File name:

AnySign_Installer.exe

Full analysis: https://app.any.run/tasks/c7971b67-45bb-4b1c-9d9f-549cb2a57ede
Verdict: Malicious activity
Analysis date: March 04, 2020, 09:56:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

AE34B7A3BA323386C8805A2BB631F99E

SHA1:

2DA4E751CEC9C0E0A661C072A5F3C376CDBA4BF1

SHA256:

A7EFA5E541E8B58C5B28686633F8A7FDCA6C923B01B9AC95EF7D5275AE5E474D

SSDEEP:

196608:ZI/XEeTMrxDI5zpY9d2mlKqFzkVs2E+JTRzWJDzGuJ44jmINCednNid0QnA+P:Zi0ew9OczKqlAs7+JTdWdK+Nin

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • Any_setup.exe (PID: 2696)

    • Application was dropped or rewritten from another process

      • certutil.exe (PID: 3852)
      • Any_setup.exe (PID: 2696)
      • certutil.exe (PID: 2744)
      • AnySign4PC.exe (PID: 3312)
      • AnySign4PCLauncher.exe (PID: 984)
      • AnySign4PCLauncher.exe (PID: 1332)
      • AnySign4PCLauncher.exe (PID: 1740)

    • Loads dropped or rewritten executable

      • certutil.exe (PID: 3852)
      • certutil.exe (PID: 2744)
      • AnySign_Installer.exe (PID: 3352)
      • AnySign4PCLauncher.exe (PID: 984)
      • AnySign4PCLauncher.exe (PID: 1740)
      • AnySign4PCLauncher.exe (PID: 1332)
      • AnySign4PC.exe (PID: 3312)

    • Changes the autorun value in the registry

      • AnySign_Installer.exe (PID: 3352)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • AnySign_Installer.exe (PID: 3352)

    • Executed via COM

      • DllHost.exe (PID: 1676)

    • Reads Internet Cache Settings

      • Any_setup.exe (PID: 2696)
      • DllHost.exe (PID: 1676)

    • Creates files in the user directory

      • certutil.exe (PID: 2744)

    • Creates COM task schedule object

      • AnySign_Installer.exe (PID: 3352)

    • Modifies the open verb of a shell class

      • AnySign_Installer.exe (PID: 3352)

    • Creates a software uninstall entry

      • AnySign_Installer.exe (PID: 3352)

    • Uses NETSH.EXE for network configuration

      • Any_setup.exe (PID: 2696)

    • Creates files in the program directory

      • AnySign_Installer.exe (PID: 3352)

    • Creates files in the Windows directory

      • AnySign4PCLauncher.exe (PID: 1740)

    • Executed as Windows Service

      • AnySign4PCLauncher.exe (PID: 1740)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • AnySign_Installer.exe (PID: 3352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:10:07 06:40:23+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 162816
UninitializedDataSize: 1024
EntryPoint: 0x30e2
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.2.0
ProductVersionNumber: 1.1.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: Hancomsecure AnySign Installer
CompanyName: HancomSecure
FileDescription: AnySign Installer
FileVersion: 1.1.2.0
LegalCopyright: HANCOM SECURE Inc.
ProductName: AnySign

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 07-Oct-2014 04:40:23
Detected languages:
  • English - United States
Comments: Hancomsecure AnySign Installer
CompanyName: HancomSecure
FileDescription: AnySign Installer
FileVersion: 1.1.2.0
LegalCopyright: HANCOM SECURE Inc.
ProductName: AnySign

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 07-Oct-2014 04:40:23
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005DF4
0x00005E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.50963
.rdata
0x00007000
0x000012DA
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.10051
.data
0x00009000
0x000254B8
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.13022
.ndata
0x0002F000
0x00009000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00038000
0x0000CB18
0x0000CC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.03564

