File name:

LANDR FX Suite OSX.exe

Full analysis: https://app.any.run/tasks/e35b66c4-5f04-4c5d-945d-bbf6255cc310
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: November 13, 2023, 08:29:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
loader
netsupport
remote
unwanted
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1385E2F1EDCD8B2209254689A4943634

SHA1:

2EBA8519FB8197A387C0228B68E74067DD8CF199

SHA256:

CC0D1323F5748133751648E7FF3F9F0EF3268EEFF75D526F2C5E6930A1DA6876

SSDEEP:

49152:+7HecD4dnbibBlOYZjsbmLApne0Fop4R2uXB3iyLT/ex4XrL7P42DpJXWZn80cwJ:m+cD4dnTYZIkWnXFopLQ3iUrex4vkY7W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • LANDR FX Suite OSX.exe (PID: 3468)
      • LANDR FX Suite OSX.exe (PID: 3416)
      • LANDR FX Suite OSX.tmp (PID: 3480)
      • setup.exe (PID: 3664)
      • setup.tmp (PID: 3656)
      • a1.exe (PID: 3908)
      • a1.tmp (PID: 3896)
    • Connects to the CnC server

      • wmiprvse.exe (PID: 3960)
    • NETSUPPORT has been detected (SURICATA)

      • wmiprvse.exe (PID: 3960)
  • SUSPICIOUS

    • Reads the Internet Settings

      • LANDR FX Suite OSX.tmp (PID: 3480)
      • setup.tmp (PID: 3656)
      • cmd.exe (PID: 4072)
      • wmiprvse.exe (PID: 3960)
      • a2.exe (PID: 1884)
    • Reads the Windows owner or organization settings

      • LANDR FX Suite OSX.tmp (PID: 3480)
      • setup.tmp (PID: 3656)
      • a1.tmp (PID: 3896)
    • Reads security settings of Internet Explorer

      • setup.tmp (PID: 3656)
    • Checks Windows Trust Settings

      • setup.tmp (PID: 3656)
    • Adds/modifies Windows certificates

      • setup.exe (PID: 3664)
    • Reads settings of System Certificates

      • setup.tmp (PID: 3656)
    • Process drops legitimate Windows executable

      • expand.exe (PID: 3752)
    • Starts CMD.EXE for command execution

      • a1.tmp (PID: 3896)
    • The process drops C-runtime libraries

      • expand.exe (PID: 3752)
    • Searches for installed software

      • setup.tmp (PID: 3656)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4020)
    • Connects to the server without a host name

      • wmiprvse.exe (PID: 3960)
    • Connects to unusual port

      • wmiprvse.exe (PID: 3960)
    • Process requests binary or script from the Internet

      • setup.tmp (PID: 3656)
  • INFO

    • Checks supported languages

      • LANDR FX Suite OSX.exe (PID: 3416)
      • LANDR FX Suite OSX.exe (PID: 3468)
      • LANDR FX Suite OSX.tmp (PID: 3128)
      • wmpnscfg.exe (PID: 3400)
      • setup.exe (PID: 3664)
      • setup.tmp (PID: 3656)
      • a1.exe (PID: 3908)
      • LANDR FX Suite OSX.tmp (PID: 3480)
      • wmiprvse.exe (PID: 3960)
      • a2.exe (PID: 1884)
      • a1.tmp (PID: 3896)
      • wmpnscfg.exe (PID: 3840)
    • Creates files in a temporary directory

      • LANDR FX Suite OSX.exe (PID: 3416)
      • LANDR FX Suite OSX.exe (PID: 3468)
      • LANDR FX Suite OSX.tmp (PID: 3480)
      • setup.exe (PID: 3664)
      • setup.tmp (PID: 3656)
      • a1.exe (PID: 3908)
      • a1.tmp (PID: 3896)
      • a2.exe (PID: 1884)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3400)
      • msedge.exe (PID: 1232)
      • wmpnscfg.exe (PID: 3840)
      • firefox.exe (PID: 3736)
      • WINWORD.EXE (PID: 2500)
    • Reads the computer name

      • LANDR FX Suite OSX.tmp (PID: 3128)
      • LANDR FX Suite OSX.tmp (PID: 3480)
      • a1.tmp (PID: 3896)
      • wmpnscfg.exe (PID: 3400)
      • setup.tmp (PID: 3656)
      • wmiprvse.exe (PID: 3960)
      • wmpnscfg.exe (PID: 3840)
      • a2.exe (PID: 1884)
    • Creates files in the program directory

