File name:

8d1fb56fdca56d32a2583326fdf26a52

Full analysis: https://app.any.run/tasks/ffe0584d-7b73-4d8b-bbf6-5c65bba5a13d
Verdict: Malicious activity
Analysis date: March 14, 2019, 08:42:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

8D1FB56FDCA56D32A2583326FDF26A52

SHA1:

DCE020E1327433CFAF6378BEE64E8E9CA49A2C0B

SHA256:

8D53C67D05995565BDFF9692F8E2D9F56686C1C2E92F864D5306AB4DC09BA91A

SSDEEP:

12288:2dBdpJ16Gna4K6REllPaa5LiIU/fsh4V6jnB0KJFx+I3IxAOzK6+44EwgwIVM12w:2dBdpJxZkllk9WWL8bX2WDb1IwWLvE7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs injected code in another process

      • 8d1fb56fdca56d32a2583326fdf26a52.exe (PID: 3680)
      • svchost.exe (PID: 3872)

    • Uses SVCHOST.EXE for hidden code execution

      • explorer.exe (PID: 116)
      • svchost.exe (PID: 3260)

    • Application was injected by another process

      • explorer.exe (PID: 116)
      • windanr.exe (PID: 2192)
      • dwm.exe (PID: 1996)

    • Loads dropped or rewritten executable

      • p2phost.exe (PID: 2184)
      • DevicePairingWizard.exe (PID: 3556)

    • Application was dropped or rewritten from another process

      • p2phost.exe (PID: 2184)
      • taskhost.exe (PID: 3548)
      • DevicePairingWizard.exe (PID: 3556)
      • taskhost.exe (PID: 2692)

    • Changes internet zones settings

      • dwm.exe (PID: 1996)

    • Modifies the Internet Explorer registry keys for privacy or tracking

      • dwm.exe (PID: 1996)

    • Changes the autorun value in the registry

      • regedit.exe (PID: 1868)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • DllHost.exe (PID: 2332)
      • DllHost.exe (PID: 1428)
      • svchost.exe (PID: 3872)
      • DllHost.exe (PID: 3636)
      • DllHost.exe (PID: 2868)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:04:13 20:33:35+02:00
PEType: PE32
LinkerVersion: 7.1
CodeSize: 217088
InitializedDataSize: 1601536
UninitializedDataSize: -
EntryPoint: 0x26b1d
OSVersion: 5.1
ImageVersion: 5.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.3.2600.5512
ProductVersionNumber: 5.3.2600.5512
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Arabic
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft DirectX Diagnostic Tool
FileVersion: 5.03.2600.5512 (xpsp.080413-0845)
InternalName: dxdiag.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: dxdiag.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.03.2600.5512

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 13-Apr-2008 18:33:35
Detected languages:
  • Arabic - Saudi Arabia
  • Chinese - PRC
  • Chinese - Taiwan
  • Czech - Czech Republic
  • Danish - Denmark
  • Dutch - Netherlands
  • English - United States
  • Finnish - Finland
  • French - France
  • German - Germany
  • Greek - Greece
  • Hebrew - Israel
  • Hungarian - Hungary
  • Italian - Italy
  • Japanese - Japan
  • Korean - Korea
  • Norwegian - Norway (Bokmal)
  • Polish - Poland
  • Portuguese - Brazil
  • Portuguese - Portugal
  • Russian - Russia
  • Spanish - Spain (International sort)
  • Swedish - Sweden
  • Turkish - Turkey
CompanyName: Microsoft Corporation
FileDescription: Microsoft DirectX Diagnostic Tool
FileVersion: 5.03.2600.5512 (xpsp.080413-0845)
InternalName: dxdiag.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: dxdiag.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.03.2600.5512

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 13-Apr-2008 18:33:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00034ED6
0x00035000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.51065
.data
0x00036000
0x00002A94
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.34693
.rsrc
0x00039000
0x00185AB8
0x00186000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.03307