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.26047
1013
UNKNOWN
English - United States
RT_MANIFEST
2
5.21004
9640
UNKNOWN
English - United States
RT_ICON
103
2.35044
34
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.73893
514
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG
111
2.89887
238
UNKNOWN
English - United States
RT_DIALOG
205
2.68176
494
UNKNOWN
English - United States
RT_DIALOG
206
2.86295
228
UNKNOWN
English - United States
RT_DIALOG
211
2.92694
218
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
11
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start drop and start start anysign_installer.exe any_setup.exe certutil.exe no specs certutil.exe no specs WinInetBrokerServer no specs netsh.exe no specs anysign4pc.exe anysign4pclauncher.exe anysign4pclauncher.exe anysign4pclauncher.exe anysign_installer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
956"C:\Users\admin\AppData\Local\Temp\AnySign_Installer.exe" C:\Users\admin\AppData\Local\Temp\AnySign_Installer.exeexplorer.exe
User:
admin
Company:
HancomSecure
Integrity Level:
MEDIUM
Description:
AnySign Installer
Exit code:
3221226540
Version:
1.1.2.0
Modules
Images
c:\users\admin\appdata\local\temp\anysign_installer.exe
c:\systemroot\system32\ntdll.dll
984AnySign4PCLauncher.exe -installC:\Program Files\SoftForum\XecureWeb\AnySign\dll\AnySign4PCLauncher.exe
AnySign_Installer.exe
User:
admin
Company:
SOFTFORUM
Integrity Level:
HIGH
Description:
AnySign For PC Launcher
Exit code:
0
Version:
1.1.2.0
Modules
Images
c:\program files\softforum\xecureweb\anysign\dll\anysign4pclauncher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\softforum\xecureweb\anysign\dll\nativemng.dll
c:\program files\softforum\xecureweb\anysign\dll\nativemnguac.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1332AnySign4PCLauncher.exe -startC:\Program Files\SoftForum\XecureWeb\AnySign\dll\AnySign4PCLauncher.exe
AnySign_Installer.exe
User:
admin
Company:
SOFTFORUM
Integrity Level:
HIGH
Description:
AnySign For PC Launcher
Exit code:
0
Version:
1.1.2.0
Modules
Images
c:\program files\softforum\xecureweb\anysign\dll\anysign4pclauncher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\softforum\xecureweb\anysign\dll\nativemng.dll
c:\program files\softforum\xecureweb\anysign\dll\nativemnguac.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1676C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1740"C:\Program Files\SoftForum\XecureWeb\AnySign\dll\AnySign4PCLauncher.exe"C:\Program Files\SoftForum\XecureWeb\AnySign\dll\AnySign4PCLauncher.exe
services.exe
User:
SYSTEM
Company:
SOFTFORUM
Integrity Level:
SYSTEM
Description:
AnySign For PC Launcher
Exit code:
0
Version:
1.1.2.0
Modules
Images
c:\program files\softforum\xecureweb\anysign\dll\anysign4pclauncher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\softforum\xecureweb\anysign\dll\nativemng.dll
c:\program files\softforum\xecureweb\anysign\dll\nativemnguac.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2464netsh advfirewall firewall add rule name = "AnySign4PC" dir=in action=allow program="C:\Program Files\SoftForum\XecureWeb\AnySign\dll\AnySign4PC.exe" enable=yesC:\Windows\system32\netsh.exeAny_setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
2696Any_setup.exe /E /FC:\Program Files\SoftForum\XecureWeb\AnySign\dll\Any_setup.exe
AnySign_Installer.exe
User:
admin
Company:
HANCOM SECURE Inc.
Integrity Level:
HIGH
Description:
setup Application
Exit code:
0
Version:
1, 0, 0, 0
Modules
Images
c:\program files\softforum\xecureweb\anysign\dll\any_setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2744"C:\Program Files\SoftForum\XecureWeb\AnySign\cert\certutil.exe" -A -n "Hancom Secure Root Authority" -t "CT,C,C" -i "C:\Program Files\SoftForum\XecureWeb\AnySign\dll\..\cert\ca_cert_sh2.crt" -d "sql:C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles/qldyz51w.default"C:\Program Files\SoftForum\XecureWeb\AnySign\cert\certutil.exeAny_setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\softforum\xecureweb\anysign\cert\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\softforum\xecureweb\anysign\cert\nssutil3.dll
c:\program files\softforum\xecureweb\anysign\cert\plc4.dll
c:\program files\softforum\xecureweb\anysign\cert\nspr4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
3312AnySign4PC.exe port=10530;port_s=10531;no_shut=1C:\Program Files\SoftForum\XecureWeb\AnySign\dll\AnySign4PC.exe
AnySign_Installer.exe
User:
admin
Company:
HANCOM SECURE Inc.
Integrity Level:
HIGH
Description:
AnySign For PC
Exit code:
0
Version:
1.1.2.0
Modules
Images
c:\program files\softforum\xecureweb\anysign\dll\anysign4pc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\softforum\xecureweb\anysign\dll\nativemng.dll
c:\program files\softforum\xecureweb\anysign\dll\nativemnguac.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3352"C:\Users\admin\AppData\Local\Temp\AnySign_Installer.exe" C:\Users\admin\AppData\Local\Temp\AnySign_Installer.exe
explorer.exe
User:
admin
Company:
HancomSecure
Integrity Level:
HIGH
Description:
AnySign Installer
Exit code:
0
Version:
1.1.2.0
Modules
Images
c:\users\admin\appdata\local\temp\anysign_installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
610
Read events
468
Write events
142
Delete events
0

