| File name: | oalinst (1).zip |
| Full analysis: | https://app.any.run/tasks/4d9dc19f-8104-4bb3-862e-0ed57764dfe3 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | February 22, 2024, 23:27:33 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 47F53B4B655A9F8124687141B0F94D92 |
| SHA1: | 45E08368C6755C58902B7746FF3E51AD2DF8A8B8 |
| SHA256: | D165BCB7628FD950D14847585468CC11943B2A1DA92A59A839D397C68F9D4B06 |
| SSDEEP: | 24576:9IUamkvZeLROU1fhdX8XV7b+5swOBHWmpwrFIxcbKKSznhbFEtpK2:9IUamkvZeLRD1fhdX8XV7b+57OBHWmpI |
MALICIOUS
Drops the executable file immediately after the start
- InternetHostingToolSetup-v5.5.4.exe (PID: 3936)
- InternetHostingToolSetup-v5.5.4.exe (PID: 3500)
- WinRAR.exe (PID: 3672)
- NordVPNSetup (1).exe (PID: 796)
- NordVPNSetup (1).exe (PID: 3068)
- NordVPNSetup (1).tmp (PID: 2000)
- InternetHostingToolSetup.exe (PID: 2256)
- NordVPNSetup.tmp (PID: 3332)
- NordVPNSetup.exe (PID: 3344)
- NordUpdaterSetup.exe (PID: 3964)
- NordUpdaterSetup.tmp (PID: 2064)
- drvinst.exe (PID: 3164)
- NordVPNTapSetup.exe (PID: 3556)
- HxDSetup.exe (PID: 3560)
- HxDSetup.exe (PID: 2864)
- HxDSetup.tmp (PID: 1832)
Changes the autorun value in the registry
- InternetHostingToolSetup.exe (PID: 2256)
Creates a writable file in the system directory
- drvinst.exe (PID: 3164)
- NordUpdateService.exe (PID: 1624)
SUSPICIOUS
Reads security settings of Internet Explorer
- InternetHostingToolSetup-v5.5.4.exe (PID: 3936)
- NordVPNSetup (1).tmp (PID: 2000)
- gfwlivesetup.exe (PID: 392)
- gfwlivesetup.exe (PID: 3080)
- NordVPNSetup.tmp (PID: 3332)
- NordVPNTapSetup.exe (PID: 3556)
Executable content was dropped or overwritten
- InternetHostingToolSetup-v5.5.4.exe (PID: 3500)
- InternetHostingToolSetup-v5.5.4.exe (PID: 3936)
- NordVPNSetup (1).exe (PID: 796)
- NordVPNSetup (1).exe (PID: 3068)
- NordVPNSetup (1).tmp (PID: 2000)
- InternetHostingToolSetup.exe (PID: 2256)
- NordVPNSetup.tmp (PID: 3332)
- NordVPNSetup.exe (PID: 3344)
- NordUpdaterSetup.exe (PID: 3964)
- NordUpdaterSetup.tmp (PID: 2064)
- NordVPNTapSetup.exe (PID: 3556)
- drvinst.exe (PID: 3164)
- HxDSetup.exe (PID: 2864)
- HxDSetup.exe (PID: 3560)
- HxDSetup.tmp (PID: 1832)
Searches for installed software
- InternetHostingToolSetup.exe (PID: 2256)
- InternetHostingToolSetup-v5.5.4.exe (PID: 3936)
- NordVPNSetup.tmp (PID: 3332)
- HxD.exe (PID: 3356)
- HxD.exe (PID: 3912)
Starts itself from another location
- InternetHostingToolSetup-v5.5.4.exe (PID: 3936)
Reads the Internet Settings
- InternetHostingToolSetup-v5.5.4.exe (PID: 3936)
- NordVPNSetup (1).tmp (PID: 2000)
- gfwlivesetup.exe (PID: 392)
- NordVPNSetup.tmp (PID: 3332)
Reads the Windows owner or organization settings
- NordVPNSetup (1).tmp (PID: 2000)
- NordVPNSetup.tmp (PID: 3332)
- NordUpdaterSetup.tmp (PID: 2064)
- NordVPNTapSetup.exe (PID: 3556)
- HxDSetup.tmp (PID: 1832)
Reads settings of System Certificates
- NordVPNSetup (1).tmp (PID: 2000)
- gfwlivesetup.exe (PID: 3080)
- gfwlivesetup.exe (PID: 392)
- NordVPNSetup.tmp (PID: 3332)
- NordVPNTapSetup.exe (PID: 3556)
- rundll32.exe (PID: 2728)
Adds/modifies Windows certificates
- NordVPNSetup (1).tmp (PID: 2000)
Checks Windows Trust Settings
- NordVPNSetup (1).tmp (PID: 2000)
- gfwlivesetup.exe (PID: 3080)
- gfwlivesetup.exe (PID: 392)
- NordVPNSetup.tmp (PID: 3332)
- NordUpdateService.exe (PID: 1624)
- NordVPNTapSetup.exe (PID: 3556)
- drvinst.exe (PID: 3164)
Executes as Windows Service
- GSv6Fwd.exe (PID: 4084)
- VSSVC.exe (PID: 1112)
- miss.exe (PID: 2560)
