download:

/kevinhosting/PcDocPro_Setup.exe

Full analysis: https://app.any.run/tasks/7d6578fe-8f33-44f3-8d37-04991bf4e048
Verdict: Malicious activity
Analysis date: December 24, 2023, 02:31:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 439977B067B5A4C3A99B60FE61EDFBE6
SHA1: 4DA09B1C1BF611473DAAA667A53054CF91ED307F
SHA256: 32F17D029190B977F69B108D6BDA35B6D13EA97A63B7CF675475912E5C432315
SSDEEP: 98304:F9Jpz4gMNjlFccuF6/wFT96zPimnU9gBCYcCulXyP0RPDLruRV9gJt0kJU9HamRB:kezAeapMmb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • d_PcDocPro_Setup.tmp (PID: 784)
    • Actions look like stealing of personal data

      • PC Doc Pro.exe (PID: 1236)
  • SUSPICIOUS

    • Reads the Internet Settings

      • PcDocPro_Setup.exe (PID: 2408)
      • PC Doc Pro.exe (PID: 1236)
    • Reads the Windows owner or organization settings

      • d_PcDocPro_Setup.tmp (PID: 784)
    • Detected use of alternative data streams (AltDS)

      • PC Doc Pro.exe (PID: 1236)
    • Searches for installed software

      • PC Doc Pro.exe (PID: 1236)
    • Reads Microsoft Outlook installation path

      • PC Doc Pro.exe (PID: 1236)
    • Checks the default browser

      • PC Doc Pro.exe (PID: 1236)
    • Checks for Java to be installed

      • PC Doc Pro.exe (PID: 1236)
    • Reads the BIOS version

      • PC Doc Pro.exe (PID: 1236)
    • Reads Mozilla Firefox installation path

      • PC Doc Pro.exe (PID: 1236)
  • INFO

    • Checks supported languages

      • PcDocPro_Setup.exe (PID: 2408)
      • d_PcDocPro_Setup.exe (PID: 668)
      • d_PcDocPro_Setup.tmp (PID: 784)
      • PC Doc Pro.exe (PID: 1236)
    • Drops the executable file immediately after the start

      • PcDocPro_Setup.exe (PID: 2408)
      • d_PcDocPro_Setup.exe (PID: 668)
      • d_PcDocPro_Setup.tmp (PID: 784)
    • Reads the computer name

      • PcDocPro_Setup.exe (PID: 2408)
      • d_PcDocPro_Setup.tmp (PID: 784)
      • PC Doc Pro.exe (PID: 1236)
    • Checks proxy server information

      • PcDocPro_Setup.exe (PID: 2408)
      • PC Doc Pro.exe (PID: 1236)
    • Creates files or folders in the user directory

      • PcDocPro_Setup.exe (PID: 2408)
      • d_PcDocPro_Setup.tmp (PID: 784)
    • Creates files in a temporary directory

      • PcDocPro_Setup.exe (PID: 2408)
      • d_PcDocPro_Setup.exe (PID: 668)
      • d_PcDocPro_Setup.tmp (PID: 784)
    • Process drops legitimate windows executable

