download:

/web/webplugin/windows/local-service-components/v1.0.0.0/neutral/LocalServiceComponents.exe

Full analysis: https://app.any.run/tasks/5877bf6e-0361-4d5e-acc1-72063edc0c08
Verdict: Malicious activity
Analysis date: July 15, 2024, 05:20:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

41092DB17794AF0230C0C5063F0711A1

SHA1:

1D1170547A3464C7ED209B21F0912F33956C25E2

SHA256:

08BA4B148C9BE050347C1A58599EA067BFFC2CE0DFDDDB8F1391410413FAB8C2

SSDEEP:

98304:TmHhvj5xLvL9hBcb25bgHPf290z8aAW6TgCyOwx12Rd4s83tqzbfhvlNr9D+w78X:YYY6WBGAdywBym+MeP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • LocalServiceComponents.exe (PID: 3384)
      • LocalServiceComponents.exe (PID: 2936)
      • LocalServiceComponents.tmp (PID: 2960)

    • Changes the autorun value in the registry

      • LocalServiceComponents.tmp (PID: 2960)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • LocalServiceComponents.exe (PID: 3384)
      • LocalServiceComponents.exe (PID: 2936)
      • LocalServiceComponents.tmp (PID: 2960)

    • Reads the Windows owner or organization settings

      • LocalServiceComponents.tmp (PID: 2960)

    • Process drops legitimate windows executable

      • LocalServiceComponents.tmp (PID: 2960)

    • The process drops C-runtime libraries

      • LocalServiceComponents.tmp (PID: 2960)

    • Creates file in the systems drive root

      • LocalServiceControl.exe (PID: 2348)

    • There is functionality for taking screenshot (YARA)

      • LocalServiceControl.exe (PID: 2348)

  • INFO

    • Create files in a temporary directory

      • LocalServiceComponents.exe (PID: 3384)
      • LocalServiceComponents.exe (PID: 2936)
      • LocalServiceComponents.tmp (PID: 2960)

    • Checks supported languages

      • LocalServiceComponents.exe (PID: 3384)
      • LocalServiceComponents.tmp (PID: 3416)
      • LocalServiceComponents.exe (PID: 2936)
      • LocalServiceComponents.tmp (PID: 2960)
      • LocalServiceControl.exe (PID: 2348)

    • Reads the computer name

      • LocalServiceComponents.tmp (PID: 3416)
      • LocalServiceComponents.tmp (PID: 2960)
      • LocalServiceControl.exe (PID: 2348)

    • Creates files in the program directory

      • LocalServiceComponents.tmp (PID: 2960)

    • Creates a software uninstall entry

      • LocalServiceComponents.tmp (PID: 2960)

