File name: PO.29477399274_pdf.iso

Full analysis: https://app.any.run/tasks/22ba649c-7532-42c7-99c2-93c207e37e0f
Verdict: Malicious activity
Analysis date: July 18, 2019, 07:26:01
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'PO.29477399274_pdf'
MD5: EEC17BBAF8BB72FE3AA03AAB524B7779
SHA1: F672A5C2ED7138CE829FAF458F92AEBE084FAA3C
SHA256: B459B6246CC86A109676BE895C40D83F794449F6274FAFEDE4AB658C0485A8D3
SSDEEP: 12288:18eA4ccTaFNjiHPp5pLmyZZGEuZVPZfVhDbcLKh7pQx:9rVa3Ox5oynuZ5hVJbcg7pQx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • UAC/LUA settings modification
      • PO.29477399274_pdf.exe (PID: 1284)
    • Changes the autorun value in the registry
      • iexplore.exe (PID: 2760)
    • Application was dropped or rewritten from another process
      • PO.29477399274_pdf.exe (PID: 2916)
      • PO.29477399274_pdf.exe (PID: 5860)
      • PO.29477399274_pdf.exe (PID: 556)
      • PO.29477399274_pdf.exe (PID: 1284)
  • SUSPICIOUS
    • Application launched itself
      • PO.29477399274_pdf.exe (PID: 556)
      • PO.29477399274_pdf.exe (PID: 5860)
    • Creates files in the user directory
      • iexplore.exe (PID: 2760)
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 2760)
  • INFO
    • Manual execution by user
      • PO.29477399274_pdf.exe (PID: 556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

ISO

System: Win32
VolumeName: PO.29477399274_pdf
VolumeBlockCount: 396
VolumeBlockSize: 2048
RootDirectoryCreateDate: 2019:07:04 16:26:10-07:00
Software: PowerISO
VolumeCreateDate: 2019:07:04 16:26:10.00-07:00
VolumeModifyDate: 2019:07:04 16:26:10.00-07:00

Composite

VolumeSize: 792 kB
No data.
All screenshots are available in the full report
Total processes: 95
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph (in order): winrar.exe, po.29477399274_pdf.exe, po.29477399274_pdf.exe, po.29477399274_pdf.exe, iexplore.exe, po.29477399274_pdf.exe

Process information

PID: 556
CMD: "D:\PO.29477399274_pdf.exe"
Path: D:\PO.29477399274_pdf.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
d:\po.29477399274_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID: 1092
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PO.29477399274_pdf.iso"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1284
CMD: "D:\PO.29477399274_pdf.exe"
Path: D:\PO.29477399274_pdf.exe
Parent process: PO.29477399274_pdf.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
d:\po.29477399274_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID: 2760
CMD: D:\PO.29477399274_pdf.exe
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Parent process: PO.29477399274_pdf.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID: 2916
CMD: "D:\PO.29477399274_pdf.exe"
Path: D:\PO.29477399274_pdf.exe
Parent process: PO.29477399274_pdf.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
d:\po.29477399274_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID: 5860
CMD: "D:\PO.29477399274_pdf.exe" 2 1284 1751187
Path: D:\PO.29477399274_pdf.exe
Parent process: PO.29477399274_pdf.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
d:\po.29477399274_pdf.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
Total events: 675
Read events: 648
Write events: 27
Delete events: 0

Modification events

(PID) Process: (1092) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (1092) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (1092) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\22\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1092) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\PO.29477399274_pdf.iso

(PID) Process: (1092) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1092) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1092) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1092) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1092) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF68000000680000002804000051020000

(PID) Process: (1092) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 1284
Process: PO.29477399274_pdf.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF301D40E65DBAB007.TMP
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID: 2760
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe
Type: executable
MD5: (not listed)
SHA256: (not listed)

PID: 2760
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4\ut
Type: image
MD5: (not listed)
SHA256: (not listed)

PID: 2760
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\admin.bmp
Type: image
MD5: DC2C42110B7D84F144C6D905A3DDA74E
SHA256: 4E07A1A6FBB5F29252A7C7AD7C3C80B32B4CC8BAEB832DBE40C38BBF85D984E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 14
DNS requests: 3
Threats: 2

HTTP requests

No HTTP requests

Connections

PID: 2760
Process: iexplore.exe
IP: 185.244.31.145:1989
Domain: csimich.duckdns.org
ASN: (not listed)
CN: (not listed)
Reputation: malicious

DNS requests

Domain: csimich.duckdns.org
IP: 185.244.31.145
Reputation: malicious

Domain: nexusrules.officeapps.live.com
IP: 52.109.8.20
Reputation: whitelisted

Threats

PID: 1932
Process: svchost.exe
Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

PID: 1932
Process: svchost.exe
Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info