Edit tour

Windows Analysis Report
exness4setup.exe

Overview

General Information

Sample name:	exness4setup.exe
Analysis ID:	1671068
MD5:	8b8b5c1578144f36202552c588c20cec
SHA1:	1fbd2b3561929a382177969dce5d430a5771c1c0
SHA256:	3865ab4a9f9ed9aa46f961de0fa66af9f804a2f883422ec3c42117f4b3447a74
Infos:

Detection

Score:	32
Range:	0 - 100
Confidence:	60%

Signatures

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect debuggers (CloseHandle check)

Tries to evade analysis by execution special instruction (VM detection)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

exness4setup.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\exness4setup.exe" MD5: 8B8B5C1578144F36202552C588C20CEC)

cleanup

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 85.0%

Source: exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_e1df66a7-7

Source: C:\Users\user\Desktop\exness4setup.exe

Window detected: METAQUOTES LTD. End-User License AgreementPlease read carefully the terms and conditions of this End User License Agreement (referred to collectively as the "Agreement") before proceeding with the installation or utilization of the Product installation.MetaQuotes Ltd is a software development company and does not provide any financial investment brokerage trading or data feed services nor it is involved and/or interfere in any way in any trading operations nor does it open or control real trading accounts. None of the information available in the Product is intended as investment advice. Before using this application for trading you should seek the advice of a qualified and registered securities professional and undertake your own due diligence. Exercise caution when encountering online offers promising easy income or quick money particularly through social media like Tinder WhatsApp WeChat Facebook and similar social networks.The Product may feature brokerage companies or financial institutions which may not have a regulatory license for operating in your country. When choosing a brokerage company be careful and responsible. You acknowledge and agree that MetaQuotes may not have complete and update information regarding the regulatory status of each brokerage company in your country. The Product contains contact details and basic information about each brokerage company enabling users to independently familiarize themselves with and further study the brokerage company's services before using them.MetaQuotes Ltd is not responsible for any investment decision You take. You alone are solely responsible for your investment decisions and your investment research. MetaQuotes Ltd does not guarantee the quality reliability or reputation of any brokerage company or financial organization. It is important to understand that nothing including regulation and publications can guarantee the safety or fairness of a brokerage company. MetaQuotes Ltd does not guarantee the accuracy completeness or timeliness of third-party content including advertising materials. Such content does not reflect our opinions or positions.Risk Warning: Trading with real money involves high risk of losing money rapidly. Most retail investor accounts lose money when trading financial products. You should consider whether you understand how various financial products work and whether you can afford to take the high risk of losing money.In this Agreement unless the content otherwise requires the capitalized terms used herein shall be defined as set forth in paragraph 1 of this Agreement.This Agreement is applicable to both physical persons and legal entities including authorized users representing the employer its employees or other persons using or accessing the Product on behalf of the Business.This Agreement as well as any updates hereof constitutes a legal agreement between You and MetaQuo

Source: C:\Users\user\Desktop\exness4setup.exe

Directory created: C:\Program Files\checkwritepermissions.exe

Source: Joe Sandbox View	IP Address: 27.111.161.152 27.111.161.152
Source: Joe Sandbox View	IP Address: 78.140.180.43 78.140.180.43
Source: Joe Sandbox View	IP Address: 177.154.156.125 177.154.156.125

