analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

file

Full analysis: https://app.any.run/tasks/e4f4bce8-e0dc-4302-842d-1bd0d57f1a7d
Verdict: Malicious activity
Analysis date: December 05, 2022, 17:15:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

BFEB50FC297E738DFA963A5F6DA482B0

SHA1:

F5F6FA85B5A11BEEAD6D5E9B1C508934F0AF99CD

SHA256:

FE8F5C79DD2959E556E3A7A85DD04ABD241C40ADD5DF49313E52145875D39AE6

SSDEEP:

196608:91OP1STRs9nnI1z47TrdIDSet4hAthJPfnDlk7bhOEb1Vx:3OtwWhnoe8t4hAJPP5kNNb1L

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Install.exe (PID: 2576)
      • LFfauDN.exe (PID: 3952)
      • YTusyFT.exe (PID: 3832)
    • Uses Task Scheduler to run other applications

      • Install.exe (PID: 2576)
      • LFfauDN.exe (PID: 3952)
      • YTusyFT.exe (PID: 3832)
      • YTusyFT.exe (PID: 3832)
      • rundll32.EXE (PID: 2184)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3756)
      • schtasks.exe (PID: 296)
      • schtasks.exe (PID: 3856)
      • schtasks.exe (PID: 1120)
      • schtasks.exe (PID: 3332)
      • schtasks.exe (PID: 3832)
      • schtasks.exe (PID: 3276)
      • schtasks.exe (PID: 2372)
      • schtasks.exe (PID: 1728)
      • schtasks.exe (PID: 1780)
      • schtasks.exe (PID: 4052)
      • schtasks.exe (PID: 3912)
      • schtasks.exe (PID: 2512)
      • schtasks.exe (PID: 1032)
      • schtasks.exe (PID: 2772)
      • schtasks.exe (PID: 1084)
      • schtasks.exe (PID: 3516)
      • schtasks.exe (PID: 3240)
    • Loads the Task Scheduler DLL interface

      • schtasks.exe (PID: 2656)
      • schtasks.exe (PID: 2216)
      • schtasks.exe (PID: 3016)
      • schtasks.exe (PID: 564)
    • Modifies exclusions in Windows Defender

      • reg.exe (PID: 2400)
      • reg.exe (PID: 3916)
      • reg.exe (PID: 3572)
      • reg.exe (PID: 3576)
      • reg.exe (PID: 2012)
      • reg.exe (PID: 1564)
      • reg.exe (PID: 3764)
      • reg.exe (PID: 3048)
      • reg.exe (PID: 2624)
    • Steals credentials from Web Browsers

      • YTusyFT.exe (PID: 3832)
    • Creates a writable file the system directory

      • YTusyFT.exe (PID: 3832)
    • Modifies files in the Chrome extension folder

      • YTusyFT.exe (PID: 3832)
    • Drops the executable file immediately after the start

      • YTusyFT.exe (PID: 3832)
    • Loads dropped or rewritten executable

      • rundll32.EXE (PID: 2184)
  • SUSPICIOUS

    • Starts itself from another location

      • file.exe (PID: 3264)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 2168)
      • cmd.exe (PID: 744)
      • cmd.exe (PID: 1784)
      • cmd.exe (PID: 1972)
      • cmd.exe (PID: 2676)
      • cmd.exe (PID: 3056)
      • cmd.exe (PID: 2552)
    • Reads the Internet Settings

      • Install.exe (PID: 2576)
      • YTusyFT.exe (PID: 3832)
    • Starts CMD.EXE for commands execution

      • forfiles.exe (PID: 1616)
      • forfiles.exe (PID: 2648)
      • LFfauDN.exe (PID: 3952)
      • YTusyFT.exe (PID: 3832)
    • Reads the BIOS version

      • Install.exe (PID: 2576)
    • Executes via Task Scheduler

      • powershell.EXE (PID: 3052)
      • LFfauDN.exe (PID: 3952)
      • powershell.EXE (PID: 3248)
      • YTusyFT.exe (PID: 3832)
      • rundll32.EXE (PID: 2184)
    • Starts application from unusual location

      • schtasks.exe (PID: 2656)
      • schtasks.exe (PID: 2216)
      • schtasks.exe (PID: 3016)
      • schtasks.exe (PID: 564)
    • Executes scripts

      • LFfauDN.exe (PID: 3952)
    • Creates a directory in Program Files

      • YTusyFT.exe (PID: 3832)
    • Reads settings of System Certificates

      • YTusyFT.exe (PID: 3832)
    • Checks Windows Trust Settings

      • YTusyFT.exe (PID: 3832)
    • Adds/modifies Windows certificates

      • YTusyFT.exe (PID: 3832)
    • Creates files in the Windows directory

      • YTusyFT.exe (PID: 3832)
    • Creates a software uninstall entry

      • YTusyFT.exe (PID: 3832)
    • Executable content was dropped or overwritten

      • YTusyFT.exe (PID: 3832)
  • INFO

    • Checks supported languages

      • file.exe (PID: 3264)
      • Install.exe (PID: 868)
      • Install.exe (PID: 2576)
      • LFfauDN.exe (PID: 3952)
      • YTusyFT.exe (PID: 3832)
    • Creates a file in a temporary directory

