File name: nextrp.exe

Full analysis: https://app.any.run/tasks/eb0e5a5b-21ae-4410-a5e6-d33b6de722c2
Verdict: Malicious activity
Analysis date: May 18, 2024, 18:46:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: C2B3D43AD2E38430507FA416B91F3B21
SHA1: BA3D0D190AD9B9E05CBA2E7FC0118950C17BF7A2
SHA256: 562B0434D8F225C6D9696CD62CB4C562598250972AC2EBDE6560DDD75704406E
SSDEEP: 6144:qbjEyARGAAmKDABAnEyALGAAmKDARAWOh5G:C7Ac7A+h5G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • nextrp.exe (PID: 3984)
      • nextrp-launcher.exe (PID: 1112)
  • SUSPICIOUS

    • Reads the Internet Settings

      • nextrp.exe (PID: 3984)
    • Executable content was dropped or overwritten

      • nextrp-launcher.exe (PID: 1112)
    • Reads security settings of Internet Explorer

      • nextrp.exe (PID: 3984)
    • Drops 7-zip archiver for unpacking

      • nextrp-launcher.exe (PID: 1112)
    • Process drops python dynamic module

      • nextrp-launcher.exe (PID: 1112)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • nextrp-launcher.exe (PID: 1112)
    • Reads settings of System Certificates

      • nextrp.exe (PID: 3984)
    • The process creates files with name similar to system file names

      • nextrp-launcher.exe (PID: 1112)
  • INFO

    • Checks supported languages

      • nextrp.exe (PID: 3984)
      • nextrp-launcher.exe (PID: 1112)
      • wmpnscfg.exe (PID: 4084)
    • Reads the computer name

      • nextrp.exe (PID: 3984)
      • wmpnscfg.exe (PID: 4084)
      • nextrp-launcher.exe (PID: 1112)
    • Create files in a temporary directory

      • nextrp.exe (PID: 3984)
      • nextrp-launcher.exe (PID: 1112)
    • Reads the machine GUID from the registry

      • nextrp.exe (PID: 3984)
    • Reads Environment values

      • nextrp.exe (PID: 3984)
    • Disables trace logs

      • nextrp.exe (PID: 3984)
    • Reads the software policy settings

      • nextrp.exe (PID: 3984)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 4084)
    • Creates files in the program directory

      • nextrp-launcher.exe (PID: 1112)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2051:04:21 13:59:32+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 137216
InitializedDataSize: 132608
UninitializedDataSize: -
EntryPoint: 0x2368a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: nextrp
FileVersion: 1.0.0.0
InternalName: NEXTRP.exe
LegalCopyright: Copyright © 2021
LegalTrademarks: -
OriginalFileName: NEXTRP.exe
ProductName: nextrp
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> nextrp.exe, wmpnscfg.exe (no specs), nextrp-launcher.exe

Process information

PID: 1112
CMD: "C:\Users\admin\AppData\Local\Temp\nextrp-launcher.exe" /n
Path: C:\Users\admin\AppData\Local\Temp\nextrp-launcher.exe
Parent process: nextrp.exe
User: admin
Company: IP Lipatnikov Matvey Nikolaevich
Integrity Level: HIGH
Description: NEXTRP Launcher
Version: 2023.5.16
Modules (Images):
c:\users\admin\appdata\local\temp\nextrp-launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 3984
CMD: "C:\Users\admin\AppData\Local\Temp\nextrp.exe"
Path: C:\Users\admin\AppData\Local\Temp\nextrp.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: nextrp
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\nextrp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 4084
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 8 689
Read events: 8 652
Write events: 37
Delete events: 0

Modification events

Process: nextrp.exe (PID 3984)
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: nextrp.exe

Process: nextrp.exe (PID 3984)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: nextrp.exe (PID 3984)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: nextrp.exe (PID 3984)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process: nextrp.exe (PID 3984)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Process: nextrp.exe (PID 3984)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Process: nextrp.exe (PID 3984)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

Process: nextrp.exe (PID 3984)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

Process: nextrp.exe (PID 3984)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0

Process: nextrp.exe (PID 3984)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASMANCS
Operation: write
Name: FileTracingMask
Value:
Executable files: 9
Suspicious files: 6
Text files: 508
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3984 | nextrp.exe | C:\Users\admin\AppData\Local\Temp\nextrp-launcher.exe.temp |
MD5:
SHA256:
3984 | nextrp.exe | C:\Users\admin\AppData\Local\Temp\nextrp-launcher.exe |
MD5:
SHA256:
1112 | nextrp-launcher.exe | C:\Users\admin\AppData\Local\Temp\nss86A.tmp\app-32.7z |
MD5:
SHA256:
1112 | nextrp-launcher.exe | C:\Program Files\NEXTRP Launcher\extras\icons\favicon.png |
MD5:
SHA256:
1112 | nextrp-launcher.exe | C:\Users\admin\AppData\Local\Temp\nss86A.tmp\System.dll | executable
MD5: 0D7AD4F45DC6F5AA87F606D0331C6901
SHA256: 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
1112 | nextrp-launcher.exe | C:\Program Files\NEXTRP Launcher\extras\icons\512x512.png | image
MD5: 53CE6ED7E554FE5B396C0B1FD34CB6BB
SHA256: 1479F8CD0F4D630958EA3632687BB8F17F64256039E340B7C83E31AE7F20FA32
1112 | nextrp-launcher.exe | C:\Program Files\NEXTRP Launcher\chrome_100_percent.pak | pgc
MD5: A59EA69D64BF4F748401DC5A46A65854
SHA256: F1A935DB8236203CBC1DCBB9672D98E0BD2FA514429A3F2F82A26E0EB23A4FF9
1112 | nextrp-launcher.exe | C:\Program Files\NEXTRP Launcher\extras\icons\64x64.png | image
MD5: FD69CD1F23840CA76F106B07DB617DC6
SHA256: 535933A5EEAF2F80CDAD43DEF271481BEBBCD97B047A8D0A1285FF9F123C1F9E
1112 | nextrp-launcher.exe | C:\Program Files\NEXTRP Launcher\chrome_200_percent.pak | binary
MD5: 1985B8FC603DB4D83DF72CFAEEAC7C50
SHA256: 7F9DED50D81C50F9C6ED89591FA621FABBD45CEF150C8AABCCEB3B7A9DE5603B
1112 | nextrp-launcher.exe | C:\Users\admin\AppData\Local\Temp\nss86A.tmp\SpiderBanner.dll | executable
MD5: 17309E33B596BA3A5693B4D3E85CF8D7
SHA256: 996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3984 | nextrp.exe | 89.248.192.205:443 | download.gamecluster.nextrp.ru | OOO Network of data-centers Selectel | RU | unknown

DNS requests

Domain | IP | Reputation
download.gamecluster.nextrp.ru | 89.248.192.205, 5.182.4.196 | unknown

Threats

No threats detected
No debug info