Source: unknown	TCP traffic detected without corresponding DNS query: 88.212.232.132
Source: unknown	TCP traffic detected without corresponding DNS query: 88.212.232.132
Source: unknown	TCP traffic detected without corresponding DNS query: 88.212.232.132
Source: unknown	TCP traffic detected without corresponding DNS query: 117.20.41.198
Source: unknown	TCP traffic detected without corresponding DNS query: 156.38.206.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.38.206.18
Source: unknown	TCP traffic detected without corresponding DNS query: 117.20.41.198
Source: unknown	TCP traffic detected without corresponding DNS query: 117.20.41.198
Source: unknown	TCP traffic detected without corresponding DNS query: 156.38.206.18
Source: unknown	TCP traffic detected without corresponding DNS query: 78.140.180.43
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.1.241
Source: unknown	TCP traffic detected without corresponding DNS query: 78.140.180.43
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.1.241
Source: unknown	TCP traffic detected without corresponding DNS query: 78.140.180.43
Source: unknown	TCP traffic detected without corresponding DNS query: 148.113.1.241
Source: unknown	TCP traffic detected without corresponding DNS query: 177.154.156.125
Source: unknown	TCP traffic detected without corresponding DNS query: 177.154.156.125
Source: unknown	TCP traffic detected without corresponding DNS query: 177.154.156.125
Source: unknown	TCP traffic detected without corresponding DNS query: 66.203.112.227
Source: unknown	TCP traffic detected without corresponding DNS query: 66.203.112.227
Source: unknown	TCP traffic detected without corresponding DNS query: 66.203.112.227
Source: unknown	TCP traffic detected without corresponding DNS query: 104.166.145.86
Source: unknown	TCP traffic detected without corresponding DNS query: 104.166.145.86
Source: unknown	TCP traffic detected without corresponding DNS query: 104.166.145.86
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.80.82
Source: unknown	TCP traffic detected without corresponding DNS query: 117.20.41.198
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.80.82
Source: unknown	TCP traffic detected without corresponding DNS query: 195.201.80.82
Source: unknown	TCP traffic detected without corresponding DNS query: 27.111.161.152
Source: unknown	TCP traffic detected without corresponding DNS query: 27.111.161.152
Source: unknown	TCP traffic detected without corresponding DNS query: 27.111.161.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.31.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.31.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.31.15
Source: unknown	TCP traffic detected without corresponding DNS query: 157.90.219.141
Source: unknown	TCP traffic detected without corresponding DNS query: 148.66.53.10
Source: unknown	TCP traffic detected without corresponding DNS query: 157.90.219.141
Source: unknown	TCP traffic detected without corresponding DNS query: 148.66.53.10
Source: unknown	TCP traffic detected without corresponding DNS query: 157.90.219.141
Source: unknown	TCP traffic detected without corresponding DNS query: 148.66.53.10
Source: unknown	TCP traffic detected without corresponding DNS query: 156.38.206.18
Source: unknown	TCP traffic detected without corresponding DNS query: 177.154.156.125
Source: unknown	TCP traffic detected without corresponding DNS query: 66.203.112.227
Source: unknown	TCP traffic detected without corresponding DNS query: 199.254.199.227
Source: unknown	TCP traffic detected without corresponding DNS query: 199.254.199.227
Source: unknown	TCP traffic detected without corresponding DNS query: 199.254.199.227
Source: unknown	TCP traffic detected without corresponding DNS query: 27.111.161.152
Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.31.15
Source: unknown	TCP traffic detected without corresponding DNS query: 104.166.145.86
Source: unknown	TCP traffic detected without corresponding DNS query: 66.203.112.227

Source: global traffic	DNS traffic detected: DNS query: download.mql5.com
Source: global traffic	DNS traffic detected: DNS query: content.finteza.com
Source: global traffic	DNS traffic detected: DNS query: download.metatrader.com
Source: global traffic	DNS traffic detected: DNS query: content.mql5.com