      • file.exe (PID: 3264)
      • Install.exe (PID: 868)
      • powershell.EXE (PID: 3052)
      • Install.exe (PID: 2576)
      • powershell.EXE (PID: 3248)
    • Reads the computer name

      • Install.exe (PID: 2576)
      • YTusyFT.exe (PID: 3832)
    • Reads security settings of Internet Explorer

      • powershell.EXE (PID: 3052)
      • powershell.EXE (PID: 3248)
    • Creates files in the Windows directory

      • schtasks.exe (PID: 2656)
      • schtasks.exe (PID: 2216)
      • schtasks.exe (PID: 3016)
      • schtasks.exe (PID: 564)
    • Process checks SAM and SYSTEM backups

      • YTusyFT.exe (PID: 3832)
    • Creates files in the program directory

      • YTusyFT.exe (PID: 3832)
    • Process checks computer location settings

      • YTusyFT.exe (PID: 3832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2010-Nov-18 16:27:35
Detected languages:
  • English - United States
CompanyName: Igor Pavlov
FileDescription: 7z Setup SFX
FileVersion: 9.20
InternalName: 7zS.sfx
LegalCopyright: Copyright (c) 1999-2010 Igor Pavlov
OriginalFilename: 7zS.sfx.exe
ProductName: 7-Zip
ProductVersion: 9.20

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 232

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2010-Nov-18 16:27:35
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
104938
104960
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60849
.rdata
110592
17556
17920
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.36802
.data
131072
23112
12800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.37054
.sxdata
155648
4
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
159744
2656
3072
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.30196

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.75404
744
UNKNOWN
English - United States
RT_ICON
2
3.18403
296
UNKNOWN
English - United States
RT_ICON
5
1.43775
52
UNKNOWN
English - United States
RT_STRING
500
3.09294
184
UNKNOWN
English - United States
RT_DIALOG
1 (#2)
2.78284
148
UNKNOWN
English - United States
RT_STRING
1 (#3)
2.37086
34
UNKNOWN
English - United States
RT_GROUP_ICON
1 (#4)
3.44049
700
UNKNOWN
English - United States
RT_VERSION

Imports

KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
161
Monitored processes
69
Malicious processes
12
Suspicious processes
10

Behavior graph

Click at the process to see the details
start drop and start file.exe no specs file.exe install.exe no specs install.exe no specs forfiles.exe no specs forfiles.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs gpupdate.exe no specs schtasks.exe no specs schtasks.exe no specs lffaudn.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs gpupdate.exe no specs schtasks.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs wscript.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs ytusyft.exe schtasks.exe no specs cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs rundll32.exe cmd.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2736"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeExplorer.EXE
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7z Setup SFX
Exit code:
3221226540
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
3264"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
Explorer.EXE
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Setup SFX
Exit code:
0
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
868.\Install.exeC:\Users\admin\AppData\Local\Temp\7zSDD1E.tmp\Install.exefile.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z Setup SFX
Exit code:
0
Version:
9.20
Modules
Images
c:\users\admin\appdata\local\temp\7zsdd1e.tmp\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2576.\Install.exe /S /site_id "525403"C:\Users\admin\AppData\Local\Temp\7zSDFBE.tmp\Install.exeInstall.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\7zsdfbe.tmp\install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
1616"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0&"C:\Windows\System32\forfiles.exeInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ForFiles - Executes a command on selected files
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
2648"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0&"C:\Windows\System32\forfiles.exeInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
ForFiles - Executes a command on selected files
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\forfiles.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2892/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0&C:\Windows\System32\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
4072REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0c:\windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2168/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0&C:\Windows\System32\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3316REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0c:\windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
11 538
Read events
11 304
Write events
231
Delete events
3

Modification events

(PID) Process:(2576) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2576) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2576) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2576) Install.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4072) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
Operation:writeName:exe
Value:
0
(PID) Process:(3316) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
Operation:writeName:SpyNetReporting
Value:
0
(PID) Process:(3052) powershell.EXEKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3052) powershell.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3052) powershell.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3052) powershell.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
10
Suspicious files
39
Text files
75
Unknown types
11

Dropped files

PID
Process
Filename
Type
3264file.exeC:\Users\admin\AppData\Local\Temp\7zSDD1E.tmp\__data__\config.txtbinary
MD5:1C6ECF68529996320C18C5AEA7FC623F
SHA256:E838D819E2E97FB7613BA81C960A8CAF661642DC1D679FA44451A6E9C78BAD4A
3952LFfauDN.exeC:\Windows\Temp\WtMYTPIbSwjziXOH\PhqCyaWzMTzrPYd\YTusyFT.exeexecutable
MD5:A642CAB9B19C6F58CFBC6A22C2CD6C11
SHA256:38E5CA7D40BD3598246E945F2CAA0E9D37B5929AB132F2CD67DF29B4C4D05D6B
3264file.exeC:\Users\admin\AppData\Local\Temp\7zSDD1E.tmp\Install.exeexecutable
MD5:DD042BF074F9EC8443473686D38D202E
SHA256:F006E4711AE85701DC55F525157B7C67A840E94087E3B776B532479C5971F073
3248powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9QIMY2UKY4AWQZ11BVRA.tempbinary
MD5:784363B06121148330D8FE56BB3E970D
SHA256:CB801021AFDA3E0E3C14DCE299607B9EF8D7CEA4A3E42A0068D33566D7635B07
3052powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF11f133.TMPbinary
MD5:CCFCF369F751CE8DA0370D84E52A7EED
SHA256:53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9
2656schtasks.exeC:\Windows\Tasks\bWqkINIqDdNMaChISJ.jobbinary
MD5:A0D44BE19AC22DB1CABE29C4EF088728
SHA256:4C690B076707EDE3D42C6D810BCE3CEC633F2DB8CEA1A89D07B8EAD8344E3AFE
3052powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BVQSMYA4V5PEFE8U1C6S.tempbinary
MD5:D8483A077F149CF0E48DB97619E2A3E8
SHA256:673F53DC0F7DAECA7076027444EEC7009E951EA0EEF8FA0FBC94DC507349ECBC
868Install.exeC:\Users\admin\AppData\Local\Temp\7zSDFBE.tmp\Install.exeexecutable
MD5:A642CAB9B19C6F58CFBC6A22C2CD6C11
SHA256:38E5CA7D40BD3598246E945F2CAA0E9D37B5929AB132F2CD67DF29B4C4D05D6B
3248powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:784363B06121148330D8FE56BB3E970D
SHA256:CB801021AFDA3E0E3C14DCE299607B9EF8D7CEA4A3E42A0068D33566D7635B07
3052powershell.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:D8483A077F149CF0E48DB97619E2A3E8
SHA256:673F53DC0F7DAECA7076027444EEC7009E951EA0EEF8FA0FBC94DC507349ECBC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
8
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3832
YTusyFT.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
3832
YTusyFT.exe
GET
200
23.32.238.35:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgO3KnkYkYvzjMTY%2BDHZyvRw3Q%3D%3D
US
der
503 b
shared
3832
YTusyFT.exe
GET
200
23.45.105.185:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
3832
YTusyFT.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?95ff6a381d07c45f
US
compressed
4.70 Kb
whitelisted
3832
YTusyFT.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDreCS75DAIaRKqvCi%2FvL9c
US
der
472 b
whitelisted
3832
YTusyFT.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDuZCz4OZecyRJCVianxG0K
US
der
472 b
whitelisted
3832
YTusyFT.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
2184
rundll32.EXE
POST
200
44.233.23.32:80
http://api4.check-data.xyz/api2/google_api_ifi
US
malicious
3832
YTusyFT.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d6c9cdcbcbcd3a3a
US
compressed
61.4 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3832
YTusyFT.exe
142.250.186.138:443
www.googleapis.com
GOOGLE
US
whitelisted
3832
YTusyFT.exe
142.250.185.195:80
ocsp.pki.goog
GOOGLE
US
whitelisted
3832
YTusyFT.exe
23.32.238.35:80
r3.o.lencr.org
Akamai International B.V.
DE
malicious
3832
YTusyFT.exe
3.80.150.121:443
service-domain.xyz
AMAZON-AES
US
suspicious
3832
YTusyFT.exe
172.217.18.14:443
clients2.google.com
GOOGLE
US
whitelisted
3832
YTusyFT.exe
209.197.3.8:80
ctldl.windowsupdate.com
STACKPATH-CDN
US
whitelisted
3832
YTusyFT.exe
23.45.105.185:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown
2184
rundll32.EXE
44.233.23.32:80
api4.check-data.xyz
AMAZON-02
US
suspicious

DNS requests

Domain
IP
Reputation
service-domain.xyz
  • 3.80.150.121
suspicious
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
x1.c.lencr.org
  • 23.45.105.185
whitelisted
r3.o.lencr.org
  • 23.32.238.35
  • 23.32.238.51
  • 23.32.238.26
shared
www.googleapis.com
  • 142.250.186.138
  • 172.217.16.202
  • 216.58.212.170
  • 172.217.18.106
  • 142.250.74.202
  • 142.250.186.74
  • 142.250.186.106
  • 216.58.212.138
  • 142.250.186.170
  • 142.250.184.202
  • 142.250.184.234
  • 172.217.23.106
  • 142.250.185.138
  • 142.250.185.74
  • 142.250.185.106
  • 142.250.185.234
whitelisted
ocsp.pki.goog
  • 142.250.185.195
whitelisted
clients2.google.com
  • 172.217.18.14
whitelisted
api4.check-data.xyz
  • 44.233.23.32
  • 52.27.164.166
malicious

Threats

PID
Process
Class
Message
3832
YTusyFT.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
2184
rundll32.EXE
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
No debug info