File name: easpi.exe

Full analysis: https://app.any.run/tasks/4be6effc-ac3a-4697-b611-fa4bc1c4c56a
Verdict: Malicious activity
Analysis date: October 03, 2024, 10:40:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 7C7682297145B07DA60CF6A24CED364A
SHA1: CF6A291BFACCBE7C2D0F6C7E0254CD1FAB3E11A6
SHA256: 24AC4DFFEBDF73068483BDE3D7E201FDC46957811B0C9CCB5235C6C60452BC17
SSDEEP: 96:rPbCiO97IPEqdXl+bcX6eTc0z0RMLfiigwteC6ynXGIahizszOhCU7zNtr:z4Ihdhd0CLgi2xhigSh9dV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • easpi.exe (PID: 2248)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • easpi.exe (PID: 2248)
    • Application launched itself

      • easpi.exe (PID: 2248)
    • Reads security settings of Internet Explorer

      • easpi.exe (PID: 2248)
    • Starts itself from another location

      • easpi.exe (PID: 2248)
    • Creates file in the systems drive root

      • lzkkz.exe (PID: 7164)
    • Executes application which crashes

      • lzkkz.exe (PID: 7164)
  • INFO

    • Create files in a temporary directory

      • easpi.exe (PID: 2248)
      • lzkkz.exe (PID: 7164)
    • Checks supported languages

      • easpi.exe (PID: 4644)
      • easpi.exe (PID: 2248)
      • lzkkz.exe (PID: 7164)
    • Process checks computer location settings

      • easpi.exe (PID: 2248)
    • Reads the computer name

      • easpi.exe (PID: 2248)
      • easpi.exe (PID: 4644)
      • lzkkz.exe (PID: 7164)
    • The process uses the downloaded file

      • easpi.exe (PID: 2248)
    • Reads the machine GUID from the registry

      • lzkkz.exe (PID: 7164)
    • Disables trace logs

      • lzkkz.exe (PID: 7164)
    • Checks proxy server information

      • lzkkz.exe (PID: 7164)
    • Reads the software policy settings

      • lzkkz.exe (PID: 7164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2093:08:09 09:07:04+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 5632
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x35c2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: TestSample4EDRO
FileVersion: 1.0.0.0
InternalName: sw_test.exe
LegalCopyright: Copyright © 2020
LegalTrademarks: -
OriginalFileName: sw_test.exe
ProductName: TestSample4EDRO
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process tree, rebuilt from the graph nodes and the parent-process fields in the process information below ("no specs" marks nodes the report flagged with no specific indicators):

  start
  explorer.exe
    easpi.exe (PID 2248)
      easpi.exe (PID 4644, no specs)
      lzkkz.exe (PID 7164)
        werfault.exe (PID 2384)
  svchost.exe
    sppextcomobj.exe (PID 3728, no specs)
      slui.exe (PID 4892, no specs)

Process information

PID: 2248
CMD: "C:\Users\admin\AppData\Local\Temp\easpi.exe"
Path: C:\Users\admin\AppData\Local\Temp\easpi.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: TestSample4EDRO
Exit code: 0
Version: 1.0.0.0
Modules (Images):
  c:\users\admin\appdata\local\temp\easpi.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll

PID: 2384
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7164 -s 1724
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: lzkkz.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll

PID: 3728
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\sppextcomobj.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\oleaut32.dll

PID: 4644
CMD: "C:\Users\admin\AppData\Local\Temp\easpi.exe" good
Path: C:\Users\admin\AppData\Local\Temp\easpi.exe
Parent process: easpi.exe
User: admin
Integrity Level: MEDIUM
Description: TestSample4EDRO
Version: 1.0.0.0
Modules (Images):
  c:\users\admin\appdata\local\temp\easpi.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll

PID: 4892
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID: 7164
CMD: "C:\Users\admin\AppData\Local\Temp\lzkkz.exe" evil
Path: C:\Users\admin\AppData\Local\Temp\lzkkz.exe
Parent process: easpi.exe
User: admin
Integrity Level: MEDIUM
Description: TestSample4EDRO
Exit code: 3762504530 (0xE0434352, the status code of an unhandled .NET CLR exception)
Version: 1.0.0.0
Modules (Images):
  c:\users\admin\appdata\local\temp\lzkkz.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\mscoree.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
Total events: 4 253
Read events: 4 238
Write events: 15
Delete events: 0

Modification events

(PID) Process: (2248) easpi.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: sw_test
Value: "C:\Users\admin\AppData\Local\Temp\lzkkz.exe" evil