- NordUpdateService.exe (PID: 1624)
Creates a software uninstall entry
- InternetHostingToolSetup.exe (PID: 2256)
Starts a Microsoft application from unusual location
- gfwlivesetup.exe (PID: 392)
- gfwlivesetup.exe (PID: 3080)
Application launched itself
- gfwlivesetup.exe (PID: 392)
- HxD.exe (PID: 3912)
Starts CMD.EXE for commands execution
- BRenamerl.exe (PID: 2056)
Uses TASKKILL.EXE to kill process
- NordVPNSetup.tmp (PID: 3332)
Process drops legitimate windows executable
- NordUpdaterSetup.tmp (PID: 2064)
Uses ICACLS.EXE to modify access control lists
- NordUpdaterSetup.tmp (PID: 2064)
Drops a system driver (possible attempt to evade defenses)
- drvinst.exe (PID: 3164)
Creates files in the driver directory
- drvinst.exe (PID: 3164)
INFO
Create files in a temporary directory
- InternetHostingToolSetup-v5.5.4.exe (PID: 3500)
- InternetHostingToolSetup-v5.5.4.exe (PID: 3936)
- NordVPNSetup (1).exe (PID: 796)
- NordVPNSetup (1).exe (PID: 3068)
- NordVPNSetup (1).tmp (PID: 2000)
- InternetHostingToolSetup.exe (PID: 2256)
- NordVPNSetup.exe (PID: 3344)
- NordVPNSetup.tmp (PID: 3332)
- NordUpdaterSetup.exe (PID: 3964)
- NordUpdaterSetup.tmp (PID: 2064)
- NordVPNTapSetup.exe (PID: 3556)
- msiexec.exe (PID: 1628)
- HxDSetup.exe (PID: 2864)
- HxDSetup.exe (PID: 3560)
Manual execution by a user
- InternetHostingToolSetup-v5.5.4.exe (PID: 3500)
- NordVPNSetup (1).exe (PID: 796)
- IPUtility.exe (PID: 3456)
- gfwlivesetup.exe (PID: 392)
- WinRAR.exe (PID: 2996)
- BRenamerl.exe (PID: 2056)
- WinRAR.exe (PID: 2468)
- HxDSetup.exe (PID: 3560)
Reads the computer name
- InternetHostingToolSetup-v5.5.4.exe (PID: 3936)
- InternetHostingToolSetup.exe (PID: 2256)
- NordVPNSetup (1).tmp (PID: 1740)
- NordVPNSetup (1).tmp (PID: 2000)
- miss.exe (PID: 2560)
- GSv6Fwd.exe (PID: 4084)
- gfwlivesetup.exe (PID: 392)
- IPUtility.exe (PID: 3456)
- gfwlivesetup.exe (PID: 3080)
- NordVPNSetup.tmp (PID: 3332)
- NordUpdaterSetup.tmp (PID: 2064)
- NordUpdateService.exe (PID: 1624)
- NordVPNTapSetup.exe (PID: 3556)
- drvinst.exe (PID: 3164)
- HxDSetup.tmp (PID: 2836)
- HxD.exe (PID: 3912)
- HxDSetup.tmp (PID: 1832)
Reads the machine GUID from the registry
- InternetHostingToolSetup-v5.5.4.exe (PID: 3936)
- InternetHostingToolSetup.exe (PID: 2256)
- NordVPNSetup (1).tmp (PID: 2000)
- IPUtility.exe (PID: 3456)
- gfwlivesetup.exe (PID: 392)
- gfwlivesetup.exe (PID: 3080)
- NordVPNSetup.tmp (PID: 3332)
- NordUpdateService.exe (PID: 1624)
- NordVPNTapSetup.exe (PID: 3556)
- drvinst.exe (PID: 3164)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3672)
- WinRAR.exe (PID: 2996)
- WinRAR.exe (PID: 2468)
Checks supported languages
- InternetHostingToolSetup.exe (PID: 2256)
- InternetHostingToolSetup-v5.5.4.exe (PID: 3500)
- InternetHostingToolSetup-v5.5.4.exe (PID: 3936)
- NordVPNSetup (1).exe (PID: 796)
- NordVPNSetup (1).tmp (PID: 1740)
- NordVPNSetup (1).exe (PID: 3068)
- NordVPNSetup (1).tmp (PID: 2000)
- GSv6Fwd.exe (PID: 4084)
- miss.exe (PID: 2560)
- gfwlivesetup.exe (PID: 392)
- IPUtility.exe (PID: 3456)
- gfwlivesetup.exe (PID: 3080)
- NordVPNSetup.tmp (PID: 3332)
- NordVPNSetup.exe (PID: 3344)
- BRenamerl.exe (PID: 2056)
- NordUpdaterSetup.exe (PID: 3964)
- NordUpdaterSetup.tmp (PID: 2064)
- NordUpdateService.exe (PID: 1624)
- NordVPNTapSetup.exe (PID: 3556)
- drvinst.exe (PID: 3164)
- HxDSetup.tmp (PID: 2836)
- HxDSetup.exe (PID: 2864)
- HxDSetup.tmp (PID: 1832)
- HxDSetup.exe (PID: 3560)
- HxD.exe (PID: 3912)
- HxD.exe (PID: 3356)
Reads the software policy settings