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.9239
636
Latin 1 / Western European
Spanish - Spain (International sort)
RT_MANIFEST
2
4.45055
744
Latin 1 / Western European
Hebrew - Israel
RT_ICON
3
4.38998
296
Latin 1 / Western European
Hebrew - Israel
RT_ICON
4
6.1386
3752
Latin 1 / Western European
Hebrew - Israel
RT_ICON
5
6.26858
2216
Latin 1 / Western European
Hebrew - Israel
RT_ICON
6
5.02146
1384
Latin 1 / Western European
Hebrew - Israel
RT_ICON
7
3.38495
3076
Latin 1 / Western European
Spanish - Spain (International sort)
RT_STRING
8
3.22326
1284
Latin 1 / Western European
Spanish - Spain (International sort)
RT_STRING
9
5.79527
1128
Latin 1 / Western European
Hebrew - Israel
RT_ICON
10
2.70223
744
Latin 1 / Western European
Hebrew - Israel
RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
comdlg32.dll
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
16
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
inject start inject inject 8d1fb56fdca56d32a2583326fdf26a52.exe no specs explorer.exe svchost.exe no specs svchost.exe unsecapp.exe no specs Copy/Move/Rename/Delete/Link Object p2phost.exe no specs Copy/Move/Rename/Delete/Link Object taskhost.exe no specs dwm.exe windanr.exe Copy/Move/Rename/Delete/Link Object devicepairingwizard.exe no specs regedit.exe Copy/Move/Rename/Delete/Link Object taskhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1428C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1868"C:\Windows\regedit.exe"C:\Windows\regedit.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1996"C:\Windows\system32\Dwm.exe"C:\Windows\System32\dwm.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Desktop Window Manager
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
2184C:\Users\admin\AppData\Local\Olvioztue\p2phost.exeC:\Users\admin\AppData\Local\Olvioztue\p2phost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
People Near Me
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\olvioztue\p2phost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2192"windanr.exe"C:\Windows\system32\windanr.exe
qemu-ga.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\windanr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winanr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
2332C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2636C:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\wbem\unsecapp.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Sink to receive asynchronous callbacks for WMI client application
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\unsecapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2692C:\Users\admin\AppData\Local\Riofohz\taskhost.exeC:\Users\admin\AppData\Local\Riofohz\taskhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\riofohz\taskhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2868C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
323
Read events
303
Write events
20
Delete events
0

Modification events

(PID) Process:(3872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3872) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
25
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3872svchost.exeC:\Users\admin\AppData\Local\Olvioztue\RPCRT4.dllexecutable
MD5:
SHA256:
3872svchost.exeC:\Users\admin\AppData\Local\Azkecoicny\Cyadpeuz.yqvbinary
MD5:
SHA256:
3872svchost.exeC:\Users\admin\AppData\Local\Olvioztue\GDI32.dllexecutable
MD5:
SHA256:
3872svchost.exeC:\Users\admin\AppData\Local\Olvioztue\msvcrt.dllexecutable
MD5:
SHA256:
3872svchost.exeC:\Users\admin\AppData\Local\Olvioztue\P2P.dllexecutable
MD5:
SHA256:
3872svchost.exeC:\Users\admin\AppData\Local\Olvioztue\SHLWAPI.dllexecutable
MD5:
SHA256:
3872svchost.exeC:\Users\admin\AppData\Local\Azkecoicny\RPCRT4.dllexecutable
MD5:
SHA256:
3872svchost.exeC:\Users\admin\AppData\Local\Azkecoicny\ole32.dllexecutable
MD5:
SHA256:
3872svchost.exeC:\Users\admin\AppData\Local\Azkecoicny\msvcrt.dllexecutable
MD5:
SHA256:
3872svchost.exeC:\Users\admin\AppData\Local\Olvioztue\ADVAPI32.dllexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3872
svchost.exe
POST
200
213.252.245.146:80
http://sync-time.info/
LT
binary
899 Kb
malicious
3872
svchost.exe
POST
200
213.252.245.146:80
http://sync-time.info/
LT
binary
596 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3872
svchost.exe
213.252.245.146:80
sync-time.info
Informacines sistemos ir technologijos, UAB
LT
malicious

DNS requests

Domain
IP
Reputation
sync-time.info
  • 213.252.245.146
malicious

Threats

PID
Process
Class
Message
3872
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Brazilian Banking Trojan
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
8d1fb56fdca56d32a2583326fdf26a52