General Info

File name

sample.exe

Full analysis
https://app.any.run/tasks/fd4de94a-758f-4b1e-9413-479a5351e82f
Verdict
Malicious activity
Analysis date
5/15/2019, 18:01:18
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

0b45f2bfe96d10fe21fe16cda4e9c5eb

SHA1

c2751e72bd5a8593f4eb4ebd000ace791db0a9c7

SHA256

68ed565438e206e805f81980374e6439e6f4f60f63a3fcb6f0840c8a8de189da

SSDEEP

49152:KCd6LaUWF/9jKxuB6kXlLp4by6GkixB/dShTKlH8m2gkc8ApOhgbEOWI:KCMmFVjKITXxp4by6Pi7Y4SvgEjkr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS / SUSPICIOUS / INFO
Application was dropped or rewritten from another process
  • SuperOrca.exe (PID: 2832)
  • Engine.exe (PID: 2636)
Creates COM task schedule object
  • Engine.exe (PID: 2636)
Creates files in the program directory
  • Engine.exe (PID: 2636)
Executable content was dropped or overwritten
  • Engine.exe (PID: 2636)
  • sample.exe (PID: 3480)
Creates a software uninstall entry
  • Engine.exe (PID: 2636)
Creates files in the user directory
  • Engine.exe (PID: 2636)

No info indicators.

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD

  • .exe | InstallShield setup (49.2%)
  • .exe | Win32 Executable Delphi generic (16.2%)
  • .scr | Windows screen saver (14.9%)
  • .dll | Win32 Dynamic Link Library (generic) (7.5%)
  • .exe | Win32 Executable (generic) (5.1%)

EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
1992:06:20 00:22:17+02:00
PEType:
PE32
LinkerVersion:
2.25
CodeSize:
162816
InitializedDataSize:
31232
UninitializedDataSize:
null
EntryPoint:
0x28a6c
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
11.0.0.1
ProductVersionNumber:
11.0.0.1
FileFlagsMask:
0x0002
FileFlags:
Pre-release
FileOS:
Windows NT 32-bit
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Windows, Latin1
CompanyName:
Pantaray Research Ltd.
FileDescription:
SuperOrca - Setup File
FileVersion:
11.0.0.1
InternalName:
SuperOrca
LegalCopyright:
Copyright © 2002-2008 Pantaray Research Ltd.
OriginalFileName:
SuperOrca.exe
ProductName:
SuperOrca
ProductVersion:
11.0.0.1

Processes

Total processes
47
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Process nodes shown in the graph (edges labelled "drop and start" and "start" in the interactive view):

  • sample.exe (no specs)
  • sample.exe
  • engine.exe
  • cacls.exe (no specs)
  • regedit.exe (no specs)
  • cacls.exe (no specs)
  • cacls.exe (no specs)
  • superorca.exe (no specs)

Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3128
CMD
"C:\Users\admin\AppData\Local\Temp\sample.exe"
Path
C:\Users\admin\AppData\Local\Temp\sample.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Pantaray Research Ltd.
Description
SuperOrca - Setup File
Version
11.0.0.1
Modules
Image
c:\systemroot\system32\ntdll.dll

PID
3480
CMD
"C:\Users\admin\AppData\Local\Temp\sample.exe"
Path
C:\Users\admin\AppData\Local\Temp\sample.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Pantaray Research Ltd.
Description
SuperOrca - Setup File
Version
11.0.0.1
Modules
Image
c:\users\admin\appdata\local\temp\sample.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msls31.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\setup_34866\engine.exe

PID
2636
CMD
C:\Users\admin\AppData\Local\Temp\SETUP_34866\Engine.exe /TH_ID=_3496 /OriginExe="C:\Users\admin\AppData\Local\Temp\sample.exe"
Path
C:\Users\admin\AppData\Local\Temp\SETUP_34866\Engine.exe
Indicators
Parent process
sample.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Pantaray Research Ltd.
Description
Setup/Uninstall Engine
Version
11.0.0.1
Modules
Image
c:\users\admin\appdata\local\temp\setup_34866\engine.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cabinet.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winmm.dll
c:\windows\system32\winspool.drv
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msls31.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cacls.exe
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\pantaray\superorca\superorca.exe
c:\program files\pantaray\superorcasetup_21233.exe
c:\windows\system32\netutils.dll

