General Info

File name

396a0145a594e4f81dd61a370cd82d1c

Full analysis
https://app.any.run/tasks/7193e14e-3ccb-4842-95b4-89e299be620b
Verdict
Malicious activity
Analysis date
7/11/2019, 15:02:51
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer, trojan, amadey

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

396a0145a594e4f81dd61a370cd82d1c

SHA1

09f4c0aebd4f7366ee75162a98efa32f0a1616f1

SHA256

0f7fb5cfdfed45d552c536b852b9fcd1b601efe46752c16c89d074002a63dce4

SSDEEP

24576:pAT8QE+kiOW/mlBKx3NKUsEebap9RhdYM/rn2lEsMv0+49kBre/iD7:pAI+EdBKxsntbap9jiArq3wD+kBZX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • kntd.exe (PID: 3976)
  • digi1007_kos1_6cr11.exe (PID: 2980)
AMADEY was detected
  • digi1007_kos1_6cr11.exe (PID: 2980)
Creates files in the program directory
  • kntd.exe (PID: 3976)
  • digi1007_kos1_6cr11.exe (PID: 2980)
  • 396a0145a594e4f81dd61a370cd82d1c.exe (PID: 3516)
Executable content was dropped or overwritten
  • digi1007_kos1_6cr11.exe (PID: 2980)
  • 396a0145a594e4f81dd61a370cd82d1c.exe (PID: 3516)
Starts itself from another location
  • digi1007_kos1_6cr11.exe (PID: 2980)
Creates a software uninstall entry
  • 396a0145a594e4f81dd61a370cd82d1c.exe (PID: 3516)
Dropped object may contain Bitcoin addresses
  • digi1007_kos1_6cr11.exe (PID: 2980)
  • 396a0145a594e4f81dd61a370cd82d1c.exe (PID: 3516)

Static information

TRiD
.exe | InstallShield setup (49.2%)
.exe | Win32 Executable Delphi generic (16.2%)
.scr | Windows screen saver (14.9%)
.dll | Win32 Dynamic Link Library (generic) (7.5%)
.exe | Win32 Executable (generic) (5.1%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
1992:06:20 00:22:17+02:00
PEType:
PE32
LinkerVersion:
2.25
CodeSize:
148992
InitializedDataSize:
31744
UninitializedDataSize:
null
EntryPoint:
0x25468
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
1.0.0.0
ProductVersionNumber:
0.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Windows, Latin1
Comments:
null
CompanyName:
kos1
FileDescription:
kos1 1.00 Installation
FileVersion:
1.00
LegalCopyright:
kos1
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
19-Jun-1992 22:22:17
Detected languages
English - United States
Russian - Russia
Comments:
null
CompanyName:
kos1
FileDescription:
kos1 1.00 Installation
FileVersion:
1.00
LegalCopyright:
kos1
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0050
Pages in file:
0x0002
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x000F
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x001A
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000100
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
8
Time date stamp:
19-Jun-1992 22:22:17
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
Sections
| Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|
| CODE | 0x00001000 | 0x000244CC | 0x00024600 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 6.59443 |
| DATA | 0x00026000 | 0x00002894 | 0x00002A00 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 3.79376 |
| BSS | 0x00029000 | 0x000010F5 | 0x00000000 | IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0 |
| .idata | 0x0002B000 | 0x00001798 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 4.88555 |
| .tls | 0x0002D000 | 0x00000008 | 0x00000000 | IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0 |
| .rdata | 0x0002E000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED | 0.204488 |
| .reloc | 0x0002F000 | 0x00001884 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED | 6.58665 |
| .rsrc | 0x00031000 | 0x00001CDC | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_SHARED | 4.74565 |
Resources
1

50

51

52

53

DVCLAL

PACKAGEINFO

MAINICON

Imports
    kernel32.dll

    user32.dll

    advapi32.dll

    oleaut32.dll

    gdi32.dll

    winmm.dll

    ole32.dll

    comctl32.dll

    shell32.dll

    cabinet.dll

Exports

    No exports.

