File name: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3

Full analysis: https://app.any.run/tasks/e200dfbb-acbe-4443-980a-fbf091ac5b1f
Verdict: Malicious activity
Analysis date: October 05, 2022, 07:24:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: CC2501714328E4103A82FD9A0585855C
SHA1: A9B6B96B24BF5983B9BF67DF165CA2ABCF221CBF
SHA256: 30A531DAA107C2AC749E111D5F8F7CE4C4DFE9CA6E36B7EF26FF1E7048219CD3
SSDEEP: 6144:/OB+pgUtGGGGGGbGGGGGzGGGGGRGGGGGGUGGGGGGG+GGGGGGzGGGGGGBGGGGGGGI:WgYJToCI54QCdMo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe (PID: 3068)
    • Drops the executable file immediately after the start

      • 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe (PID: 3068)
  • SUSPICIOUS

    • Drops a file with too old compile date

      • 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe (PID: 3068)
    • Executes PowerShell scripts

      • nsBF1D.tmp (PID: 1116)
      • nsC076.tmp (PID: 1616)
      • nsC6E4.tmp (PID: 2596)
      • nsC82D.tmp (PID: 2372)
      • nsC1BF.tmp (PID: 2464)
      • nsC308.tmp (PID: 3116)
      • nsC451.tmp (PID: 2432)
      • nsC59A.tmp (PID: 2188)
      • nsCC08.tmp (PID: 552)
      • nsCD51.tmp (PID: 1968)
      • nsD12D.tmp (PID: 2900)
      • nsCE9A.tmp (PID: 3876)
      • nsD3BF.tmp (PID: 3872)
      • nsCFE3.tmp (PID: 420)
      • nsD276.tmp (PID: 3312)
      • nsD508.tmp (PID: 3852)
      • nsC976.tmp (PID: 3664)
      • nsCABF.tmp (PID: 2340)
      • nsD79A.tmp (PID: 3048)
      • nsD651.tmp (PID: 2472)
      • nsDA2C.tmp (PID: 2880)
      • nsD8E3.tmp (PID: 4024)
      • nsDB76.tmp (PID: 3700)
      • nsDCBF.tmp (PID: 1260)
      • nsDE08.tmp (PID: 672)
      • nsDF51.tmp (PID: 680)
      • nsE09A.tmp (PID: 1712)
      • nsE32C.tmp (PID: 684)
      • nsE475.tmp (PID: 2356)
      • nsE708.tmp (PID: 2560)
      • nsE851.tmp (PID: 3748)
      • nsE99A.tmp (PID: 2888)
      • nsEAE3.tmp (PID: 3556)
      • nsEC2C.tmp (PID: 832)
      • nsED75.tmp (PID: 2192)
      • nsE1E3.tmp (PID: 3712)
      • nsE5BF.tmp (PID: 3248)
      • nsEEBE.tmp (PID: 2696)
      • nsF008.tmp (PID: 1096)
      • nsF151.tmp (PID: 2268)
      • nsF3E3.tmp (PID: 2960)
      • nsF29A.tmp (PID: 1240)
      • nsF675.tmp (PID: 2312)
      • nsF52C.tmp (PID: 860)
      • nsF7BE.tmp (PID: 2008)
      • nsF907.tmp (PID: 3244)
      • ns5E3.tmp (PID: 2164)
      • ns350.tmp (PID: 1388)
      • nsBE.tmp (PID: 3876)
      • nsFE2C.tmp (PID: 2408)
      • ns207.tmp (PID: 2976)
      • nsFF75.tmp (PID: 1996)
      • nsFCE3.tmp (PID: 2260)
      • nsFB9A.tmp (PID: 2388)
      • nsFA51.tmp (PID: 3920)
      • ns49A.tmp (PID: 4076)
      • ns875.tmp (PID: 2512)
      • ns9BE.tmp (PID: 3504)
      • nsB07.tmp (PID: 508)
      • nsC50.tmp (PID: 872)
      • nsD99.tmp (PID: 3104)
      • nsEE3.tmp (PID: 452)
      • ns102C.tmp (PID: 420)
      • ns72C.tmp (PID: 3072)
      • ns1175.tmp (PID: 676)
      • ns1407.tmp (PID: 3660)
      • ns1699.tmp (PID: 1400)
      • ns1550.tmp (PID: 2220)
      • ns17E2.tmp (PID: 2476)
      • ns192C.tmp (PID: 3804)
      • ns1A75.tmp (PID: 3800)
      • ns1D07.tmp (PID: 1264)
      • ns12BE.tmp (PID: 3312)
      • ns1BBE.tmp (PID: 2212)
    • Starts application with an unusual extension

      • 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe (PID: 3068)
    • Executable content was dropped or overwritten

      • 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe (PID: 3068)
  • INFO

    • Process checks LSA protection

      • 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe (PID: 3068)
    • Reads the computer name