(PID) Process: (7164) lzkkz.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\lzkkz_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7164) lzkkz.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\lzkkz_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (7164) lzkkz.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\lzkkz_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (7164) lzkkz.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\lzkkz_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (7164) lzkkz.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\lzkkz_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (7164) lzkkz.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\lzkkz_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (7164) lzkkz.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\lzkkz_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (7164) lzkkz.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\lzkkz_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7164) lzkkz.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\lzkkz_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files: 1
Suspicious files: 3
Text files: 4
Unknown types: 1

Dropped files

PID: 2384  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_lzkkz.exe_3860c45cb22148bb717ea51dfacdd267ef63d22_05f633b0_b33eb028-ab18-4cd6-84c5-738c481131dc\Report.wer
Type:
MD5:
SHA256:

PID: 2384  Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\lzkkz.exe.7164.dmp
Type:
MD5:
SHA256:

PID: 7164  Process: lzkkz.exe
Filename: C:\Users\admin\AppData\Local\Temp\droppedfile2
Type: text
MD5: F90DF6D224E2EEC26467FB445F8BE449
SHA256: ED07376C6493E19A65BEFFCB63E2775B1EF016BC9839250582AC20E5C7BE086E

PID: 2384  Process: WerFault.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785
Type: der
MD5: 1B7FD5177461034E4086724C5845E927
SHA256: 065AF18C229898A1C2A8D989911ADCD9B1E2AB14B1953EBF8EAF34AE37EA1627

PID: 2248  Process: easpi.exe
Filename: C:\Users\admin\AppData\Local\Temp\lzkkz.exe
Type: executable
MD5: 7C7682297145B07DA60CF6A24CED364A
SHA256: 24AC4DFFEBDF73068483BDE3D7E201FDC46957811B0C9CCB5235C6C60452BC17

PID: 2384  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER60CA.tmp.dmp
Type: binary
MD5: CCA786D4F5D0A4ED5FB70864AFADB6D3
SHA256: 86366403ACF8B8B3BE1E96A7FAFEC0173C2C92977B7AEEBC8296807CAB619AAB

PID: 2384  Process: WerFault.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Type: binary
MD5: FB64A9EBEDF48D3895381D5B7D80743D
SHA256: EA21D495930AD76F267A33A0F593DBF0C7EA75E457FCAE49A29DAAD8BD920F42

PID: 7164  Process: lzkkz.exe
Filename: C:\Users\admin\AppData\Local\Temp\droppedfile1
Type: text
MD5: E00E8EA3D332D9E563A769C4ACCC1093
SHA256: 11C4391895C7CEF780CF2909EAC58F76CCB131CFEF26B89E94B2DB323FAE724A

PID: 2384  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER637C.tmp.xml
Type: xml
MD5: 02E00AAA6FF9A58EB7FCBB641450A4D1
SHA256: A68419B425721EC0AAEC51614F7AE283F2626D8A278AB8BF77EF1C875C620C60

PID: 2384  Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER633C.tmp.WERInternalMetadata.xml
Type: xml
MD5: 1A3D16F1AB53F85D7E209D23C58D0894
SHA256: 642294CF39D112C9C1CA10C4E94414792DC990F3180C47D1C15D869806FFD152
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 52
DNS requests: 21
Threats: 0

HTTP requests

Rows with an empty PID/Process cell were grouped under the preceding process in the original table.

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7164 | lzkkz.exe | GET | 200 | 93.184.215.14:80 | http://example.com/ | US | html | 1.23 Kb | whitelisted
 |  | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted
3448 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted
7164 | lzkkz.exe | GET | 301 | 185.85.15.34:80 | http://kaspersky.com/ | DE | html | 149 b | whitelisted
 |  | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
2384 | WerFault.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted
3448 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 407 b | whitelisted
3800 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted

Connections

Rows with an empty PID/Process cell were grouped under the preceding process in the original table; empty Domain/ASN/CN cells were empty in the original.

PID | Process | IP | Domain | ASN | CN | Reputation
5000 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
 |  | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 |  | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 |  |  |  | whitelisted
 |  | 23.213.166.81:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
 |  | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 |  | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4516 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 |  | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.75
  • 20.190.159.23
  • 40.126.31.67
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.68
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
example.com
  • 93.184.215.14
whitelisted
kaspersky.com
  • 185.85.15.34
whitelisted
www.kaspersky.com
  • 185.85.15.46
whitelisted

Threats

No threats detected
No debug info