File name: LGgGQc88xaXZrqiug.exe

Full analysis: https://app.any.run/tasks/a182b7a2-1c9e-4627-8215-9850d703effe
Verdict: Malicious activity
Analysis date: June 04, 2023, 20:41:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: 28CB217D6565BE3D524C85C081F3D2AB
SHA1: 20F33AD5CA5F1101987A9A950E538BF22EDA174F
SHA256: AB4BE240A98C7BC132723842274182D5595F79B7C08CDF53DE7107DFFBC381A5
SSDEEP: 98304:Y/EiBPOgoT1ZkG3Y8S9bkcW15ExuBPy7DrabFgmgdF9ibOp7Uw9pBRPwhw:Y/E2O6p8S2NCey7a9gLEpqRPY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Disables Windows Defender

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
    • Checks Windows Trust Settings

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
    • Reads the Internet Settings

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
    • Reads settings of System Certificates

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
  • INFO

    • Checks proxy server information

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
    • Creates files or folders in the user directory

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
    • Create files in a temporary directory

      • iexplore.exe (PID: 2772)
      • iexplore.exe (PID: 2216)
    • Reads the computer name

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
    • Reads Windows Product ID

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2216)
    • The process checks LSA protection

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
    • Write to the desktop.ini file (may be used to cloak folders)

      • iexplore.exe (PID: 2216)
    • Application launched itself

      • iexplore.exe (PID: 2216)
    • Checks supported languages

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
    • Reads Environment values

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
    • Reads the machine GUID from the registry

      • LGgGQc88xaXZrqiug.exe (PID: 2336)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

Subsystem: Windows command line
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x7952ca
UninitializedDataSize: -
InitializedDataSize: 1466880
CodeSize: 2412032
LinkerVersion: 14.29
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, 32-bit
TimeStamp: 2023:03:21 02:18:05+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 21-Mar-2023 02:18:05

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 21-Mar-2023 02:18:05
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0024CC80 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0
.rdata | 0x0024E000 | 0x0008C49C | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0
.data | 0x002DB000 | 0x000BE92C | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.10 | 0x0039A000 | 0x00314DA6 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0
.11 | 0x006AF000 | 0x005BB6A0 | 0x005BB800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.96058
.rsrc | 0x00C6B000 | 0x000001E0 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.77204

Imports

ADVAPI32.dll
CRYPT32.dll
KERNEL32.dll
MSWSOCK.dll
Normaliz.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WLDAP32.dll
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive graph, available in the full report. Processes shown: start, lgggqc88xaxzrqiug.exe, iexplore.exe, iexplore.exe, iexplore.exe, lgggqc88xaxzrqiug.exe (no specs).)

Process information

PID 1248
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2216 CREDAT:209936 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
  • c:\windows\system32\version.dll

PID 2028
CMD: "C:\Users\admin\AppData\Local\Temp\LGgGQc88xaXZrqiug.exe"
Path: C:\Users\admin\AppData\Local\Temp\LGgGQc88xaXZrqiug.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  • c:\users\admin\appdata\local\temp\lgggqc88xaxzrqiug.exe
  • c:\windows\system32\ntdll.dll

PID 2216
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://artecore.xyz/
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: LGgGQc88xaXZrqiug.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID 2336
CMD: "C:\Users\admin\AppData\Local\Temp\LGgGQc88xaXZrqiug.exe"
Path: C:\Users\admin\AppData\Local\Temp\LGgGQc88xaXZrqiug.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\lgggqc88xaxzrqiug.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ws2_32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\nsi.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID 2772
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2216 CREDAT:275457 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
Total events: 38 174
Read events: 37 890
Write events: 264
Delete events: 20

Modification events

PID | Process | Key | Operation | Name | Value
2336 | LGgGQc88xaXZrqiug.exe | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | write | Name | Explorer.EXE
2336 | LGgGQc88xaXZrqiug.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | write | DisableAntiSpyware | 1
2336 | LGgGQc88xaXZrqiug.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | write | DisableRealtimeMonitoring | 1
2336 | LGgGQc88xaXZrqiug.exe | HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices | delete key | (default) | -
2336 | LGgGQc88xaXZrqiug.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963} | delete key | (default) | -
2336 | LGgGQc88xaXZrqiug.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{e1a82db3-a9f0-11e7-b142-806e6f6e6963} | delete key | (default) | -
2336 | LGgGQc88xaXZrqiug.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\Statistics | delete key | (default) | -
2336 | LGgGQc88xaXZrqiug.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{e1a82db4-a9f0-11e7-b142-806e6f6e6963} | delete key | (default) | -
2336 | LGgGQc88xaXZrqiug.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | delete key | (default) | -
2336 | LGgGQc88xaXZrqiug.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1a82db4-a9f0-11e7-b142-806e6f6e6963} | delete key | (default) | -
Executable files: 2
Suspicious files: 49
Text files: 67
Unknown types: 3

