File name: pds-excel-pwd-demo.exe

Full analysis: https://app.any.run/tasks/e604661d-a11f-47d9-bc30-3724d7ffb135
Verdict: Malicious activity
Analysis date: May 26, 2024, 15:30:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1CB9E3E59B191298988555739CDDBDDA
SHA1: C2468F97E5E6AC2C792D047F2D55594329BC87B6
SHA256: BC75D30EA36E0F7356AF1AC3208C2ACE84044C49F5EEB5E5053902DBBBAF9991
SSDEEP: 98304:ZfCwDM9/qvA3yKjp7/qi74IExaMWGjgLnp1qaUIcqnuvOtQHEpq8VGZmLF4No7Ea:g6MD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • pds-excel-pwd-demo.exe (PID: 3972)
      • pds-excel-pwd-demo.exe (PID: 1116)
      • pds-excel-pwd-demo.tmp (PID: 748)
    • Registers / Runs the DLL via REGSVR32.EXE

      • pds-excel-pwd-demo.tmp (PID: 748)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • pds-excel-pwd-demo.exe (PID: 3972)
      • pds-excel-pwd-demo.exe (PID: 1116)
      • pds-excel-pwd-demo.tmp (PID: 748)
    • Process drops legitimate windows executable

      • pds-excel-pwd-demo.tmp (PID: 748)
    • Reads the Windows owner or organization settings

      • pds-excel-pwd-demo.tmp (PID: 748)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1872)
      • regsvr32.exe (PID: 328)
  • INFO

    • Create files in a temporary directory

      • pds-excel-pwd-demo.exe (PID: 3972)
      • pds-excel-pwd-demo.exe (PID: 1116)
      • pds-excel-pwd-demo.tmp (PID: 748)
      • Demoxlsunlocker.exe (PID: 2316)
    • Checks supported languages

      • pds-excel-pwd-demo.exe (PID: 3972)
      • pds-excel-pwd-demo.tmp (PID: 3988)
      • pds-excel-pwd-demo.exe (PID: 1116)
      • pds-excel-pwd-demo.tmp (PID: 748)
      • Demoxlsunlocker.exe (PID: 2316)
    • Reads the computer name

      • pds-excel-pwd-demo.tmp (PID: 3988)
      • pds-excel-pwd-demo.tmp (PID: 748)
      • Demoxlsunlocker.exe (PID: 2316)
    • Creates files in the program directory

      • pds-excel-pwd-demo.tmp (PID: 748)
    • Reads mouse settings

      • regsvr32.exe (PID: 328)
      • Demoxlsunlocker.exe (PID: 2316)
    • Reads Microsoft Office registry keys

      • Demoxlsunlocker.exe (PID: 2316)
    • Creates a software uninstall entry

      • pds-excel-pwd-demo.tmp (PID: 748)
    • Reads the machine GUID from the registry

      • Demoxlsunlocker.exe (PID: 2316)
No Malware configuration.

TRiD

.exe | Inno Setup installer (81.5)
.exe | Win32 Executable Delphi generic (10.5)
.exe | Win32 Executable (generic) (3.3)
.exe | Win16/32 Executable Delphi generic (1.5)
.exe | Generic Win/DOS Executable (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 197120
UninitializedDataSize: -
EntryPoint: 0x9c40
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Perfect Data Solutions Excel Password Recovery
FileDescription: Perfect Data Solutions Excel Password Recovery Setup
FileVersion:
LegalCopyright:
ProductName: Perfect Data Solutions Excel Password Recovery
ProductVersion:
No data.
Total processes: 43
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in order ("no specs" marks processes with no recorded specifications):
  start
  pds-excel-pwd-demo.exe
  pds-excel-pwd-demo.tmp (no specs)
  pds-excel-pwd-demo.exe
  pds-excel-pwd-demo.tmp
  regsvr32.exe (no specs)
  regsvr32.exe (no specs)
  demoxlsunlocker.exe (no specs)

Process information

PID: 328
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\PDS Excel Password Recovery\MSCOMCTL.OCX"
Path: C:\Windows\System32\regsvr32.exe
Indicators: -
Parent process: pds-excel-pwd-demo.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\regsvr32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 748
CMD: "C:\Users\admin\AppData\Local\Temp\is-GG5MO.tmp\pds-excel-pwd-demo.tmp" /SL5="$2013A,2232219,236032,C:\Users\admin\Desktop\pds-excel-pwd-demo.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-GG5MO.tmp\pds-excel-pwd-demo.tmp
Indicators: -
Parent process: pds-excel-pwd-demo.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-gg5mo.tmp\pds-excel-pwd-demo.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\oleaut32.dll

PID: 1116
CMD: "C:\Users\admin\Desktop\pds-excel-pwd-demo.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138
Path: C:\Users\admin\Desktop\pds-excel-pwd-demo.exe
Indicators: -
Parent process: pds-excel-pwd-demo.tmp
User: admin
Company: Perfect Data Solutions Excel Password Recovery
Integrity Level: HIGH
Description: Perfect Data Solutions Excel Password Recovery Setup
Exit code: 0
Version: -
Modules (images):
  c:\users\admin\desktop\pds-excel-pwd-demo.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\oleaut32.dll