Source: exness4setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: exness4setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: exness4setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: exness4setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: exness4setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: exness4setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: exness4setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: exness4setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: exness4setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: exness4setup.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: exness4setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: exness4setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: exness4setup.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: exness4setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://api%%u.mql5.net/cdn/files/mt%d%s/cdn.txtGeoCountrymt=5&lang=en&signature=%Shttps://%s/api/us
Source: exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://download.mql5.com/cdn/dns/dns.dathttps://download.metatrader.com/cdn/dns/dns.datP
Source: exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://download.mql5.com/cdn/web/components/%svalue=%s&unit=fileInstall
Source: exness4setup.exe, 00000000.00000002.1377344821.00007FF71FE90000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://my.exness.com/&utm_cookie=5188155476914169406&utm_cookie_expiration=1745323249&model=desktop
Source: exness4setup.exe, 00000000.00000002.1378802395.00007FF720738000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.metaquotes.net.
Source: exness4setup.exe, 00000000.00000002.1376619640.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1278289380.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1269266020.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.exness.com
Source: exness4setup.exe	String found in binary or memory: https://www.metaquotes.net
Source: exness4setup.exe, 00000000.00000003.1191336302.0000023BA357D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.metaquotes.net.
Source: exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.metaquotes.net/
Source: exness4setup.exe, 00000000.00000003.1278289380.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1269266020.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.metaquotes.net/en/legal/policiesocal
Source: exness4setup.exe, 00000000.00000003.1278289380.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1269266020.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.metaquotes.net/en/legal/policiesq
Source: exness4setup.exe, 00000000.00000002.1378802395.00007FF720738000.00000002.00000001.01000000.00000003.sdmp, exness4setup.exe, 00000000.00000003.1256235873.0000023BA3580000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1267039058.0000023BA3585000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1191336302.0000023BA357D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.metaquotes.net/legal/.
Source: exness4setup.exe	String found in binary or memory: https://www.metaquotes.net0
Source: exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.metaquotes.netHelpLinkUrlInfoAboutUninstallString5.00DisplayVersion5MajorVersion0MinorVe
Source: exness4setup.exe, 00000000.00000003.1155836930.0000023BA0D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.metaquotes.netZ
Source: exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mql5.com/
Source: exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mql5.comhttps://www.mql5.com/?utm_campaign=mql5.welcome.open&utm_medium=special&utm_sour

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: exness4setup.exe, 00000000.00000002.1378802395.00007FF720738000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetup, vs exness4setup.exe
Source: exness4setup.exe, 00000000.00000000.1147624787.00007FF720738000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetup, vs exness4setup.exe
Source: exness4setup.exe	Binary or memory string: OriginalFilenameSetup, vs exness4setup.exe

Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Section loaded: oledlg.dll	Jump to behavior

Source: exness4setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: exness4setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: exness4setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: exness4setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: exness4setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: exness4setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: exness4setup.exe	Static PE information: section name: .fptable
Source: exness4setup.exe	Static PE information: section name: .cod0
Source: exness4setup.exe	Static PE information: section name: .cod1
Source: exness4setup.exe	Static PE information: section name: .cod2

Source: C:\Users\user\Desktop\exness4setup.exe	Memory written: PID: 7600 base: 7FFCC389000D value: E9 BB CB EC FF			Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Memory written: PID: 7600 base: 7FFCC375CBC0 value: E9 5A 34 13 00			Jump to behavior

Source: C:\Users\user\Desktop\exness4setup.exe	Window / User API: threadDelayed 1375	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Window / User API: threadDelayed 5701	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Window / User API: threadDelayed 857	Jump to behavior

Source: exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: Windows NT %u.%u.%uWindows Server %u.%u.%ukernel32IsWow64Process2; x64; ARM64HARDWARE\DESCRIPTION\SystemVMWBOCHSAMAZONAWS%S-%S%SXENSRC XenVMware VMwareVirtIO KVMVBOX Hyper-VSystemBiosVersionHardware\Description\SystemVBOXVirtualBox; .
Source: exness4setup.exe, 00000000.00000003.1370354064.0000023BA0CAE000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1373275312.0000023BA0CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#

Source: C:\Users\user\Desktop\exness4setup.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\exness4setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Process queried: DebugObjectHandle	Jump to behavior

Source: C:\Users\user\Desktop\exness4setup.exe	NtClose: Indirect: 0x7FF72062877E
Source: C:\Users\user\Desktop\exness4setup.exe	NtProtectVirtualMemory: Direct from: 0x7FF720409777	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	NtProtectVirtualMemory: Direct from: 0x7FF7205D99DC	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	NtProtectVirtualMemory: Direct from: 0x7FF72051FDC9	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	NtSetInformationProcess: Direct from: 0x7FF7202566E4	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	NtProtectVirtualMemory: Direct from: 0x7FF720524CD6	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	NtSetInformationThread: Direct from: 0x7FF7204CE469	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	NtProtectVirtualMemory: Direct from: 0x7FF720522CB5	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	NtQuerySystemInformation: Direct from: 0x7FF72040421E	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	NtProtectVirtualMemory: Direct from: 0x7FF72026942E	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	NtProtectVirtualMemory: Direct from: 0x7FF7202623EA	Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	NtProtectVirtualMemory: Direct from: 0x7FF72051DB01	Jump to behavior