Modification events

(PID) Process:(2696) Any_setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\057B9535B8C2D165D65051D01228CACA4E35BC36
Operation:writeName:Blob
Value:
030000000100000014000000057B9535B8C2D165D65051D01228CACA4E35BC36200000000100000078040000308204743082035CA003020102020101300D06092A864886F70D01010B0500307B310B3009060355040613024B52311B3019060355040A0C1248616E636F6D2053656375726520496E632E31283026060355040B0C1F526573656172636820616E6420646576656C6F706D656E74206F66666963653125302306035504030C1C48616E636F6D2053656375726520526F6F7420417574686F72697479301E170D3136303431393131313433315A170D3336303431343131313433315A307B310B3009060355040613024B52311B3019060355040A0C1248616E636F6D2053656375726520496E632E31283026060355040B0C1F526573656172636820616E6420646576656C6F706D656E74206F66666963653125302306035504030C1C48616E636F6D2053656375726520526F6F7420417574686F7269747930820122300D06092A864886F70D01010105000382010F003082010A02820101008E3741E5AD9E7BF2159C59944E8CFC1435319010341102FB380CBEB5A4263FABA3A99C5D2B01BAADAA23FF42C330B036C2EA8A74BE1BC96182F1D1DFEC4238BCB5ACA3C4BB04635DEDCECF598681658B6B9949A0D2DD24E898DFA384CAF9BF84C2F2E2F32EEC4951677E4E124215FCFEF3F4B4D079FA7EC804FEB2BC95783DE3A960E45DE14E857FF1857458E856F4D6BB145984739EB2A4BEE8814A73115E3FAEBBADE2F1AEE37B7DF8A23FC05D94E44A5FC65A9E152CDDF5429B9CE305EC00657017886E7D7B2448BA16C2D3550CB667F0FCAFC9C0B2536AFE85E04DE5BB5129A2454157C401856125962162084F087480B19B7EF2EC077CA51AC03216808B0203010001A38201013081FE3081A50603551D2304819D30819A8014905089C7EB62F5932667F4D9F5DA8F1965D5A89AA17FA47D307B310B3009060355040613024B52311B3019060355040A0C1248616E636F6D2053656375726520496E632E31283026060355040B0C1F526573656172636820616E6420646576656C6F706D656E74206F66666963653125302306035504030C1C48616E636F6D2053656375726520526F6F7420417574686F72697479820101301D0603551D0E04160414905089C7EB62F5932667F4D9F5DA8F1965D5A89A300E0603551D0F0101FF04040302010630120603551D130101FF040830060101FF020101301106096086480186F8420101040403020007300D06092A864886F70D01010B0500038201010040AD61D72B32705A99663D5484215E33AB70FCDE9E1AAFB2F1CFF3A781272A59F4249FA5C4BD01E4DEAC833464139F126EA04CF7F65346A5566AC2560BA29AF7A6682EAF219B22A3277DC72AA7B117D0780F5E10C127B07A41999875BFAF4FC664D6B6D2727B158A1D34427D55E2247A3A9EA4833C4823F7FAE4D5B2E7251E73D84598B5B0CEED7F9FE40D1FD94D774737B4F3AAD09985BD072186247DB2A0ECC1FCBC07A93359DB9481D627B4808C38A004B1395920DCE7E51B8F19B076A110C34C9085C099F2D0C6F275249EE1E7640D758849CAFE472394E70B86E6DA14617A550502C7FAF5E937D2AAF03923DA8DDCEE110F17759BD26904A4F1C9E01029
(PID) Process:(2696) Any_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2696) Any_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2696) Any_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2696) Any_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyOverride
Value:
localhost
(PID) Process:(2696) Any_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A10000000100000000000000090000006C6F63616C686F7374000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2696) Any_setup.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A20000000100000000000000090000006C6F63616C686F7374000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(1676) DllHost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:DefaultConnectionSettings
Value:
46000000080000000100000000000000090000006C6F63616C686F7374000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2464) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2464) netsh.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:@%SystemRoot%\system32\dhcpqec.dll,-100
Value:
DHCP Quarantine Enforcement Client
Executable files
55
Suspicious files
0
Text files
110
Unknown types
223

