Malware analysis RaidSetup.exe Malicious activity | ANY.RUN

Add for printing

File name:	RaidSetup.exe
Full analysis:	https://app.any.run/tasks/d4cc39fc-e816-4475-9665-7c3c847c8abf
Verdict:	Malicious activity
Analysis date:	September 07, 2024, 04:58:16
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	discord
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	996CE20CE1CDEB6FFA2D5107A7DB9CFD
SHA1:	2EA50ACB019771A20C77DC3767BCBC53F9D03B29
SHA256:	DBD92071D4DEE9BEB38EE5FC6633346E6E3ED6297CF3C0CF24015FF9F0B1BF28
SSDEEP:	98304:lLbkHLWqniKHqvNREMNPpRJVWFogUPICQcMy4B86PTLnsJmk1Fse630h:Ps2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - PlariumPlaySetup.exe (PID: 6016)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
  - RaidSetup.exe (PID: 6212)
SUSPICIOUS
- Executable content was dropped or overwritten
  - RaidSetup.exe (PID: 2180)
  - RaidSetup.exe (PID: 7060)
  - RaidSetup.exe (PID: 6948)
  - RaidSetup.exe (PID: 6212)
  - PlariumPlaySetup.exe (PID: 6016)
  - net6.exe (PID: 5040)
  - net6.exe (PID: 6728)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
  - PlariumPlay.exe (PID: 1164)
- The process creates files with name similar to system file names
  - RaidSetup.exe (PID: 7060)
  - msiexec.exe (PID: 4708)
  - RaidSetup.exe (PID: 6212)
- Process drops legitimate windows executable
  - RaidSetup.exe (PID: 7060)
  - RaidSetup.exe (PID: 6212)
  - net6.exe (PID: 5040)
  - net6.exe (PID: 6728)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
  - msiexec.exe (PID: 4708)
- Reads security settings of Internet Explorer
  - RaidSetup.exe (PID: 7060)
  - RaidSetup.exe (PID: 6212)
  - net6.exe (PID: 6728)
  - PlariumPlayInfo.exe (PID: 1744)
- Starts itself from another location
  - RaidSetup.exe (PID: 6212)
  - net6.exe (PID: 6728)
- Searches for installed software
  - RaidSetup.exe (PID: 6212)
  - dllhost.exe (PID: 5920)
  - net6.exe (PID: 6728)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 4708)
- Starts a Microsoft application from unusual location
  - net6.exe (PID: 5040)
  - net6.exe (PID: 6728)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
- Executes as Windows Service
  - VSSVC.exe (PID: 5980)
  - PlariumPlayClientService.exe (PID: 3548)
- Creates a software uninstall entry
  - PlariumPlaySetup.exe (PID: 6016)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 4708)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 4708)
- Creates or modifies Windows services
  - PlariumPlayClientService.exe (PID: 4024)
- Application launched itself
  - PlariumPlay.exe (PID: 1164)
- Reads the date of Windows installation
  - PlariumPlayInfo.exe (PID: 1744)
INFO
- Create files in a temporary directory
  - RaidSetup.exe (PID: 2180)
  - RaidSetup.exe (PID: 7060)
  - RaidSetup.exe (PID: 6212)
  - PlariumPlaySetup.exe (PID: 6016)
  - net6.exe (PID: 6728)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
  - PlariumPlay.exe (PID: 1164)
- Checks supported languages
  - RaidSetup.exe (PID: 2180)
  - RaidSetup.exe (PID: 7060)
  - RaidSetup.exe (PID: 6948)
  - RaidSetup.exe (PID: 6212)
  - PlariumPlaySetup.exe (PID: 6016)
  - msiexec.exe (PID: 4708)
  - net6.exe (PID: 5040)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
  - net6.exe (PID: 6728)
  - msiexec.exe (PID: 2068)
  - msiexec.exe (PID: 6512)
  - msiexec.exe (PID: 1948)
  - msiexec.exe (PID: 7140)
  - PlariumPlayClientService.exe (PID: 3548)
  - PlariumPlay.exe (PID: 4196)
  - PlariumPlayClientService.exe (PID: 4024)
  - PlariumPlay.exe (PID: 1164)
  - PlariumPlay.NetHost.exe (PID: 6264)
  - PlariumPlay.exe (PID: 6752)
  - PlariumPlay.exe (PID: 5720)
  - PlariumPlayInfo.exe (PID: 1744)
  - PlariumPlay.exe (PID: 7052)
  - PlariumPlay.exe (PID: 5708)
  - PlariumPlay.exe (PID: 6304)