      • d_PcDocPro_Setup.tmp (PID: 784)
    • Creates files in the program directory

      • d_PcDocPro_Setup.tmp (PID: 784)
    • Reads the machine GUID from the registry

      • PC Doc Pro.exe (PID: 1236)
    • Process checks computer location settings

      • PC Doc Pro.exe (PID: 1236)
    • Reads mouse settings

      • PC Doc Pro.exe (PID: 1236)
    • Reads CPU info

      • PC Doc Pro.exe (PID: 1236)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2004:09:10 00:10:25+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7.1
CodeSize: 28672
InitializedDataSize: 40960
UninitializedDataSize: -
EntryPoint: 0x3097
OSVersion: 4
ImageVersion: 2884.68
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: PCDocPro.com
FileDescription: PC Doc Pro v5 Setup
FileVersion:
LegalCopyright: Copyright © 2009-2011 PCDocPro.com
ProductName: PC Doc Pro v5
ProductVersion: 5.0
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree (parent/child relationships taken from the process information below; "no specs" marks processes without specific indicators):
start
  pcdocpro_setup.exe
    d_pcdocpro_setup.exe (no specs)
      d_pcdocpro_setup.tmp (no specs)
        regsvr32.exe (no specs)
        regsvr32.exe (no specs)
        pc doc pro.exe
  vssvc.exe (no specs)
  SPPSurrogate (no specs)
  pcdocpro_setup.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 128
CMD: "C:\Users\admin\AppData\Roaming\PcDocPro_Setup.exe"
Path: C:\Users\admin\AppData\Roaming\PcDocPro_Setup.exe
Parent process: explorer.exe
User: admin
Company: PCDocPro.com
Integrity Level: MEDIUM
Description: PC Doc Pro v5 Setup
Exit code: 3221226540
Version:
Modules (Images):
c:\users\admin\appdata\roaming\pcdocpro_setup.exe
c:\windows\system32\ntdll.dll

PID: 668
CMD: C:\Users\admin\AppData\Local\Temp\ESWFC91.tmp\d_PcDocPro_Setup.exe
Path: C:\Users\admin\AppData\Local\Temp\ESWFC91.tmp\d_PcDocPro_Setup.exe
Parent process: PcDocPro_Setup.exe
User: admin
Company: PCDocPro.com
Integrity Level: HIGH
Description: PC Doc Pro v5 Setup
Exit code: 0
Version:
Modules (Images):
c:\users\admin\appdata\local\temp\eswfc91.tmp\d_pcdocpro_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 784
CMD: "C:\Users\admin\AppData\Local\Temp\is-FOGUC.tmp\d_PcDocPro_Setup.tmp" /SL5="$401AA,4115786,76288,C:\Users\admin\AppData\Local\Temp\ESWFC91.tmp\d_PcDocPro_Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-FOGUC.tmp\d_PcDocPro_Setup.tmp
Parent process: d_PcDocPro_Setup.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-foguc.tmp\d_pcdocpro_setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll

PID: 1236
CMD: "C:\Program Files\PC Doc Pro v5\PC Doc Pro.exe"
Path: C:\Program Files\PC Doc Pro v5\PC Doc Pro.exe
Parent process: d_PcDocPro_Setup.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 5.0.0.60
Modules (Images):
c:\program files\pc doc pro v5\pc doc pro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

PID: 1604
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\PC Doc Pro v5\eWebClient.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: d_PcDocPro_Setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 1772
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\PC Doc Pro v5\eWebControl365.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: d_PcDocPro_Setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2408
CMD: "C:\Users\admin\AppData\Roaming\PcDocPro_Setup.exe"
Path: C:\Users\admin\AppData\Roaming\PcDocPro_Setup.exe
Parent process: explorer.exe
User: admin
Company: PCDocPro.com
Integrity Level: HIGH
Description: PC Doc Pro v5 Setup
Exit code: 1
Version:
Modules (Images):
c:\users\admin\appdata\roaming\pcdocpro_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

PID: 2448
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2564
CMD: C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Total events: 612 854
Read events: 612 840
Write events: 14
Delete events: 0

Modification events

(PID) Process: (2408) PcDocPro_Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2408) PcDocPro_Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1236) PC Doc Pro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1236) PC Doc Pro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1236) PC Doc Pro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1236) PC Doc Pro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1236) PC Doc Pro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (1236) PC Doc Pro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1236) PC Doc Pro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1236) PC Doc Pro.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Executable files: 22
Suspicious files: 8
Text files: 22
Unknown types: 0

Dropped files

PID: 2408 | Process: PcDocPro_Setup.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\ESWFC91.tmp\d_PcDocPro_Setup.exe
MD5: 338B3BEFEB7EB9032B6EFEC99D45DDB1
SHA256: 68BAC357C0802477C5352995B3FD326D066EA43F2F60150EDE4E89A6262CD8A5