    • Manual execution by a user

      • WINWORD.EXE (PID: 3716)
      • WINWORD.EXE (PID: 2504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 14848
UninitializedDataSize: -
EntryPoint: 0x9b24
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.101
ProductVersionNumber: 1.0.0.101
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: LocalServiceComponents Setup
FileVersion: 1.0.0.101
LegalCopyright:
ProductName: LocalServiceComponents
ProductVersion: 1.0.0.101
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start localservicecomponents.exe localservicecomponents.tmp no specs localservicecomponents.exe localservicecomponents.tmp THREAT localservicecontrol.exe winword.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2348"C:\Program Files\LocalServiceComponents\LocalServiceControl.exe"C:\Program Files\LocalServiceComponents\LocalServiceControl.exe
LocalServiceComponents.tmp
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\program files\localservicecomponents\localservicecontrol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2504"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\edmuch.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
2936"C:\Users\admin\AppData\Local\Temp\LocalServiceComponents.exe" /SPAWNWND=$90144 /NOTIFYWND=$5010A C:\Users\admin\AppData\Local\Temp\LocalServiceComponents.exe
LocalServiceComponents.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
LocalServiceComponents Setup
Exit code:
0
Version:
1.0.0.101
Modules
Images
c:\users\admin\appdata\local\temp\localservicecomponents.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
2960"C:\Users\admin\AppData\Local\Temp\is-C3VST.tmp\LocalServiceComponents.tmp" /SL5="$100168,12114969,53760,C:\Users\admin\AppData\Local\Temp\LocalServiceComponents.exe" /SPAWNWND=$90144 /NOTIFYWND=$5010A C:\Users\admin\AppData\Local\Temp\is-C3VST.tmp\LocalServiceComponents.tmp
LocalServiceComponents.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.50.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-c3vst.tmp\localservicecomponents.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3384"C:\Users\admin\AppData\Local\Temp\LocalServiceComponents.exe" C:\Users\admin\AppData\Local\Temp\LocalServiceComponents.exe
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
LocalServiceComponents Setup
Exit code:
0
Version:
1.0.0.101
Modules
Images
c:\users\admin\appdata\local\temp\localservicecomponents.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3416"C:\Users\admin\AppData\Local\Temp\is-MTAVH.tmp\LocalServiceComponents.tmp" /SL5="$5010A,12114969,53760,C:\Users\admin\AppData\Local\Temp\LocalServiceComponents.exe" C:\Users\admin\AppData\Local\Temp\is-MTAVH.tmp\LocalServiceComponents.tmpLocalServiceComponents.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.50.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-mtavh.tmp\localservicecomponents.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3716"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\testsuccessful.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
12 644
Read events
11 809
Write events
271
Delete events
564

