File name: nextrp.exe

Full analysis: https://app.any.run/tasks/eb0e5a5b-21ae-4410-a5e6-d33b6de722c2
Verdict: Malicious activity
Analysis date: May 18, 2024, 18:46:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: C2B3D43AD2E38430507FA416B91F3B21
SHA1: BA3D0D190AD9B9E05CBA2E7FC0118950C17BF7A2
SHA256: 562B0434D8F225C6D9696CD62CB4C562598250972AC2EBDE6560DDD75704406E
SSDEEP: 6144:qbjEyARGAAmKDABAnEyALGAAmKDARAWOh5G:C7Ac7A+h5G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • nextrp.exe (PID: 3984)
      • nextrp-launcher.exe (PID: 1112)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • nextrp.exe (PID: 3984)
    • Reads the Internet Settings

      • nextrp.exe (PID: 3984)
    • Reads security settings of Internet Explorer

      • nextrp.exe (PID: 3984)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • nextrp-launcher.exe (PID: 1112)
    • Executable content was dropped or overwritten

      • nextrp-launcher.exe (PID: 1112)
    • The process creates files with name similar to system file names

      • nextrp-launcher.exe (PID: 1112)
    • Drops 7-zip archiver for unpacking

      • nextrp-launcher.exe (PID: 1112)
    • Process drops python dynamic module

      • nextrp-launcher.exe (PID: 1112)
  • INFO

    • Checks supported languages

      • nextrp.exe (PID: 3984)
      • wmpnscfg.exe (PID: 4084)
      • nextrp-launcher.exe (PID: 1112)
    • Reads the computer name

      • nextrp.exe (PID: 3984)
      • wmpnscfg.exe (PID: 4084)
      • nextrp-launcher.exe (PID: 1112)
    • Disables trace logs

      • nextrp.exe (PID: 3984)
    • Reads the machine GUID from the registry

      • nextrp.exe (PID: 3984)
    • Reads the software policy settings

      • nextrp.exe (PID: 3984)
    • Create files in a temporary directory

      • nextrp.exe (PID: 3984)
      • nextrp-launcher.exe (PID: 1112)
    • Reads Environment values

      • nextrp.exe (PID: 3984)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 4084)
    • Creates files in the program directory

      • nextrp-launcher.exe (PID: 1112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2051:04:21 13:59:32+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 137216
InitializedDataSize: 132608
UninitializedDataSize: -
EntryPoint: 0x2368a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: nextrp
FileVersion: 1.0.0.0
InternalName: NEXTRP.exe
LegalCopyright: Copyright © 2021
LegalTrademarks: -
OriginalFileName: NEXTRP.exe
ProductName: nextrp
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: nextrp.exe, wmpnscfg.exe (no specs), nextrp-launcher.exe (per-process details are in the full report)

Process information

PID: 1112
CMD: "C:\Users\admin\AppData\Local\Temp\nextrp-launcher.exe" /n
Path: C:\Users\admin\AppData\Local\Temp\nextrp-launcher.exe
Parent process: nextrp.exe
User: admin
Company: IP Lipatnikov Matvey Nikolaevich
Integrity Level: HIGH
Description: NEXTRP Launcher
Version: 2023.5.16
Modules (images):
c:\users\admin\appdata\local\temp\nextrp-launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 3984
CMD: "C:\Users\admin\AppData\Local\Temp\nextrp.exe"
Path: C:\Users\admin\AppData\Local\Temp\nextrp.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: nextrp
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\nextrp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 4084
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Total events: 8 689
Read events: 8 652
Write events: 37
Delete events: 0

Modification events

PID 3984 nextrp.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Operation: write | Name: Name | Value: nextrp.exe
PID 3984 nextrp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
PID 3984 nextrp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 3984 nextrp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32 | Operation: write | Name: FileTracingMask | Value: -
PID 3984 nextrp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value: -
PID 3984 nextrp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
PID 3984 nextrp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
PID 3984 nextrp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASMANCS | Operation: write | Name: EnableFileTracing | Value: 0
PID 3984 nextrp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASMANCS | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 3984 nextrp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\nextrp_RASMANCS | Operation: write | Name: FileTracingMask | Value: -

Executable files: 9
Suspicious files: 6
Text files: 508
Unknown types: 0

Dropped files

PID 3984 nextrp.exe
  Filename: C:\Users\admin\AppData\Local\Temp\nextrp-launcher.exe.temp
  Type: -
  MD5: -
  SHA256: -
PID 3984 nextrp.exe
  Filename: C:\Users\admin\AppData\Local\Temp\nextrp-launcher.exe
  Type: -
  MD5: -
  SHA256: -
PID 1112 nextrp-launcher.exe
  Filename: C:\Users\admin\AppData\Local\Temp\nss86A.tmp\app-32.7z
  Type: -
  MD5: -
  SHA256: -
PID 1112 nextrp-launcher.exe
  Filename: C:\Program Files\NEXTRP Launcher\extras\icons\favicon.png
  Type: -
  MD5: -
  SHA256: -
PID 1112 nextrp-launcher.exe
  Filename: C:\Program Files\NEXTRP Launcher\extras\icons\512x512.png
  Type: image
  MD5: 53CE6ED7E554FE5B396C0B1FD34CB6BB
  SHA256: 1479F8CD0F4D630958EA3632687BB8F17F64256039E340B7C83E31AE7F20FA32
PID 1112 nextrp-launcher.exe
  Filename: C:\Users\admin\AppData\Local\Temp\nss86A.tmp\nsProcess.dll
  Type: executable
  MD5: F0438A894F3A7E01A4AAE8D1B5DD0289
  SHA256: 30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
PID 1112 nextrp-launcher.exe
  Filename: C:\Program Files\NEXTRP Launcher\extras\lt\base_library.zip
  Type: compressed
  MD5: 9CBBC1DCE526EF58878AD7E94AD8BDF2
  SHA256: FEACD30B21AD6362E6F7E5C136F0E6DBE220AF8117F9DB773AD9EF7B83466307
PID 1112 nextrp-launcher.exe
  Filename: C:\Program Files\NEXTRP Launcher\extras\icons\icon.ico
  Type: image
  MD5: 67C4F70A97147BA21EC179AD186A9C30
  SHA256: 8F434137B356E81CD17B7DF92EC3EEABBF375275A0E1D9CEF5B8D5E814C89065
PID 1112 nextrp-launcher.exe
  Filename: C:\Program Files\NEXTRP Launcher\extras\icons\64x64.png
  Type: image
  MD5: FD69CD1F23840CA76F106B07DB617DC6
  SHA256: 535933A5EEAF2F80CDAD43DEF271481BEBBCD97B047A8D0A1285FF9F123C1F9E
PID 1112 nextrp-launcher.exe
  Filename: C:\Users\admin\AppData\Local\Temp\nss86A.tmp\System.dll
  Type: executable
  MD5: 0D7AD4F45DC6F5AA87F606D0331C6901
  SHA256: 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3984 | nextrp.exe | 89.248.192.205:443 | download.gamecluster.nextrp.ru | OOO Network of data-centers Selectel | RU | unknown

DNS requests

Domain | IP | Reputation
download.gamecluster.nextrp.ru | 89.248.192.205, 5.182.4.196 | unknown

Threats

No threats detected
No debug info