File name:

npcryco_esep.exe

Full analysis: https://app.any.run/tasks/d7a807cd-c818-4219-abc5-d8f072df0dba
Verdict: Malicious activity
Analysis date: May 07, 2024, 16:05:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

167F04681946086462575B3936F17EDF

SHA1:

2F8C0FEC301D0D334DF4B216E9D6DF327EB8E4B0

SHA256:

7149B131979484B6BE8A9DB442E9410554FA4F7ABC70B1925CC513317BF1D15C

SSDEEP:

98304:VkBvNkRfCuOGCChcoQ36SCpEE9LQBHotL2u/AsqMYt5l3y5erZaykRzmW2JgbUV9:lqjyz4nWswm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • npcryco_esep.exe (PID: 3968)
      • npcryco_esep.exe (PID: 928)
      • npcryco_esep.tmp (PID: 1120)

    • Registers / Runs the DLL via REGSVR32.EXE

      • npcryco_esep.tmp (PID: 1120)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • npcryco_esep.exe (PID: 3968)
      • npcryco_esep.exe (PID: 928)
      • npcryco_esep.tmp (PID: 1120)

    • Reads the Windows owner or organization settings

      • npcryco_esep.tmp (PID: 1120)

    • The process drops C-runtime libraries

      • npcryco_esep.tmp (PID: 1120)

    • Process drops legitimate windows executable

      • npcryco_esep.tmp (PID: 1120)

    • Adds/modifies Windows certificates

      • CertMgr.Exe (PID: 2236)

    • Reads settings of System Certificates

      • CertMgr.Exe (PID: 2236)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1132)
      • regsvr32.exe (PID: 1948)

  • INFO

    • Checks supported languages

      • npcryco_esep.tmp (PID: 3984)
      • npcryco_esep.exe (PID: 3968)
      • npcryco_esep.exe (PID: 928)
      • npcryco_esep.tmp (PID: 1120)
      • processviewer.exe (PID: 820)
      • processviewer.exe (PID: 112)
      • processviewer.exe (PID: 1652)
      • processviewer.exe (PID: 116)
      • processviewer.exe (PID: 1292)
      • processviewer.exe (PID: 1768)
      • processviewer.exe (PID: 660)
      • processviewer.exe (PID: 1592)
      • processviewer.exe (PID: 1080)
      • CryptoPluginUpdaterHost.exe (PID: 1788)
      • CertMgr.Exe (PID: 2236)
      • ChromeCryptoHost.exe (PID: 1816)

    • Reads the computer name

      • npcryco_esep.tmp (PID: 3984)
      • npcryco_esep.tmp (PID: 1120)
      • processviewer.exe (PID: 820)
      • processviewer.exe (PID: 112)
      • processviewer.exe (PID: 116)
      • processviewer.exe (PID: 1768)
      • processviewer.exe (PID: 1292)
      • processviewer.exe (PID: 1652)
      • processviewer.exe (PID: 660)
      • processviewer.exe (PID: 1080)
      • processviewer.exe (PID: 1592)

    • Create files in a temporary directory

      • npcryco_esep.exe (PID: 3968)
      • npcryco_esep.exe (PID: 928)
      • npcryco_esep.tmp (PID: 1120)

    • Creates files or folders in the user directory

      • npcryco_esep.tmp (PID: 1120)
      • ChromeCryptoHost.exe (PID: 1816)
      • CryptoPluginUpdaterHost.exe (PID: 1788)

    • Creates a software uninstall entry

      • npcryco_esep.tmp (PID: 1120)

    • Reads the machine GUID from the registry

      • CertMgr.Exe (PID: 2236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (77.7)
.exe | Win32 Executable Delphi generic (10)
.dll | Win32 Dynamic Link Library (generic) (4.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Win16/32 Executable Delphi generic (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 41472
InitializedDataSize: 17920
UninitializedDataSize: -
EntryPoint: 0xaa98
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.2.0.0
ProductVersionNumber: 2.2.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: ТОП КЕЙС
FileDescription: Крипто компонента Setup
FileVersion: 2.2.0.0
LegalCopyright:
ProductName: Крипто компонента
ProductVersion: 2.2.0.0
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
64
Monitored processes
18
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start npcryco_esep.exe npcryco_esep.tmp no specs npcryco_esep.exe npcryco_esep.tmp processviewer.exe no specs processviewer.exe no specs processviewer.exe no specs processviewer.exe no specs processviewer.exe no specs processviewer.exe no specs processviewer.exe no specs processviewer.exe no specs processviewer.exe no specs regsvr32.exe no specs regsvr32.exe no specs chromecryptohost.exe no specs cryptopluginupdaterhost.exe no specs certmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
112"C:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exe" iexplore.exeC:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exenpcryco_esep.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-rc75a.tmp\processviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
116"C:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exe" opera.exeC:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exenpcryco_esep.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-rc75a.tmp\processviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
660"C:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exe" maxthon.exeC:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exenpcryco_esep.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-rc75a.tmp\processviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
820"C:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exe" chrome.exeC:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exenpcryco_esep.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-rc75a.tmp\processviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
928"C:\Users\admin\AppData\Local\Temp\npcryco_esep.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138 C:\Users\admin\AppData\Local\Temp\npcryco_esep.exe
npcryco_esep.tmp
User:
admin
Company:
ТОП КЕЙС
Integrity Level:
HIGH
Description:
Крипто компонента Setup
Exit code:
0
Version:
2.2.0.0
Modules
Images
c:\users\admin\appdata\local\temp\npcryco_esep.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
1080"C:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exe" avantvw.exeC:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exenpcryco_esep.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-rc75a.tmp\processviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1120"C:\Users\admin\AppData\Local\Temp\is-CTIPL.tmp\npcryco_esep.tmp" /SL5="$30130,2707984,57856,C:\Users\admin\AppData\Local\Temp\npcryco_esep.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138 C:\Users\admin\AppData\Local\Temp\is-CTIPL.tmp\npcryco_esep.tmp
npcryco_esep.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ctipl.tmp\npcryco_esep.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
1132"regsvr32.exe" /s "C:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\npcryco.dll"C:\Windows\System32\regsvr32.exenpcryco_esep.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1292"C:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exe" firefox.exeC:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exenpcryco_esep.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-rc75a.tmp\processviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1592"C:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exe" avant.exeC:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exenpcryco_esep.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\is-rc75a.tmp\processviewer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
3 179
Read events
3 128
Write events
43
Delete events
8