- NordVPNSetup (1).tmp (PID: 2000)
- gfwlivesetup.exe (PID: 3080)
- gfwlivesetup.exe (PID: 392)
- NordVPNSetup.tmp (PID: 3332)
- NordUpdateService.exe (PID: 1624)
- NordVPNTapSetup.exe (PID: 3556)
- rundll32.exe (PID: 2728)
- drvinst.exe (PID: 3164)
Reads Environment values
- NordVPNSetup (1).tmp (PID: 2000)
- NordVPNSetup.tmp (PID: 3332)
- NordVPNTapSetup.exe (PID: 3556)
- NordUpdateService.exe (PID: 1624)
Creates files in the program directory
- GSv6Fwd.exe (PID: 4084)
- InternetHostingToolSetup.exe (PID: 2256)
- miss.exe (PID: 2560)
- gfwlivesetup.exe (PID: 3080)
- NordUpdaterSetup.tmp (PID: 2064)
- NordUpdateService.exe (PID: 1624)
- HxDSetup.tmp (PID: 1832)
Checks proxy server information
- gfwlivesetup.exe (PID: 392)
Creates files or folders in the user directory
- gfwlivesetup.exe (PID: 392)
- NordVPNSetup (1).tmp (PID: 2000)
- HxD.exe (PID: 3356)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 2996)
- WinRAR.exe (PID: 2468)
Creates a software uninstall entry
- NordUpdaterSetup.tmp (PID: 2064)
- HxDSetup.tmp (PID: 1832)
Reads security settings of Internet Explorer
- rundll32.exe (PID: 2728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2009:06:03 11:25:14 |
| ZipCRC: | 0x154bebc3 |
| ZipCompressedSize: | 590314 |
| ZipUncompressedSize: | 809496 |
| ZipFileName: | oalinst.exe |
Total processes
111
Monitored processes
38
Malicious processes
17
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 392 | "C:\Users\admin\Desktop\gfwlivesetup.exe" | C:\Users\admin\Desktop\gfwlivesetup.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Games for Windows® - LIVE Game Setup Exit code: 0 Version: 3.5.0089.0 (WGX_XLIVE_V3.05_RTM(panblder).110411-1052) Modules
| |||||||||||||||
| 796 | "C:\Users\admin\Desktop\NordVPNSetup (1).exe" | C:\Users\admin\Desktop\NordVPNSetup (1).exe | explorer.exe | ||||||||||||
User: admin Company: NordVPN Integrity Level: MEDIUM Description: NordVPN Web Installer Exit code: 0 Version: 0.0.4.0 Modules
| |||||||||||||||
| 1112 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1624 | "C:\Program Files\NordUpdater\NordUpdateService.exe" | C:\Program Files\NordUpdater\NordUpdateService.exe | services.exe | ||||||||||||
User: SYSTEM Company: TEFINCOM S.A. Integrity Level: SYSTEM Description: NordSec Update Service Exit code: 0 Version: 1.0.2.26 Modules
| |||||||||||||||
| 1628 | "C:\Windows\system32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\{97DEC5D6-2BE9-45BB-BFC5-274B851B486B}\NordVPNTapSetup.msi /qn /norestart AI_SETUPEXEPATH=C:\Users\admin\AppData\Local\Temp\is-OMAJM.tmp\NordVPNTapSetup.exe SETUPEXEDIR=C:\Users\admin\AppData\Local\Temp\is-OMAJM.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /qn /norestart " REBOOT="ReallySuppress" AI_EUIMSI="" | C:\Windows\System32\msiexec.exe | — | NordVPNTapSetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1740 | "C:\Users\admin\AppData\Local\Temp\is-Q81MF.tmp\NordVPNSetup (1).tmp" /SL5="$D01D2,918814,893440,C:\Users\admin\Desktop\NordVPNSetup (1).exe" | C:\Users\admin\AppData\Local\Temp\is-Q81MF.tmp\NordVPNSetup (1).tmp | — | NordVPNSetup (1).exe | |||||||||||