Processes

Total processes
39
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

[Behavior graph. Nodes: 396a0145a594e4f81dd61a370cd82d1c.exe (no specs); 396a0145a594e4f81dd61a370cd82d1c.exe; digi1007_kos1_6cr11.exe (#AMADEY); kntd.exe (no specs). Edge labels: drop and start; start; drop and start.]

Process information

PID
3056
CMD
"C:\Users\admin\AppData\Local\Temp\396a0145a594e4f81dd61a370cd82d1c.exe"
Path
C:\Users\admin\AppData\Local\Temp\396a0145a594e4f81dd61a370cd82d1c.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
kos1
Description
kos1 1.00 Installation
Version
1.00
Modules
Image
c:\users\admin\appdata\local\temp\396a0145a594e4f81dd61a370cd82d1c.exe
c:\systemroot\system32\ntdll.dll

PID
3516
CMD
"C:\Users\admin\AppData\Local\Temp\396a0145a594e4f81dd61a370cd82d1c.exe"
Path
C:\Users\admin\AppData\Local\Temp\396a0145a594e4f81dd61a370cd82d1c.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
kos1
Description
kos1 1.00 Installation
Version
1.00
Modules
Image
c:\users\admin\appdata\local\temp\396a0145a594e4f81dd61a370cd82d1c.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\program files\kos1\kos1\digi1007_kos1_6cr11.exe

PID
2980
CMD
"C:\Program Files\kos1\kos1\digi1007_kos1_6cr11.exe"
Path
C:\Program Files\kos1\kos1\digi1007_kos1_6cr11.exe
Indicators
Parent process
396a0145a594e4f81dd61a370cd82d1c.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
AVAST Software
Description
Telephoneassistant Really •5
Version
Modules
Image
c:\program files\kos1\kos1\digi1007_kos1_6cr11.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\tapi32.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll
c:\programdata\d0e2b561fe\kntd.exe

PID
3976
CMD
c:\programdata\d0e2b561fe\kntd.exe
Path
c:\programdata\d0e2b561fe\kntd.exe
Indicators
No indicators
Parent process
digi1007_kos1_6cr11.exe
User
admin
Integrity Level
HIGH
Version:
Company
AVAST Software
Description
Telephoneassistant Really •5
Version
Modules
Image
c:\programdata\d0e2b561fe\kntd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\tapi32.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

Registry activity

Total events
53
Read events
32
Write events
21
Delete events
0

Modification events

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | DisplayName | kos1 1.00 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | DisplayVersion | 1.00 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | VersionMajor | 1 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | VersionMinor | 0 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | Publisher | kos1 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | DisplayIcon | C:\Program Files\kos1\kos1\Uninstall.exe |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | UninstallString | C:\Program Files\kos1\kos1\Uninstall.exe |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | URLInfoAbout | http://www.company.com/ |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | HelpLink | |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | InstallLocation | C:\Program Files\kos1\kos1\ |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | InstallSource | C:\Users\admin\AppData\Local\Temp\ |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | InstallDate | 20190711 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | Language | 1049 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | EstimatedSize | 4217 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | NoModify | 1 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kos1 1.00 | NoRepair | 1 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | GlobalAssocChangedCounter | 62 |

