File name: pds-excel-pwd-demo.exe
Full analysis: https://app.any.run/tasks/e604661d-a11f-47d9-bc30-3724d7ffb135
Verdict: Malicious activity
Analysis date: May 26, 2024, 15:30:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1CB9E3E59B191298988555739CDDBDDA
SHA1: C2468F97E5E6AC2C792D047F2D55594329BC87B6
SHA256: BC75D30EA36E0F7356AF1AC3208C2ACE84044C49F5EEB5E5053902DBBBAF9991
SSDEEP: 98304:ZfCwDM9/qvA3yKjp7/qi74IExaMWGjgLnp1qaUIcqnuvOtQHEpq8VGZmLF4No7Ea:g6MD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • pds-excel-pwd-demo.exe (PID: 3972)
      • pds-excel-pwd-demo.exe (PID: 1116)
      • pds-excel-pwd-demo.tmp (PID: 748)
    • Registers / Runs the DLL via REGSVR32.EXE
      • pds-excel-pwd-demo.tmp (PID: 748)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • pds-excel-pwd-demo.exe (PID: 3972)
      • pds-excel-pwd-demo.exe (PID: 1116)
      • pds-excel-pwd-demo.tmp (PID: 748)
    • Process drops legitimate windows executable
      • pds-excel-pwd-demo.tmp (PID: 748)
    • Creates/Modifies COM task schedule object
      • regsvr32.exe (PID: 328)
      • regsvr32.exe (PID: 1872)
    • Reads the Windows owner or organization settings
      • pds-excel-pwd-demo.tmp (PID: 748)
  • INFO
    • Checks supported languages
      • pds-excel-pwd-demo.tmp (PID: 3988)
      • pds-excel-pwd-demo.exe (PID: 3972)
      • pds-excel-pwd-demo.exe (PID: 1116)
      • pds-excel-pwd-demo.tmp (PID: 748)
      • Demoxlsunlocker.exe (PID: 2316)
    • Create files in a temporary directory
      • pds-excel-pwd-demo.exe (PID: 3972)
      • pds-excel-pwd-demo.exe (PID: 1116)
      • Demoxlsunlocker.exe (PID: 2316)
      • pds-excel-pwd-demo.tmp (PID: 748)
    • Reads the computer name
      • pds-excel-pwd-demo.tmp (PID: 3988)
      • Demoxlsunlocker.exe (PID: 2316)
      • pds-excel-pwd-demo.tmp (PID: 748)
    • Reads mouse settings
      • regsvr32.exe (PID: 328)
      • Demoxlsunlocker.exe (PID: 2316)
    • Creates a software uninstall entry
      • pds-excel-pwd-demo.tmp (PID: 748)
    • Reads the machine GUID from the registry
      • Demoxlsunlocker.exe (PID: 2316)
    • Reads Microsoft Office registry keys
      • Demoxlsunlocker.exe (PID: 2316)
    • Creates files in the program directory
      • pds-excel-pwd-demo.tmp (PID: 748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (81.5)
.exe | Win32 Executable Delphi generic (10.5)
.exe | Win32 Executable (generic) (3.3)
.exe | Win16/32 Executable Delphi generic (1.5)
.exe | Generic Win/DOS Executable (1.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 197120
UninitializedDataSize: -
EntryPoint: 0x9c40
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Perfect Data Solutions Excel Password Recovery
FileDescription: Perfect Data Solutions Excel Password Recovery Setup
FileVersion:
LegalCopyright:
ProductName: Perfect Data Solutions Excel Password Recovery
ProductVersion:
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process nodes (interactive graph in the full report): start, pds-excel-pwd-demo.exe, pds-excel-pwd-demo.tmp (no specs), pds-excel-pwd-demo.exe, pds-excel-pwd-demo.tmp, regsvr32.exe (no specs), regsvr32.exe (no specs), demoxlsunlocker.exe (no specs)

Process information

PID 328: regsvr32.exe (parent process: pds-excel-pwd-demo.tmp)
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\PDS Excel Password Recovery\MSCOMCTL.OCX"
Path: C:\Windows\System32\regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\regsvr32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID 748: pds-excel-pwd-demo.tmp (parent process: pds-excel-pwd-demo.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\is-GG5MO.tmp\pds-excel-pwd-demo.tmp" /SL5="$2013A,2232219,236032,C:\Users\admin\Desktop\pds-excel-pwd-demo.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-GG5MO.tmp\pds-excel-pwd-demo.tmp
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images): c:\users\admin\appdata\local\temp\is-gg5mo.tmp\pds-excel-pwd-demo.tmp, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll

PID 1116: pds-excel-pwd-demo.exe (parent process: pds-excel-pwd-demo.tmp)
CMD: "C:\Users\admin\Desktop\pds-excel-pwd-demo.exe" /SPAWNWND=$20134 /NOTIFYWND=$20138
Path: C:\Users\admin\Desktop\pds-excel-pwd-demo.exe
User: admin
Company: Perfect Data Solutions Excel Password Recovery
Integrity Level: HIGH
Description: Perfect Data Solutions Excel Password Recovery Setup
Exit code: 0
Version: -
Modules (images): c:\users\admin\desktop\pds-excel-pwd-demo.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll

PID 1872: regsvr32.exe (parent process: pds-excel-pwd-demo.tmp)
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\PDS Excel Password Recovery\COMDLG32.OCX"
Path: C:\Windows\System32\regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\regsvr32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID 2316: Demoxlsunlocker.exe (parent process: pds-excel-pwd-demo.tmp)
CMD: "C:\Program Files\PDS Excel Password Recovery\Demoxlsunlocker.exe"
Path: C:\Program Files\PDS Excel Password Recovery\Demoxlsunlocker.exe
User: admin
Company: Perfect Data Solutions
Integrity Level: MEDIUM
Version: 5.00.0021
Modules (images): c:\program files\pds excel password recovery\demoxlsunlocker.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvbvm60.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll

PID 3972: pds-excel-pwd-demo.exe (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\pds-excel-pwd-demo.exe"
Path: C:\Users\admin\Desktop\pds-excel-pwd-demo.exe
User: admin
Company: Perfect Data Solutions Excel Password Recovery
Integrity Level: MEDIUM
Description: Perfect Data Solutions Excel Password Recovery Setup
Exit code: 0
Version: -
Modules (images): c:\users\admin\desktop\pds-excel-pwd-demo.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll

PID 3988: pds-excel-pwd-demo.tmp (parent process: pds-excel-pwd-demo.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\is-G646H.tmp\pds-excel-pwd-demo.tmp" /SL5="$20138,2232219,236032,C:\Users\admin\Desktop\pds-excel-pwd-demo.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-G646H.tmp\pds-excel-pwd-demo.tmp
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0
Modules (images): c:\users\admin\appdata\local\temp\is-g646h.tmp\pds-excel-pwd-demo.tmp, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll
Total events: 6 894
Read events: 6 787
Write events: 44
Delete events: 63

Modification events

(PID) Process: (1872) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (1872) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32
Operation: write | Name: ThreadingModel | Value: Apartment

(PID) Process: (1872) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (1872) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32
Operation: delete value | Name: ThreadingModel | Value: -

(PID) Process: (1872) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (1872) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32
Operation: delete value | Name: ThreadingModel | Value: -

(PID) Process: (1872) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (1872) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32
Operation: delete value | Name: ThreadingModel | Value: -

(PID) Process: (1872) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}
Operation: delete key | Name: (default) | Value: -

(PID) Process: (1872) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32
Operation: delete value | Name: ThreadingModel | Value: -
Executable files: 12
Suspicious files: 6
Text files: 0
Unknown types: 0

Dropped files

PID 748, pds-excel-pwd-demo.tmp: C:\Program Files\PDS Excel Password Recovery\is-ANH0C.tmp (type: -)
MD5: - | SHA256: -

PID 748, pds-excel-pwd-demo.tmp: C:\Program Files\PDS Excel Password Recovery\english.dic (type: -)
MD5: - | SHA256: -

PID 1116, pds-excel-pwd-demo.exe: C:\Users\admin\AppData\Local\Temp\is-GG5MO.tmp\pds-excel-pwd-demo.tmp (type: executable)
MD5: E362D1A421E71546FA6E6AFB6C47D9C1
SHA256: D166533B9EE96E7F54CCA994B55EBCBCF7E2EE711FD04E91EADDE4998E2D1D58

PID 748, pds-excel-pwd-demo.tmp: C:\Program Files\PDS Excel Password Recovery\unins000.exe (type: executable)
MD5: FE34061E7D013F960B05DFFCECA213AF
SHA256: 02344F15CFC2D823583DF81A3262840C1C88A53E54DFC1CBDC701A60EE54EFE4

PID 748, pds-excel-pwd-demo.tmp: C:\Program Files\PDS Excel Password Recovery\is-7MTKN.tmp (type: executable)
MD5: FE34061E7D013F960B05DFFCECA213AF
SHA256: 02344F15CFC2D823583DF81A3262840C1C88A53E54DFC1CBDC701A60EE54EFE4

PID 748, pds-excel-pwd-demo.tmp: C:\Users\admin\AppData\Local\Temp\is-DSHM3.tmp\_isetup\_RegDLL.tmp (type: executable)
MD5: 0EE914C6F0BB93996C75941E1AD629C6
SHA256: 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2

PID 748, pds-excel-pwd-demo.tmp: C:\Program Files\PDS Excel Password Recovery\is-SSNP1.tmp (type: binary)
MD5: 95727F9374458FE5A687D8414341D6EF
SHA256: A8E456A447917E7105ED05199B8E3B9B36D11FB1C5FD16975CA8E91A3612C294

PID 748, pds-excel-pwd-demo.tmp: C:\Program Files\PDS Excel Password Recovery\Demoxlsunlocker.exe (type: executable)
MD5: 203E65D2E5BECD5D5092725B6A111C63
SHA256: FE238173518A52CBE3BA533F6648A5465FF768238449862D8D026D5FE27A5C02

PID 748, pds-excel-pwd-demo.tmp: C:\Program Files\PDS Excel Password Recovery\pdsexcelpasswordrecovery.chm (type: binary)
MD5: 95727F9374458FE5A687D8414341D6EF
SHA256: A8E456A447917E7105ED05199B8E3B9B36D11FB1C5FD16975CA8E91A3612C294

PID 3972, pds-excel-pwd-demo.exe: C:\Users\admin\AppData\Local\Temp\is-G646H.tmp\pds-excel-pwd-demo.tmp (type: executable)
MD5: E362D1A421E71546FA6E6AFB6C47D9C1
SHA256: D166533B9EE96E7F54CCA994B55EBCBCF7E2EE711FD04E91EADDE4998E2D1D58
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   | Process     | IP                   | Domain | ASN | CN | Reputation
4     | System      | 192.168.100.255:137  | -      | -   | -  | whitelisted
-     | -           | 224.0.0.252:5355     | -      | -   | -  | unknown
4     | System      | 192.168.100.255:138  | -      | -   | -  | whitelisted
1088  | svchost.exe | 224.0.0.252:5355     | -      | -   | -  | unknown

DNS requests

No data

Threats

No threats detected
No debug info