User: admin Company: NordVPN Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1824 | "C:\Windows\system32\icacls.exe" "C:\Program Files\NordUpdater" /grant *S-1-5-18:(OI)(CI)(F) | C:\Windows\System32\icacls.exe | — | NordUpdaterSetup.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1832 | "C:\Users\admin\AppData\Local\Temp\is-9RQA1.tmp\HxDSetup.tmp" /SL5="$302AA,2973524,121344,C:\Users\admin\Desktop\HxDSetup\HxDSetup.exe" /SPAWNWND=$202AC /NOTIFYWND=$202C0 | C:\Users\admin\AppData\Local\Temp\is-9RQA1.tmp\HxDSetup.tmp | HxDSetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 2000 | "C:\Users\admin\AppData\Local\Temp\is-TNLL7.tmp\NordVPNSetup (1).tmp" /SL5="$1801A4,918814,893440,C:\Users\admin\Desktop\NordVPNSetup (1).exe" /SPAWNWND=$D01E0 /NOTIFYWND=$D01D2 | C:\Users\admin\AppData\Local\Temp\is-TNLL7.tmp\NordVPNSetup (1).tmp | NordVPNSetup (1).exe | ||||||||||||
User: admin Company: NordVPN Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 2056 | "C:\Users\admin\Desktop\BRenamerl\BRenamerl.exe" | C:\Users\admin\Desktop\BRenamerl\BRenamerl.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
61 421
Read events
60 910
Write events
470
Delete events
41
Modification events
| (PID) Process: | (3672) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3672) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3672) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3672) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3672) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3672) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3672) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\oalinst (1).zip | |||
| (PID) Process: | (3672) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3672) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3672) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
84
Suspicious files
48
Text files
32
Unknown types
14
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2256 | InternetHostingToolSetup.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 3672 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3672.3221\oalinst.exe | executable | |
MD5:694F54BD227916B89FC3EB1DB53F0685 | SHA256:B8F39714D41E009F75EFB183C37100F2CBABB71784BBD243BE881AC5B42D86FD | |||
| 3936 | InternetHostingToolSetup-v5.5.4.exe | C:\Users\admin\AppData\Local\Temp\{E8F91280-41FB-4495-A788-E3987BE8BE64}\.ba\thm.xml | xml | |
MD5:F62729C6D2540015E072514226C121C7 | SHA256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916 | |||
| 3936 | InternetHostingToolSetup-v5.5.4.exe | C:\Users\admin\AppData\Local\Temp\{E8F91280-41FB-4495-A788-E3987BE8BE64}\.ba\thm.wxl | xml | |
MD5:5D492AF2E8C9B2AB58CA1A10248C726F | SHA256:ACCF0D8BFCEF21F5F80730D90705446FC0253174A484FD73B6523A092224322D | |||
| 2000 | NordVPNSetup (1).tmp | C:\Users\admin\AppData\Local\Temp\is-3FJK9.tmp\Nord.Setup.dll | executable | |
MD5:0FFAE833B8745FC12DE1009E96815A4A | SHA256:D918AD96533148CF58E10B328FF919B9AE7BC066233DC9F94470224994A1D9D3 | |||
| 796 | NordVPNSetup (1).exe | C:\Users\admin\AppData\Local\Temp\is-Q81MF.tmp\NordVPNSetup (1).tmp | executable | |
MD5:6357969FA5570C096D8BA6350FA5C000 | SHA256:2342E5ADB9B9F0DF2C8560FAAA3AF6612C90C395BC6BFB3A77437C3D43E92D49 | |||
| 3068 | NordVPNSetup (1).exe | C:\Users\admin\AppData\Local\Temp\is-TNLL7.tmp\NordVPNSetup (1).tmp | executable | |
MD5:6357969FA5570C096D8BA6350FA5C000 | SHA256:2342E5ADB9B9F0DF2C8560FAAA3AF6612C90C395BC6BFB3A77437C3D43E92D49 | |||
| 2256 | InternetHostingToolSetup.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:A0F9C400B60637013BBF908273FCCF9C | SHA256:17F987B461B3A8747F47786B10576F65980933D9300BC7ADE1C860C802A46EB3 | |||
| 2256 | InternetHostingToolSetup.exe | C:\ProgramData\Package Cache\{210f720b-43b5-4e48-8d2b-e5afc28cddf7}\InternetHostingToolSetup.exe | executable | |
