File name: | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe |
Full analysis: | https://app.any.run/tasks/621d9c3b-db0e-495f-b683-3fe3baccaee0 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | January 11, 2025, 00:26:09 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
MD5: | 0799756F104A70CB6CE0CFC422DE25DB |
SHA1: | CCEC79B6300F8E86C3BEFF86BAC01362F71E7715 |
SHA256: | D2049157980B7EE0A54948D4DEF4AB62303CA51CADAADA06FB51C583ECBCE1A2 |
SSDEEP: | 98304:f0S48XA1HN4rI1yz6ywKhnp8TsDFwccqVdUor0yR53IMxcBmC6S4Srw0TjcKrtJP:zsY2ubEKZE2p73+nSJ+ |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x352d |
UninitializedDataSize: | 2048 |
InitializedDataSize: | 186880 |
CodeSize: | 27136 |
LinkerVersion: | 6 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
TimeStamp: | 2021:09:25 21:57:46+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6508 | "C:\Users\admin\AppData\Local\Temp\d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe" | C:\Users\admin\AppData\Local\Temp\d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
6668 | "C:\Users\admin\AppData\Local\Temp\d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe" | C:\Users\admin\AppData\Local\Temp\d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
6716 | cmd /c start /min powershell -windowstyle hidden -ExecutionPolicy Bypass .\init.ps1 | C:\Windows\System32\cmd.exe | — | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6724 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6776 | powershell -windowstyle hidden -ExecutionPolicy Bypass .\init.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6792 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
7060 | "C:\Program Files (x86)\ArmyPlus\ArmyPlus.exe" | C:\Program Files (x86)\ArmyPlus\ArmyPlus.exe | — | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | |||||||||||
User: admin Integrity Level: HIGH Description: ArmyPlus Exit code: 0 Version: 0.9.6.0 Modules
| |||||||||||||||
7116 | "C:\ProgramData\OneDriveData\Tor\tor.exe" --service install -options -f C:\ProgramData\OneDriveData\Data\Tor\conf | C:\ProgramData\OneDriveData\Tor\tor.exe | — | powershell.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
7148 | "C:\ProgramData\OneDriveData\Tor\tor.exe" --nt-service "-f" "C:\ProgramData\OneDriveData\Data\Tor\conf" | C:\ProgramData\OneDriveData\Tor\tor.exe | services.exe | ||||||||||||
User: LOCAL SERVICE Integrity Level: SYSTEM Modules
| |||||||||||||||
6156 | "C:\WINDOWS\System32\OpenSSH\ssh-keygen.exe" -b 2048 -t rsa -f defaultssh -q -N "" | C:\Windows\System32\OpenSSH\ssh-keygen.exe | — | powershell.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 8.1.0.1 Modules
|
(PID) Process: | (6668) d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ArmyPlus |
Operation: | write | Name: | DisplayName |
Value: ArmyPlus | |||
(PID) Process: | (6668) d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ArmyPlus |
Operation: | write | Name: | UninstallString |
Value: C:\Program Files (x86)\ArmyPlus\uninstall.exe | |||
(PID) Process: | (3224) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
Operation: | write | Name: | SessionIdHigh |
Value: 31155135 | |||
(PID) Process: | (3224) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
Operation: | write | Name: | SessionIdLow |
Value: | |||
(PID) Process: | (3224) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
Operation: | write | Name: | DoqTime |
Value: 0 | |||
(PID) Process: | (3224) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
Operation: | write | Name: | DoqCount |
Value: 0 | |||
(PID) Process: | (3224) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
Operation: | write | Name: | PoqTime |
Value: 0 | |||
(PID) Process: | (3224) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
Operation: | write | Name: | PoqCount |
Value: 0 | |||
(PID) Process: | (3224) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
Operation: | write | Name: | RptTime |
Value: 0 | |||
(PID) Process: | (3224) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
Operation: | write | Name: | RptCount |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