Dropped files

PID
Process
Filename
Type
2744certutil.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal
MD5:
SHA256:
2744certutil.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db-journal
MD5:
SHA256:
2744certutil.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.dbsqlite
MD5:
SHA256:
3352AnySign_Installer.exeC:\Program Files\SoftForum\XecureWeb\AnySign\cert\nss3.dllexecutable
MD5:54F3932864EED803BD1CB82DF43F0C76
SHA256:96E068E6162A98D212B57C86B14FC539F1BBDCCD363F68EFD8CDFECC90C699D3
3352AnySign_Installer.exeC:\Program Files\SoftForum\XecureWeb\AnySign\cert\nssckbi.dllexecutable
MD5:40483977B63FF6382BA0E4FB03198C8B
SHA256:BFA1DE077F19AFC7B21FEB41891B4200A40B4DDA114F483D4EB92FF7A375926D
3352AnySign_Installer.exeC:\Program Files\SoftForum\XecureWeb\AnySign\certstorage\ca\03fa3e5aa4df9ef779646a2b165bb17c31b0009e\cert.derder
MD5:36E4CF3C664E36B710D0141CEA2C3B19
SHA256:2BCCA8B209DDD583C1967E78862756E282EC697B168700D5BA108494796A1BF8
3352AnySign_Installer.exeC:\Program Files\SoftForum\XecureWeb\AnySign\cert\msvcr120.dllexecutable
MD5:034CCADC1C073E4216E9466B720F9849
SHA256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
3352AnySign_Installer.exeC:\Program Files\SoftForum\XecureWeb\AnySign\cert\smime3.dllexecutable
MD5:94624BBAB23A92E0A5F90CCE9A5A340D
SHA256:B0104EA7AAA257B111982BD0763C1C47FFF76BD70249F84DCAD834D50444DF1A
3352AnySign_Installer.exeC:\Program Files\SoftForum\XecureWeb\AnySign\cert\plds4.dllexecutable
MD5:B7ED50495D311CF6E7AD247968DD2079
SHA256:20166E281B31AE60672B9D87CB69FCBA0C38CC5E18A8BA081C5601CCFAB7589F
3352AnySign_Installer.exeC:\Program Files\SoftForum\XecureWeb\AnySign\cert\softokn3.dllexecutable
MD5:6832B9A7AB871D81BE42054F117B8299
SHA256:B1316E04B3BF464906F4E015D3E71B4E06A65CC6E59A20A96984EE1E862DCB0E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
Any_setup.exe
"C:\Program Files\SoftForum\XecureWeb\AnySign\dll\..\cert\certutil.exe" -L -n "Hancom Secure Root Authority" -d "sql:C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles/qldyz51w.default"
Any_setup.exe
-A -n "Hancom Secure Root Authority" -t "CT,C,C" -i "C:\Program Files\SoftForum\XecureWeb\AnySign\dll\..\cert\ca_cert_sh2.crt" -d "sql:C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles/qldyz51w.default"
Any_setup.exe
netsh advfirewall firewall add rule name = "AnySign4PC" dir=in action=allow program="C:\Program Files\SoftForum\XecureWeb\AnySign\dll\AnySign4PC.exe" enable=yes
AnySign4PC.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
AnySign4PCLauncher.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
AnySign4PC.exe
[09:56:55.977500] [0x00000efc] [info] integrity measurement point
AnySign4PC.exe
[09:56:56.258750] [0x00000efc] [info] tls_port listen port : 10531
AnySign4PC.exe
[09:56:56.258750] [0x00000efc] [info] no_tls_port listen port : 10530
AnySign4PC.exe
[09:56:56.258750] [0x00000efc] [info] integrity elapsed time : 281 ms
AnySign4PC.exe
[09:56:56.258750] [0x00000efc] [info] no_tls_port listen port : 10530
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AnySign_Installer.exe