Modification events

(PID) Process:(2960) LocalServiceComponents.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LocalServiceControl
Operation:writeName:URL Protocol
Value:
(PID) Process:(2960) LocalServiceComponents.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:LocalServiceControl
Value:
C:\Program Files\LocalServiceComponents\LocalServiceControl.exe
(PID) Process:(2960) LocalServiceComponents.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Operation:writeName:C:\Program Files\LocalServiceComponents\LocalServiceControl.exe
Value:
HIGHDPIAWARE
(PID) Process:(2960) LocalServiceComponents.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80DDB8B4-9C6F-44A2-81AD-155EE6917A9A}_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.3.5 (a)
(PID) Process:(2960) LocalServiceComponents.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80DDB8B4-9C6F-44A2-81AD-155EE6917A9A}_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\LocalServiceComponents
(PID) Process:(2960) LocalServiceComponents.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80DDB8B4-9C6F-44A2-81AD-155EE6917A9A}_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\LocalServiceComponents\
(PID) Process:(2960) LocalServiceComponents.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80DDB8B4-9C6F-44A2-81AD-155EE6917A9A}_is1
Operation:writeName:Inno Setup: Icon Group
Value:
LocalServiceComponents
(PID) Process:(2960) LocalServiceComponents.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80DDB8B4-9C6F-44A2-81AD-155EE6917A9A}_is1
Operation:writeName:Inno Setup: User
Value:
admin
(PID) Process:(2960) LocalServiceComponents.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80DDB8B4-9C6F-44A2-81AD-155EE6917A9A}_is1
Operation:writeName:DisplayName
Value:
LocalServiceComponents
(PID) Process:(2960) LocalServiceComponents.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80DDB8B4-9C6F-44A2-81AD-155EE6917A9A}_is1
Operation:writeName:UninstallString
Value:
"C:\Program Files\LocalServiceComponents\unins000.exe"
Executable files
80
Suspicious files
11
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
2960LocalServiceComponents.tmpC:\Users\admin\AppData\Local\Temp\is-PIG0A.tmp\ISTask.dllexecutable
MD5:86A1311D51C00B278CB7F27796EA442E
SHA256:E916BDF232744E00CBD8D608168A019C9F41A68A7E8390AA48CFB525276C483D
2960LocalServiceComponents.tmpC:\Program Files\LocalServiceComponents\is-QMIIU.tmpexecutable
MD5:905C6DC64BBC773C4CFF4B6ED21D214C
SHA256:1D7DC226DD83782EACC3F190078F65861B6510AF2D2286164C7348D1C50DC952
2936LocalServiceComponents.exeC:\Users\admin\AppData\Local\Temp\is-C3VST.tmp\LocalServiceComponents.tmpexecutable
MD5:9D321C7096F4BCAEB6F3D8D1636E1744
SHA256:43202B0DE2E718D35CDF7EB8B34DD35BF3FAE85C0ECD2108830230A121284322
3384LocalServiceComponents.exeC:\Users\admin\AppData\Local\Temp\is-MTAVH.tmp\LocalServiceComponents.tmpexecutable
MD5:9D321C7096F4BCAEB6F3D8D1636E1744
SHA256:43202B0DE2E718D35CDF7EB8B34DD35BF3FAE85C0ECD2108830230A121284322
2960LocalServiceComponents.tmpC:\Program Files\LocalServiceComponents\unins000.exeexecutable
MD5:905C6DC64BBC773C4CFF4B6ED21D214C
SHA256:1D7DC226DD83782EACC3F190078F65861B6510AF2D2286164C7348D1C50DC952
2960LocalServiceComponents.tmpC:\Program Files\LocalServiceComponents\is-QDLMB.tmpexecutable
MD5:B713D69F2BA5A9FC813267A7F080AB86
SHA256:4C15E09861AD0B81CD171E6B5B0F64B45CB947EC7078157FDD5B2A36848D7849
2960LocalServiceComponents.tmpC:\Program Files\LocalServiceComponents\is-BQHLM.tmpexecutable
MD5:E7D7AE865376CF7BAC93BADEA4F113D1
SHA256:76ECD4039169639150DF0DF640C213B78DF509F59551DB5CCBD34FD94992392F
2960LocalServiceComponents.tmpC:\Program Files\LocalServiceComponents\is-N91HK.tmpexecutable
MD5:44B73A0305018E29CC8AD8462BB7A872
SHA256:938AAFE5965797CC67280842C8015F6904D1D349EFA3BC259CCFB16654E4FB8F
2960LocalServiceComponents.tmpC:\Program Files\LocalServiceComponents\is-7AT48.tmpexecutable
MD5:964E43768A908D5DCD7D414FE7B4422E
SHA256:BDA8C3A87194409FB51CE72553C78CF3DF61AE4F23700203940B4D0669577229
2960LocalServiceComponents.tmpC:\Program Files\LocalServiceComponents\AudioIntercom.dllexecutable
MD5:964E43768A908D5DCD7D414FE7B4422E
SHA256:BDA8C3A87194409FB51CE72553C78CF3DF61AE4F23700203940B4D0669577229
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
13
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
23.32.238.210:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1060
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
unknown
whitelisted
1372
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1372
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
1372
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
23.32.238.210:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
unknown
1060
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 23.32.238.210
  • 23.32.238.219
  • 23.32.238.226
  • 23.32.238.218
  • 23.32.238.243
  • 23.32.238.225
  • 23.32.238.242
  • 23.32.238.171
  • 199.232.214.172
  • 199.232.210.172
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted

Threats

No threats detected
Process
Message
LocalServiceControl.exe
QCoreApplication::applicationDirPath: Please instantiate the QApplication object first
LocalServiceControl.exe
5
LocalServiceControl.exe
"No such file or directory"
LocalServiceControl.exe
WriteLocalFile: "C:\\Users\\admin\\WebComponents\\local.json"
LocalServiceControl.exe
QCoreApplication::applicationDirPath: Please instantiate the QApplication object first
LocalServiceControl.exe
5
LocalServiceControl.exe
"No such file or directory"
LocalServiceControl.exe
WriteLocalFile: "C:\\Users\\admin\\WebComponents\\local.json"
LocalServiceControl.exe
QCoreApplication::applicationDirPath: Please instantiate the QApplication object first
LocalServiceControl.exe
5
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/web/webplugin/windows/local-service-components/v1.0.0.0/neutral/LocalServiceComponents.exe