File name:

LSRP.exe

Full analysis: https://app.any.run/tasks/e33e8664-f12e-4674-a4fb-82d1c53db16b
Verdict: Malicious activity
Analysis date: January 07, 2024, 17:08:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

02A8FC64CE50C2594163580DCE9C5B37

SHA1:

BDA4BD8AED17024B1974E626DB98FDE0550AF036

SHA256:

5F180F2B06400A24DC4A77DE281D3A493C30A5E5E5ECA2C256472E144A829D44

SSDEEP:

98304:Qs9w7LxKbLcFQO1NsZDtoGqB1Xg95Oqu97OzPH+rPz9nCfaPBYMBBfsBnp88HNDz:V/aDWEyn76E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the Internet Settings

      • autorun.exe (PID: 1072)

    • Checks Windows Trust Settings

      • autorun.exe (PID: 1072)

    • Reads settings of System Certificates

      • autorun.exe (PID: 1072)

    • Reads security settings of Internet Explorer

      • autorun.exe (PID: 1072)

  • INFO

    • Drops the executable file immediately after the start

      • LSRP.exe (PID: 116)

    • Checks supported languages

      • LSRP.exe (PID: 116)
      • autorun.exe (PID: 1072)

    • Create files in a temporary directory

      • LSRP.exe (PID: 116)
      • autorun.exe (PID: 1072)

    • Reads the computer name

      • autorun.exe (PID: 1072)

    • Creates files or folders in the user directory

      • autorun.exe (PID: 1072)

    • Checks proxy server information

      • autorun.exe (PID: 1072)

    • Reads the machine GUID from the registry

      • autorun.exe (PID: 1072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (56.1)
.scr | Windows screen saver (26.6)
.exe | Win32 Executable (generic) (9.1)
.exe | Generic Win/DOS Executable (4)
.exe | DOS Executable Generic (4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:14 21:11:00+02:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 259584
InitializedDataSize: 307712
UninitializedDataSize: -
EntryPoint: 0x2cbbc
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.1.5.0
ProductVersionNumber: 0.1.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
Comments: -
CompanyName: By Nexus
FileDescription: LS-RP.com
FileVersion: 0.1.5.0
InternalName: ams_launch
LegalTrademarks: By Nexus
OriginalFileName: LSRP+.exe
ProductName: Los Santos Roleplay+
ProductVersion: 0.1.5.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start lsrp.exe no specs autorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Users\admin\AppData\Local\Temp\LSRP.exe" C:\Users\admin\AppData\Local\Temp\LSRP.exeexplorer.exe
User:
admin
Company:
By Nexus
Integrity Level:
MEDIUM
Description:
LS-RP.com
Exit code:
0
Version:
0.1.5.0
Modules
Images
c:\users\admin\appdata\local\temp\lsrp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1072"C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\admin\AppData\Local\Temp\LSRP.exe"C:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
LSRP.exe
User:
admin
Company:
By Nexus
Integrity Level:
MEDIUM
Description:
LS-RP.com
Exit code:
0
Version:
0.1.5.0
Modules
Images
c:\users\admin\appdata\local\temp\ir_ext_temp_0\autorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\ir_ext_temp_0\lua5.1.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
Total events
6 032
Read events
5 892
Write events
139
Delete events
1