  - PlariumPlay.exe (PID: 6976)
- Reads the computer name
  - RaidSetup.exe (PID: 7060)
  - PlariumPlaySetup.exe (PID: 6016)
  - RaidSetup.exe (PID: 6212)
  - msiexec.exe (PID: 4708)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
  - net6.exe (PID: 6728)
  - msiexec.exe (PID: 2068)
  - msiexec.exe (PID: 1948)
  - msiexec.exe (PID: 7140)
  - msiexec.exe (PID: 6512)
  - PlariumPlayClientService.exe (PID: 3548)
  - PlariumPlayClientService.exe (PID: 4024)
  - PlariumPlay.exe (PID: 4196)
  - PlariumPlay.exe (PID: 5720)
  - PlariumPlay.exe (PID: 1164)
  - PlariumPlay.NetHost.exe (PID: 6264)
  - PlariumPlay.exe (PID: 5708)
  - PlariumPlayInfo.exe (PID: 1744)
  - PlariumPlay.exe (PID: 6976)
  - PlariumPlay.exe (PID: 6304)
- Reads the machine GUID from the registry
  - RaidSetup.exe (PID: 7060)
  - RaidSetup.exe (PID: 6212)
  - PlariumPlaySetup.exe (PID: 6016)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
  - msiexec.exe (PID: 4708)
  - PlariumPlay.exe (PID: 1164)
- Creates files or folders in the user directory
  - RaidSetup.exe (PID: 7060)
  - RaidSetup.exe (PID: 6212)
  - msiexec.exe (PID: 4708)
  - PlariumPlay.exe (PID: 4196)
  - PlariumPlay.exe (PID: 1164)
  - PlariumPlay.exe (PID: 6752)
  - PlariumPlay.NetHost.exe (PID: 6264)
  - PlariumPlayClientService.exe (PID: 3548)
  - PlariumPlay.exe (PID: 5708)
  - PlariumPlayInfo.exe (PID: 1744)
- Process checks computer location settings
  - RaidSetup.exe (PID: 7060)
  - RaidSetup.exe (PID: 6212)
  - net6.exe (PID: 6728)
  - PlariumPlayClientService.exe (PID: 3548)
  - PlariumPlay.exe (PID: 4196)
  - PlariumPlay.exe (PID: 1164)
  - PlariumPlay.exe (PID: 7052)
  - PlariumPlayInfo.exe (PID: 1744)
- The process uses the downloaded file
  - RaidSetup.exe (PID: 7060)
  - RaidSetup.exe (PID: 6212)
  - net6.exe (PID: 6728)
- Disables trace logs
  - RaidSetup.exe (PID: 6212)
- Checks proxy server information
  - RaidSetup.exe (PID: 6212)
  - PlariumPlay.NetHost.exe (PID: 6264)
  - PlariumPlay.exe (PID: 1164)
- Reads the software policy settings
  - RaidSetup.exe (PID: 6212)
  - msiexec.exe (PID: 4708)
  - PlariumPlay.exe (PID: 1164)
  - PlariumPlay.NetHost.exe (PID: 6264)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 4708)
- Creates files in the program directory
  - PlariumPlaySetup.exe (PID: 6016)
  - windowsdesktop-runtime-6.0.10-win-x64.exe (PID: 3040)
  - PlariumPlayClientService.exe (PID: 4024)
  - PlariumPlay.exe (PID: 4196)
  - PlariumPlay.NetHost.exe (PID: 6264)
  - PlariumPlayInfo.exe (PID: 1744)
- Creates a software uninstall entry
  - msiexec.exe (PID: 4708)
- Sends debugging messages
  - PlariumPlayClientService.exe (PID: 4024)
  - PlariumPlayClientService.exe (PID: 3548)
  - PlariumPlay.exe (PID: 4196)
  - PlariumPlay.NetHost.exe (PID: 6264)
  - PlariumPlayInfo.exe (PID: 1744)
- Reads product name
  - PlariumPlay.exe (PID: 1164)
- Reads Environment values
  - PlariumPlay.exe (PID: 1164)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:09:17 05:33:38+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	299008
InitializedDataSize:	594432
UninitializedDataSize:	-
EntryPoint:	0x2df71
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	9.6.0.0
ProductVersionNumber:	9.6.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Plarium
FileDescription:	Plarium Play
FileVersion:	9.6.0
InternalName:	setup
LegalCopyright:	Copyright (c) Plarium. All rights reserved.
OriginalFileName:	PlariumPlaySetup.exe
ProductName:	Plarium Play
ProductVersion:	9.6.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

166

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11

C:\Windows\System32\SrTasks.exe

—

dllhost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft® Windows System Protection background tasks.