PID
2888
CMD
C:\Windows\system32\cacls.exe "C:\Program Files\Pantaray\SuperOrcaSetup_21233.exe" /E /C /G Everyone:F
Path
C:\Windows\system32\cacls.exe
Indicators
No indicators
Parent process
Engine.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Control ACLs Program
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3984
CMD
C:\Windows\regedit.exe /S "C:\Users\admin\AppData\Local\Temp\SETUP_34866\evalcom2.reg"
Path
C:\Windows\regedit.exe
Indicators
No indicators
Parent process
Engine.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Editor
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\regedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\authz.dll
c:\windows\system32\aclui.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ulib.dll
c:\windows\system32\clb.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3784
CMD
C:\Windows\system32\cacls.exe "C:\Program Files\Pantaray" /T /E /C /G Everyone:F
Path
C:\Windows\system32\cacls.exe
Indicators
No indicators
Parent process
Engine.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Control ACLs Program
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2444
CMD
C:\Windows\system32\cacls.exe "C:\Program Files\Common Files" /T /E /C /G Everyone:F
Path
C:\Windows\system32\cacls.exe
Indicators
No indicators
Parent process
Engine.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Control ACLs Program
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2832
CMD
"C:\Program Files\Pantaray\SuperOrca\SuperOrca.exe"
Path
C:\Program Files\Pantaray\SuperOrca\SuperOrca.exe
Indicators
No indicators
Parent process
Engine.exe
User
admin
Integrity Level
HIGH
Version:
Company
Pantaray Research Ltd.
Description
SuperOrca
Version
11.0.0.0
Modules
Image
c:\program files\pantaray\superorca\superorca.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msls31.dll
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll

Registry activity

Total events
255
Read events
218
Write events
37
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
DisplayName
SuperOrca
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
UnInstallString
"C:\Program Files\Pantaray\SuperOrcaSetup_21233.exe"
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
QuietUnInstallString
"C:\Program Files\Pantaray\SuperOrcaSetup_21233.exe" /silent
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
DisplayVersion
11.0.0.1
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
Publisher
Pantaray
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
Version
184549376
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
VersionMajor
11
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
VersionMinor
0
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
InstallLocation
"C:\Program Files\Pantaray"
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
InstallDate
20190515
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
ModifyPath
"C:\Users\admin\AppData\Local\Temp\sample.exe"
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
URLInfoAbout
http://www.pantaray.com/qsetup.html
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
NoModify
1
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
NoRepair
1
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SuperOrca
UserCount
1
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SuperOrca
Changed
0
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SuperOrca
SlowInfoCache
28020000010000000054450000000000E0C3367F370BD5010500000043003A005C00500072006F006700720061006D002000460069006C00650073005C00500061006E00740061007200610079005C00530075007000650072004F007200630061005C00530075007000650072004F007200630061002E0065007800650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Program Files\Pantaray\SuperOrcaSetup_21233.exe
RUNASADMIN
2636
Engine.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Program Files\Pantaray\SuperOrcaSetup_21233.exe
RUNASADMIN
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Pantaray\SuperOrca\11.0.0.1
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SuperOrca.exe
C:\Program Files\Pantaray\SuperOrca\SuperOrca.exe
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SuperOrca.exe
Path
C:\Program Files\Pantaray\SuperOrca
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Pantaray\SuperOrca
Version
11.0.0.1
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Pantaray\SuperOrca
ProgName
SuperOrca
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Pantaray\SuperOrca
UnInstallString
C:\Program Files\Pantaray\SuperOrcaSetup_21233.exe
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Pantaray\SuperOrca
InstallDir
C:\Program Files\Pantaray
2636
Engine.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E5E1910-8053-4660-B795-6B612E29BC58}\InprocServer32
C:\Program Files\Common Files\Microsoft Shared\MSI Tools\evalcom2.dll
2636
Engine.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2636
Engine.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3984
regedit.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E5E1910-8053-4660-B795-6B612E29BC58}
MSI Evaluation COM Object
3984
regedit.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E5E1910-8053-4660-B795-6B612E29BC58}\InprocServer32
InprocServer32
6YU'[email protected]@5L((.mJUEvalComServer<
3984
regedit.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E5E1910-8053-4660-B795-6B612E29BC58}\InprocServer32
ThreadingModel
Apartment
3984
regedit.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E5E1910-8053-4660-B795-6B612E29BC58}\ProgID
MSI.EVALCOM2.1
3984
regedit.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSI.EVALCOM2.1
Evaluation COM Server
3984
regedit.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSI.EVALCOM2.1\CLSID
{6E5E1910-8053-4660-B795-6B612E29BC58}

