File name:

Realterm_3.0.1.44_setup.exe

Full analysis: https://app.any.run/tasks/bcee1202-54df-4e5a-9724-611b9874ea3d
Verdict: Malicious activity
Analysis date: September 05, 2024, 02:32:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

886E8F77E860744E9AF6DA1EF77314BB

SHA1:

C7FB9A748ED8FD6B0D92027DD9C0373715972F04

SHA256:

67275D8330156546DBFF495259053705AB41E6E0F03CE07E4000F34E4BBAA5A2

SSDEEP:

98304:P66BHFqkxqVRl9aAJ3XrVWqxDTQaGGUznPUkwfUF5aZIF8s6VoetJX02NbQw36Ql:SAFqxsuHBBb

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report can be distorted by analyst actions and is provided as-is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process creates files with names similar to system file names

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
    • Reads security settings of Internet Explorer

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
      • RegAsm.exe (PID: 6500)
      • realterm.exe (PID: 5504)
    • Executable content was dropped or overwritten

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
    • Creates a software uninstall entry

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
    • Checks Windows Trust Settings

      • RegAsm.exe (PID: 6500)
      • realterm.exe (PID: 5504)
    • Drops a system driver (possible attempt to evade defenses)

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
    • Creates/Modifies COM task schedule object

      • RegAsm.exe (PID: 6500)
    • Adds/modifies Windows certificates

      • realterm.exe (PID: 5504)
  • INFO

    • Create files in a temporary directory

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
    • Checks supported languages

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
      • realterm.exe (PID: 6884)
      • RegAsm.exe (PID: 6500)
      • realterm.exe (PID: 5504)
    • Reads the computer name

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
      • realterm.exe (PID: 6884)
      • RegAsm.exe (PID: 6500)
      • realterm.exe (PID: 5504)
    • Creates files in the program directory

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
    • The process uses the downloaded file

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
    • Creates files or folders in the user directory

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
      • RegAsm.exe (PID: 6500)
      • realterm.exe (PID: 5504)
    • Process checks computer location settings

      • Realterm_3.0.1.44_setup.exe (PID: 5464)
    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 6500)
      • realterm.exe (PID: 5504)
    • Reads the software policy settings

      • RegAsm.exe (PID: 6500)
      • realterm.exe (PID: 5504)
    • Checks proxy server information

      • RegAsm.exe (PID: 6500)
      • realterm.exe (PID: 5504)
    • Reads CPU info

      • realterm.exe (PID: 5504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 22:50:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x323c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
135
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Process tree (parent to child; "no specs" as labelled in the report):

explorer.exe
  realterm_3.0.1.44_setup.exe (PID 2524, no specs)
  realterm_3.0.1.44_setup.exe (PID 5464)
    realterm.exe /regserver (PID 6884, no specs)
    regasm.exe RealtermWrapper.dll /codebase (PID 6500)
      conhost.exe (PID 6868, no specs)
    realterm.exe install (PID 5504)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 2524
CMD: "C:\Users\admin\AppData\Local\Temp\Realterm_3.0.1.44_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Realterm_3.0.1.44_setup.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the installer requests elevation, so this medium-integrity launch did not run; the same command line ran elevated as PID 5464)
Modules
Images
c:\users\admin\appdata\local\temp\realterm_3.0.1.44_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5464
CMD: "C:\Users\admin\AppData\Local\Temp\Realterm_3.0.1.44_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Realterm_3.0.1.44_setup.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\realterm_3.0.1.44_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5504
CMD: "C:\Program Files (x86)\BEL\Realterm\realterm.exe" install
Path: C:\Program Files (x86)\BEL\Realterm\realterm.exe
Parent process: Realterm_3.0.1.44_setup.exe
User:
admin
Company:
Broadcast Equipment Ltd
Integrity Level:
HIGH
Description:
Realterm Serial Terminal Program
Version:
3.0.1.44
Modules
Images
c:\program files (x86)\bel\realterm\realterm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6500
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Program Files (x86)\BEL\Realterm\wrapper\RealtermWrapper.dll" /codebase
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Parent process: Realterm_3.0.1.44_setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.9149 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6868
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: RegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6884
CMD: "C:\Program Files (x86)\BEL\Realterm\realterm.exe" /regserver
Path: C:\Program Files (x86)\BEL\Realterm\realterm.exe
Parent process: Realterm_3.0.1.44_setup.exe
User:
admin
Company:
Broadcast Equipment Ltd
Integrity Level:
HIGH
Description:
Realterm Serial Terminal Program
Exit code:
0
Version:
3.0.1.44
Modules
Images
c:\program files (x86)\bel\realterm\realterm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
10 193
Read events
10 141
Write events
46
Delete events
6

Modification events

(PID) Process: (6884) realterm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BEL\Realterm
Operation: write
Name: Last Update Check
Value: 2542E866833CE640

(PID) Process: (6884) realterm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BEL\Realterm
Operation: write
Name: Block Update Checks
Value: 0

(PID) Process: (6884) realterm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BEL\Realterm
Operation: write
Name: Run Count
Value: 0

(PID) Process: (6884) realterm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BEL\Realterm
Operation: write
Name: Run Days
Value: 0000000000000000

(PID) Process: (6884) realterm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BEL\Realterm
Operation: write
Name: Latest Version
Value:

(PID) Process: (6884) realterm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\BEL\Realterm
Operation: write
Name: IT Version
Value:

(PID) Process: (6884) realterm.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2130F381-39E1-11D7-BA0F-00E018852F5E}\TypeLib
Operation: write
Name: Version
Value: 1.3

(PID) Process: (6884) realterm.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2130F381-39E1-11D7-BA0F-00E018852F5E}\TypeLib
Operation: write
Name: Version
Value: 1.3

(PID) Process: (6884) realterm.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2130F382-39E1-11D7-BA0F-00E018852F5E}\TypeLib
Operation: write
Name: Version
Value: 1.3

(PID) Process: (6884) realterm.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2130F382-39E1-11D7-BA0F-00E018852F5E}\TypeLib
Operation: write
Name: Version
Value: 1.3
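The 8-byte REG_BINARY values written under HKEY_CURRENT_USER\SOFTWARE\BEL\Realterm are the interesting ones for a timeline. The decoder below is an added example, not part of the ANY.RUN report. It assumes Realterm is a Delphi program storing these values as TDateTime, a little-endian IEEE-754 double counting days since 1899-12-30 with the fractional part as time of day; the check that supports that assumption is that the decoded "Last Update Check" falls within a minute of the report's analysis date. The analysis timestamp constant is copied from the report header.

```python
r"""Decode the 8-byte REG_BINARY values realterm.exe (PID 6884) writes under
HKEY_CURRENT_USER\SOFTWARE\BEL\Realterm as Delphi TDateTime doubles.
Added example, not part of the ANY.RUN report; the Delphi/TDateTime reading
is an assumption checked against the report's analysis date."""
import struct
from datetime import datetime, timedelta

DELPHI_EPOCH = datetime(1899, 12, 30)                 # TDateTime 0.0
ANALYSIS_DATE = datetime(2024, 9, 5, 2, 32, 40)       # "Analysis date" from the report header

# Hex dumps exactly as shown in the modification events above (bytes in file order).
REALTERM_BINARY_VALUES = {
    "Last Update Check": "2542E866833CE640",
    "Run Days": "0000000000000000",
}


def tdatetime_from_reg_binary(hex_dump):
    """Return (raw TDateTime, datetime) for an 8-byte hex dump.
    datetime is None for an all-zero value (no date stored)."""
    raw = bytes.fromhex(hex_dump)
    if len(raw) != 8:
        raise ValueError("expected 8 bytes, got %d" % len(raw))
    (days,) = struct.unpack("<d", raw)                # little-endian double
    if days == 0.0:
        return days, None
    whole = int(days)                                 # truncates toward zero, as Delphi does
    time_of_day = abs(days) - abs(whole)              # Delphi takes the time part from |x|
    return days, DELPHI_EPOCH + timedelta(days=whole + time_of_day)


def decode_realterm_values(values=REALTERM_BINARY_VALUES):
    """Decode every value in the dict to a datetime (or None)."""
    return {name: tdatetime_from_reg_binary(hex_dump)[1] for name, hex_dump in values.items()}


def seconds_after_analysis_start(stamp, started=ANALYSIS_DATE):
    """How long after the sandbox run began the timestamp was written."""
    return (stamp - started).total_seconds()


if __name__ == "__main__":
    for name, stamp in decode_realterm_values().items():
        delta = "" if stamp is None else " (+%.0f s after analysis start)" % seconds_after_analysis_start(stamp)
        print("%-18s %s%s" % (name, stamp, delta))
```

"Last Update Check" decodes to 2024-09-05 02:33 on the guest clock, about 25 seconds after the recorded analysis start, i.e. the timestamp of the /regserver run itself rather than a value carried in from the installer. "Run Days" is the all-zero double, so nothing is recorded there yet.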
Executable files
19
Suspicious files
35
Text files
162
Unknown types
0

Dropped files

PID 5464, Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsx9FA5.tmp\UserInfo.dll
Type: executable
MD5: 7579ADE7AE1747A31960A228CE02E666
SHA256: 564C80DEC62D76C53497C40094DB360FF8A36E0DC1BDA8383D0F9583138997F5

PID 5464, Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsx9FA5.tmp\StartMenu.dll
Type: executable
MD5: A4173B381625F9F12AADB4E1CDAEFDB8
SHA256: 7755FF2707CA19344D489A5ACEC02D9E310425FA6E100D2F13025761676B875B

PID 5464, Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsx9FA5.tmp\System.dll
Type: executable
MD5: C17103AE9072A06DA581DEC998343FC1
SHA256: DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F

PID 5464, Realterm_3.0.1.44_setup.exe
Filename: C:\Program Files (x86)\BEL\Realterm\Readme.txt
Type: text
MD5: EB69399CDC9B9F1367996E2DCE5E78C6
SHA256: 6A8E6F01D2A0D60FD2284FCFC95C14B4434295D53E979A51CCC772700BF91673

PID 5464, Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Realterm\Realterm I2C.lnk
Type: lnk
MD5: 20653A43A551F3314DAA70FE20A36CD2
SHA256: BBDC3C8DC526B6C0C7EC44B6542839DC9D41AE9F8FB3AFE713DFD4833594ECC8

PID 5464, Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Realterm\Realterm HalfDuplex RTSCTS.lnk
Type: lnk
MD5: B765EE3FA5DFE52AB9C82BC7ABFBA4E8
SHA256: E220A18350220F897171890B651650C870843898CAE73EB5A68E008C311C4BA4

PID 5464, Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Roaming\Realterm\realterm_macro1.ini
Type: text
MD5: A8545311BD9282FAE3FC6BDD1FAF0BF0
SHA256: B79AAC5E6F93A97190B804587414E966DA81B35DCD77743CC9DE74718F86F8D1

PID 5464, Realterm_3.0.1.44_setup.exe
Filename: C:\Program Files (x86)\BEL\Realterm\realterm.exe
Type: executable
MD5: CB760B5C22BB24E0AD080C4D78E21E3D
SHA256: 6B01E516DA366150A495B4B529F5795DB002461160E794CB87520722FC2B774C

PID 5464, Realterm_3.0.1.44_setup.exe
Filename: C:\Program Files (x86)\BEL\Realterm\ThisVersionNumber.txt
Type: text
MD5: 80E4F08215523D2351EE5E7618CBA119
SHA256: A90CA00B4DB53BEDCA063D7DB17B246F97526C0AB76F350E00398F54A9D78609

PID 5464, Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Roaming\Realterm\realterm_alwaysXX.ini
Type: text
MD5: 419B8BE88397C3EFF5DE641D3736DA39
SHA256: E3EF22BB619AC6B97A2AA9EF97B9325EA7809C783281EBA8A4CE1F312F1590E8
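The three DLLs under Temp\nsx9FA5.tmp are the context for the "Malware-specific behavior (creating System.dll in Temp)" and "creates files with names similar to system file names" indicators above: NSIS unpacks the plugin DLLs an installer script calls into %TEMP%\ns<random>.tmp\ for the lifetime of the installer, and System.dll, UserInfo.dll and StartMenu.dll are stock NSIS plugins, so those signatures fire on every NSIS installer that uses them. What a practitioner wants from the dropped-file table is therefore to separate that scaffolding from what actually persists, and to keep the hashes of the persisting executables for pivoting. The triage helper below is an added example, not ANY.RUN's code; the records are a subset transcribed from the table, the stock-plugin list and the ns*.tmp pattern are NSIS facts, and the "nsis_unknown_plugin" bucket is this example's own heuristic for the case that would deserve attention (a non-stock DLL dropped into the plugin directory).

```python
"""Triage of the dropped-file table above: split NSIS installer scaffolding from
files that persist on the host, and keep a SHA256 set for pivoting.
Added example, not part of the ANY.RUN report; records transcribed from the table."""
import hashlib
import re

# NSIS extracts its plugin DLLs into %TEMP%\ns<random>.tmp\ while the installer runs.
NSIS_PLUGIN_DIR = re.compile(r"\\AppData\\Local\\Temp\\ns[^\\]+\.tmp\\", re.IGNORECASE)
# Plugins shipped with NSIS itself; System.dll is the generic DLL-call plugin.
STOCK_NSIS_PLUGINS = {"system.dll", "userinfo.dll", "startmenu.dll", "nsexec.dll",
                      "installoptions.dll", "nsdialogs.dll", "nsisdl.dll"}

# (path, type, sha256) for a subset of the dropped files listed in the report.
DROPPED = [
    (r"C:\Users\admin\AppData\Local\Temp\nsx9FA5.tmp\UserInfo.dll", "executable",
     "564C80DEC62D76C53497C40094DB360FF8A36E0DC1BDA8383D0F9583138997F5"),
    (r"C:\Users\admin\AppData\Local\Temp\nsx9FA5.tmp\StartMenu.dll", "executable",
     "7755FF2707CA19344D489A5ACEC02D9E310425FA6E100D2F13025761676B875B"),
    (r"C:\Users\admin\AppData\Local\Temp\nsx9FA5.tmp\System.dll", "executable",
     "DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F"),
    (r"C:\Program Files (x86)\BEL\Realterm\realterm.exe", "executable",
     "6B01E516DA366150A495B4B529F5795DB002461160E794CB87520722FC2B774C"),
    (r"C:\Program Files (x86)\BEL\Realterm\Readme.txt", "text",
     "6A8E6F01D2A0D60FD2284FCFC95C14B4434295D53E979A51CCC772700BF91673"),
    (r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Realterm\Realterm I2C.lnk", "lnk",
     "BBDC3C8DC526B6C0C7EC44B6542839DC9D41AE9F8FB3AFE713DFD4833594ECC8"),
    (r"C:\Users\admin\AppData\Roaming\Realterm\realterm_macro1.ini", "text",
     "B79AAC5E6F93A97190B804587414E966DA81B35DCD77743CC9DE74718F86F8D1"),
]


def classify(path):
    """Bucket a dropped-file path by what its location says about its role."""
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    if NSIS_PLUGIN_DIR.search(path):
        # A non-stock DLL in the plugin directory is where an NSIS-packed loader would sit.
        return "nsis_scaffolding" if name in STOCK_NSIS_PLUGINS else "nsis_unknown_plugin"
    if lower.startswith("c:\\program files"):
        return "installed"
    if "\\appdata\\" in lower:
        return "user_profile"
    return "other"


def triage(records):
    """Group record paths by bucket."""
    buckets = {}
    for path, _kind, _sha in records:
        buckets.setdefault(classify(path), []).append(path)
    return buckets


def pivot_hashes(records):
    """SHA256s worth searching elsewhere: executables that are not NSIS scaffolding."""
    return {sha.lower() for path, kind, sha in records
            if kind == "executable" and classify(path) != "nsis_scaffolding"}


def lookup_sha256(digest, records=DROPPED):
    """Return the report record carrying this SHA256, or None."""
    return next((r for r in records if r[2].lower() == digest.lower()), None)


def sha256_file(path, records=DROPPED):
    """Hash a local file (streamed) and match it against the report records."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest(), lookup_sha256(h.hexdigest(), records)


if __name__ == "__main__":
    for bucket, paths in sorted(triage(DROPPED).items()):
        print(bucket, *paths, sep="\n  ")
    print("pivot hashes:", *sorted(pivot_hashes(DROPPED)), sep="\n  ")
```

On this report the only hash left for pivoting is realterm.exe itself; the Temp DLLs are installer scaffolding and the Roaming entries are shortcuts and INI files.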
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
35
DNS requests
18
Threats
0

HTTP requests

PID  Process  Method  HTTP Code  IP  URL  CN  Type  Size  Reputation

6112  svchost.exe  GET  200  192.229.221.95:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  unknown  whitelisted
6776  svchost.exe  GET  200  184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted
6500  RegAsm.exe  GET  200  192.229.221.95:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEALE0eWKSmgMVo2jBH5%2BTV8%3D  unknown  whitelisted
6500  RegAsm.exe  GET  200  192.229.221.95:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRm%2FrYSaqNr0YBIv29H4pMHhv2XmQQUl0gD6xUIa7myWCPMlC7xxmXSZI4CEARKoa%2F8q9sh21pD8bZmTow%3D  unknown  whitelisted
5504  realterm.exe  GET  200  104.18.38.233:80  http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D  unknown  whitelisted
5504  realterm.exe  GET  404  172.64.149.23:80  http://crl.usertrust.com/AddTrustExternalCARoot.crl  unknown  whitelisted
5504  realterm.exe  GET  200  104.18.38.233:80  http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D  unknown  whitelisted
5504  realterm.exe  GET  200  104.18.38.233:80  http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2FpT9HLfNNK8%3D  unknown  whitelisted
5504  realterm.exe  GET  200  104.18.38.233:80  http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEQCixwFuiGiCV7ie%2F2XqyMRw  unknown  whitelisted
936  SIHClient.exe  GET  200  184.30.21.171:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl  unknown  whitelisted

Connections

PID  Process  IP  Domain  ASN  CN  Reputation

6776  svchost.exe  40.127.240.158:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4  System  192.168.100.255:138  -  -  -  whitelisted
5796  RUXIMICS.exe  40.127.240.158:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
2120  MoUsoCoreWorker.exe  40.127.240.158:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
6776  svchost.exe  51.104.136.2:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
6776  svchost.exe  184.30.21.171:80  www.microsoft.com  AKAMAI-AS  DE  whitelisted
3260  svchost.exe  40.113.103.199:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
6112  svchost.exe  40.126.31.73:443  login.live.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
6112  svchost.exe  192.229.221.95:80  ocsp.digicert.com  EDGECAST  US  whitelisted
6500  RegAsm.exe  192.229.221.95:80  ocsp.digicert.com  EDGECAST  US  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 52.140.118.28
whitelisted
google.com
  • 172.217.18.110
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.73
  • 20.190.159.23
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
crl.usertrust.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted

Threats

No threats detected
No debug info