PID: 1872
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\PDS Excel Password Recovery\COMDLG32.OCX"
Path: C:\Windows\System32\regsvr32.exe
Indicators: -
Parent process: pds-excel-pwd-demo.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\regsvr32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 2316
CMD: "C:\Program Files\PDS Excel Password Recovery\Demoxlsunlocker.exe"
Path: C:\Program Files\PDS Excel Password Recovery\Demoxlsunlocker.exe
Indicators: -
Parent process: pds-excel-pwd-demo.tmp
User: admin
Company: Perfect Data Solutions
Integrity Level: MEDIUM
Exit code: - (no exit code recorded)
Version: 5.00.0021
Modules (images):
  c:\program files\pds excel password recovery\demoxlsunlocker.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvbvm60.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll

PID: 3972
CMD: "C:\Users\admin\Desktop\pds-excel-pwd-demo.exe"
Path: C:\Users\admin\Desktop\pds-excel-pwd-demo.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Perfect Data Solutions Excel Password Recovery
Integrity Level: MEDIUM
Description: Perfect Data Solutions Excel Password Recovery Setup
Exit code: 0
Version: -
Modules (images):
  c:\users\admin\desktop\pds-excel-pwd-demo.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\oleaut32.dll

PID: 3988
CMD: "C:\Users\admin\AppData\Local\Temp\is-G646H.tmp\pds-excel-pwd-demo.tmp" /SL5="$20138,2232219,236032,C:\Users\admin\Desktop\pds-excel-pwd-demo.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-G646H.tmp\pds-excel-pwd-demo.tmp
Indicators: -
Parent process: pds-excel-pwd-demo.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-g646h.tmp\pds-excel-pwd-demo.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\oleaut32.dll
Total events: 6 894
Read events: 6 787
Write events: 44
Delete events: 63

Modification events

(PID 1872) regsvr32.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}
  Operation: delete key | Name: (default) | Value: (empty)
(PID 1872) regsvr32.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32
  Operation: write | Name: ThreadingModel | Value: Apartment
(PID 1872) regsvr32.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}
  Operation: delete key | Name: (default) | Value: (empty)
(PID 1872) regsvr32.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32
  Operation: delete value | Name: ThreadingModel | Value: (empty)
(PID 1872) regsvr32.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}
  Operation: delete key | Name: (default) | Value: (empty)
(PID 1872) regsvr32.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32
  Operation: delete value | Name: ThreadingModel | Value: (empty)
(PID 1872) regsvr32.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}
  Operation: delete key | Name: (default) | Value: (empty)
(PID 1872) regsvr32.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32
  Operation: delete value | Name: ThreadingModel | Value: (empty)
(PID 1872) regsvr32.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}
  Operation: delete key | Name: (default) | Value: (empty)
(PID 1872) regsvr32.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32
  Operation: delete value | Name: ThreadingModel | Value: (empty)
Executable files: 12
Suspicious files: 6
Text files: 0
Unknown types: 0

Dropped files

All entries below were written by PID 748 (pds-excel-pwd-demo.tmp).

Filename: C:\Program Files\PDS Excel Password Recovery\is-ANH0C.tmp
  Type: -
  MD5: -
  SHA256: -
Filename: C:\Program Files\PDS Excel Password Recovery\english.dic
  Type: -
  MD5: -
  SHA256: -
Filename: C:\Users\admin\AppData\Local\Temp\is-DSHM3.tmp\_isetup\_RegDLL.tmp
  Type: executable
  MD5: 0EE914C6F0BB93996C75941E1AD629C6
  SHA256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
Filename: C:\Program Files\PDS Excel Password Recovery\is-VQSRJ.tmp
  Type: executable
  MD5: F7BBB7D79ADB9E3ADC13F3B3C33D3D4D
  SHA256: 18A83D7A420A17FCB6F56EB3BA5362C975D32E5DED7553C6FD407F07BDB7B006
Filename: C:\Program Files\PDS Excel Password Recovery\is-5FKA3.tmp
  Type: executable
  MD5: 2DD2C20867DCB6A0D54D237651C5D65D
  SHA256: 213188BCFF4293249D3ED1367F8549F5F681F55FD2A35873C0FDB8A2C53C7132
Filename: C:\Program Files\PDS Excel Password Recovery\MSCOMCTL.OCX
  Type: executable
  MD5: F7BBB7D79ADB9E3ADC13F3B3C33D3D4D
  SHA256: 18A83D7A420A17FCB6F56EB3BA5362C975D32E5DED7553C6FD407F07BDB7B006
Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDS Excel Password Recovery\PDS Excel Password Recovery(Demo version).lnk
  Type: binary
  MD5: 162699D081AE58363D30C0D434C3C8F7
  SHA256: 2DCA9F78CD784EB15F965C6DA18DE203FFF068162291877C7374660712257EEE
Filename: C:\Users\admin\Desktop\PDS Excel Password Recovery(Demo version).lnk
  Type: lnk
  MD5: 1054ADC1DA6C79B394E8015393A4BE81
  SHA256: 1F269999238CD899895342797FF0721130447EC19F2EC024B299028BA4DF3033
Filename: C:\Users\admin\AppData\Local\Temp\is-DSHM3.tmp\_isetup\_shfoldr.dll
  Type: executable
  MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
  SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
Filename: C:\Program Files\PDS Excel Password Recovery\unins000.dat
  Type: dat
  MD5: AB9D86327A4EF879540BDEC4E589F02C
  SHA256: E5E7F06DB8DE854B7887C9730BA0429AC7B918D785918FB6182F3157BE5090FA
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                    Domain  ASN  CN  Reputation
4     System       192.168.100.255:137   -       -    -   whitelisted
-     -            224.0.0.252:5355      -       -    -   unknown
4     System       192.168.100.255:138   -       -    -   whitelisted
1088  svchost.exe  224.0.0.252:5355      -       -    -   unknown

DNS requests

No data

Threats

No threats detected
No debug info