Source: C:\Users\user\Desktop\exness4setup.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId			Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId			Jump to behavior

Source: C:\Users\user\Desktop\exness4setup.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\exness4setup.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	3 Masquerading	1 Credential API Hooking	1 Query Registry	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	14 Virtualization/Sandbox Evasion	LSASS Memory	341 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	14 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	143 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label
https://api%%u.mql5.net/cdn/files/mt%d%s/cdn.txtGeoCountrymt=5&lang=en&signature=%Shttps://%s/api/us	0%	Avira URL Cloud	safe
https://www.metaquotes.netZ	0%	Avira URL Cloud	safe
https://www.metaquotes.netHelpLinkUrlInfoAboutUninstallString5.00DisplayVersion5MajorVersion0MinorVe	0%	Avira URL Cloud	safe
https://www.metaquotes.net/legal/.	0%	Avira URL Cloud	safe
https://www.metaquotes.net0	0%	Avira URL Cloud	safe
https://www.metaquotes.net/en/legal/policiesq	0%	Avira URL Cloud	safe
https://www.metaquotes.net/en/legal/policiesocal	0%	Avira URL Cloud	safe
https://www.metaquotes.net/	0%	Avira URL Cloud	safe
https://www.metaquotes.net	0%	Avira URL Cloud	safe
https://www.metaquotes.net.	0%	Avira URL Cloud	safe
https://www.mql5.comhttps://www.mql5.com/?utm_campaign=mql5.welcome.open&utm_medium=special&utm_sour	0%	Avira URL Cloud	safe
https://support.metaquotes.net.	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
us.na.cdn.mql5.com	142.215.208.235	true	false	unknown
us.na.content.mql5.com	142.215.208.231	true	false	high
us.na.cdn.metatrader.com	142.215.208.235	true	false	unknown
content.finteza.com	unknown	unknown	false	high
download.mql5.com	unknown	unknown	false	high
content.mql5.com	unknown	unknown	false	high
download.metatrader.com	unknown	unknown	false	high

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report exness4setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\MetaQuotes\Terminal\Community\dns.dat

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
exness4setup.exe

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.metaquotes.net/legal/.	exness4setup.exe, 00000000.00000002.1378802395.00007FF720738000.00000002.00000001.01000000.00000003.sdmp, exness4setup.exe, 00000000.00000003.1256235873.0000023BA3580000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1267039058.0000023BA3585000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1191336302.0000023BA357D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.mql5.com/	exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	false		high
https://api%%u.mql5.net/cdn/files/mt%d%s/cdn.txtGeoCountrymt=5&lang=en&signature=%Shttps://%s/api/us	exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.metaquotes.netZ	exness4setup.exe, 00000000.00000003.1155836930.0000023BA0D18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.metaquotes.net/en/legal/policiesq	exness4setup.exe, 00000000.00000003.1278289380.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1269266020.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://download.mql5.com/cdn/web/components/%svalue=%s&unit=fileInstall	exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	false		high
https://www.metaquotes.net/en/legal/policiesocal	exness4setup.exe, 00000000.00000003.1278289380.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1269266020.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.metaquotes.netHelpLinkUrlInfoAboutUninstallString5.00DisplayVersion5MajorVersion0MinorVe	exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.metaquotes.net	exness4setup.exe	false	Avira URL Cloud: safe	unknown
https://www.exness.com	exness4setup.exe, 00000000.00000002.1376619640.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1278289380.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp, exness4setup.exe, 00000000.00000003.1269266020.0000023BA3546000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.metaquotes.net/	exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.metaquotes.net0	exness4setup.exe	false	Avira URL Cloud: safe	unknown
https://www.metaquotes.net.	exness4setup.exe, 00000000.00000003.1191336302.0000023BA357D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.mql5.comhttps://www.mql5.com/?utm_campaign=mql5.welcome.open&utm_medium=special&utm_sour	exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://download.mql5.com/cdn/dns/dns.dathttps://download.metatrader.com/cdn/dns/dns.datP	exness4setup.exe, 00000000.00000002.1377263144.00007FF71FDB4000.00000002.00000001.01000000.00000003.sdmp	false		high
https://support.metaquotes.net.	exness4setup.exe, 00000000.00000002.1378802395.00007FF720738000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

IP	Domain	Country	ASN	ASN Name	Malicious
27.111.161.152	unknown	Hong Kong	17819	ASN-EQUINIX-APEquinixAsiaPacificSG	false
78.140.180.43	unknown	Netherlands	35415	WEBZILLANL	false
177.154.156.125	unknown	Brazil	16397	EQUINIXBRASILBR	false
199.254.199.227	unknown	United States	20001	TWC-20001-PACWESTUS	false
148.113.1.241	unknown	United States	396982	GOOGLE-PRIVATE-CLOUDUS	false
185.252.31.15	unknown	Iran (ISLAMIC Republic Of)	201295	MHOSTIR	false
195.201.80.82	unknown	Germany	24940	HETZNER-ASDE	false
66.203.112.227	unknown	United States	396356	MAXIHOSTUS	false
88.212.232.132	unknown	Russian Federation	7979	SERVERS-COMUS	false
104.166.145.86	unknown	United States	7352	WECOM-INCUS	false
142.215.208.231	us.na.content.mql5.com	Canada	32156	HUMBER-COLLEGECA	false
156.38.206.18	unknown	South Africa	37153	xneeloZA	false
157.90.219.141	unknown	United States	766	REDIRISRedIRISAutonomousSystemES	false
148.66.53.10	unknown	Hong Kong	45753	NETSEC-HKNETSECHK	false
117.20.41.198	unknown	Singapore	14636	INTERNAP-BLK4US	false
142.215.208.235	us.na.cdn.mql5.com	Canada	32156	HUMBER-COLLEGECA	false

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1671068
Start date and time:	2025-04-22 15:27:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	exness4setup.exe
Detection:	SUS
Classification:	sus32.evad.winEXE@1/1@4/16
Cookbook Comments:	Found application associated with file extension: .exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
27.111.161.152	2969d69d378d23e301a7c40e4e61bd6b08959913bb658c2d26f01232a505246b.7z	Get hash	malicious	Unknown	Browse
	g8jiNk0ZVv.exe	Get hash	malicious	Unknown	Browse
	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
78.140.180.43	2969d69d378d23e301a7c40e4e61bd6b08959913bb658c2d26f01232a505246b.7z	Get hash	malicious	Unknown	Browse
	g8jiNk0ZVv.exe	Get hash	malicious	Unknown	Browse
	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse
	metaeditor.exe	Get hash	malicious	Unknown	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
177.154.156.125	2969d69d378d23e301a7c40e4e61bd6b08959913bb658c2d26f01232a505246b.7z	Get hash	malicious	Unknown	Browse
	g8jiNk0ZVv.exe	Get hash	malicious	Unknown	Browse
	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
	mt4setup.exe	Get hash	malicious	Unknown	Browse
199.254.199.227	2969d69d378d23e301a7c40e4e61bd6b08959913bb658c2d26f01232a505246b.7z	Get hash	malicious	Unknown	Browse
	g8jiNk0ZVv.exe	Get hash	malicious	Unknown	Browse
	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse
148.113.1.241	2969d69d378d23e301a7c40e4e61bd6b08959913bb658c2d26f01232a505246b.7z	Get hash	malicious	Unknown	Browse
	g8jiNk0ZVv.exe	Get hash	malicious	Unknown	Browse
	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us.na.content.mql5.com	SecuriteInfo.com.FileRepMalware.1008.15763.exe	Get hash	malicious	Unknown	Browse	142.215.208.231
	https://eki.co.jp-longin.qvpo8e.cn/IP:	Get hash	malicious	Unknown	Browse	142.215.208.231
	https://n1h8wf.cn/IP:	Get hash	malicious	Unknown	Browse	142.215.208.231
	https://221d.cn/IP:	Get hash	malicious	Unknown	Browse	142.215.208.231
	https://ellcjcgi.dynv6.net/IP:	Get hash	malicious	Unknown	Browse	142.215.208.231
	https://eapcveme.dynv6.net/IP:	Get hash	malicious	Unknown	Browse	142.215.208.231
	https://www.gxsyq.cn/IP:	Get hash	malicious	Unknown	Browse	142.215.208.231
	https://www.uynef.cn/IP:	Get hash	malicious	Unknown	Browse	142.215.208.231
	https://www.yunfuchu.cn/IP:	Get hash	malicious	Unknown	Browse	142.215.208.231
	https://dzdbmqcs.dynv6.net/IP:	Get hash	malicious	Unknown	Browse	142.215.208.231
us.na.cdn.mql5.com	SecuriteInfo.com.FileRepMalware.1008.15763.exe	Get hash	malicious	Unknown	Browse	142.215.208.235
	SecuriteInfo.com.W32.Agent.AEWP.tr.26761.25767.exe	Get hash	malicious	Unknown	Browse	142.215.208.235
	SecuriteInfo.com.FileRepMalware.11822.21779.exe	Get hash	malicious	Unknown	Browse	142.215.208.235