      • 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe (PID: 3068)
    • Checks supported languages

      • 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe (PID: 3068)
      • nsBF1D.tmp (PID: 1116)
      • nsC076.tmp (PID: 1616)
      • nsC59A.tmp (PID: 2188)
      • nsC6E4.tmp (PID: 2596)
      • nsC82D.tmp (PID: 2372)
      • nsC1BF.tmp (PID: 2464)
      • nsC308.tmp (PID: 3116)
      • nsC451.tmp (PID: 2432)
      • nsCC08.tmp (PID: 552)
      • nsCD51.tmp (PID: 1968)
      • nsCE9A.tmp (PID: 3876)
      • nsCFE3.tmp (PID: 420)
      • nsD12D.tmp (PID: 2900)
      • nsD276.tmp (PID: 3312)
      • nsD3BF.tmp (PID: 3872)
      • nsC976.tmp (PID: 3664)
      • nsCABF.tmp (PID: 2340)
      • nsD651.tmp (PID: 2472)
      • nsD79A.tmp (PID: 3048)
      • nsD8E3.tmp (PID: 4024)
      • nsDCBF.tmp (PID: 1260)
      • nsDA2C.tmp (PID: 2880)
      • nsDB76.tmp (PID: 3700)
      • nsDF51.tmp (PID: 680)
      • nsDE08.tmp (PID: 672)
      • nsE09A.tmp (PID: 1712)
      • nsD508.tmp (PID: 3852)
      • nsE1E3.tmp (PID: 3712)
      • nsE32C.tmp (PID: 684)
      • nsE708.tmp (PID: 2560)
      • nsE475.tmp (PID: 2356)
      • nsE5BF.tmp (PID: 3248)
      • nsE851.tmp (PID: 3748)
      • nsE99A.tmp (PID: 2888)
      • nsEAE3.tmp (PID: 3556)
      • nsEC2C.tmp (PID: 832)
      • nsED75.tmp (PID: 2192)
      • nsEEBE.tmp (PID: 2696)
      • nsF151.tmp (PID: 2268)
      • nsF008.tmp (PID: 1096)
      • nsF29A.tmp (PID: 1240)
      • nsF675.tmp (PID: 2312)
      • nsF3E3.tmp (PID: 2960)
      • nsF52C.tmp (PID: 860)
      • nsF7BE.tmp (PID: 2008)
      • ns350.tmp (PID: 1388)
      • ns49A.tmp (PID: 4076)
      • ns207.tmp (PID: 2976)
      • nsFF75.tmp (PID: 1996)
      • nsBE.tmp (PID: 3876)
      • nsFE2C.tmp (PID: 2408)
      • nsFCE3.tmp (PID: 2260)
      • nsFB9A.tmp (PID: 2388)
      • nsFA51.tmp (PID: 3920)
      • nsF907.tmp (PID: 3244)
      • ns5E3.tmp (PID: 2164)
      • ns72C.tmp (PID: 3072)
      • ns9BE.tmp (PID: 3504)
      • nsB07.tmp (PID: 508)
      • nsC50.tmp (PID: 872)
      • nsEE3.tmp (PID: 452)
      • nsD99.tmp (PID: 3104)
      • ns102C.tmp (PID: 420)
      • ns1175.tmp (PID: 676)
      • ns875.tmp (PID: 2512)
      • ns1550.tmp (PID: 2220)
      • ns1407.tmp (PID: 3660)
      • ns17E2.tmp (PID: 2476)
      • ns1699.tmp (PID: 1400)
      • ns1A75.tmp (PID: 3800)
      • ns192C.tmp (PID: 3804)
      • ns1BBE.tmp (PID: 2212)
      • ns12BE.tmp (PID: 3312)
      • ns1D07.tmp (PID: 1264)
    • Creates files in the user directory

      • 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe (PID: 3068)
    • Creates a file in a temporary directory

      • 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe (PID: 3068)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2016-Jul-09 04:21:41
Detected languages:
  • English - United States
Comments: Duchies Traumatiserede Skags
CompanyName: Finanskoncerner Epiblemata
LegalCopyright: magtapparaternes
OriginalFilename: Quentise.exe

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 200

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2016-Jul-09 04:21:41
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 24925 | 25088 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45023
.rdata | 32768 | 5028 | 5120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.163
.data | 40960 | 131896 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.9824
.ndata | 176128 | 212992 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.rsrc | 389120 | 95384 | 95744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.09142

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.82668 | 67624 | UNKNOWN | English - United States | RT_ICON
2 | 4.10893 | 9640 | UNKNOWN | English - United States | RT_ICON
3 | 4.42221 | 4264 | UNKNOWN | English - United States | RT_ICON
4 | 5.11785 | 3752 | UNKNOWN | English - United States | RT_ICON
5 | 4.57498 | 2440 | UNKNOWN | English - United States | RT_ICON
6 | 5.69865 | 2216 | UNKNOWN | English - United States | RT_ICON
7 | 3.52983 | 1384 | UNKNOWN | English - United States | RT_ICON
8 | 4.86078 | 1128 | UNKNOWN | English - United States | RT_ICON
103 | 2.89179 | 118 | UNKNOWN | English - United States | RT_GROUP_ICON
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
Total processes: 256
Monitored processes: 149
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[Behavior graph: only the node labels survive extraction. The chain is start -> 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe -> nsXXXX.tmp -> powershell.exe, repeated once for each nsXXXX.tmp stub listed under "Executes PowerShell scripts" (nsbf1d.tmp through ns1d07.tmp); every nsXXXX.tmp and powershell.exe node is marked "no specs" in the graph.]