Files activity

Executable files
8
Suspicious files
2
Text files
119
Unknown types
3

Dropped files

PID
Process
Filename
Type
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\Engine.exe
executable
MD5: 254a70c60e89c7c71f624016d49110e6
SHA256: ff546dbcf581b01f628b186598a62579a98d77dafa1726b1e21a5374b53c70a4
2636
Engine.exe
C:\Program Files\Common Files\Microsoft Shared\MSI Tools\mergemod.dll
executable
MD5: 2a265494e285b0c5b34d5f60b19b7a65
SHA256: 64183e3814b8418320f9c2215e7f05c6c89e2f5277f5764a6baa00ed5bd73352
2636
Engine.exe
C:\Program Files\Pantaray\SuperOrca\SuperOrca.exe
executable
MD5: 22bbc26b3e1dc6e0fb92bf4c88798af6
SHA256: 7e9e03ddc048db5194eef4552da95822522c64ff5b2c760d73320a5be0545e7e
2636
Engine.exe
C:\Program Files\Pantaray\SuperOrcaSetup_21233.exe
executable
MD5: 254a70c60e89c7c71f624016d49110e6
SHA256: ff546dbcf581b01f628b186598a62579a98d77dafa1726b1e21a5374b53c70a4
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\00002#SuperOrca.exe
executable
MD5: 22bbc26b3e1dc6e0fb92bf4c88798af6
SHA256: 7e9e03ddc048db5194eef4552da95822522c64ff5b2c760d73320a5be0545e7e
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\00001#mergemod.dll
executable
MD5: 2a265494e285b0c5b34d5f60b19b7a65
SHA256: 64183e3814b8418320f9c2215e7f05c6c89e2f5277f5764a6baa00ed5bd73352
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\00000#evalcom2.dll
executable
MD5: a599901d5148cd4d310c6a825f832616
SHA256: 3b4fe00f15c39ce4c80b2a1b29c04a28d8722badc32abab4ec1c0a7d0e32d986
2636
Engine.exe
C:\Program Files\Common Files\Microsoft Shared\MSI Tools\evalcom2.dll
executable
MD5: a599901d5148cd4d310c6a825f832616
SHA256: 3b4fe00f15c39ce4c80b2a1b29c04a28d8722badc32abab4ec1c0a7d0e32d986
2636
Engine.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SuperOrca\SuperOrca web page.url
text
MD5: 8f92a0eb02903b5b30254b7ea0336f65
SHA256: 1b73583ca4952163effd9c9e487ae4acefe7764fb90f18293ed196d4cad30f54
2636
Engine.exe
C:\Program Files\Pantaray\SuperOrcaSetup_21233.txt
text
MD5: 0128c3a78c7e9bad403dfc2bd8514911
SHA256: 36804cff0ff1999ac8ee9270b8c1c3fdc651336040303229a76e56c71a4aebb4
2636
Engine.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SuperOrca\Pantaray Research website.url
text
MD5: e0f94f61676e6bdd6945de778f10542a
SHA256: 361b22e7b172c695a6ed0238480ba294b3ca8b9e9619e8f2544dd68db81822d2
2636
Engine.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SuperOrca\SuperOrca.lnk
lnk
MD5: d5b987a9ff40aa5c2ee8a6cbea314d6d
SHA256: 5132f732ccfe06a9cc7c50da6abd0058c10bc97a37478655723be4325ac2bdef
2636
Engine.exe
C:\Program Files\Pantaray\Setup.log
text
MD5: 3ade51eb2035de7ed69f110113e34bde
SHA256: 24e1da8615dd30f274b26e34340cd84fd7758f1677e491b6ff93533df3ffabeb
2636
Engine.exe
C:\Program Files\Pantaray\Setup.log
text
MD5: c4c74a874a55db7f055c344a42235721
SHA256: fad5ac1e05fe56430233560e666ab8e1aea5355feefc2c269af2af1dab8ddc71
2636
Engine.exe
C:\Program Files\Pantaray\SuperOrcaSetup_21233.txt
text
MD5: a916d49a276ba0f5b57e2f9b88d424c5
SHA256: a7a95593adf3aaf868aec2fbeb63594fd4bd73290a1adcea1ba284802a00ece6
2636
Engine.exe
C:\Program Files\Pantaray\Setup.log
text
MD5: 03b886a24a4f07f6678d166ec0debdf3
SHA256: ce5ad6416cf1b45e7d6196e07d1b5f728ad24d225427f24aa51b679f30906983
2636
Engine.exe
C:\Program Files\Pantaray\SuperOrcaSetup_21233.txt
text
MD5: 08fcb81722f681c66972809e93597f8b
SHA256: 80e49c97d0c8ea0f3b907b8c9f2ae484e81fdfd421175bf67c5967d2094d23f2
2636
Engine.exe
C:\Program Files\Pantaray\Setup.log
text
MD5: d17aba009abf24434ca791f46e1c6481
SHA256: cdb2406f13b32c88ba0d66b003e6dc2c0d319a27fe3ab7a55c1067c17b81dbaf
2636
Engine.exe
C:\Program Files\Pantaray\SuperOrca\SuperOrca_Manual.pdf
pdf