Modification events

(PID) Process:(1072) autorun.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1072) autorun.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1072) autorun.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1072) autorun.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1072) autorun.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1072) autorun.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1072) autorun.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1072) autorun.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1072) autorun.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation:writeName:WpadDecisionReason
Value:
1
(PID) Process:(1072) autorun.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation:writeName:WpadDecisionTime
Value:
1D442A308C41DA01
Executable files
11
Suspicious files
15
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
116LSRP.exeC:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cddcompressed
MD5:3E56603B472EFB878CC93A79F54631D0
SHA256:08E7ABE097B1763650F49A878E80BCBD2CDD76A8464B2B404247626B832948C3
116LSRP.exeC:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\Draw\Draw.lmdexecutable
MD5:6B1CDF960E0ED0F2CD2D049BADB7832A
SHA256:814DF73BA2D1E8BA5F8B6D2B93E5BBEDE5AFA7D725EA0E406258DCEB73E14738
116LSRP.exeC:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Images\lsrpp_logo.pngimage
MD5:32F1D544A06CCF907DE4C175B959C2F7
SHA256:4D5A51718F8BB532A18C1482E171F341F8FD7C8BF42CD3105FBE8509DCB1E44F
116LSRP.exeC:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\ListIcon\ListIcon.lmdexecutable
MD5:561109D9FA99C3CF398B7797531623D3
SHA256:0C91DCF3D6FB6CD7CE35A80E6DD3D57EABFB761A068A9CF6F908A5BA00261AF5
116LSRP.exeC:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exeexecutable
MD5:A9AA34A0F00130BAC0856E7F6084F50D
SHA256:E370B1C7DC9B0D19414547430011A5AF726204FF1F3119D34C2E59F815EA6228
116LSRP.exeC:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\MemoryEx\MemoryEx.lmdexecutable
MD5:E7C4E26AA905BBFE90416D5421D52C17
SHA256:7D7B5C17794EBF7CD2CED16537F1C74A735F3A86F85F8D3A9EF3A89B0C8E3A5F
116LSRP.exeC:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Scripts\luasql\sqlite3.dllexecutable
MD5:9BFE3E9A406BC5A960E656E17DA7E82B
SHA256:2E814B8463379E4D5FC6C36CCB73124A8A7419E5F2C572BFA0DF06948887F805
116LSRP.exeC:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\SHAPE\SHAPE.APOexecutable
MD5:75A9117316FA7CD057AFC78C4859DF4D
SHA256:4386C7BEE62D530E0549862E9EA97DDD9151C055337775AB090487D9DB3EC240
116LSRP.exeC:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Plugins\WinApi\WinApi.lmdexecutable
MD5:0194F4B3EA555E5A2EC2C5AA38C3F47A
SHA256:F1166C24279CD83A4BDF7BFE4906113B31DB005608DCF688F62B53467807E65D
116LSRP.exeC:\Users\admin\AppData\Local\Temp\ir_ext_temp_0\lsrpp.icoimage
MD5:23C0741E541BE8220E516BD0C98646E0
SHA256:36FCC21B79B58E26955DDAD6A8066FF10D0CEAE8212516D5072C5DC6E66F16C4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
10
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1072
autorun.exe
POST
301
188.114.97.3:80
http://ls-rp.com/?page=ucplogout
unknown
unknown
1072
autorun.exe
GET
200
184.24.77.179:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9c35526d3a6ecb8f
unknown
compressed
4.66 Kb
unknown
1072
autorun.exe
GET
200
142.250.186.131:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
binary
1.41 Kb
unknown
1072
autorun.exe
GET
200
142.250.186.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
unknown
binary
724 b
unknown
1080
svchost.exe
GET
304
173.222.108.242:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?eca8823d6d0692d6
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1072
autorun.exe
188.114.97.3:80
ls-rp.com
CLOUDFLARENET
NL
unknown
1072
autorun.exe
188.114.97.3:443
ls-rp.com
CLOUDFLARENET
NL
unknown
1072
autorun.exe
184.24.77.179:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1072
autorun.exe
142.250.186.131:80
ocsp.pki.goog
GOOGLE
US
whitelisted
1080
svchost.exe
173.222.108.242:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown

DNS requests

Domain
IP
Reputation
ls-rp.com
  • 188.114.97.3
  • 188.114.96.3
malicious
ctldl.windowsupdate.com
  • 184.24.77.179
  • 184.24.77.172
  • 184.24.77.208
  • 184.24.77.175
  • 184.24.77.209
  • 184.24.77.206
  • 184.24.77.174
  • 184.24.77.205
  • 184.24.77.173
  • 173.222.108.242
  • 173.222.108.210
  • 173.222.108.193
  • 173.222.108.147
  • 173.222.108.243
  • 173.222.108.219
  • 173.222.108.176
  • 173.222.108.201
  • 173.222.108.203
whitelisted
ocsp.pki.goog
  • 142.250.186.131
whitelisted
community.ls-rp.com
  • 188.114.97.3
  • 188.114.96.3
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
LSRP.exe