File name:

C:\Users\admin\AppData\LocalLow\DmnzQvBb.tmp

Full analysis: https://app.any.run/tasks/67a5da93-090f-4d44-9815-9638026f4654
Verdict: Malicious activity
Analysis date: February 09, 2020, 15:00:37
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

3674B3A7C77EB110FD56405D4497AC45

SHA1:

6762E279A1023768AEA0B1BF9920E75E3E9884F7

SHA256:

90F2A19D6EF682EC0ACB373BDB689A1BFC07F28091905F75B0D5C401D273E70F

SSDEEP:

1536:P2zZ6WjYLmXcgnXScO82CTy8zgQ8OiuaFkU3yKnoYqVIZiO6qFmrxOWqMGL:P2zxNnXSz82CTyALaifKntGqF6OxM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • DmnzQvBb.tmp.exe (PID: 3100)

    • Runs injected code in another process

      • DmnzQvBb.tmp.exe (PID: 3100)

    • Loads the Task Scheduler COM API

      • explorer.exe (PID: 3444)
      • mmc.exe (PID: 1696)

    • Application was injected by another process

      • explorer.exe (PID: 3444)

    • Loads the Task Scheduler DLL interface

      • explorer.exe (PID: 3444)
      • mmc.exe (PID: 1696)

  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • explorer.exe (PID: 3444)
      • mmc.exe (PID: 1696)

    • Executable content was dropped or overwritten

      • explorer.exe (PID: 3444)
      • DmnzQvBb.tmp.exe (PID: 3100)

    • Creates files in the user directory

      • explorer.exe (PID: 3444)

    • Executed via COM

      • RuntimeBroker.exe (PID: 4988)

    • Checks supported languages

      • explorer.exe (PID: 3444)

  • INFO

    • Manual execution by user

      • runonce.exe (PID: 5872)
      • mmc.exe (PID: 4896)
      • mmc.exe (PID: 1696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:13 06:15:53+02:00
PEType: PE32
LinkerVersion: 10
CodeSize: 66560
InitializedDataSize: 39424
UninitializedDataSize: -
EntryPoint: 0x109f0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 28.0.0.0
ProductVersionNumber: 28.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 13-May-2019 04:15:53
Detected languages:
  • Norwegian - Norway (Bokmal)
Debug artifacts:
  • C:\yakefijuhi.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 13-May-2019 04:15:53
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000103DE
0x00010400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.5201
.data
0x00012000
0x00002F88
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.23332
.dija
0x00015000
0x00003800
0x00002A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00019000
0x00003398
0x00003400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.11195
.reloc
0x0001D000
0x00000A4C
0x00000C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
4.02814

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.01405
264
UNKNOWN
UNKNOWN
RT_VERSION
9
3.08281
470
UNKNOWN
UNKNOWN
RT_STRING
10
3.19587
610
UNKNOWN
UNKNOWN
RT_STRING
11
3.29312
2040
UNKNOWN
UNKNOWN
RT_STRING
12
3.28279
1714
UNKNOWN
UNKNOWN
RT_STRING
119
1.7815
20
UNKNOWN
Norwegian - Norway (Bokmal)
RT_GROUP_ICON
153
4.6063
1180
UNKNOWN
UNKNOWN
XAF
295
1
2
UNKNOWN
UNKNOWN
AFX_DIALOG_LAYOUT
730
4.63173
1889
UNKNOWN
UNKNOWN
MAG

Imports

ADVAPI32.dll
KERNEL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
206
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
inject start dmnzqvbb.tmp.exe explorer.exe runtimebroker.exe no specs runonce.exe no specs mmc.exe no specs mmc.exe

Process information

PID
CMD
Path
Indicators
Parent process
1696"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc" /sC:\WINDOWS\system32\mmc.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
3100"C:\Users\admin\AppData\Local\Temp\DmnzQvBb.tmp.exe" C:\Users\admin\AppData\Local\Temp\DmnzQvBb.tmp.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dmnzqvbb.tmp.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
3444C:\WINDOWS\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1073807364
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\ime\imejp\imjplmp.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
4896"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc" /sC:\WINDOWS\system32\mmc.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mmc.exe
4988C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Exit code:
1073807364
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\sechost.dll
5872C:\WINDOWS\SysWOW64\runonce.exe /Run6432C:\WINDOWS\SysWOW64\runonce.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Run Once Wrapper
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\runonce.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
Total events
850
Read events
818
Write events
32
Delete events
0