Process information

PID: 420
CMD: "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsCFE3.tmp" powershell.exe 0x932CFCDE -bxor -1287267094
Path: C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsCFE3.tmp
Parent process: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsqbf1c.tmp\nscfe3.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 420
CMD: "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\ns102C.tmp" powershell.exe 0x8077E6D0 -bxor -1287267094
Path: C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\ns102C.tmp
Parent process: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsqbf1c.tmp\ns102c.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 452
CMD: "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsEE3.tmp" powershell.exe 0xC636B998 -bxor -1287267094
Path: C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsEE3.tmp
Parent process: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsqbf1c.tmp\nsee3.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 508
CMD: "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsB07.tmp" powershell.exe 0x8369FC83 -bxor -1287267094
Path: C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsB07.tmp
Parent process: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsqbf1c.tmp\nsb07.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 552
CMD: "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsCC08.tmp" powershell.exe 0x8369FC83 -bxor -1287267094
Path: C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsCC08.tmp
Parent process: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsqbf1c.tmp\nscc08.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 672
CMD: "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsDE08.tmp" powershell.exe 0xDC26F483 -bxor -1287267094
Path: C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsDE08.tmp
Parent process: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsqbf1c.tmp\nsde08.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 676
CMD: "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\ns1175.tmp" powershell.exe 0xF024B086 -bxor -1287267094
Path: C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\ns1175.tmp
Parent process: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsqbf1c.tmp\ns1175.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 680
CMD: "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsDF51.tmp" powershell.exe 0x8369B5CA -bxor -1287267094
Path: C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsDF51.tmp
Parent process: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsqbf1c.tmp\nsdf51.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll

PID: 684
CMD: "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsE32C.tmp" powershell.exe 0x9F65B5CA -bxor -1287267094
Path: C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsE32C.tmp
Parent process: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsqbf1c.tmp\nse32c.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 832
CMD: "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsEC2C.tmp" powershell.exe 0xF609EFD8 -bxor -1287267094
Path: C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsEC2C.tmp
Parent process: 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\nsqbf1c.tmp\nsec2c.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Total events: 39 705
Read events: 39 122
Write events: 583
Delete events: 0

Modification events

(PID) Process: (3068) 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe
Key: HKEY_CURRENT_USER\Software\Aphrodision
Operation: write
Name: Inaktiv
Value: 177FBB

Executable files: 77
Suspicious files: 149
Text files: 19
Unknown types: 3

Dropped files

PID | Process | Filename | Type
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\anordn.lnk | lnk
MD5:
SHA256:
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\Seepages.Lut150 | text
MD5:
SHA256:
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Slippes2.lnk | lnk
MD5:
SHA256:
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\Furore.Sam | binary
MD5:
SHA256:
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\albaers\edit-cut-symbolic.symbolic.png | image
MD5: 210D66BD3EC2B1C70273BCE31329B704
SHA256: AD2FBD2980BC5BE294AD129586637E00BDF0B12FB4169FDD185F948F1B079BDD
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\albaers\down_arrow.png | image
MD5: 19138B7C5468614995847BF551B4ABB1
SHA256: B7BA50492D938A0D97577A10865B9303FAE81DBA5E7F122C58AFADBB0A4F3E51
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\krabber\media-playback-pause.png | image
MD5: 7F30A8FB072E902D6324B3F4927C0DD6
SHA256: CCE1279DA9BE980240C57A2EEB8EE224747E48971CA3013D194EA0E877715C91
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\krabber\folderviewimpl.dll.mui | html
MD5: 5343C1A8B203C162A3BF3870D9F50FD4
SHA256: DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\Ridderbegrebets\Nuncupate\Diskless\Fyringsanlg\battery-level-0-symbolic.symbolic.png | image
MD5: 8126688C9FBFDD9F0959A1435E06F341
SHA256: E6A5DAC292EEFD8F2644264B020FCB9FDA0F0CBA2AFCC132E15E59D102EEB07B
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\krabber\input-dialpad-symbolic.svg | image
MD5: 5962EAF3FCC1E65C4AAE4FD4BC3C2BDC
SHA256: DA00272A04F9705429148A623720F14CCCD36893AAE1F00D6EA9885922950720

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info