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1164

"C:\Users\admin\AppData\Local\PlariumPlay\9.6.0-0.0.3\PlariumPlay.exe" C:\Users\admin\AppData\Local\PlariumPlay\PlariumPlay.dll -setup-file="C:\Users\admin\Desktop\RaidSetup.exe" -launch-point=[Page.InstallConfirmation][Button.Continue] -preloader-id=4196 -psid=6a819fdb-e74f-4f8e-90a4-96567a3e09d5 -playhid=uySDLyc+acY2QsVFJ4HFmBhh5QiPF1lOOy37+01DmNSLtrc8l8mgiSOM9yzMpP1ju3iHkFVH0YaeiPFjMI0Goy7cKhFZDEwCAWDNjj9Z2+w81QNNEz3+nfbWhEU1JDLhjH4WFg7x7OjrgVFDKEUj4Y6wCsSQ8ZwW+sYL1Mxc9JuCQCpyx8ko20srkw4GDG/8OcL4HZtnRlAU/vHttL9/AFBGZ8eGCm3t90st9Ootfos= -preloader-start=1725685314901 -preloader-end=1725685314928

C:\Users\admin\AppData\Local\PlariumPlay\9.6.0-0.0.3\PlariumPlay.exe

PlariumPlay.exe

User:

admin

Company:

Plarium Global Ltd.

Integrity Level:

MEDIUM

Description:

PlariumPlay

Version:

9.6.0

Modules

Images
c:\users\admin\appdata\local\plariumplay\9.6.0-0.0.3\plariumplay.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll

1744

"info/PlariumPlayInfo.exe" -validation-key=a9013dcb-fa92-4b45-862f-83f52586ee14

C:\Users\admin\AppData\Local\PlariumPlay\9.6.0-0.0.3\dotnet\info\PlariumPlayInfo.exe

PlariumPlay.NetHost.exe

User:

admin

Company:

PlariumPlayInfo

Integrity Level:

MEDIUM

Description:

Plarium Play

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\plariumplay\9.6.0-0.0.3\dotnet\info\plariumplayinfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1948

C:\Windows\syswow64\MsiExec.exe -Embedding 45506223F556E28C288D291E0A7BB09F

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2068

C:\Windows\syswow64\MsiExec.exe -Embedding D9C46569A0E9D37F8AC913D6615CA23E

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

2180

"C:\Users\admin\Desktop\RaidSetup.exe"

C:\Users\admin\Desktop\RaidSetup.exe

explorer.exe

User:

admin

Company:

Plarium

Integrity Level:

MEDIUM

Description:

Plarium Play

Exit code:

Version:

9.6.0

Modules

Images
c:\users\admin\desktop\raidsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3040

"C:\WINDOWS\Temp\{3BAFCB0D-376F-4470-AA57-69AF236162BA}\.be\windowsdesktop-runtime-6.0.10-win-x64.exe" -q -burn.elevated BurnPipe.{8AE7A24E-EDCA-443C-B68C-2FB399A51314} {54162D98-968B-47C1-85FD-48DCDC82D6BC} 6728

C:\Windows\Temp\{3BAFCB0D-376F-4470-AA57-69AF236162BA}\.be\windowsdesktop-runtime-6.0.10-win-x64.exe

net6.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Windows Desktop Runtime - 6.0.10 (x64)

Exit code:

Version:

6.0.10.31726

Modules

Images
c:\windows\temp\{3bafcb0d-376f-4470-aa57-69af236162ba}\.be\windowsdesktop-runtime-6.0.10-win-x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

3548

"C:\Users\admin\AppData\Local\PlariumPlay\9.6.0-0.0.3\PlariumPlayClientService\PlariumPlayClientService.exe" -displayname "Plarium Play Client Service" -servicename "Plarium Play Client Service"

C:\Users\admin\AppData\Local\PlariumPlay\9.6.0-0.0.3\PlariumPlayClientService\PlariumPlayClientService.exe

services.exe

User:

SYSTEM

Company:

PlariumPlayClientService

Integrity Level:

SYSTEM

Description:

Plarium Play Client Service

Version:

9.6.0.0

Modules

Images
c:\users\admin\appdata\local\plariumplay\9.6.0-0.0.3\plariumplayclientservice\plariumplayclientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3716

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

PlariumPlay.NetHost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4024

"C:\Users\admin\AppData\Local\PlariumPlay\9.6.0-0.0.3\PlariumPlayClientService\PlariumPlayClientService.exe" install start --sudo

