| File name: | One-armed robber (Steam) Trainer Setup.exe |
| Full analysis: | https://app.any.run/tasks/efd9124e-2532-4a0d-89cf-fc64489dd4fe |
| Verdict: | Malicious activity |
| Analysis date: | December 25, 2023, 22:42:13 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 4562236A3E10B3C90DA1525D355AB15D |
| SHA1: | 4E6185B6E10C8A8040302DDA7EC9E680B2A7C621 |
| SHA256: | BC5EDC1E5FB3FB9AA0A6550C31E834AA9103BDBB1676B1B61B28EFB685760153 |
| SSDEEP: | 1536:mBll12iut9nk7RBog5KG6JkOiVPL+09ME5LBtJD64uQgCANR9HEdOyJkNRBog5KZ:Q12ioE57miVj+J6pHdokdOp57N/ |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads the Internet Settings
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads Microsoft Outlook installation path
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads security settings of Internet Explorer
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Checks Windows Trust Settings
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads settings of System Certificates
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads Internet Explorer settings
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
INFO
Reads the computer name
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Drops the executable file immediately after the start
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Checks supported languages
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Checks proxy server information
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads the machine GUID from the registry
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Creates files or folders in the user directory
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Reads Environment values
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Create files in a temporary directory
- One-armed robber (Steam) Trainer Setup.exe (PID: 120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2059:09:10 16:56:13+02:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 105472 |
| InitializedDataSize: | 28160 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1ba0e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 8.0.0.0 |
| ProductVersionNumber: | 8.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | WeMod Setup |
| CompanyName: | WeMod LLC |
| FileDescription: | WeMod Setup |
| FileVersion: | 8.0.0.0 |
| InternalName: | WeMod-Setup.exe |
| LegalCopyright: | Copyright © WeMod LLC 2022 |
| LegalTrademarks: | - |
| OriginalFileName: | WeMod-Setup.exe |
| ProductName: | WeMod |
| ProductVersion: | 8.0.0.0 |
| AssemblyVersion: | 8.0.0.0 |
Total processes
34
Monitored processes
1
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | "C:\Users\admin\AppData\Local\Temp\One-armed robber (Steam) Trainer Setup.exe" | C:\Users\admin\AppData\Local\Temp\One-armed robber (Steam) Trainer Setup.exe | explorer.exe | ||||||||||||
User: admin Company: WeMod LLC Integrity Level: MEDIUM Description: WeMod Setup Exit code: 0 Version: 8.0.0.0 Modules
| |||||||||||||||
Total events
4 370
Read events
4 344
Write events
26
Delete events
0
Modification events
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (120) One-armed robber (Steam) Trainer Setup.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
0
Suspicious files
25
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | |
MD5:1BFE591A4FE3D91B03CDF26EAACD8F89 | SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8 | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | |
MD5:A5F27621C1383E96AD216AF3494F9176 | SHA256:E5AB08444A457BDEBA7F3F8E7081C2B33676973994BBFE885F13AD386BAC1612 | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Inter-ExtraLight-7d759358c1[1].woff | binary | |
MD5:7D759358C1372FA6ACAE4CB22F93DEFA | SHA256:07F5B5F734793F48613D8DA246F4DB2B564BFA7149F62526326BE9CB8BB94841 | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\setup[1].htm | html | |
MD5:5CB03D5570F3A52889BF9C5E09B0D97E | SHA256:6A4CB485090061F03A56F722BCDAA0F9C7FD1B0FB399FA9044C20D90CF128BC7 | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Inter-Thin-0f080c40c6[1].woff | binary | |
MD5:0F080C40C639962E1CAD093AA58192DC | SHA256:E9DA5A64A6A8EB87A2C6D475327F072B5CA25731DF07119F576C10C50AA9554D | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary | |
MD5:9ADAA6F9F8029435BAD6703447940A36 | SHA256:3D775D40AB1D7F65450722B20FD3E9E8AA3D58D2D170AA6DA95B80FD0BCB21BC | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | |
MD5:CC2D76E49618AE4F9EACE156DE672120 | SHA256:02262D5431564A2770306980460BA13FF92C4FCFB97F3DB8E6DBFFDD5FF018AA | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\SBNY5O29\api.wemod[1].xml | text | |
MD5:C1DDEA3EF6BBEF3E7060A1A9AD89E4C5 | SHA256:B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary | |
MD5:63B05C18AF9BAC40973EC9DEBB8B71EB | SHA256:7284AC498F158F73D12CE5F2FF67E2599CF01F09D588A29E1D69EAF14ED6C6FA | |||
| 120 | One-armed robber (Steam) Trainer Setup.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Inter-Light-0f0118feb7[1].woff | binary | |
MD5:0F0118FEB71664927EA7FB8015778795 | SHA256:CB671D0DBC9A61EC80BFC91D5879E8635A09B7F309F5EE57810D4C6B7A26EE0C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
17
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?69e75cc372bd463a | unknown | compressed | 4.66 Kb | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | unknown | binary | 1.47 Kb | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | binary | 724 b | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCZXmpIP%2Bo%2BHhJmodADfw%2Fc | unknown | binary | 472 b | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D | unknown | binary | 1.42 Kb | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D | unknown | binary | 2.18 Kb | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEQC1yHFEAZznSpAqtnZXvuqa | unknown | binary | 472 b | unknown |
1080 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3e412f7b4eff0943 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
120 | One-armed robber (Steam) Trainer Setup.exe | 172.67.25.118:443 | api.wemod.com | CLOUDFLARENET | US | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
120 | One-armed robber (Steam) Trainer Setup.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
120 | One-armed robber (Steam) Trainer Setup.exe | 142.250.185.174:443 | www.google-analytics.com | GOOGLE | US | whitelisted |
120 | One-armed robber (Steam) Trainer Setup.exe | 34.213.168.224:443 | api2.amplitude.com | AMAZON-02 | US | unknown |
120 | One-armed robber (Steam) Trainer Setup.exe | 172.217.18.99:80 | ocsp.pki.goog | GOOGLE | US | whitelisted |
120 | One-armed robber (Steam) Trainer Setup.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.wemod.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
www.google-analytics.com |
| whitelisted |
api2.amplitude.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
storage-cdn.wemod.com |
| unknown |