PID: 2408 | Process: PcDocPro_Setup.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\SNVS0BVC.txt
MD5: 48701A04E30672BBD81DC14A2E26B741
SHA256: D201CA6274A3551CE84C9E5ADC89CF0F654C6779CDD6A810C05B48C64A60840C

PID: 784 | Process: d_PcDocPro_Setup.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-SB51H.tmp\_isetup\_RegDLL.tmp
MD5: 0EE914C6F0BB93996C75941E1AD629C6
SHA256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2

PID: 784 | Process: d_PcDocPro_Setup.tmp | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-SB51H.tmp\_isetup\_shfoldr.dll
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

PID: 784 | Process: d_PcDocPro_Setup.tmp | Type: executable
Filename: C:\Program Files\PC Doc Pro v5\is-QJLB4.tmp
MD5: DDE5047B70C4484A010CBF320249897E
SHA256: FA415805BBC52F591E83C539CCAA31BC6A394DACACA524F1BD3722F711AFD166

PID: 668 | Process: d_PcDocPro_Setup.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\is-FOGUC.tmp\d_PcDocPro_Setup.tmp
MD5: DDE5047B70C4484A010CBF320249897E
SHA256: FA415805BBC52F591E83C539CCAA31BC6A394DACACA524F1BD3722F711AFD166

PID: 784 | Process: d_PcDocPro_Setup.tmp | Type: executable
Filename: C:\Program Files\PC Doc Pro v5\unins000.exe
MD5: DDE5047B70C4484A010CBF320249897E
SHA256: FA415805BBC52F591E83C539CCAA31BC6A394DACACA524F1BD3722F711AFD166

PID: 784 | Process: d_PcDocPro_Setup.tmp | Type: executable
Filename: C:\Program Files\PC Doc Pro v5\is-LD7GV.tmp
MD5: 568DDC18DCA2DCF7146F8F8E8C357CD3
SHA256: EE418EB5E14A3CB438F5B822E4E7E50F7FD705ED887D06976E847D841AEE4179

PID: 784 | Process: d_PcDocPro_Setup.tmp | Type: xml
Filename: C:\Program Files\PC Doc Pro v5\PC Doc Pro.exe.manifest
MD5: 29D5B1B179C25497AC77DD7BE90E0E44
SHA256: C050D3533A8F639DDB7B75B450C6C87230114FADECFCD4AB3BE6D8E7FD7535A5

PID: 784 | Process: d_PcDocPro_Setup.tmp | Type: executable
Filename: C:\Program Files\PC Doc Pro v5\is-U1BH8.tmp
MD5: 7879353680BC8E76BE614269E52D3BF8
SHA256: 5875B9FA9B362D97F7175F49312B164EA7585944BF2D172FA754F67723C0B774

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 5
DNS requests: 3
Threats: 0

HTTP requests

PID: 1236
Process: PC Doc Pro.exe
Method: GET
HTTP Code: 404
IP: 192.232.249.186:80
URL: http://www.powertips.net/update/pcdocpro/version.dat
CN: unknown
Type: html
Size: 462 b
Reputation: unknown

Connections

PID: 4 | Process: System | IP: 192.168.100.255:138 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Domain: - | ASN: - | CN: - | Reputation: unknown
PID: 1236 | Process: PC Doc Pro.exe | IP: 192.232.249.186:80 | Domain: www.powertips.net | ASN: UNIFIEDLAYER-AS-1 | CN: US | Reputation: unknown

DNS requests

Domain: www.powertips.net | IP: 192.232.249.186 | Reputation: unknown
Domain: dns.msftncsi.com | IP: 131.107.255.255 | Reputation: shared
Domain: store.esellerate.net | IP: 34.218.161.134 | Reputation: unknown

Threats

No threats detected
No debug info