C:\Users\admin\AppData\Local\PlariumPlay\9.6.0-0.0.3\PlariumPlayClientService\PlariumPlayClientService.exe

RaidSetup.exe

User:

admin

Company:

PlariumPlayClientService

Integrity Level:

HIGH

Description:

Plarium Play Client Service

Exit code:

Version:

9.6.0.0

Modules

Images
c:\users\admin\appdata\local\plariumplay\9.6.0-0.0.3\plariumplayclientservice\plariumplayclientservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

Add for printing

Total events

24 694

Read events

23 356

Write events

1 240

Delete events

Modification events


(PID) Process:	(6212) RaidSetup.exe	Key:	HKEY_USERS\.DEFAULT\Software\Plarium\Playhid
Operation:	write	Name:	id
Value: uySDLyc+acY2QsVFJ4HFmBhh5QiPF1lOOy37+01DmNSLtrc8l8mgiSOM9yzMpP1ju3iHkFVH0YaeiPFjMI0Goy7cKhFZDEwCAWDNjj9Z2+w81QNNEz3+nfbWhEU1JDLhjH4WFg7x7OjrgVFDKEUj4Y6wCsSQ8ZwW+sYL1Mxc9JuCQCpyx8ko20srkw4GDG/8OcL4HZtnRlAU/vHttL9/AFBGZ8eGCm3t90st9Ootfos=
(PID) Process:	(6212) RaidSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RaidSetup_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6212) RaidSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RaidSetup_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6212) RaidSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RaidSetup_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(6212) RaidSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RaidSetup_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(6212) RaidSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RaidSetup_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(6212) RaidSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RaidSetup_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(6212) RaidSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RaidSetup_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(6212) RaidSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RaidSetup_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6212) RaidSetup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RaidSetup_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

Add for printing

Executable files

625

Suspicious files

665

Text files

444

Unknown types

Dropped files

PID	Process	Filename		Type
7060	RaidSetup.exe	C:\Users\admin\AppData\Local\Temp\{14B016B7-CCC8-4A8D-8A16-D9263A3C4E57}\.ba\mbapreq.wxl		xml
		MD5:4D2C8D10C5DCCA6B938B71C8F02CA8A8	SHA256:C63DE5F309502F9272402587A6BE22624D1BC2FEACD1BD33FB11E44CD6614B96
7060	RaidSetup.exe	C:\Users\admin\AppData\Local\Temp\{14B016B7-CCC8-4A8D-8A16-D9263A3C4E57}\.ba\mbapreq.png		image
		MD5:A356956FD269567B8F4612A33802637B	SHA256:A401A225ADDAF89110B4B0F6E8CF94779E7C0640BCDD2D670FFCF05AAB0DAD03
7060	RaidSetup.exe	C:\Users\admin\AppData\Local\Temp\{14B016B7-CCC8-4A8D-8A16-D9263A3C4E57}\.ba\1028\mbapreq.wxl		xml
		MD5:1D4B831F77EFEC96FFBC70BC4B59B8B5	SHA256:1B93556F07C35AC0564D57E0743CCBA231950962C6506C8D4A74A31CD66FD04C
7060	RaidSetup.exe	C:\Users\admin\AppData\Local\Temp\{14B016B7-CCC8-4A8D-8A16-D9263A3C4E57}\.ba\mbahost.dll		executable
		MD5:C59832217903CE88793A6C40888E3CAE	SHA256:9DFA1BC5D2AB4C652304976978749141B8C312784B05CB577F338A0AA91330DB
7060	RaidSetup.exe	C:\Users\admin\AppData\Local\Temp\{14B016B7-CCC8-4A8D-8A16-D9263A3C4E57}\.ba\mbapreq.dll		executable
		MD5:FE7E0BD53F52E6630473C31299A49FDD	SHA256:2BEA14D70943A42D344E09B7C9DE5562FA7E109946E1C615DD584DA30D06CC80
7060	RaidSetup.exe	C:\Users\admin\AppData\Local\Temp\{14B016B7-CCC8-4A8D-8A16-D9263A3C4E57}\.ba\1030\mbapreq.wxl		xml
		MD5:7C6E4CE87870B3B5E71D3EF4555500F8	SHA256:CAC263E0E90A4087446A290055257B1C39F17E11F065598CB2286DF4332C7696
7060	RaidSetup.exe	C:\Users\admin\AppData\Local\Temp\{14B016B7-CCC8-4A8D-8A16-D9263A3C4E57}\.ba\mbapreq.thm		xml
		MD5:A20778EC90A094A62A6C3A6AB2A6DC7D	SHA256:F8C3A03F47F0B9B3C20F0522A2481DA28C77FECDBB302F8DD8FBED87758CBAEA
7060	RaidSetup.exe	C:\Users\admin\AppData\Local\Temp\{14B016B7-CCC8-4A8D-8A16-D9263A3C4E57}\.ba\1029\mbapreq.wxl		xml
		MD5:CC8C6D04DC707B38E0F0C08BA16FE49B	SHA256:DC445E2457ED31ABF536871F90FF7CC96800A40B6BC033F37D45E3156A3B4FA9
7060	RaidSetup.exe	C:\Users\admin\AppData\Local\Temp\{14B016B7-CCC8-4A8D-8A16-D9263A3C4E57}\.ba\1031\mbapreq.wxl		xml
		MD5:C8E7E0B4E63B3076047B7F49C76D56E1	SHA256:631D46CB048FB6CF0B9A1362F8E5A1854C46E9525A0260C7841A04B2316C8295
7060	RaidSetup.exe	C:\Users\admin\AppData\Local\Temp\{14B016B7-CCC8-4A8D-8A16-D9263A3C4E57}\.ba\BootstrapperCore.dll		executable
		MD5:B0D10A2A622A322788780E7A3CBB85F3	SHA256:F2C2B3CE2DF70A3206F3111391FFC7B791B32505FA97AEF22C0C2DBF6F3B0426

