analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ImageLine_Keygen.exe

Full analysis: https://app.any.run/tasks/8cd38a19-49bb-4ced-a0ad-2ba3732ac461
Verdict: Malicious activity
Analysis date: February 22, 2020, 12:09:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

55D60D8B7CE85238E6C44E3E7C5C08F7

SHA1:

D6817E516242DA2C0846B0805E61A6EFE7994C9C

SHA256:

5A857CB79032F902826103C0EA0E9A3FB8151909834C91B87F0FE55C2118BC99

SSDEEP:

6144:bs92nA8P9tlASRzKW38d3R2IRoczuWxE2R9FxhoEGoYHclMuZdFvgS+vyOTuZQ/M:4c9t2Sll4XeguWWAvGoY8yS+vX/zqn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • keygen.exe (PID: 3480)

    • Loads dropped or rewritten executable

      • keygen.exe (PID: 3480)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ImageLine_Keygen.exe (PID: 3020)

    • Creates files in the user directory

      • notepad++.exe (PID: 2904)
      • MsSpellCheckingFacility.exe (PID: 2508)

    • Executed via COM

      • MsSpellCheckingFacility.exe (PID: 2508)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 1064)

    • Changes internet zones settings

      • iexplore.exe (PID: 1064)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2012)
      • iexplore.exe (PID: 1064)

    • Manual execution by user

      • iexplore.exe (PID: 1064)
      • notepad++.exe (PID: 2904)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2012)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2012)
      • iexplore.exe (PID: 1064)

    • Creates files in the user directory

      • iexplore.exe (PID: 2012)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1064)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x323c
UninitializedDataSize: 1024
InitializedDataSize: 119808
CodeSize: 23552
LinkerVersion: 6
PEType: PE32
TimeStamp: 2009:12:05 23:50:46+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-2009 22:50:46
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 05-Dec-2009 22:50:46
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005A5A
0x00005C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.4177
.rdata
0x00007000
0x00001190
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.18163
.data
0x00009000
0x0001AF98
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.70903
.ndata
0x00024000
0x00008000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0002C000
0x00022578
0x00022600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.05286

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.24511
67624
UNKNOWN
English - United States
RT_ICON
2
7.92764
54264
UNKNOWN
English - United States
RT_ICON
3
4.51849
9640
UNKNOWN
English - United States
RT_ICON
4
4.75617
4264
UNKNOWN
English - United States
RT_ICON
5
4.93004
2440
UNKNOWN
English - United States
RT_ICON
6
5.08765
1128
UNKNOWN
English - United States
RT_ICON
103
2.8213
90
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.66174
256
UNKNOWN
English - United States
RT_DIALOG
106
2.88094
284
UNKNOWN
English - United States
RT_DIALOG
111
2.48825
96
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
8
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start imageline_keygen.exe no specs imageline_keygen.exe keygen.exe no specs notepad++.exe gup.exe iexplore.exe iexplore.exe msspellcheckingfacility.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3888"C:\Users\admin\AppData\Local\Temp\ImageLine_Keygen.exe" C:\Users\admin\AppData\Local\Temp\ImageLine_Keygen.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
3020"C:\Users\admin\AppData\Local\Temp\ImageLine_Keygen.exe" C:\Users\admin\AppData\Local\Temp\ImageLine_Keygen.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
3480C:\Users\admin\AppData\Local\Temp\keygen.exeC:\Users\admin\AppData\Local\Temp\keygen.exeImageLine_Keygen.exe
User:
admin
Integrity Level:
HIGH
2904"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\FLRegKey.reg"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
3148"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
1064"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2012"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1064 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2508"C:\Windows\System32\MsSpellCheckingFacility.exe" -EmbeddingC:\Windows\System32\MsSpellCheckingFacility.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Spell Checking Facility
Version:
6.3.9600.16428 (winblue_gdr.131013-1700)
Total events
6 413
Read events
1 837
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
209
Text files
139
Unknown types
102