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EQUINIXBRASILBR	resgod.arm.elf	Get hash	malicious	Mirai	Browse	200.198.184.55
	1isequal9.arm7.elf	Get hash	malicious	Mirai	Browse	187.0.218.124
	nabsh4.elf	Get hash	malicious	Unknown	Browse	177.47.15.93
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	177.154.143.122
	2969d69d378d23e301a7c40e4e61bd6b08959913bb658c2d26f01232a505246b.7z	Get hash	malicious	Unknown	Browse	177.154.156.125
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	200.155.10.248
	armv7l.elf	Get hash	malicious	Mirai	Browse	177.47.11.209
	g8jiNk0ZVv.exe	Get hash	malicious	Unknown	Browse	177.154.156.125
	m68k.elf	Get hash	malicious	Mirai	Browse	177.154.143.138
	RIBFTXw15k.exe	Get hash	malicious	Unknown	Browse	200.150.150.50
ASN-EQUINIX-APEquinixAsiaPacificSG	nemil.mips.elf	Get hash	malicious	Mirai	Browse	103.11.4.65
	.Sarm5.elf	Get hash	malicious	Mirai	Browse	202.177.215.200
	sora.arm.elf	Get hash	malicious	Mirai	Browse	133.152.215.245
	splppc.elf	Get hash	malicious	Unknown	Browse	103.11.4.26
	arm7.elf	Get hash	malicious	Unknown	Browse	133.152.215.234
	xd.x86.elf	Get hash	malicious	Mirai	Browse	119.27.204.69
	hgfs.ppc.elf	Get hash	malicious	Unknown	Browse	202.147.70.63
	nabarm5.elf	Get hash	malicious	Unknown	Browse	103.31.20.203
	nabppc.elf	Get hash	malicious	Unknown	Browse	202.147.76.208
	Owari.ppc.elf	Get hash	malicious	Unknown	Browse	133.152.215.241
WEBZILLANL	6549372730.pdf	Get hash	malicious	Unknown	Browse	188.72.236.249
	6499151747.pdf	Get hash	malicious	Unknown	Browse	188.72.236.249
	66e7fc6131f5ccda47ce44ce_kudifosefozo.pdf	Get hash	malicious	Unknown	Browse	188.72.236.249
	66eff1749fcc1c59482cc595_1428835357.pdf	Get hash	malicious	Unknown	Browse	188.72.236.249
	67206033746876a86fcf0b0e_61190934873.pdf	Get hash	malicious	Unknown	Browse	188.72.236.249
	672327232a2b5a0da729714a_62573688605.pdf	Get hash	malicious	Unknown	Browse	188.72.236.249
	6498967915.pdf	Get hash	malicious	Unknown	Browse	188.72.236.249
	6497204366.pdf	Get hash	malicious	Unknown	Browse	188.72.236.249
	6486655377.pdf	Get hash	malicious	Unknown	Browse	188.72.236.249
	https://crazy-moments.com/	Get hash	malicious	Unknown	Browse	185.49.145.45