MD5: 9502f533f49adbf0a989f9027509f88d
SHA256: 5e3fc5afe15b102d29df9425df6c91c790f3d4c7c0b601a3d9bbb3af676db029
2636
Engine.exe
C:\Program Files\Pantaray\Setup.log
text
MD5: 1d4bf2ea7348306062da266a09643517
SHA256: 35f261e37381d803dd908684fe104f9914f669e27f78b077e2f0fbb7432b1201
2636
Engine.exe
C:\Program Files\Pantaray\Setup.log
text
MD5: 21a3f228377083a58fa8575d8c689ea5
SHA256: 505d373bc060c402ed1379b2847c642394ff20a081c5f87a9f0d47ef58899cdc
2636
Engine.exe
C:\Program Files\Pantaray\SuperOrcaSetup_21233.txt
text
MD5: ae2f5515b113ff37750fa36d630575d4
SHA256: c77f72edd0f9f75855b6517ab96c27ca1eb100ec40167141c95bcfeec3e5205b
2636
Engine.exe
C:\Program Files\Pantaray\SuperOrcaSetup_21233.txt
text
MD5: 0cb23f0f45c5a2bda4f3dafffa85c6df
SHA256: b6704757a0fd2bdefaafb4247ab6091364b85cafce1dff4deb623fff50b3e54b
2636
Engine.exe
C:\Program Files\Pantaray\SuperOrcaSetup_21233.txt
text
MD5: eea89b82985ac908b8389575a44a456a
SHA256: c4381f59511297af6e1e2b0626505cb186bc8cdeba6616cd6a4bc22ec0662ca5
2636
Engine.exe
C:\Program Files\Pantaray\Setup.log
text
MD5: fc8d4338428e02bf06d21b6c072daad0
SHA256: cdda11f7a4df4be1b898d667912d6d8bf30025dcf5fec780fb844e25e5215061
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\00003#SuperOrca_Manual.pdf
pdf
MD5: 9502f533f49adbf0a989f9027509f88d
SHA256: 5e3fc5afe15b102d29df9425df6c91c790f3d4c7c0b601a3d9bbb3af676db029
2636
Engine.exe
C:\Users\admin\Desktop\SuperOrca.lnk
lnk
MD5: ab991c88b89ea893b91b86a4b778b7f4
SHA256: 193a4572ecbbb35f61f0a578f57b7e1e4382b8d10cb2933b95b626a0cf9299f8
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\Setup.txt
text
MD5: c63ea5e629a0e5b409e03822d7f16286
SHA256: 02e486c8152c187c529807d9dac34f4b44885c9eed0194308b095951e8ab2fd1
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\SuperOrcaSetup.qsp
text
MD5: 378d0b99027a4e9cfe6d76263d3f2232
SHA256: 97a1d9318607fcd13bc4bae0eb912c565951ef73e4d1318e54c4e397f91d4ee0
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\LICENSE.RTF
text
MD5: 7f07e198d42a545555871b44ef101048
SHA256: c6d33ec7d400f6ecc6e63c9ef44301809c014061cc42976e1e53e1839594fc5a
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\Modern_Setup.bmp
image
MD5: ded1d8db477cc655b17e16c6fe989707
SHA256: 7a5d14d64ef24cdf895f947700f6e8444940c3cf5b23e868f2b3a14f0fe14206
2636
Engine.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SuperOrca\Uninstall SuperOrca.lnk
lnk
MD5: fce35bddcd3f2bc52a4186750297ac93
SHA256: 57498d8b0b7e677ed021db60c506cb5093ee819111069c21a928a0f4d09021de
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\folder_blue_small.bmp
image
MD5: a14a183ce820e0ed7fe33a91a5e4b7df
SHA256: 38dc136c999991e17e9f1b8e151af1a0b04e660371ce879dc20582beccb35ad4
2636
Engine.exe
C:\Program Files\Pantaray\Setup.log
text
MD5: 8551ede9ae7f3939e8f7ff36cf8df7fd
SHA256: 82d1cc62446d1418af8378a5240c80847f3de017fc172b61fb0f122e156e9da5
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\evalcom2.reg
text
MD5: 3ad7bf84aff9ab8aed0b7e790e758f32
SHA256: 95d58de1d93151258a3e2e33caf10b3a79e5ce02c931495ffe69a82b0b1b20ea
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\folder_blue_large.bmp
image
MD5: 1c1c9ceebf00cb863da9787da07404ec
SHA256: 4f4b8717b45d7314100a7c3bce5d4c6f98e56140f6bf696bef1de430f052b5a7
3480
sample.exe
C:\Users\admin\AppData\Local\Temp\SETUP_34866\Modern_Icon.bmp
image
MD5: 1dd88f67f029710d5c5858a6293a93f1
SHA256: b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532
2636
Engine.exe
C:\Program Files\Pantaray\Setup.log
text
MD5: 8bc52c774a9386b6a46e32c50bec154b
SHA256: 9333ce8478525f0f5b8a5e720b02480cb1c40a34de384640ff64df4fa88bf35b

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.