Dropped files

PID
Process
Filename
Type
2012iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabECE9.tmp
MD5:
SHA256:
2012iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarECEA.tmp
MD5:
SHA256:
1064iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2012iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HV92HLZ5.txttext
MD5:A659C39843F286F65123A5320E15757B
SHA256:EAD9D6FB4DF7D08FABE2CF6FCD3C59C539B12534A0BF534E852D0EB755F7D34B
2012iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\pastebin.min.v3[1].jstext
MD5:EB31F0C11DCA3B14AA69EA6567577370
SHA256:C553D405E7A0D873F69083ECB231E12A1123206C612D8FD8C675E9EABB264F3D
2012iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\select2.min[1].jstext
MD5:20B2763C0B177FE852309949CADD2A88
SHA256:4598A43124DCF116A169DFE92AA176F552ED3DCDF7B2493C719A76A4F65CF377
2012iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\select2.min[1].csstext
MD5:D8E0F13D36D91E52D7B87CB9FBDE723C
SHA256:6825F2517A695B2FC21140D7535076290907CBEAC447008FB598EFEBB10D38C3
2904notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xmltext
MD5:AD21A64014891793DD9B21D835278F36
SHA256:C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F
2012iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\NRC7L583.htmhtml
MD5:A905DC8167BF1F9DFDB5426221C3785C
SHA256:E7D8851202F06638D976BB9317CD1578AA45E11234BDFDF103FC8606D4E10803
2012iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:CDA584C5EAD2FF0ADCC7206661B0BB9C
SHA256:687E80DD3E94709D21A87D181EC178417DF265A7BBD6C6DD398D98136A8C7F75
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
120
TCP/UDP connections
183
DNS requests
86
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2012
iexplore.exe
GET
301
104.23.98.190:80
http://pastebin.com/
US
shared
2012
iexplore.exe
GET
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=pasteb&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
whitelisted
2012
iexplore.exe
GET
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=pastebin&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
whitelisted
2012
iexplore.exe
GET
200
216.58.208.35:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCgdZM8AVzzKAgAAAAALnDU
US
der
472 b
whitelisted
2012
iexplore.exe
GET
200
2.21.242.187:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
2012
iexplore.exe
GET
200
216.58.208.35:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
2012
iexplore.exe
GET
200
216.58.208.35:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
2012
iexplore.exe
GET
200
2.21.242.197:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
2012
iexplore.exe
GET
200
2.21.242.245:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgTKD08ug1ewuLziNIDJxgY4sg%3D%3D
NL
der
527 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1064
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2012
iexplore.exe
104.23.98.190:443
pastebin.com
Cloudflare Inc
US
malicious
2012
iexplore.exe
104.23.98.190:80
pastebin.com
Cloudflare Inc
US
malicious
2012
iexplore.exe
13.107.5.80:80
api.bing.com
Microsoft Corporation
US
whitelisted
3148
gup.exe
104.31.88.28:443
notepad-plus-plus.org
Cloudflare Inc
US
shared
72.21.91.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2012
iexplore.exe
212.124.124.9:443
aj2073.online
True Records Inc.
US
unknown
2012
iexplore.exe
104.26.15.238:443
services.vlitag.com
Cloudflare Inc
US
suspicious
2.21.242.197:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
NL
whitelisted
2012
iexplore.exe
216.58.208.35:80
ocsp.pki.goog
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 104.31.88.28
  • 104.31.89.28
whitelisted
ocsp.digicert.com
  • 72.21.91.29
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
pastebin.com
  • 104.23.98.190
  • 104.23.99.190
shared
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.googletagmanager.com
  • 172.217.22.72
whitelisted
services.vlitag.com
  • 104.26.15.238
  • 104.26.14.238
shared
aj2073.online
  • 212.124.124.9
unknown
ocsp.pki.goog
  • 216.58.208.35
whitelisted
isrg.trustid.ocsp.identrust.com
  • 2.21.242.197
  • 2.21.242.187
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
Process
Message
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ImageLine_Keygen.exe