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6212	RaidSetup.exe	GET	204	142.250.185.110:80	http://google.com/generate_204	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1084	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4576	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
4576	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
7008	svchost.exe	52.140.118.28:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
2400	RUXIMICS.exe	52.140.118.28:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	whitelisted
—	—	52.140.118.28:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	whitelisted
2120	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	52.140.118.28:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4324	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3260	svchost.exe	20.7.1.246:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	52.140.118.28 51.104.136.2 40.127.240.158	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
google.com	142.250.185.110	whitelisted
client.wns.windows.com	20.7.1.246 20.7.2.167	whitelisted
collector.plarium.com	104.18.17.253 104.18.14.253	whitelisted
desktop.plarium.com	104.18.14.253 104.18.17.253	whitelisted
cdn-gpd.x-plarium.com	34.120.37.77	unknown
login.live.com	40.126.31.73 40.126.31.71 20.190.159.4 20.190.159.23 20.190.159.2 20.190.159.73 40.126.31.69 40.126.31.67	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
2256	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)

Add for printing

Process	Message
PlariumPlayClientService.exe	Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 4024. Message ID: [0x2509].
PlariumPlayClientService.exe	Topshelf.HostFactory Information: 0 :
PlariumPlayClientService.exe	Configuration Result: [Success] Name Plarium Play Client Service [Success] ServiceName Plarium Play Client Service
PlariumPlayClientService.exe	Topshelf.HostConfigurators.HostConfiguratorImpl Information: 0 :
PlariumPlayClientService.exe	Topshelf v4.3.0.0, .NET 6.0.10 (6.0.10)
PlariumPlayClientService.exe	Topshelf.Runtime.Windows.HostInstaller Information: 0 :
PlariumPlayClientService.exe	Installing Plarium Play Client Service service
PlariumPlayClientService.exe	Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 3548. Message ID: [0x2509].
PlariumPlayClientService.exe	Topshelf.HostFactory Information: 0 :
PlariumPlayClientService.exe	Configuration Result: [Success] Name Plarium Play Client Service [Success] ServiceName Plarium Play Client Service

General Info

RaidSetup.exe

996CE20CE1CDEB6FFA2D5107A7DB9CFD

2EA50ACB019771A20C77DC3767BCBC53F9D03B29

DBD92071D4DEE9BEB38EE5FC6633346E6E3ED6297CF3C0CF24015FF9F0B1BF28

98304:lLbkHLWqniKHqvNREMNPpRJVWFogUPICQcMy4B86PTLnsJmk1Fse630h:Ps2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Starts itself from another location

Searches for installed software

Reads the Windows owner or organization settings

Starts a Microsoft application from unusual location

Executes as Windows Service

Creates a software uninstall entry

Checks Windows Trust Settings

The process drops C-runtime libraries

Creates or modifies Windows services

Application launched itself

Reads the date of Windows installation

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Process checks computer location settings

The process uses the downloaded file

Disables trace logs

Checks proxy server information

Reads the software policy settings

Executable content was dropped or overwritten

Creates files in the program directory

Creates a software uninstall entry

Sends debugging messages

Reads product name

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files