6776 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_azcq4j2d.zdf.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Program Files (x86)\ArmyPlus\ArmyPlus.exe | executable | |
MD5:A2F355057ADE20D32AFC5C4192CE3986 | SHA256:B663E08CC267CDB7A02D5131CB04B8B05CB6AD13AC1D571C6AAFE69E06BF8F80 | |||
6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Program Files (x86)\ArmyPlus\guid.txt | text | |
MD5:ED0C7C1925AC23BD8B4D09E77AABB0EE | SHA256:8BA4C3EDE1ED05A3AD7075FEE503215648EC078A13523492E2E91A59FA40C8DA | |||
6776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF136370.TMP | binary | |
MD5:D040F64E9E7A2BB91ABCA5613424598E | SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 | |||
6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Users\admin\AppData\Local\Temp\nso5FF7.tmp\modern-wizard.bmp | image | |
MD5:3D8B4E018E8A1FB5EBC07DD31A4E2C82 | SHA256:7A391C5C367DED68E6078C908261B9AB817FFA3B052DBE618227D3FEE71D4D8A | |||
6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Program Files (x86)\ArmyPlus\init.ps1 | text | |
MD5:52853B39922251A4166A5B032E577E7A | SHA256:86039BC8B1A6BB823F5CBF27D1A4A3B319B83D242F09FFCD96F38BBDBBAAA78F | |||
6776 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1drbszgt.sfo.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
6776 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:C46BBEF559F8E1C9BC3EBDE423B1209A | SHA256:B92AFF01E65536EF93FA572DBF4315C07551F81D0B39C49202153BBEF0EEC749 | |||
6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Program Files (x86)\ArmyPlus\tor-win32-0.4.7.11.zip | compressed | |
MD5:53E566693EDAD254C72EBDE361F0E6B0 | SHA256:C9494749F02493BF3D53C849F9672FDA5426F90B1C34D81237A0BC24C0C6993A | |||
6668 | d2049157980b7ee0a54948d4def4ab62303ca51cadaada06fb51c583ecbce1a2.exe | C:\Program Files (x86)\ArmyPlus\DLLs\_ctypes.pyd | executable | |
MD5:92276F41FF9C856F4DBFA6508614E96C | SHA256:9AB1F8CBB50DB3D9A00F74447A2275A89EC52D1139FC0A93010E59C412C2C850 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1704 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
3040 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
1704 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
716 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5064 | SearchApp.exe | 104.126.37.145:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
1176 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
arc.msn.com |
| whitelisted |
fd.api.iris.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 301 |
— | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 850 |
— | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 822 |
— | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 301 |
— | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 822 |
— | — | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 850 |
Process | Message |
---|---|
powershell.exe | PID=6776 TID=6916 DismApi.dll: - DismInitializeInternal
|
powershell.exe | PID=6776 TID=6916 DismApi.dll: Host machine information: OS Version=10.0.19045, Running architecture=amd64, Number of processors=4 - DismInitializeInternal
|
powershell.exe | PID=6776 TID=6916 Lookup in table by path failed for: DummyPath-2BA51B78-C7F7-4910-B99D-BB7345357CDC - CTransactionalImageTable::LookupImagePath
|
powershell.exe | PID=6776 TID=6916 DismApi.dll: - DismInitializeInternal
|
powershell.exe | PID=6776 TID=6916 DismApi.dll: <----- Starting DismApi.dll session -----> - DismInitializeInternal
|
powershell.exe | PID=6776 TID=6916 DismApi.dll: API Version 10.0.19041.3758 - DismInitializeInternal
|
powershell.exe | PID=6776 TID=6916 DismApi.dll: Parent process command line: powershell -windowstyle hidden -ExecutionPolicy Bypass .\init.ps1 - DismInitializeInternal
|
powershell.exe | PID=6776 TID=6916 Waiting for m_pInternalThread to start - CCommandThread::Start
|
powershell.exe | PID=6776 TID=6916 Input parameters: LogLevel: 2, LogFilePath: C:\WINDOWS\Logs\DISM\dism.log, ScratchDirectory: (null) - DismInitializeInternal
|
powershell.exe | PID=6776 TID=3060 Enter CCommandThread::CommandThreadProcedureStub - CCommandThread::CommandThreadProcedureStub
|