      • LANDR FX Suite OSX.tmp (PID: 3480)
      • a1.tmp (PID: 3896)
      • expand.exe (PID: 3752)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3400)
      • setup.tmp (PID: 3656)
      • wmiprvse.exe (PID: 3960)
      • a2.exe (PID: 1884)
      • wmpnscfg.exe (PID: 3840)
    • Checks proxy server information

      • setup.tmp (PID: 3656)
      • wmiprvse.exe (PID: 3960)
      • a2.exe (PID: 1884)
    • Creates files or folders in the user directory

      • setup.tmp (PID: 3656)
      • wmiprvse.exe (PID: 3960)
      • a2.exe (PID: 1884)
    • Drops the executable file immediately after the start

      • expand.exe (PID: 3752)
    • Drops NetSupport executable file

      • expand.exe (PID: 3752)
    • Reads mouse settings

      • a2.exe (PID: 1884)
    • Application launched itself

      • msedge.exe (PID: 3548)
      • msedge.exe (PID: 1232)
      • firefox.exe (PID: 3736)
      • firefox.exe (PID: 3748)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:02:15 15:54:16+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: LANDR FX Suite OSX Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: LANDR FX Suite OSX
ProductVersion: 1.0
No data.
All screenshots are available in the full report
Total processes
101
Monitored processes
53
Malicious processes
11
Suspicious processes
0

Behavior graph

start landr fx suite osx.exe no specs landr fx suite osx.tmp no specs landr fx suite osx.exe landr fx suite osx.tmp wmpnscfg.exe no specs setup.exe no specs setup.tmp a1.exe no specs a1.tmp no specs cmd.exe no specs expand.exe no specs cmd.exe no specs reg.exe no specs #NETSUPPORT wmiprvse.exe cmd.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe a2.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs ntvdm.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wmpnscfg.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
304
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3748.12.1229769124\375952633" -childID 9 -isForBrowser -prefsHandle 4736 -prefMapHandle 4576 -prefsLen 31135 -prefMapSize 244195 -jsInitHandle 840 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67149722-8ec2-4acb-a81b-f0aa478b6cb4} 3748 "\\.\pipe\gecko-crash-server-pipe.3748" 1960 18c5b280 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID:
668
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3748.8.273829821\1567760670" -childID 7 -isForBrowser -prefsHandle 4548 -prefMapHandle 4552 -prefsLen 31054 -prefMapSize 244195 -jsInitHandle 840 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6312e1fb-8ac1-4318-a48b-cc84aa06849a} 3748 "\\.\pipe\gecko-crash-server-pipe.3748" 4456 1523cb20 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID:
968
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2600 --field-trial-handle=1340,i,15902890132698940750,15422121909355177820,131072 /prefetch:8
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1232
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate https://axsboe-campaign.com/pixel?pmhzmq=fhoohvpn6e7i&c=60705572&pl=0x01&pb=1&px=2666
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1460
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1340,i,15902890132698940750,15422121909355177820,131072 /prefetch:1
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1576
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6dadf598,0x6dadf5a8,0x6dadf5b4
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1612
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xf8,0x6dadf598,0x6dadf5a8,0x6dadf5b4
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1664
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3748.10.1451569176\790591247" -parentBuildID 20230710165010 -sandboxingKind 1 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 36429 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfc92bc4-b929-4ceb-8eae-d45bad5f81f0} 3748 "\\.\pipe\gecko-crash-server-pipe.3748" 4824 1a288710 utility
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID:
1668
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3748.11.2058301880\183551941" -childID 8 -isForBrowser -prefsHandle 5028 -prefMapHandle 5024 -prefsLen 31054 -prefMapSize 244195 -jsInitHandle 840 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b5ce5b7-3dc3-4b58-b3dd-b8b89f13852b} 3748 "\\.\pipe\gecko-crash-server-pipe.3748" 5040 1c590560 tab
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID:
1828
CMD:
"C:\Windows\system32\ntvdm.exe" -i1
Path:
C:\Windows\System32\ntvdm.exe
Parent process:
a2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
NTVDM.EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
30 285
Read events
29 648
Write events
477
Delete events
160

Modification events

Process:
(3400) wmpnscfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{6A942B72-E663-4FE9-B608-EFAFEDEBEF11}\{80B3E3AB-0F14-4AC8-B72E-35464A236074}
Operation:
delete key
Name:
(default)
Value:

Process:
(3400) wmpnscfg.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{6A942B72-E663-4FE9-B608-EFAFEDEBEF11}
Operation:
delete key
Name:
(default)
Value:

Process:
(3400) wmpnscfg.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{250BA96C-01F6-47F9-BA15-A830C0915FB0}
Operation:
delete key
Name:
(default)
Value:

Process:
(3656) setup.tmp
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:
write
Name:
ProxyEnable
Value:
0
Process:
(3656) setup.tmp
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:
write
Name:
SavedLegacySettings
Value:
4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process:
(3656) setup.tmp
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1
Process:
(3656) setup.tmp
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1
Process:
(3656) setup.tmp
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
1
Process:
(3656) setup.tmp
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
0
Process:
(3656) setup.tmp
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:
write
Name:
CachePrefix
Value:
Cookie:
Executable files
44
Suspicious files
656
Text files
114
Unknown types
0

Dropped files

PID:
3480
Process:
LANDR FX Suite OSX.tmp
Filename:
C:\Program Files\LANDR FX Suite OSX\is-LEL1C.tmp
Type:
executable
MD5: AB31159B88AFE3849CB65C51D8EE2306
SHA256: A013D79B1EF5A8553DE074FB991A265DE243F490D0D835A86A3C06FC064E60BB
PID:
3468
Process:
LANDR FX Suite OSX.exe
Filename:
C:\Users\admin\AppData\Local\Temp\is-388DU.tmp\LANDR FX Suite OSX.tmp
Type:
executable
MD5: 8F9A6F45A00950ACF2024C6A0E75A1E7
SHA256: B7A7A7E911FDE41A21C7EF2410D0F7D46739E2F14AA234CC520F303E76823E5C
PID:
3480
Process:
LANDR FX Suite OSX.tmp
Filename:
C:\Users\admin\AppData\Local\Temp\is-FA2EO.tmp\is-8GFHE.tmp
Type:
text
MD5: C4438A8F5D5EE9621E17A6E25C00849F
SHA256: FC3DE8C145C1F7BBEE4B756FD70728F173CA3BCAE58B2BA7757CB628B96DDEC5
PID:
3480
Process:
LANDR FX Suite OSX.tmp
Filename:
C:\Program Files\LANDR FX Suite OSX\unins000.exe
Type:
executable
MD5: AB31159B88AFE3849CB65C51D8EE2306
SHA256: A013D79B1EF5A8553DE074FB991A265DE243F490D0D835A86A3C06FC064E60BB
PID:
3656
Process:
setup.tmp
Filename:
C:\Users\admin\AppData\Local\Temp\is-QTMVQ.tmp\idp.dll
Type:
executable
MD5: 55C310C0319260D798757557AB3BF636
SHA256: 54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
PID:
3656
Process:
setup.tmp
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Type:
compressed
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
PID:
3480
Process:
LANDR FX Suite OSX.tmp
Filename:
C:\Users\admin\AppData\Local\Temp\is-FA2EO.tmp\is-U8Q64.tmp
Type:
executable
MD5: A8DF1F2790C0E74926E324FF901D226D
SHA256: 3CF16D1737BD7263B293251F9FAFE2D4EAB529FA9BEAA79A7B84E34E857500F6
PID:
3664
Process:
setup.exe
Filename:
C:\Users\admin\AppData\Local\Temp\is-9DGQJ.tmp\setup.tmp
Type:
executable
MD5: 6EEC29E158E89BE01B88DDE664C2E65E
SHA256: 040613DB969F5968395307E386968C598469855F4C44ECBA71A201F8CCF8CD1F
PID:
3480
Process:
LANDR FX Suite OSX.tmp
Filename:
C:\Users\admin\AppData\Local\Temp\is-FA2EO.tmp\setup.exe
Type:
executable
MD5: A8DF1F2790C0E74926E324FF901D226D
SHA256: 3CF16D1737BD7263B293251F9FAFE2D4EAB529FA9BEAA79A7B84E34E857500F6
PID:
3656
Process:
setup.tmp
Filename:
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type:
binary
MD5: E91F0C4B226D3505E778C4D88E50296A
SHA256: CBA4EE95814DA6F697F2D25CCC15373EBAF5F5AA574B454B7769FDD862B08D2A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
56
TCP/UDP connections
139
DNS requests
234
Threats
32

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3656
setup.tmp
HEAD
200
37.1.198.251:80
http://ambadevgroup.info/load/1893/promo.exe
unknown
unknown
3480
LANDR FX Suite OSX.tmp
GET
200
188.114.97.3:80
http://tripsilver.xyz/pe/buildIN.php?sub=2666&source=3942&s1=47548501&title=TEFORFIgRlggU3VpdGUgT1NY&ti=1699864186
unknown
executable
4.90 Mb
unknown
3480
LANDR FX Suite OSX.tmp
GET
200
104.21.76.176:80
http://cookchildren.online/kis.php
unknown
text
2 b
unknown
3656
setup.tmp
GET
200
95.140.236.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8c9c38131579114d
unknown
compressed
61.6 Kb
unknown
3656
setup.tmp
GET
200
184.24.77.79:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSXTvDlON1u8XQu8dLEuLAFFA%3D%3D
unknown
binary
503 b
unknown
3960
wmiprvse.exe
GET
200
51.142.119.24:80
http://geo.netsupportsoftware.com/location/loca.asp
unknown
text
15 b
unknown
3656
setup.tmp
GET
200
104.21.90.147:80
http://send.planewool.xyz/track_inl2EU.php?tim=1699864182&poid=2666&p=0.7
unknown
text
3 b
unknown
1884
a2.exe
GET
200
37.1.198.251:80
http://mysoftwareusa.info/archives/5
unknown
html
189 b
unknown
1884
a2.exe
GET
200
37.1.198.251:80
http://mysoftwareusa.info/stats/4/0/0
unknown
html
192 b
unknown
3960
wmiprvse.exe
POST
194.38.21.53:1203
http://194.38.21.53/fakeurl.htm
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
2588
svchost.exe
239.255.255.250:1900
whitelisted
3480
LANDR FX Suite OSX.tmp
104.21.76.176:80
cookchildren.online
CLOUDFLARENET
unknown
3480
LANDR FX Suite OSX.tmp
188.114.97.3:80
tripsilver.xyz
CLOUDFLARENET
NL
unknown
3656
setup.tmp
104.21.9.238:443
x.prosefriend.online
CLOUDFLARENET
unknown
3656
setup.tmp
95.140.236.0:80
ctldl.windowsupdate.com
LLNW
US
whitelisted
3656
setup.tmp
23.212.210.158:80
x1.c.lencr.org
AKAMAI-AS
AU
unknown
3656
setup.tmp
212.86.108.29:443
www.stepklist.cloud
Zomro B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
cookchildren.online
  • 104.21.76.176
  • 172.67.198.98
unknown
tripsilver.xyz
  • 188.114.97.3
  • 188.114.96.3
unknown
x.prosefriend.online
  • 104.21.9.238
  • 172.67.161.180
unknown
ctldl.windowsupdate.com
  • 95.140.236.0
whitelisted
x1.c.lencr.org
  • 23.212.210.158
whitelisted
x2.c.lencr.org
  • 23.212.210.158
whitelisted
www.stepklist.cloud
  • 212.86.108.29
unknown
r3.o.lencr.org
  • 184.24.77.79
  • 184.24.77.52
  • 184.24.77.53
  • 184.24.77.45
  • 184.24.77.54
  • 184.24.77.62
  • 184.24.77.56
  • 184.24.77.47
  • 184.24.77.48
  • 184.24.77.46
  • 184.24.77.75
  • 184.24.77.67
shared
send.planewool.xyz
  • 104.21.90.147
  • 172.67.157.197
unknown
geo.netsupportsoftware.com
  • 51.142.119.24
  • 62.172.138.8
  • 62.172.138.67
unknown

Threats

PID
Process
Class
Message
3480
LANDR FX Suite OSX.tmp
Possibly Unwanted Program Detected
ET ADWARE_PUP Win32/TrojanDownloader Variant Activity (GET)
3480
LANDR FX Suite OSX.tmp
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] InnoSetup Installer
3480
LANDR FX Suite OSX.tmp
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
3480
LANDR FX Suite OSX.tmp
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3480
LANDR FX Suite OSX.tmp
Misc activity
ET INFO EXE - Served Attached HTTP
1080
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
3656
setup.tmp
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
3960
wmiprvse.exe
Potential Corporate Privacy Violation
ET POLICY NetSupport GeoLocation Lookup Request
3960
wmiprvse.exe
Misc activity
ET INFO NetSupport Remote Admin Checkin
3960
wmiprvse.exe
Misc activity
ET INFO NetSupport Remote Admin Response
14 ETPRO signatures available in the full report
No debug info