General Info

File name

1fji.exe

Full analysis
https://app.any.run/tasks/380ad35c-482c-4078-9925-74891b45deba
Verdict
Malicious activity
Analysis date
7/11/2019, 16:33:25
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan, adware, installcore, pup
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

b70427108a549d87761de390b3741b00

SHA1

eca2777d1dd6727000086ad9a48986e41347e578

SHA256

5736b7965b4708122fee9dc967d8aeda531c959e449e82aed24e01092597addc

SSDEEP

24576:S5GZqzGW9FOCLq6ZghOsWhTdSpCtAsTu0HfDv1E75Bg9HkansIE2JmpeGO:HMzZ3d+htyT+2AGu0/qG1kY42JT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

INSTALLCORE was detected
  • 1fji.exe (PID: 3036)
Connects to CnC server
  • 1fji.exe (PID: 3036)
Application launched itself
  • cmd.exe (PID: 3380)
  • cmd.exe (PID: 2820)
Starts CMD.EXE for commands execution
  • cmd.exe (PID: 3380)
  • 1fji.exe (PID: 3036)
  • cmd.exe (PID: 2820)
Reads internet explorer settings
  • 1fji.exe (PID: 3036)
Reads Environment values
  • 1fji.exe (PID: 3036)
Starts CMD.EXE for self-deleting
  • 1fji.exe (PID: 3036)

No info indicators.

Static information

TRiD
.exe  Win32 Executable Delphi generic (45.2%)
.dll  Win32 Dynamic Link Library (generic) (20.9%)
.exe  Win32 Executable (generic) (14.3%)
.exe  Win16/32 Executable Delphi generic (6.6%)
.exe  Generic Win/DOS Executable (6.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2015:12:28 13:39:51+01:00
PEType:
PE32
LinkerVersion:
2.25
CodeSize:
65024
InitializedDataSize:
53248
UninitializedDataSize:
null
EntryPoint:
0x113bc
OSVersion:
5
ImageVersion:
6
SubsystemVersion:
5
Subsystem:
Windows GUI
FileVersionNumber:
1.1.5.2
ProductVersionNumber:
0.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
Comments:
This installation was built with Inno Setup.
CompanyName:
FileDescription:
Minomem Setup
FileVersion:
1.1.5.2
LegalCopyright:
ProductName:
Minomem
ProductVersion:
1.4
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
28-Dec-2015 12:39:51
Detected languages
Dutch - Netherlands
English - United States
Comments:
This installation was built with Inno Setup.
CompanyName:
null
FileDescription:
Minomem Setup
FileVersion:
1.1.5.2
LegalCopyright:
null
ProductName:
Minomem
ProductVersion:
1.4
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0050
Pages in file:
0x0002
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x000F
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x001A
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000100
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
8
Time date stamp:
28-Dec-2015 12:39:51
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0000F134 0x0000F200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.42566
.itext 0x00011000 0x00000B44 0x00000C00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 5.74659
.data 0x00012000 0x00000C88 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 2.24753
.bss 0x00013000 0x000056B8 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.idata 0x00019000 0x00000DD0 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.97188
.tls 0x0001A000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rdata 0x0001B000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.204488
.rsrc 0x0001C000 0x0000B200 0x0000B200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.13978
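
A quick static sanity check over the section table above, added here as an example (it is not part of the ANY.RUN report and uses no ANY.RUN code). It parses the table as printed, locates the section that holds the EntryPoint RVA from the EXIF block, and flags the usual red flags: an entry point outside every section or inside a non-executable one, sections that are both writable and executable, and executable sections with entropy above 7.0 or with no raw data on disk. The entropy helper reproduces the bits-per-byte scale the table uses. The 7.0 threshold is a rule of thumb, not a value taken from the report.

```python
import math
from dataclasses import dataclass

# Section table as listed in the report above (name, virtual address, virtual
# size, raw size, characteristics, entropy) and the EntryPoint from the EXIF block.
SECTION_TABLE = """\
.text  0x00001000 0x0000F134 0x0000F200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.42566
.itext 0x00011000 0x00000B44 0x00000C00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 5.74659
.data  0x00012000 0x00000C88 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 2.24753
.bss   0x00013000 0x000056B8 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.idata 0x00019000 0x00000DD0 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.97188
.tls   0x0001A000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rdata 0x0001B000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.204488
.rsrc  0x0001C000 0x0000B200 0x0000B200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.13978
"""
ENTRY_POINT_RVA = 0x113BC
PACKED_ENTROPY = 7.0  # rule-of-thumb threshold, not a value from the report


@dataclass(frozen=True)
class Section:
    name: str
    va: int
    vsize: int
    rawsize: int
    flags: frozenset
    entropy: float

    def contains(self, rva: int) -> bool:
        # The loader maps max(VirtualSize, SizeOfRawData) bytes at VirtualAddress.
        return self.va <= rva < self.va + max(self.vsize, self.rawsize)


def parse_sections(table: str) -> list:
    sections = []
    for line in table.splitlines():
        if not line.strip():
            continue
        name, va, vsize, raw, flags, entropy = line.split()
        sections.append(Section(name, int(va, 16), int(vsize, 16), int(raw, 16),
                                frozenset(flags.split(",")), float(entropy)))
    return sections


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant data) to 8.0 (uniform), the scale of the table."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_for_rva(sections, rva):
    return next((s for s in sections if s.contains(rva)), None)


def triage(sections, entry_rva):
    """Return (name of the section holding the entry point, or None; list of red flags)."""
    flags = []
    ep = section_for_rva(sections, entry_rva)
    if ep is None:
        flags.append(f"entry point {entry_rva:#x} lies outside every section")
    elif "IMAGE_SCN_MEM_EXECUTE" not in ep.flags:
        flags.append(f"entry point in non-executable section {ep.name}")
    for s in sections:
        executable = "IMAGE_SCN_MEM_EXECUTE" in s.flags
        if executable and "IMAGE_SCN_MEM_WRITE" in s.flags:
            flags.append(f"{s.name}: writable and executable (self-modifying or unpacking stub)")
        if executable and s.entropy > PACKED_ENTROPY:
            flags.append(f"{s.name}: entropy {s.entropy:.2f} in executable section, likely packed")
        if executable and s.rawsize == 0 and s.vsize > 0:
            flags.append(f"{s.name}: executable section with no bytes on disk, filled at runtime")
    return (ep.name if ep else None), flags


if __name__ == "__main__":
    secs = parse_sections(SECTION_TABLE)
    ep_name, red_flags = triage(secs, ENTRY_POINT_RVA)
    print(f"entry point {ENTRY_POINT_RVA:#x} is in {ep_name}")
    print("red flags:", red_flags or "none")
```

For this sample the entry point 0x113bc resolves to .itext, the section in which Delphi-compiled binaries (the Inno Setup stub is one) keep their initialisation code, and no section trips a flag. The layout is that of an ordinary, unpacked Inno Setup installer; the InstallCore behaviour recorded further down is the installer's runtime activity, not a packed stub.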
Resources
1, 2, 3, 4, 4091, 4092, 4093, 4094, 4095, 4096, 11111, CHARTABLE, DVCLAL, PACKAGEINFO, MAINICON

Imports
    oleaut32.dll
    advapi32.dll
    user32.dll
    kernel32.dll
    comctl32.dll

Exports

    No exports.

Processes

Total processes
42
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

start
  • 1fji.exe (#INSTALLCORE)
  • cmd.exe, no specs (5 instances)
  • timeout.exe, no specs (2 instances)

Process information

PID
3036
CMD
"C:\Users\admin\AppData\Local\Temp\1fji.exe"
Path
C:\Users\admin\AppData\Local\Temp\1fji.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Minomem Setup
Version
1.1.5.2
Modules
Image
c:\users\admin\appdata\local\temp\1fji.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\version.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\propsys.dll
c:\windows\system32\mlang.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll

PID
3380
CMD
C:\Windows\System32\cmd.exe /d /c cmd /d /c TIMEOUT 10 & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\1fji.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
1fji.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3992
CMD
cmd /d /c TIMEOUT 10
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\timeout.exe

PID
2256
CMD
TIMEOUT 10
Path
C:\Windows\System32\timeout.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
timeout - pauses command processing
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2820
CMD
/d /c TIMEOUT 3 & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\1fji.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
1fji.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3552
CMD
TIMEOUT 3
Path
C:\Windows\system32\timeout.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
timeout - pauses command processing
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
388
CMD
cmd /d /c del "C:\Users\admin\AppData\Local\Temp\1fji.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3172
CMD
cmd /d /c del "C:\Users\admin\AppData\Local\Temp\1fji.exe"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
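
The process list above shows the sample removing itself through two nested cmd.exe chains (TIMEOUT 10 and TIMEOUT 3, each followed by del of the sample's own path). The detection below is an added example, not ANY.RUN's signature logic, run over process-creation events constructed from that list: it walks each process's ancestry, matches the del target against an ancestor's image path, and records whether a stall command sits between the deleting shell and that ancestor. The parent PIDs of the two del shells (388 and 3172) are assumed, since the report names their parent only as cmd.exe.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class SelfDelete:
    deleter_pid: int  # shell whose command line deletes the file
    origin_pid: int   # ancestor whose image is the deleted file
    delayed: bool     # a timeout/ping/choice stall precedes the delete


# Process-creation events constructed from the process list above. PIDs, image
# paths and command lines are the report's; the parent PIDs of the two "del"
# shells (388 and 3172) are assumed, as the report names their parent only as cmd.exe.
TMP = r"C:\Users\admin\AppData\Local\Temp"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    ProcEvent(3036, 0, TMP + r"\1fji.exe", '"' + TMP + r'\1fji.exe"'),
    ProcEvent(3380, 3036, CMD, CMD + r' /d /c cmd /d /c TIMEOUT 10 & cmd /d /c del "' + TMP + r'\1fji.exe"'),
    ProcEvent(3992, 3380, CMD, "cmd /d /c TIMEOUT 10"),
    ProcEvent(2256, 3992, r"C:\Windows\System32\timeout.exe", "TIMEOUT 10"),
    ProcEvent(2820, 3036, CMD, r'/d /c TIMEOUT 3 & cmd /d /c del "' + TMP + r'\1fji.exe"'),
    ProcEvent(3552, 2820, r"C:\Windows\System32\timeout.exe", "TIMEOUT 3"),
    ProcEvent(388, 3380, CMD, r'cmd /d /c del "' + TMP + r'\1fji.exe"'),   # parent PID assumed
    ProcEvent(3172, 2820, CMD, r'cmd /d /c del "' + TMP + r'\1fji.exe"'),  # parent PID assumed
]

# "del" or "erase", optional switches, then a quoted or bare path up to the next operator.
DEL_RE = re.compile(r'\b(?:del|erase)\s+(?:/[a-z]\s+)*"?([^"&|]+?)"?\s*(?:&|\||$)', re.I)
# Commands commonly used to stall until the parent has exited and released its image.
DELAY_RE = re.compile(r"\b(?:timeout|ping|choice)\b", re.I)


def _norm(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").lower()


def lineage(pid, by_pid):
    """Yield the process itself, then each ancestor; stop on a missing parent or a cycle."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid


def detect_self_delete(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        chain = list(lineage(e.pid, by_pid))  # chain[0] is e itself
        for m in DEL_RE.finditer(e.cmdline):
            target = _norm(m.group(1))
            origin = next((a for a in chain[1:] if _norm(a.image) == target), None)
            if origin is None:
                continue  # deleting some other file: ordinary installer clean-up
            between = chain[:chain.index(origin)]
            delayed = any(DELAY_RE.search(a.cmdline) for a in between)
            findings.append(SelfDelete(e.pid, origin.pid, delayed))
    return findings


if __name__ == "__main__":
    for f in detect_self_delete(EVENTS):
        print(f"PID {f.deleter_pid} deletes the image of PID {f.origin_pid} (delayed={f.delayed})")
```

Matching the del target against an ancestor's image path, rather than on the literal string "TIMEOUT & del", keeps the rule quiet on installers that remove other temporary files and still catches the ping -n and choice variants of the same stall. Each of the four shells in the report's chains is reported separately; collapse on origin_pid when one alert per sample is wanted.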

Registry activity

Total events
164
Read events
135
Write events
28
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
3036
1fji.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3036
1fji.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3036
1fji.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASAPI32
EnableFileTracing
0
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASAPI32
EnableConsoleTracing
0
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASAPI32
FileTracingMask
4294901760
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASAPI32
ConsoleTracingMask
4294901760
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASAPI32
MaxFileSize
1048576
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASAPI32
FileDirectory
%windir%\tracing
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASMANCS
EnableFileTracing
0
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASMANCS
EnableConsoleTracing
0
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASMANCS
FileTracingMask
4294901760
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASMANCS
ConsoleTracingMask
4294901760
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASMANCS
MaxFileSize
1048576
3036
1fji.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1fji_RASMANCS
FileDirectory
%windir%\tracing
3036
1fji.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3036
1fji.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
(binary value, not reproduced in the report)
3036
1fji.exe
delete key
HKEY_CURRENT_USER

Files activity

Executable files
0
Suspicious files
0
Text files
43
Unknown types
0

Dropped files

PID
Process
Filename
Type
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\001551D3.log
––
MD5:  ––
SHA256:  ––
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\Close.png
image
MD5: f12d5a7ed0f79307f51d9200d76793db
SHA256: 60abb86e82cd25f5752c5f210e0a1f5a097fe514f2cedbbb5ac0ba592bf9ec62
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\bootstrap_38203.html
html
MD5: 1ea9e5b417811379e874ad4870d5c51a
SHA256: f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\00154B6A.log
––
MD5:  ––
SHA256:  ––
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\00154B5A.log
––
MD5:  ––
SHA256:  ––
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\play_hover.png
image
MD5: 739e4ecfa9ca48cdcab2c02fbb9cac85
SHA256: f2a54da51153eaf2c398944010046b49eca624be67ad1989fa3ca82c6a6fb216
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\play_disable.png
image
MD5: 5f926f0a9ed3092c65f5a292d734f098
SHA256: 94ca38e1c82ccfde504b4484aa118d0bf8e39b4dccbee63408f63c9bc1d85fa5
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\Progress.png
image
MD5: 7cfcd85a7e07bc7e9bec5fa4d6115f3b
SHA256: ebaf637228e1516bb4361cbbc9e5244c556826bf452b09231604dcc9fff669a5
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\locale\EN.locale
text
MD5: 75bc42d8efd448ec842ed5e5ceaf4329
SHA256: e44b39e28e3063e6cd93401cea25f92cca723783716faccae6503f1d89a578b1
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\ProgressBar.png
image
MD5: 958719a4b8a12e670ba6aa4864d059de
SHA256: dc63961de56e70f37939159bdbcc4d64388464a5ccc74ca54cfc9d1769e68914
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\icon.png
image
MD5: 59a354ae38425c5a8f4962e235ee7f99
SHA256: 772f960646ff07f5c3e3d125ec462830a35f824b07567370d64c23db57f2bc49
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\pause_disable.png
image
MD5: 5549e38f9e4233ad08512bba275d987d
SHA256: 664fda668d50e778fc6ae058150dc2b62c00ea9c8cc15c5b30ec2e1d55e50888
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\installer.ico
image
MD5: d56f926dc8eba37f018c0abf99c6c5fb
SHA256: 20587aa6ce71bdcd55477f06a5543426243cc9dd0a90805ce7acdc028ebebcaf
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\Loader.gif
image
MD5: 57ca1a2085d82f0574e3ef740b9a5ead
SHA256: 476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\logoTitle.png
image
MD5: 9eb91707a560704e1017feb65354adce
SHA256: fb0dc9ad1ba9a2c803e353644a25801f4ed561d520580d2a6e0b9b0a3fea8847
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\header.png
image
MD5: 697e50b016b8de31759b4938e21f7677
SHA256: 833c9895c0287fbfa647d66f3b26eee14dbcb34158033d794bd5ebb765014f00
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\play.png
image
MD5: 483f1a45b14711e97d0aa21e11b7fb50
SHA256: f43c199e988b99539864b7bc2e70fa9b4d2b0402c8b284240be9b58126b35a49
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\pause.png
image
MD5: 3709882d489e0338acefea489ac63985
SHA256: 00ea02dde5a7e66b1f125e2a9619ab07f1f321cda163d8fc0e67664d6732fe1a
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\pause_hover.png
image
MD5: 0185839d7f42fa3b75c41c127523ac2b
SHA256: 717e69457add58dba0a7a37f478748ab1b0b7130e2dab978694bfd087bb0eff4
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\buttonPlay_Hover.png
image
MD5: 4e9249270cc594a7f788cfadf709e699
SHA256: 1f653fe4fb5915317b04d5b546a7d306f4b084b6c874fb2f27dc3e0758e93057
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\default_download_image.png
image
MD5: 5a11a0df80b77e1291e8b85eed2437e7
SHA256: 27e9ee0a382978ec10ab0c1e2134c763849078b4d8f84d8e0ef3406b942a1ff1
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\cancel_disable.png
image
MD5: 835e197d12ecce047bc0a191630582fc
SHA256: f0c2e58075cf1e9ef0539e9ae2c6a2c1b1692524b8d4b79d39933f739e0ef8f0
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\cancel_hover.png
image
MD5: d369ebcfed2248d79c3373e12d3222c8
SHA256: 7360e2a145622a346e0a89a7ce73d13c99808b239890d75697440289b563c524
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\downlaodsArea.png
image
MD5: 7cbc5db73ab6006766ee00724744e606
SHA256: 6388c9771497631028fbce0ae9fd9a35fad36cd15ac15c639edb05cec08a44b6
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\001551E2.log
––
MD5:  ––
SHA256:  ––
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\buttonPlay_disable.png
image
MD5: 3d7f0f723da1f5501dd4f37ce7d41c22
SHA256: a419d8f5ae7ce7db90151a4d1da0fc21be70f8e88dffced47f1025627ae15999
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\cancel.png
image
MD5: ee6a94a42eae1876183800dd45d728db
SHA256: c2ce2888e882cb7d01ba8b9e0aa5db455b8568256f465c1eee6d16355ee14812
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\Close_Hover.png
image
MD5: 368457bcd5eab9804e984125ccc11afd
SHA256: ed895d3499636c5051b16963a08da99d39715ec1f0e83ede7c939080a409fa90
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\app.png
image
MD5: baf5212f913bd3a48716bf3878b62f6d
SHA256: 2454f98ad12bb22d9a0a1089410a6c6fc515b52a60634b28eff863b5a025a0e5
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\buttonCancel_Hover.png
image
MD5: eb3ab8162d0d2f30c99a33aed50f067a
SHA256: d0c5194a353e89022ba915a7539774846ef3d46ac8f68be8f9eb4217c466a195
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\buttonPause_disable.png
image
MD5: f7e4adb668cbf6c4189f7590a5aea7d8
SHA256: 19d00b2cb4d6e806348cafc03fa33187cdba7efb198e7ba8052c80e51353a2be
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\buttonCancel_disable.png
image
MD5: 62dce28a29fdebc60fa057f5ed1f7720
SHA256: 7ba07a06730d6dae558d871a42ae55568eb14776d74f7fe771ed11609a48a6d1
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\buttonPlay.png
image
MD5: 1d84c055608b157ad6458a6709f63b29
SHA256: c9913e3dde29933ccf6e8b38349655e4c9ebee6e67a5f7e9951ca2d35408b849
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\buttonPause.png
image
MD5: bf4933a2f6a63a38cf79c998a7373b39
SHA256: 1733116edfb43d5695f68159d693c49aac1bbe416aac232a7e256f9e7cbf241b
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\buttonCancel.png
image
MD5: 36be0163a644eee163f6d59f5db59bc2
SHA256: 9452b04e31a7d0b36bb13557ad874bc6cba48692835077b6e358d5df3807141b
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\BG.png
image
MD5: 6791c64f79bcb6ea5d97206551a75856
SHA256: 41bb296c54c41f18b0a411a83cdba2055a25faf5580c90845714b8ce1d7b7a8b
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\images\buttonPause_Hover.png
image
MD5: 5331920bc62f85ad29368d85195e3b4f
SHA256: 12dea3f4bc3d7d0efb9cb480a304ebc499510c09d98bcdb3684f64fb760d1109
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\css\sdk-ui\images\progress-bg2.png
image
MD5: b582d9a67bfe77d523ba825fd0b9dae3
SHA256: ab4eeb3ea1eef4e84cb61eccb0ba0998b32108d70b3902df3619f4d9393f74c3
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\css\sdk-ui\images\progress-bg.png
image
MD5: e9f12f92a9eeb8ebe911080721446687
SHA256: c1cf449536bc2778e27348e45f0f53d04c284109199fb7a9af7a61016b91f8bc
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\css\sdk-ui\checkbox.css
text
MD5: 64773c6b0e3413c81aebc46cce8c9318
SHA256: b09504c1bf0486d3ec46500592b178a3a6c39284672af8815c3687cc3d29560d
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\csshover3.htc
html
MD5: 52fa0da50bf4b27ee625c80d36c67941
SHA256: e37e99ddfc73ac7ba774e23736b2ef429d9a0cb8c906453c75b14c029bdd5493
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\css\main.css
text
MD5: 15a3bb9d38a0165f0c8b73a4f7039976
SHA256: 1b332d8c69e9c46f396a3eacff17b43d7deeebca8d105621b1d8998f994b17bb
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\css\sdk-ui\images\progress-bg-corner.png
image
MD5: 608f1f20cd6ca9936eaa7e8c14f366be
SHA256: 86b6e6826bcde2955d64d4600a4e01693522c1fddf156ce31c4ba45b3653a7bd
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\css\sdk-ui\button.css
text
MD5: 37e1ff96e084ec201f0d95feef4d5e94
SHA256: 8e806f5b94fc294e918503c8053ef1284e4f4b1e02c7da4f4635e33ec33e0534
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\css\ie6_main.css
text
MD5: 158b9c87f1b5e364b12365b158ce4690
SHA256: 400a3b06de18ba28a95df5c94d787c1a81e10248ab09d7fac0fcd1ce7561e71d
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\css\sdk-ui\images\button-bg.png
image
MD5: 98b1de48dfa64dc2aa1e52facfbee3b0
SHA256: 2693930c474fe640e2fe8d6ef98abe2ecd303d2392c3d8b2e006e8942ba8f534
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\inH139521840631\css\sdk-ui\browse.css
text
MD5: 6009d6e864f60aea980a9df94c1f7e1c
SHA256: 5ef48a8c8c3771b4f233314d50dd3b5afdcd99dd4b74a9745c8fe7b22207056d
3036
1fji.exe
C:\Users\admin\AppData\Local\Temp\00154A12.log
––
MD5:  ––
SHA256:  ––

Network activity

HTTP(S) requests
3
TCP/UDP connections
1
DNS requests
1
Threats
7

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3036 1fji.exe POST 200 52.214.73.247:80 http://rp.downloadagentcdn.com/ IE binary –– –– malicious
3036 1fji.exe POST 200 52.214.73.247:80 http://rp.downloadagentcdn.com/ IE binary –– –– malicious
3036 1fji.exe POST 200 52.214.73.247:80 http://rp.downloadagentcdn.com/ IE binary –– –– malicious

Connections

PID Process IP ASN CN Reputation
3036 1fji.exe 52.214.73.247:80 Amazon.com, Inc. IE malicious

DNS requests

Domain IP Reputation
rp.downloadagentcdn.com 52.214.73.247, 54.194.149.175 malicious

Threats

PID Process Class Message
3036 1fji.exe Misc activity ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
3036 1fji.exe Misc activity ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3036 1fji.exe Misc activity ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3

4 ETPRO signatures available at the full report

Debug output strings

No debug info.