File name: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0

Full analysis: https://app.any.run/tasks/f641fcbb-b53e-4abe-9e55-ac472aae252a
Verdict: Malicious activity
Analysis date: December 06, 2022, 03:09:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 519BE4854BF61C1199C50974B74FF3F5
SHA1: 7AE6AB717D2E44FB02F493FBD2ED1DE9FC5D7050
SHA256: 1C749421CFF2C00B4D18E08EEACFB970A3D2FE4636B324BEC711A172C0A487B0
SSDEEP: 12288:pljDkWrnvA1/hEcya1p07k2GNehSQ2okRDVbaehj/CD:pVDjrvwlyaBJsYxouDcehrCD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Changes the autorun value in the registry

      • MonitorFPKPVer.exe (PID: 3200)
    • Application was dropped or rewritten from another process

      • MonitorFPKPVer.exe (PID: 3200)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Reads the Windows owner or organization settings

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Drops a file with too old compile date

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Reads the Internet Settings

      • MonitorFPKPVer.exe (PID: 3200)
  • INFO

    • Checks supported languages

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe (PID: 2988)
      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
      • MonitorFPKPVer.exe (PID: 3200)
    • Reads the computer name

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
      • MonitorFPKPVer.exe (PID: 3200)
    • Drops a file that was compiled in debug mode

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Loads dropped or rewritten executable

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Application was dropped or rewritten from another process

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Reads Environment values

      • MonitorFPKPVer.exe (PID: 3200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (71.1)
.exe | Win32 Executable Delphi generic (9.1)
.scr | Windows screen saver (8.4)
.dll | Win32 Dynamic Link Library (generic) (4.2)
.exe | Win32 Executable (generic) (2.9)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17 (TimeDateStamp 0x2A425E19, the constant the Borland/Delphi linker writes rather than a real build time; consistent with the Inno Setup/Delphi TRiD match, so the "too old compile date" indicator is a toolchain artifact, not timestomping evidence)
Detected languages:
  • Chinese - PRC
  • Dutch - Netherlands
  • English - United States
Comments: This installer was built by Inno Setup. (GBK string 此安装程序由 Inno Setup 构建。, rendered by the sandbox through a Latin-1 code page)
CompanyName: 深圳航天信息有限公司 (Shenzhen Aerospace Information Co., Ltd.)
FileDescription: MonitorFPKPVer.exe
FileVersion: 1.0.21.1230
LegalCopyright: 2018 深圳航信 (Shenzhen Aerospace Information, abbreviated)
ProductName: MonitorFPKPVer
ProductVersion: 1.0.21.1230

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE   | 4096  | 41828 | 41984 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70808
DATA   | 49152 | 592   | 1024  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.75232
BSS    | 53248 | 3720  | 0     | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.idata | 57344 | 2380  | 2560  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.42897
.tls   | 61440 | 8     | 0     | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.rdata | 65536 | 24    | 512   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.190489
.reloc | 69632 | 2244  | 0     | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | -
.rsrc  | 73728 | 9555  | 9728  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.99151

Sections with a raw size of 0 (BSS, .tls, .reloc) occupy no file bytes, so no entropy is reported for them.

Resources

Title | Entropy | Size | Codepage | Language | Type
1    | 3.25755 | 296  | UNKNOWN | Dutch - Netherlands | RT_ICON
2    | 3.47151 | 1384 | UNKNOWN | Dutch - Netherlands | RT_ICON
3    | 3.91708 | 744  | UNKNOWN | Dutch - Netherlands | RT_ICON
4    | 3.91366 | 2216 | UNKNOWN | Dutch - Netherlands | RT_ICON
4089 | 5.50613 | 322  | UNKNOWN | UNKNOWN | RT_STRING
4090 | 5.62693 | 278  | UNKNOWN | UNKNOWN | RT_STRING
4091 | 5.87174 | 254  | UNKNOWN | UNKNOWN | RT_STRING
4093 | 2.86149 | 104  | UNKNOWN | UNKNOWN | RT_STRING
4094 | 3.20731 | 180  | UNKNOWN | UNKNOWN | RT_STRING
4095 | 3.04592 | 174  | UNKNOWN | UNKNOWN | RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
Screenshots: all screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Explorer.EXE
  start -> 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe (PID 2988, integrity HIGH)
    drop and start -> 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID 3204)
      drop and start -> monitorfpkpver.exe (PID 3200)
  start -> 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe (PID 1580, no specs)
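The graph above and the Process information table below describe the same chain. The following added example, which is not ANY.RUN's or the vendor's code, rebuilds that tree from records transcribed from this report and flags the three behaviours the indicators call out: the elevation retry (PID 1580 exits with STATUS_ELEVATION_REQUIRED, PID 2988 relaunches at HIGH integrity), the Inno Setup stage-2 launch (an is-XXXXX.tmp directory plus the /SL5= argument), and a child whose image file was written by its parent. Parent PIDs are an assumption resolved from the page: PID 1580 loaded only ntdll.dll and exited before running anything, so PID 2988 is taken as the parent of PID 3204.

```python
"""Rebuild the process tree from this report's Process information records and
flag the installer behaviours its indicators list.

Added example, not ANY.RUN output. The four records are transcribed from the
report; parent PIDs are resolved from the module lists (assumption: PID 1580
never ran user code, so the elevated PID 2988 spawned PID 3204).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

STATUS_ELEVATION_REQUIRED = 0xC000042C
SAMPLE = "1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0"
TEMP = r"C:\Users\admin\AppData\Local\Temp"
LOADER = TEMP + "\\" + SAMPLE + ".exe"
STAGE2 = TEMP + r"\is-676AO.tmp" + "\\" + SAMPLE + ".tmp"
PAYLOAD = r"C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]      # None for the two instances Explorer.EXE started
    path: str
    cmdline: str
    integrity: str
    exit_code: int


# Transcribed from the report (constructed records, not a live process list).
PROCS: List[Proc] = [
    Proc(1580, None, LOADER, f'"{LOADER}"', "MEDIUM", 3221226540),
    Proc(2988, None, LOADER, f'"{LOADER}"', "HIGH", 0),
    Proc(3204, 2988, STAGE2, f'"{STAGE2}" /SL5="$60198,258993,56832,{LOADER}"', "HIGH", 0),
    Proc(3200, 3204, PAYLOAD, f'"{PAYLOAD}" Wait', "HIGH", 0),
]

# Executables each process wrote, from the Dropped files table.
DROPPED_BY: Dict[int, Set[str]] = {3204: {PAYLOAD}}


def elevation_retries(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(failed_pid, elevated_pid): the same image exited STATUS_ELEVATION_REQUIRED
    below HIGH integrity and ran again at HIGH, which is how a UAC relaunch looks."""
    out = []
    for p in procs:
        if (p.exit_code & 0xFFFFFFFF) != STATUS_ELEVATION_REQUIRED or p.integrity == "HIGH":
            continue
        for q in procs:
            if q.pid != p.pid and q.path.lower() == p.path.lower() and q.integrity == "HIGH":
                out.append((p.pid, q.pid))
    return out


def inno_stage2(procs: List[Proc]) -> List[int]:
    """PIDs that look like an Inno Setup loader's unpacked setup.tmp: a .tmp image
    under an is-XXXXX.tmp directory, started with an /SL5= argument."""
    return [p.pid for p in procs
            if "/SL5=" in p.cmdline
            and "\\is-" in p.path.lower()
            and p.path.lower().endswith(".tmp")]


def dropped_then_started(procs: List[Proc], dropped: Dict[int, Set[str]]) -> List[Tuple[int, int]]:
    """(dropper_pid, child_pid) where the child's image is a file its parent wrote,
    i.e. the report's 'Application was dropped or rewritten from another process'."""
    out = []
    for p in procs:
        written = {f.lower() for f in dropped.get(p.ppid, set())}
        if p.path.lower() in written:
            out.append((p.ppid, p.pid))
    return out


def render_tree(procs: List[Proc]) -> List[str]:
    """One indented line per process, roots first, children beneath their parent."""
    by_parent: Dict[Optional[int], List[Proc]] = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    lines: List[str] = []

    def walk(ppid: Optional[int], depth: int) -> None:
        for p in sorted(by_parent.get(ppid, []), key=lambda x: x.pid):
            name = p.path.rsplit("\\", 1)[-1]
            lines.append(f"{'  ' * depth}{name} (PID {p.pid}, {p.integrity}, "
                         f"exit 0x{p.exit_code & 0xFFFFFFFF:08X})")
            walk(p.pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    print("elevation retries:", elevation_retries(PROCS))
    print("inno stage 2:", inno_stage2(PROCS))
    print("dropped then started:", dropped_then_started(PROCS, DROPPED_BY))
```

The checks are deliberately keyed on structure (exit status, integrity change, the is-*.tmp/SL5 handoff, parent-wrote-child) rather than on this sample's hashes, so the same functions apply to any Inno Setup installer in a process listing that carries parent PIDs, integrity levels and exit codes.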

Process information

PID: 1580
CMD: "C:\Users\admin\AppData\Local\Temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe"
Path: C:\Users\admin\AppData\Local\Temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
Parent process: Explorer.EXE
User:
admin
Company:
深圳航天信息有限公司
Integrity Level:
MEDIUM
Description:
MonitorFPKPVer.exe
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance loaded only ntdll.dll and exited because the installer requires elevation; it was re-launched as PID 2988 at HIGH integrity)
Version:
1.0.21.1230
Modules
Images
c:\users\admin\appdata\local\temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
c:\windows\system32\ntdll.dll
PID: 2988
CMD: "C:\Users\admin\AppData\Local\Temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe"
Path: C:\Users\admin\AppData\Local\Temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
Parent process: Explorer.EXE
User:
admin
Company:
深圳航天信息有限公司
Integrity Level:
HIGH
Description:
MonitorFPKPVer.exe
Exit code:
0
Version:
1.0.21.1230
Modules
Images
c:\users\admin\appdata\local\temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 3200
CMD: "C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe" Wait
Path: C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe
Parent process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
User:
admin
Integrity Level:
HIGH
Description:
MonitorFPKPVer
Exit code:
0
Version:
1.0.21.1230
Modules
Images
c:\monitorfpkpver\run\monitorfpkpver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3204
CMD: "C:\Users\admin\AppData\Local\Temp\is-676AO.tmp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp" /SL5="$60198,258993,56832,C:\Users\admin\AppData\Local\Temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-676AO.tmp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Parent process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
User:
admin
Integrity Level:
HIGH
Description:
Install/Uninstall (GBK string 安装/卸载, the Chinese form of Inno Setup's "Setup/Uninstall" file description, rendered through a Latin-1 code page)
Exit code:
0
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-676ao.tmp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
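Several fields in the table above are shown raw: the 1992 TimeDateStamp, the decimal exit code of PID 1580, the /SL5 argument of PID 3204, and Chinese version-info strings that ANY.RUN's raw output renders as Latin-1 mojibake (for example `´Ë°²×°³ÌÐòÓÉ Inno Setup ¹¹½¨¡£` for Comments and `°²×°/Ð¶ÔØ` for the Description of PID 3204). The added example below, not code from ANY.RUN or the vendor, decodes each of them. Its inputs are transcribed from this report; the /SL5 layout it relies on (three numeric fields, then the loader path) is Inno Setup's SetupLdr handoff to the unpacked setup.tmp, and the numeric fields are left uninterpreted.

```python
"""Decode the raw header and process fields shown in this report.

Added example, not ANY.RUN's or the vendor's code. Every input below is
transcribed from the report: the TimeDateStamp, the exit code of PID 1580,
the /SL5 command line of PID 3204 and the two mis-decoded version-info strings.
"""
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# Link-time stamps that some toolchains write as a constant. 0x2A425E19 is the
# value the Borland/Delphi linker emits; it decodes to 1992-06-19 22:22:17 UTC.
FIXED_LINKER_STAMPS = {0x2A425E19: "Borland/Delphi linker constant"}

# NTSTATUS values worth naming when a sandbox prints them as decimal exit codes.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}

SL5_RE = re.compile(r'/SL5="([^"]*)"')


def classify_timestamp(stamp: int) -> Tuple[str, str]:
    """Return (UTC time, verdict) for a PE TimeDateStamp."""
    when = datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return when, FIXED_LINKER_STAMPS.get(stamp, "plausible build time")


def decode_exit_code(code: int) -> Tuple[str, str]:
    """Map a decimal exit code to its hex form and an NTSTATUS name."""
    code &= 0xFFFFFFFF
    severity = ("success", "informational", "warning", "error")[code >> 30]
    return f"0x{code:08X}", NTSTATUS_NAMES.get(code, f"unnamed NTSTATUS ({severity})")


def repair_gbk_mojibake(text: str) -> str:
    """Undo GBK bytes that were displayed through a Latin-1 code page.

    Every byte in the report's strings is >= 0xA0, where Latin-1 and cp1252
    agree. Text that is not Latin-1 encodable (already-correct Chinese) or not
    valid GBK is returned unchanged.
    """
    try:
        return text.encode("latin-1").decode("gbk")
    except UnicodeError:
        return text


def inno_loader_path(cmdline: str) -> Optional[str]:
    """Pull the original loader path out of a setup.tmp command line.

    Inno Setup's SetupLdr hands /SL5="$<n>,<n>,<n>,<loader path>" to the
    unpacked setup.tmp; only the trailing path is used here.
    """
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    fields = m.group(1).split(",", 3)
    return fields[3] if len(fields) == 4 else None


# Constructed from the report's own values.
SAMPLE = "1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0"
TEMP = r"C:\Users\admin\AppData\Local\Temp"
REPORT = {
    "TimeDateStamp": 0x2A425E19,
    "pid1580_exit": 3221226540,
    "pid3204_cmd": (f'"{TEMP}\\is-676AO.tmp\\{SAMPLE}.tmp" '
                    f'/SL5="$60198,258993,56832,{TEMP}\\{SAMPLE}.exe"'),
    "comments": "´Ë°²×°³ÌÐòÓÉ Inno Setup ¹¹½¨¡£",
    "description": "°²×°/Ð¶ÔØ",
}


def triage(report: dict) -> dict:
    """Decode every raw field at once; returns plain strings for a write-up."""
    when, verdict = classify_timestamp(report["TimeDateStamp"])
    hexcode, name = decode_exit_code(report["pid1580_exit"])
    return {
        "compiled": when,
        "timestamp_verdict": verdict,
        "pid1580_exit": f"{hexcode} {name}",
        "loader": inno_loader_path(report["pid3204_cmd"]),
        "comments": repair_gbk_mojibake(report["comments"]),
        "description": repair_gbk_mojibake(report["description"]),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

The mojibake repair is the step most often skipped in triage: the vendor strings only become searchable (and attributable to the company named in CompanyName) once they are read back as GBK.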
Total events: 524
Read events: 500
Write events: 18
Delete events: 6

Modification events

All ten events below are Windows Restart Manager session bookkeeping by the unpacked installer (PID 3204): the session key is created, the file about to be replaced (C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe) is registered as RegFiles0000, and every value is deleted again when the session ends. None of them is persistence; the autorun value change that the indicators attribute to MonitorFPKPVer.exe (PID 3200) is not itemized on this page.

PID 3204 (1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp)
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000

Operation    | Name         | Value
write        | Owner        | 840C000012C1C2382009D901
write        | SessionHash  | FBC4213FBA97769CD959B08D92CCA80DE0E462E39F40736F28FB3CC14E094716
write        | Sequence     | 1
write        | RegFiles0000 | C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe
write        | RegFilesHash | 30D7D57A3ABBC5CED12BC4C93415754910E30AF648A74D11635A48855799C0B5
delete value | RegFilesHash | 30D7D57A3ABBC5CED12BC4C93415754910E30AF648A74D11635A48855799C0B5
delete value | RegFiles0000 | C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe
delete value | Sequence     | 1
delete value | SessionHash  | FBC4213FBA97769CD959B08D92CCA80DE0E462E39F40736F28FB3CC14E094716
delete value | Owner        | 840C000012C1C2382009D901
Executable files: 11
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID  | Process | Filename | Type
3204 | 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp | C:\MonitorFPKPVer\Run\is-3JVR4.tmp | executable
MD5:
SHA256:
3204 | 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp | C:\Users\admin\AppData\Local\Temp\is-2RUHU.tmp\IsTaskEx.dll | executable
MD5:
SHA256:
3204 | 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp | C:\MonitorFPKPVer\Run\Interop.IWshRuntimeLibrary.dll | executable
MD5:
SHA256:
3204 | 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp | C:\MonitorFPKPVer\Run\is-L73BM.tmp | executable
MD5:
SHA256:
3204 | 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp | C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe | executable
MD5:
SHA256:
3204 | 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp | C:\MonitorFPKPVer\Run\is-TUMNB.tmp | executable
MD5: 70ECB43C490ED5B16DAFAFF662BF7653
SHA256: B4CBA17E1123333356BF7E80A20E3ADFFD8EC335C14DA1A249D1B10F3D7CFD0B
3204 | 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp | C:\MonitorFPKPVer\Run\is-0UDLL.tmp | executable
MD5:
SHA256:
3204 | 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp | C:\MonitorFPKPVer\Run\Interop.TaskScheduler.dll | executable
MD5:
SHA256:
3200 | MonitorFPKPVer.exe | C:\MonitorFPKPVer\Run\MonitorFpkpVer\Log2022-12-06.log | text
MD5:
SHA256:
3204 | 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp | C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe.config | xml
MD5: FEB8A12F54CDBCA11133449147E40B28
SHA256: B115CF3BC35C222B952386A332BB3B827C6DCB48FA0A12BB3A8AC4E9B334C5F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 3200
Process: MonitorFPKPVer.exe
Method: GET
HTTP Code: -
IP: 119.147.23.75:80
URL: http://update.szhtxx.com.cn/Upgrade/UpgradeApp/MonitorFPKP/updateVerEx.ini
CN: CN
Type: -
Size: -
Reputation: unknown

The version manifest is requested over plain HTTP on port 80, so nothing in transit protects its integrity; the response code, content type and size were not recorded on this page, and whether MonitorFPKPVer.exe validates what it fetches next is not visible here.

Connections

PID: 3200
Process: MonitorFPKPVer.exe
IP: 119.147.23.75:80
Domain: update.szhtxx.com.cn
ASN: Chinanet
CN: CN
Reputation: unknown

DNS requests

Domain: update.szhtxx.com.cn
IP: 119.147.23.75
Reputation: unknown

Threats

No threats detected
No debug info