Modification events

(PID) Process:(3444) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown
Operation:writeName:CleanShutdown
Value:
1
(PID) Process:(3444) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\IME\15.0\IMEJP
Operation:writeName:LastLogDate
Value:
981664FE59DFD501
(PID) Process:(3444) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:FFlags
Value:
1075839524
(PID) Process:(3444) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:Mode
Value:
1
(PID) Process:(3444) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:LogicalViewMode
Value:
3
(PID) Process:(3444) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconSize
Value:
48
(PID) Process:(3444) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:Sort
Value:
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
(PID) Process:(3444) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:GroupView
Value:
0
(PID) Process:(3444) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:GroupByKey:FMTID
Value:
{00000000-0000-0000-0000-000000000000}
(PID) Process:(3444) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:GroupByKey:PID
Value:
0
Executable files
2
Suspicious files
0
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
5872runonce.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etletl
MD5:
SHA256:
3444explorer.exeC:\Users\admin\AppData\Roaming\wucgshjexecutable
MD5:
SHA256:
3444explorer.exeC:\Users\admin\AppData\Roaming\dswrigixml
MD5:
SHA256:
3100DmnzQvBb.tmp.exeC:\Users\admin\AppData\Local\Temp\210A.tmpexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
3
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3444
explorer.exe
GET
200
52.169.82.131:443
https://geo-prod.do.dsp.mp.microsoft.com/geo?doClientVersion=10.0.16299.431
IE
text
268 b
whitelisted
3444
explorer.exe
GET
200
2.23.72.245:443
https://kv601.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.16299.431&countryCode=BE
unknown
text
2.06 Kb
whitelisted
2180
OfficeClickToRun.exe
GET
200
13.107.21.200:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
US
html
58.3 Kb
whitelisted
2180
OfficeClickToRun.exe
GET
200
13.107.21.200:443
https://www.bing.com/rb/17/cir2,ortl,cc,nc/e7f66d12/68a6d54b.css?bu=CcAF_ALPApoGnQXmBJAET08
US
text
19.9 Kb
whitelisted
2180
OfficeClickToRun.exe
GET
200
13.107.21.200:443
https://www.bing.com/rb/6s/cj,nj/c6f1d95f/104e28d4.js?bu=HowCqQGHArICgQKQApMCtAK6ArYCuAKrAa0B7AHuAb0CmQLxAaMCqgKsAtkCvwKDAvwC-gLkAXV1dQ
US
text
223 Kb
whitelisted
2180
OfficeClickToRun.exe
GET
200
13.107.21.200:443
https://www.bing.com/rs/2w/6/cj,nj/7a731726/c679c8b2.js
US
text
120 Kb
whitelisted
2180
OfficeClickToRun.exe
GET
200
13.107.21.200:443
https://www.bing.com/rs/5O/L/cj,nj/7e516373/53c747e0.js
US
text
118 Kb
whitelisted
2180
OfficeClickToRun.exe
GET
200
13.107.21.200:443
https://www.bing.com/rb/6s/cj,nj/ea5aa144/b1059d01.js?bu=B98C9gL4AnV1dXU
US
text
33.3 Kb
whitelisted
2180
OfficeClickToRun.exe
GET
200
13.107.21.200:443
https://www.bing.com/rb/15/cj,nj/b4ab0247/5c8d410a.js?bu=DisYZHB1eG1qZ68BsQEYnAEY
US
text
18.6 Kb
whitelisted
2180
OfficeClickToRun.exe
GET
200
13.107.21.200:443
https://www.bing.com/rs/6s/3r/cj,nj/0b1a1c19/dbef2181.js
US
text
197 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2752
svchost.exe
52.169.82.131:443
geo-prod.do.dsp.mp.microsoft.com
Microsoft Corporation
IE
whitelisted
2752
svchost.exe
2.23.72.245:443
kv601.prod.do.dsp.mp.microsoft.com
Akamai Technologies, Inc.
unknown

DNS requests

Domain
IP
Reputation
infinitydeveloperspes.info
  • 185.9.147.250
suspicious
unverifiedintigoosjai.info
malicious
huivaritaslloa.info
malicious
self.events.data.microsoft.com
  • 52.114.128.43
  • 52.114.7.36
whitelisted
config.edge.skype.com
  • 13.107.3.128
malicious
geo-prod.do.dsp.mp.microsoft.com
  • 52.169.82.131
whitelisted
kv601.prod.do.dsp.mp.microsoft.com
  • 2.23.72.245
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
C:\Users\admin\AppData\LocalLow\DmnzQvBb.tmp