Files activity

Executable files
6
Suspicious files
0
Text files
32
Unknown types
1

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Uninstall.exe | executable | b23a0e35b4570d760ca1f6dbc6e15d03 | ee7549e1142b07a1ca58f7759e6e9661b090876360ede5c1a4ca9eae18e7a954 |
| 2980 | digi1007_kos1_6cr11.exe | C:\programdata\d0e2b561fe\kntd.exe | executable | 6bab55ce6739b193bad64ce4c9dc32b1 | dcef36bac785a03a5d9aaeba50e97027bd7a8e1c35c75578fd73f2485e811abe |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Core Temp.exe | executable | ace98555c0d4a336af18b5402078f21f | 7a0e3fcd8a8c9a703277077ab59bb75f33b1421cd78c8270cc2a0533f9e2e3c9 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\digi1007_kos1_6cr11.exe | executable | 6bab55ce6739b193bad64ce4c9dc32b1 | dcef36bac785a03a5d9aaeba50e97027bd7a8e1c35c75578fd73f2485e811abe |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\unins000.exe | executable | 0dfcccf48855ed1d3f174f90a7a5f046 | 958cdee7f0bc351af72547e9db3a4181a80a202f4a565dcec30373da5e5fb88a |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\sk.lng | xml | 01c13ef56030460a4b5621b06ef18d48 | c9ecaf755573268a283b896657d93d6aeb29c6efa6331f8a50208de99b8abf5c |
| 3976 | kntd.exe | C:\programdata\d0e2b561fe\kntd.ini | text | aff606c7b162b726561e1bf62c921ae4 | c9a55de354743819ba5a550cbebb06c4ef2d5baf6a006d2946725c780fddcf2f |
| 2980 | digi1007_kos1_6cr11.exe | C:\programdata\d0e2b561fe\kntd.exe:Zone.Identifier | –– | –– | –– |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\unins000.dat | dat | 6d255088484eb9a1c6fec8671b6e9c5a | 6962855621179bd6fcb9da1b588b0719b1e092bcb8be1e2fb988e8b9d2c68e95 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Readme.txt | text | 9ab877751224d96448876f7ecf15559f | abb84cf36bd0e8f39248f5477ca0d427da9b7e3c10b6666254b98d6e06b40e7b |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\zh-TW.lng | xml | 7a203b28155f78a09cb5057e91dfb5e7 | 7442989b5e7532084a6253ad910283a3634287a9ef536a31e2793cfe277eeb9f |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\License.txt | text | 932b5fb4b60bba2dbf7d178518c69670 | 37c7cc1dee0a655060e37333b4d99e697dad5c197ffdb30bf136e1412c5d70d8 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\zh-CN.lng | xml | 3e2b83f48461e2af127fef89b1ae0cf2 | fa6486b9675bfaf51bda9da23bc958e80937139ea0191d2ebd7ae6ff296eebc5 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\tr-TR.lng | xml | 042d9a50f4a5cdc2c6a60cab04a28ad2 | 8bb3ccc0afe6539a815a16fec1a038738c428399fe0b0c68c7e1f4fd2d604689 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\ro-RO.lng | xml | 37a8f10a90bcd34659b2fce922033f72 | b513c0b8972d656ac365e586d1e0af56292c86ab916726e142027047503823f8 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\pt-BR.lng | xml | f60bfa11103f819723d16b5cf254e9be | 050010a1bc00e4cb5ebeb3b67ca477f4bbf16eb726ca351b110ac6f57a243795 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\nl-NL.lng | xml | 80417e766bc16fc40c8b61b1e2771a2c | cf7a28e5538b3900e4d7c278857e2b3eacbadc649cd1cc35d4bea5e8de94c017 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\pl-PL.lng | xml | d16eaed15821cb7f13ae0d1576a4d5f9 | 287001a3c63b15aeca647fcca72640134aeda1db1d23d09c9c26dace92e2aa08 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\vi-VN.lng | xml | 8a99441872d4464437d15eca46f1ec7e | 4f544b5bbb067f9f3342a949d79116806f2d0976fd298f74159bbbb9e4177ec5 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\ua-UA.lng | xml | 2bc7ebd72174b2cd93fa2d2e3a4c9888 | 3c491c7fb50779c56e7425b6b6000caf0940680926aee26bae70827859400b56 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\ru-RU.lng | xml | 