File name:

C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Full analysis: https://app.any.run/tasks/f6c12130-1a14-494d-a88c-09930f447540
Verdict: Malicious activity
Analysis date: October 18, 2019, 13:23:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

EFC3D078D687093B45052F52F98FE9EF

SHA1:

C38EEAA690A4422DA1401B78EFCBE39147854CAB

SHA256:

679C5D3642B435B23FBF65C838A636B45C798F64B783547105162E3B58AB22DB

SSDEEP:

24576:qSi4V8BfEEvDnI7AxbyhLJPFdjUdgzcHJbMEwnjNnjhKsHEfld:qSi4eBsEvcc1yhLJPFdjUdgzcHJbMEwW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • HJdyTuap.exe (PID: 2692)

    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 2484)

  • SUSPICIOUS

    • Creates files in the user directory

      • HJdyTuap.exe (PID: 2692)

    • Reads Windows Product ID

      • RegAsm.exe (PID: 2484)

    • Executable content was dropped or overwritten

      • HJdyTuap.exe (PID: 2692)

    • Reads Environment values

      • RegAsm.exe (PID: 2484)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:09:01 07:01:12+02:00
PEType: PE32
LinkerVersion: 8
CodeSize: 1147904
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x11a39e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: Lesson
FileVersion: 0.0.0.0
InternalName: Lesson.exe
LegalCopyright: Lesson
OriginalFileName: Lesson.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start hjdytuap.exe regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
2484"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
HJdyTuap.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.7.3062.0 built by: NET472REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
2692"C:\Users\admin\Downloads\HJdyTuap.exe" C:\Users\admin\Downloads\HJdyTuap.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Lesson
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\downloads\hjdytuap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
55
Read events
55
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2692HJdyTuap.exeC:\Users\admin\AppData\Roaming\doceditor.exeexecutable
MD5:
SHA256:
2692HJdyTuap.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
1

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2484
RegAsm.exe
198.54.115.194:26
mail.tendertradeforex.co.uk
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
mail.tendertradeforex.co.uk
  • 198.54.115.194
malicious

Threats

PID
Process
Class
Message
2484
RegAsm.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe