96[1].woff | binary | |
MD5:5CE3E4DB9634913232403F166B2447DE | SHA256:68D52E74E8171DDB2C94CA60A2596DC8A46407320449881FD09369DBC317624C | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Inter-SemiBold-1d5bb5c64d[1].woff | binary | |
MD5:1D5BB5C64DC15405BDB04145DAB7B436 | SHA256:807D56B95FCC04CD1C26FCA043DDF19E300C8AE156747458BD025A2B21CF54B4 | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Inter-ExtraBold-45ce9384f5[1].woff | binary | |
MD5:45CE9384F5D829596586A3B2FA1224A4 | SHA256:91F9BF5099A041220C21B5A089D54449ED4F04D7792A532BA17A8A5BFB9E5A61 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
17
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | binary | 1.41 Kb | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?69e75cc372bd463a | GB | compressed | 4.66 Kb | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | binary | 1.47 Kb | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | binary | 724 b | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCZXmpIP%2Bo%2BHhJmodADfw%2Fc | US | binary | 472 b | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D | US | binary | 1.42 Kb | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D | US | binary | 2.18 Kb | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEQC1yHFEAZznSpAqtnZXvuqa | US | binary | 472 b | unknown |
1080 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3e412f7b4eff0943 | GB | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
120 | One-armed robber (Steam) Trainer Setup.exe | 172.67.25.118:443 | api.wemod.com | CLOUDFLARENET | US | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
120 | One-armed robber (Steam) Trainer Setup.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
120 | One-armed robber (Steam) Trainer Setup.exe | 142.250.185.174:443 | www.google-analytics.com | GOOGLE | US | whitelisted |
120 | One-armed robber (Steam) Trainer Setup.exe | 34.213.168.224:443 | api2.amplitude.com | AMAZON-02 | US | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | 172.217.18.99:80 | ocsp.pki.goog | GOOGLE | US | whitelisted |
120 | One-armed robber (Steam) Trainer Setup.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.wemod.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
www.google-analytics.com |
| whitelisted |
api2.amplitude.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
storage-cdn.wemod.com |
| unknown |