Dropped files

PID | Process | Filename | Type
2336 | LGgGQc88xaXZrqiug.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
  MD5: 29E12077C9460CA83A3BA3E4B3534CA8 | SHA256: 8AB2DD06E4569674A3C4A6F99CE9AB6D50735F3EF9DC22560C59039E741C8A0E
2772 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
  MD5: 4192218605080AC36D9335AFDC27419E | SHA256: 87FC1915350E94CB2D44086F71A0AE66C432A43F63D43EFA4A5DC0C7D97E20F5
2336 | LGgGQc88xaXZrqiug.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
  MD5: C2D13AF21F53B48C62DF686AF33298B2 | SHA256: 63ABB352A76E2264005316709CAD9710186FAF380B90C6C6F16158908778EC99
2772 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
  MD5: 3AC860860707BAAF32469FA7CC7C0192 | SHA256: D015145D551ECD14916270EFAD773BBC9FD57FAD2228D2C24559F696C961D904
2772 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 790B96AA13B96B7006D0912205FB6408 | SHA256: 5469E81C456464966AC55775DA948F7DAD164107974253A305232B30BD778E77
2772 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\bootstrap-reboot.min[1].css | text
  MD5: F4BB20280E13EE6DC0D67BB75D999671 | SHA256: 2FF8C41B99B922A7904F5F50BD69925F1E1CD88B9E641CD66134FC0173FE6358
2772 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\2UWDHMHG.htm | html
  MD5: D9788E334776DC671B395C77228EF738 | SHA256: 6C14B278CCEA9ABD38E3E64DF67B3857807B81E79C33EB3C0C20407C078CD760
2772 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\owl.carousel.min[1].css | text
  MD5: B2752A850D44F50036628EEAEF3BFCFA | SHA256: 521410E1FC44780061E09ADC980275FB5EA277FD5D9E538454214EC4379FF4BC
2772 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Tar9808.tmp | cat
  MD5: 4FF65AD929CD9A367680E0E5B1C08166 | SHA256: C8733C93CC5AAF5CA206D06AF22EE8DBDEC764FB5085019A6A9181FEB9DFDEE6
2772 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\magnific-popup[1].css | text
  MD5: 30B593B71D7672658F89BFEA0AB360C9 | SHA256: 45D1F5F6CF913746C45DD697B1A8F3B719C02D8B3F678DC7FC2766D54E1AAF6E
HTTP(S) requests: 18
TCP/UDP connections: 54
DNS requests: 22
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2336 | LGgGQc88xaXZrqiug.exe | GET | 301 | 185.199.109.133:80 | http://raw.githubusercontent.com/ripped0/hRoot/main/sinsiatak.nw | NL | - | - | shared
2772 | iexplore.exe | GET | 200 | 23.201.254.55:80 | http://x2.c.lencr.org/ | CH | der | 300 b | whitelisted
2772 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
2772 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEA%2FXuFd5oikuCkm38HpoB%2BU%3D | US | der | 471 b | whitelisted
2772 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGiKnXCJIkKUErtB3cBGUhA%3D | US | der | 471 b | whitelisted
2216 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | binary | 471 b | whitelisted
2336 | LGgGQc88xaXZrqiug.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
2772 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted
2772 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted
2772 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?eaa4a059cf1eaa57 | US | compressed | 62.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1076 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3624 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2336 | LGgGQc88xaXZrqiug.exe | 185.199.108.133:80 | raw.githubusercontent.com | FASTLY | US | malicious
2336 | LGgGQc88xaXZrqiug.exe | 185.199.109.133:80 | raw.githubusercontent.com | FASTLY | US | malicious
2336 | LGgGQc88xaXZrqiug.exe | 185.199.109.133:443 | raw.githubusercontent.com | FASTLY | US | malicious
2336 | LGgGQc88xaXZrqiug.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2772 | iexplore.exe | 188.114.96.3:443 | artecore.xyz | CLOUDFLARENET | NL | malicious
2336 | LGgGQc88xaXZrqiug.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted

DNS requests

Domain | IP | Reputation
raw.githubusercontent.com | 185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133 | shared
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
artecore.xyz | 188.114.96.3, 188.114.97.3 | malicious
x1.c.lencr.org | 23.201.254.55 | whitelisted
x2.c.lencr.org | 23.201.254.55 | whitelisted
www.google.com | 142.250.186.68 | malicious
ocsp.pki.goog | 142.250.181.227 | whitelisted
fonts.googleapis.com | 142.250.185.138 | whitelisted
www.gstatic.com | 172.217.16.195 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
(The same alert is listed 6 times in the report; PID and Process are not given for any of them.)
No debug info