Modification events

(PID) Process:(1120) npcryco_esep.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
6004000064A8F05B98A0DA01
(PID) Process:(1120) npcryco_esep.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
F37BC0C312AB7F6E8CF1AE60F0766A7C8BAC4C7CA8C3FA5142679664BE848F6C
(PID) Process:(1120) npcryco_esep.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(1120) npcryco_esep.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFiles0000
Value:
C:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\npcryco.dll
(PID) Process:(1120) npcryco_esep.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFilesHash
Value:
461BCC97EB8686D007076010EAC0AD96362CD8D74BEE56FADBAD5F0D0601103A
(PID) Process:(1120) npcryco_esep.tmpKey:HKEY_CURRENT_USER\Software\MozillaPlugins\@TOPCASE/Crypto Plugin;version=2/Check
Operation:delete keyName:(default)
Value:
(PID) Process:(1120) npcryco_esep.tmpKey:HKEY_CURRENT_USER\Software\MozillaPlugins\@TOPCASE/Crypto Plugin;version=2
Operation:writeName:Description
Value:
Áðàóçåðíûé ïëàãèí TOP CASE Crypto Plugin
(PID) Process:(1120) npcryco_esep.tmpKey:HKEY_CURRENT_USER\Software\MozillaPlugins\@TOPCASE/Crypto Plugin;version=2
Operation:writeName:Path
Value:
C:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\npcryco.dll
(PID) Process:(1120) npcryco_esep.tmpKey:HKEY_CURRENT_USER\Software\MozillaPlugins\@TOPCASE/Crypto Plugin;version=2
Operation:writeName:ProductName
Value:
TOP CASE Crypto Plugin
(PID) Process:(1120) npcryco_esep.tmpKey:HKEY_CURRENT_USER\Software\MozillaPlugins\@TOPCASE/Crypto Plugin;version=2
Operation:writeName:Vendor
Value:
ÒÎÏ ÊÅÉÑ
Executable files
31
Suspicious files
7
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1120npcryco_esep.tmpC:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\is-G4LIB.tmpexecutable
MD5:543F8C49704541929D39548E1246AE2F
SHA256:0441B762212650FFC9510C8905B3CE15C4E2BA6AE56058ED7DBAE8E7A85A931B
928npcryco_esep.exeC:\Users\admin\AppData\Local\Temp\is-CTIPL.tmp\npcryco_esep.tmpexecutable
MD5:832DAB307E54AA08F4B6CDD9B9720361
SHA256:CC783A04CCBCA4EDD06564F8EC88FE5A15F1E3BB26CEC7DE5E090313520D98F3
1120npcryco_esep.tmpC:\Users\admin\AppData\Local\Temp\is-RC75A.tmp\processviewer.exeexecutable
MD5:5A7564588B432C54F95F9970347D81A4
SHA256:567D353B76DE47355E8A74A2423F18D5CCE78165E8445FD02C85885FBF92DEFB
1120npcryco_esep.tmpC:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\is-SFUNF.tmpexecutable
MD5:01AA1463D12FF70CEEAF76A969082066
SHA256:95C74FA2F7239CC0CE86B16F7F29F854A4A5073EEACA676FC461EB20695CC882
1120npcryco_esep.tmpC:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\is-7VCHV.tmpexecutable
MD5:3F5105188FFAFB2DDF3E2467CE94677C
SHA256:703DA1050393FE7498907EC9877B3192E51F6144CFAF59E334E1DA7FB78A9FE5
1120npcryco_esep.tmpC:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\unins000.exeexecutable
MD5:3F5105188FFAFB2DDF3E2467CE94677C
SHA256:703DA1050393FE7498907EC9877B3192E51F6144CFAF59E334E1DA7FB78A9FE5
1120npcryco_esep.tmpC:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\is-2SRKT.tmpcat
MD5:8DD0B7846993E84F5109C7F16939C9A6
SHA256:EBE015259069E751804BFEB2F8F23F2E4EDEB20CBA65EF3BC34C35BADE18C925
1120npcryco_esep.tmpC:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\npcryco.dllexecutable
MD5:01AA1463D12FF70CEEAF76A969082066
SHA256:95C74FA2F7239CC0CE86B16F7F29F854A4A5073EEACA676FC461EB20695CC882
1120npcryco_esep.tmpC:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\crypto.dllexecutable
MD5:543F8C49704541929D39548E1246AE2F
SHA256:0441B762212650FFC9510C8905B3CE15C4E2BA6AE56058ED7DBAE8E7A85A931B
1120npcryco_esep.tmpC:\Users\admin\AppData\Local\TOPCASE\Êðèïòî êîìïîíåíòà\is-7D5F0.tmptext
MD5:E03859A04A666B82CCE2A36C80BC7172
SHA256:C455C4DF82E17ADCC35E714482F0A37DE3C5DBB89A3A7CA79FB9C7155B8A47A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
npcryco_esep.exe