2b50f61c5c11b37e630b8323489bd611 | 682b8c65c9473923017e3d152572d58ef48dedca0e14e62346c8008699bf731f |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Users\admin\AppData\Local\Temp\$inst\2.tmp | –– | –– | –– |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\sv-SV.lng | xml | f487e91eff6ff653e32332f1187d1b3b | bb73e10de855b57944c4430e3ff1a5f3fc4defef43f90d4d32abbb1757132b5b |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\ja-JP.lng | xml | b53fa720d1c4ce6b27422c61c8a956eb | 06ae0924dd073e244e8a84690b0eaaf79f8c27e74c4a09e29f0e02b598238e5a |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\fr-FR.lng | xml | 31d11f941fe7600a57695b217a96a562 | 403e9b48977e38548695c4e8863607658805b191666c0b27b74c084d040191a0 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\hy-AM.lng | xml | 6ae7ca65be2eeec1eb5474b1ced25552 | 08bec6122b7376d93ec6ba2ad3a240c98dc6e6158c01586e4017ea5e486a9588 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\he-IL.lng | xml | c7ef223e9f8efeb31d6bf7274fe72653 | 988fcd5a29ba4311e03918f7911e6031e50c393d88eaaa4de207cb5abd61808f |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\it-IT.lng | xml | 13ba31269335b66f0f5efc8087efc9ae | 07a7eaca356a99f44055192f70ccde609b1f18a3f03467623f0806d93cd6f666 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\hu-HU.lng | xml | ff175475d46928ef814b20d12f5736cf | d2fe67d28ac0bd4acaa3345e49aa053c3adcae84a48436e77933a698cb5b9fd0 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\ko-KR.lng | xml | f186b60177133e46b49a261371a1ed20 | 35f5057dec0badca51b293d22e0589a0ba2cd3192a0baf4f9163d998277f670a |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\fi-Fi.lng | xml | be49d6c6d8f8b8adbfc33f19604066f2 | 6fe0454b2b05a36c75e661327333a11a526d21db80dfe0af9c052e8ae2ac5bbf |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\nb-NO.lng | xml | c8709e0134675a02b1a3321ed206723c | efa9ff69d1bd92f74c6313cb189e86946e2b042bf1478703fcedd4cf782f7743 |
| 2980 | digi1007_kos1_6cr11.exe | C:\Program Files\kos1\kos1\digi1007_kos1_6cr11.ini | text | aff606c7b162b726561e1bf62c921ae4 | c9a55de354743819ba5a550cbebb06c4ef2d5baf6a006d2946725c780fddcf2f |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\bg-BG.lng | xml | cd5f77f097e1a6088825eec72ae5a9ce | f4c50a53496f91a5627a1cdd53b11a9c51b0c4105e20c08fdfc93811b24afb2e |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\cs.lng | xml | 30f897bbde9622e5b29b1e9abeb0147d | fa39d085ef8e5614cdbc43ddf07a0dbb48a93dc776037340b7524abe5df0ac74 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\de-DE.lng | xml | 8cd92a1c2a7e4103e7540cf03fea7358 | b896e92a6480f4f0c10c2b44c7106f99faaaff93c776248d8fdd4f3aedbb6a81 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\el-GR.lng | xml | a246f5afc122b88b6d2319cd7038addb | 794e060d3dc0757c24fa21c696280f342b6f08e280e3442bd3759626d82b9d21 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Languages\es.lng | xml | 2bfd369a8b75b7bf49919a4420e52062 | 918a82636426a2d696bad291c40050754f1492d51a51337d6cf871dd75e53c44 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Uninstall.ini | text | 556b5785e81379b431751753d57750c7 | 8ffa4144a9b4ebfb7fc5f89af9e561d517afd6a7dcc60d37a10269cd90db1412 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Program Files\kos1\kos1\Changes.txt | text | df991f85f79bcdd2ee984a23d9fe1b8c | 7ba48d7210a6cd69d9212ac9982c078704eb0b1fdf9ee58bad77bafecd627651 |
| 3516 | 396a0145a594e4f81dd61a370cd82d1c.exe | C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp | –– | –– | –– |
| 2980 | digi1007_kos1_6cr11.exe | C:\ProgramData\0 | –– | –– | –– |

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.