MD5:68F77BB8CC3983B7EE274AC068C42CDC | SHA256:0E5DB58BAADF92FFD0FCE0D0E8D7D4350BAF8DCC9C7E8DEB510B9BCC63C65BED | |||
| 2256 | InternetHostingToolSetup.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{09654d74-e9ba-42d1-8c76-67f8e3843895}_OnDiskSnapshotProp | binary | |
MD5:A0F9C400B60637013BBF908273FCCF9C | SHA256:17F987B461B3A8747F47786B10576F65980933D9300BC7ADE1C860C802A46EB3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
30
DNS requests
12
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
392 | gfwlivesetup.exe | GET | 302 | 2.19.246.123:80 | http://go.microsoft.com/fwlink/?LinkID=201133 | unknown | — | — | unknown |
392 | gfwlivesetup.exe | GET | 302 | 2.19.246.123:80 | http://go.microsoft.com/fwlink/?LinkID=194359&clcid=0x409 | unknown | — | — | unknown |
2000 | NordVPNSetup (1).tmp | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?19838b2ae250760d | unknown | — | — | unknown |
392 | gfwlivesetup.exe | GET | 200 | 2.16.164.58:80 | http://download.gfwl.xboxlive.com/content/gfwl-public/redists/production/gfwlivesetup.txt | unknown | text | 10 b | unknown |
392 | gfwlivesetup.exe | GET | 200 | 2.16.164.58:80 | http://download.gfwl.xboxlive.com/content/gfwl-public/redists/production/xliveredist.msi | unknown | executable | 20.6 Mb | unknown |
2000 | NordVPNSetup (1).tmp | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D | unknown | binary | 1.41 Kb | unknown |
2000 | NordVPNSetup (1).tmp | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D | unknown | binary | 1.67 Kb | unknown |
2000 | NordVPNSetup (1).tmp | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D | unknown | binary | 1.40 Kb | unknown |
2000 | NordVPNSetup (1).tmp | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDF2zq5W4nUrgkGCLSg%3D%3D | unknown | binary | 1.65 Kb | unknown |
2000 | NordVPNSetup (1).tmp | GET | 200 | 104.18.20.226:80 | http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHyQEJAzv0i2%2Blscfw%3D | unknown | binary | 1.40 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2000 | NordVPNSetup (1).tmp | 104.19.159.190:443 | api.nordvpn.com | CLOUDFLARENET | — | unknown |
2000 | NordVPNSetup (1).tmp | 104.19.185.81:443 | applytics.zwyr157wwiu6eior.com | CLOUDFLARENET | — | unknown |
2000 | NordVPNSetup (1).tmp | 104.17.208.237:443 | downloads.nordcdn.com | CLOUDFLARENET | — | unknown |
2560 | miss.exe | 192.168.100.2:5351 | — | — | — | whitelisted |
2560 | miss.exe | 239.255.255.250:1900 | — | — | — | unknown |
3456 | IPUtility.exe | 224.0.0.251:5353 | — | — | — | unknown |
392 | gfwlivesetup.exe | 2.19.246.123:80 | go.microsoft.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.nordvpn.com |
| unknown |
applytics.zwyr157wwiu6eior.com |
| unknown |
downloads.nordcdn.com |
| unknown |
moonlight-stream.org |
| unknown |
1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa |
| unknown |
191.100.168.192.in-addr.arpa |
| unknown |
go.microsoft.com |
| whitelisted |
download.gfwl.xboxlive.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.globalsign.com |
| whitelisted |
Threats
Process | Message |
|---|---|
IPUtility.exe | IPUtilityApp
|
IPUtility.exe | Current PATH
|
IPUtility.exe | C:\Users\admin\Desktop |
IPUtility.exe | localPath PATH
|
IPUtility.exe | C:\Users\admin\Desktop |
IPUtility.exe | C:\Windows\system32\UxTheme.dll |
IPUtility.exe | C:\Windows\system32\dwmapi.dll |
IPUtility.exe | C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll |
IPUtility.exe | C:\Windows\system32\SHLWAPI.dll |
IPUtility.exe | C:\Windows\system32\ADVAPI32.dll |