Process:	C:\Users\user\Desktop\exness4setup.exe
File Type:	data
Category:	dropped
Size (bytes):	16448
Entropy (8bit):	7.9725874757894895
Encrypted:	false
SSDEEP:	384:uhRhbzXLfXxn/NC9VncdLfEqzXLfWTQxqxRRxPhRITDILfNJMk9VYr9YLfprRRHi:uhvd/khcd7iT0qxBhuTkBTcmFnCXp/8y
MD5:	CD93AF93CBC5B33911258BBF0594615A
SHA1:	D2A1B62E6310BF1EAD8FF73FE5F473E1DE3DFA9E
SHA-256:	27432770F7EE8CA1CBDE32A443FA28B9EFB7EF46A975963ED417AA7B2E236627
SHA-512:	469480AB5A88B0C80E07E872B59EB2DEE75C74B2AF76CC0F538869187400F9F813148E1B62FAB4962B8183F61E651EE75376CB6103B2686990DD559DBC800943
Malicious:	false
Reputation:	low
Preview:	....C.o.p.y.r.i.g.h.t. .2.0.0.0.-.2.0.2.3.,. .M.e.t.a.Q.u.o.t.e.s. .L.t.d...........................................................D.N.S...............................................N....F.N.nE.Nd................................................. .2......:sq.w.-..8......J75"..v.m.D\|.x. Ya_.;\|...J.....~.....2s)..8D4a....<.8...^....:s{y.U../.d............L.C..R^N{./75V.R..4.....N.......h...q}Z..;CAb.^...,....`....{..U....&.C.......r.i.@x.t..U][\|7x...F.....z......o%..4@0]....8.4...Z....6owu.Q..+.`............H.?..NZJw.+31R.N...t....P....k..E.z....3.......b.Y.0htd..EMKl'h...6.....j......_...$0 M....(.$\|.s.J..~.&_ge.A....P...........8y/..>J:g..#!B.>...d....@y...[..5.j....#.......R.I. XdT..5=;\.X..&~...Z....u..O.... .=.......l.c.:r~n..OWUv1r...@.....t.....(i....:W....2....}.T....0iqo.K..%.Z...........B.9..HTDq.%-+L.H...n....J....e..?.t....-.......\.S.bn^..?GEf!b.{...>J:g .2......:pn.\.H..A......Q<:/.+..z.Q....-fnl.H..".W...........?.6..EQAn."(I.E...k....G....b..<.q....

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.861595648837389
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	exness4setup.exe
File size:	5'456'736 bytes
MD5:	8b8b5c1578144f36202552c588c20cec
SHA1:	1fbd2b3561929a382177969dce5d430a5771c1c0
SHA256:	3865ab4a9f9ed9aa46f961de0fa66af9f804a2f883422ec3c42117f4b3447a74
SHA512:	85f91d76ddf5326aeddc4915b1f9411ecd6e4018fc5a30a55572a1e1a36ccc8889268c5edd5a5ad275a0338422c2353fbc8dbcfed0fdbfdbae19383ba9ea5974
SSDEEP:	98304:B5HHHZLBcHJFQBrmcFMF+XZJR8zhF8bqeyiSYsPVeMMxRKgV54FRfOLO3DPQHD/:nCJFQlp++pUh/eyAs9ngrCRfOLKDPQHj
TLSH:	A9462342FEA6CEF0C45F4A7070821175588B655BC5FC8DB62E8F64012E29C8A4DAF7F9
File Content Preview:	MZ......................@...........b!Q.....................0...........!..L.!This program cannot be run in DOS mode....$.......QJ.Y.+...+...+..a....+..a....+.......+.......+......%+.......+.......+...u...+..a....+..a....+...+...*..a....+......[+.......+.

Entrypoint:	0x1407e92cd
Entrypoint Section:	.cod2
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x50A200 [Tue Mar 3 03:52:32 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	99a576e857d857072918fd4f3133a697

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	24/02/2023 00:00:00 23/02/2026 23:59:59
Subject Chain	CN=MetaQuotes Ltd, O=MetaQuotes Ltd, L=Limassol, C=CY
Version:	3
Thumbprint MD5:	EE8793570D7F4E5664C8942A3F746D8A
Thumbprint SHA-1:	37580760A59063770A37FAB3E5E49F9F615AF05A
Thumbprint SHA-256:	B0A4CB7CA3902C4D984E794B197554D56BC60D8A9D93509167D3F99E5FC57131
Serial:	04390A4C5F8906A1D7052C1768D45047