File name: porno1.zip

Full analysis: https://app.any.run/tasks/d6707d55-cbdc-44ee-ab62-ec5c64b57a12
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: February 03, 2019, 08:23:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 438913CFE92DCB6C49815B9569051726
SHA1: 3E6F0A44E95AF0AA67BAB46400096C4CCEEC7218
SHA256: CDFE19379E080C3C2F41E76C4B253F9AEFEEB6B2F87A348DE0E66ED10991A132
SSDEEP: 24576:JTk7jDDimR/sKYKB3DnmJTk6lKjblYr3TkhII+KTk9heYG4MqvTk1RSyiPFodmA:BkPj/xY3k4O4khdkSYG4Mqrk2Lodz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Big tits and deep ass.scr (PID: 3636)
      • Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr (PID: 3868)
      • Ivana Sugar Dp By Surprise.scr (PID: 2716)
      • Surprise for playful boy.scr (PID: 3100)
      • Big tits and deep ass.scr (PID: 3952)
      • Come Inside.scr (PID: 2220)
      • Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr (PID: 568)
      • Ivana Sugar Dp By Surprise.scr (PID: 2748)
      • Surprise for playful boy.scr (PID: 3188)
      • Come Inside.scr (PID: 2444)
      • DydxTSap.exe (PID: 3664)
      • DydxTSap.exe (PID: 3724)
      • DydxTSap.exe (PID: 2384)
      • DydxTSap.exe (PID: 3244)
      • DydxTSap.exe (PID: 2588)
      • DydxTSap.exe (PID: 2964)
      • DydxTSap.exe (PID: 1440)
      • DydxTSap.exe (PID: 2304)
      • DydxTSap.exe (PID: 2552)
      • DydxTSap.exe (PID: 3876)
      • DydxTSap.exe (PID: 2464)
      • DydxTSap.exe (PID: 2388)
    • Writes to a start menu file

      • Big tits and deep ass.scr (PID: 3952)
    • Changes the autorun value in the registry

      • Big tits and deep ass.scr (PID: 3952)
      • Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr (PID: 568)
      • Surprise for playful boy.scr (PID: 3188)
      • Ivana Sugar Dp By Surprise.scr (PID: 2748)
      • Come Inside.scr (PID: 2444)
      • DydxTSap.exe (PID: 3244)
      • DydxTSap.exe (PID: 2304)
      • DydxTSap.exe (PID: 1440)
      • DydxTSap.exe (PID: 2552)
      • DydxTSap.exe (PID: 2464)
      • DydxTSap.exe (PID: 2964)
    • Actions looks like stealing of personal data

      • Surprise for playful boy.scr (PID: 3188)
      • DydxTSap.exe (PID: 3244)
      • DydxTSap.exe (PID: 1440)
      • DydxTSap.exe (PID: 2304)
      • DydxTSap.exe (PID: 2552)
      • DydxTSap.exe (PID: 2464)
      • DydxTSap.exe (PID: 2964)
    • Connects to CnC server

      • DydxTSap.exe (PID: 2964)
    • Changes the login/logoff helper path in the registry

      • DydxTSap.exe (PID: 2464)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3600)
      • Big tits and deep ass.scr (PID: 3952)
      • Come Inside.scr (PID: 2444)
      • Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr (PID: 568)
      • Ivana Sugar Dp By Surprise.scr (PID: 2748)
      • Surprise for playful boy.scr (PID: 3188)
      • DydxTSap.exe (PID: 2964)
      • DydxTSap.exe (PID: 3244)
      • DydxTSap.exe (PID: 2552)
      • DydxTSap.exe (PID: 1440)
      • DydxTSap.exe (PID: 2304)
      • DydxTSap.exe (PID: 2464)
    • Application launched itself

      • Big tits and deep ass.scr (PID: 3636)
      • Come Inside.scr (PID: 2220)
      • Ivana Sugar Dp By Surprise.scr (PID: 2716)
      • Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr (PID: 3868)
      • Surprise for playful boy.scr (PID: 3100)
      • DydxTSap.exe (PID: 3664)
      • DydxTSap.exe (PID: 3724)
      • DydxTSap.exe (PID: 2388)
      • DydxTSap.exe (PID: 2384)
      • DydxTSap.exe (PID: 2588)
      • DydxTSap.exe (PID: 3876)
    • Starts application with an unusual extension

      • Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr (PID: 3868)
      • Come Inside.scr (PID: 2220)
      • Big tits and deep ass.scr (PID: 3636)
      • Ivana Sugar Dp By Surprise.scr (PID: 2716)
      • Surprise for playful boy.scr (PID: 3100)
    • Creates files in the user directory

      • Big tits and deep ass.scr (PID: 3952)
      • DydxTSap.exe (PID: 2964)
    • Starts itself from another location

      • Big tits and deep ass.scr (PID: 3952)
      • Ivana Sugar Dp By Surprise.scr (PID: 2748)
      • Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr (PID: 568)
      • Come Inside.scr (PID: 2444)
      • Surprise for playful boy.scr (PID: 3188)
    • Starts CMD.EXE for commands execution

      • DydxTSap.exe (PID: 2964)
    • Creates files in the program directory

      • DydxTSap.exe (PID: 2464)
    • Connects to server without host name

      • DydxTSap.exe (PID: 2964)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2013:10:25 11:54:20
ZipCRC: 0x326acdc6
ZipCompressedSize: 522831
ZipUncompressedSize: 534096
ZipFileName: Come Inside.scr
No data.
All screenshots are available in the full report
Total processes: 59
Monitored processes: 24
Malicious processes: 18
Suspicious processes: 5

Behavior graph

Processes shown in the graph, in order:

  • winrar.exe
  • big tits and deep ass.scr (no specs)
  • choky ice and his best friend max a surprising us with great threesome action.scr (no specs)
  • come inside.scr (no specs)
  • ivana sugar dp by surprise.scr (no specs)
  • surprise for playful boy.scr (no specs)
  • big tits and deep ass.scr
  • choky ice and his best friend max a surprising us with great threesome action.scr
  • come inside.scr
  • ivana sugar dp by surprise.scr
  • surprise for playful boy.scr
  • dydxtsap.exe (no specs)
  • dydxtsap.exe (no specs)
  • dydxtsap.exe (no specs)
  • dydxtsap.exe (no specs)
  • dydxtsap.exe (no specs)
  • dydxtsap.exe
  • dydxtsap.exe
  • dydxtsap.exe
  • dydxtsap.exe
  • dydxtsap.exe
  • cmd.exe
  • dydxtsap.exe (no specs)
  • dydxtsap.exe

Process information

PID: 568
CMD: "C:\Users\admin\Desktop\Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr"
Path: C:\Users\admin\Desktop\Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr
Parent process: Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\choky ice and his best friend max a surprising us with great threesome action.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
PID: 1440
CMD: "C:\Users\admin\AppData\Local\Temp\DydxTSap.exe"
Path: C:\Users\admin\AppData\Local\Temp\DydxTSap.exe
Parent process: DydxTSap.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dydxtsap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
PID: 2220
CMD: "C:\Users\admin\Desktop\Come Inside.scr" /S
Path: C:\Users\admin\Desktop\Come Inside.scr
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\come inside.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2304
CMD: "C:\Users\admin\AppData\Local\Temp\DydxTSap.exe"
Path: C:\Users\admin\AppData\Local\Temp\DydxTSap.exe
Parent process: DydxTSap.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dydxtsap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
PID: 2384
CMD: "C:\Users\admin\AppData\Local\Temp\DydxTSap.exe"
Path: C:\Users\admin\AppData\Local\Temp\DydxTSap.exe
Parent process: Ivana Sugar Dp By Surprise.scr
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dydxtsap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2388
CMD: "C:\Users\admin\AppData\Local\Temp\DydxTSap.exe"
Path: C:\Users\admin\AppData\Local\Temp\DydxTSap.exe
Parent process: Come Inside.scr
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dydxtsap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2444
CMD: "C:\Users\admin\Desktop\Come Inside.scr"
Path: C:\Users\admin\Desktop\Come Inside.scr
Parent process: Come Inside.scr
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\come inside.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
PID: 2464
CMD: "C:\Users\admin\AppData\Local\Temp\DydxTSap.exe"
Path: C:\Users\admin\AppData\Local\Temp\DydxTSap.exe
Parent process: DydxTSap.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dydxtsap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
PID: 2552
CMD: "C:\Users\admin\AppData\Local\Temp\DydxTSap.exe"
Path: C:\Users\admin\AppData\Local\Temp\DydxTSap.exe
Parent process: DydxTSap.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dydxtsap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
PID: 2588
CMD: "C:\Users\admin\AppData\Local\Temp\DydxTSap.exe"
Path: C:\Users\admin\AppData\Local\Temp\DydxTSap.exe
Parent process: Surprise for playful boy.scr
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dydxtsap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 2 513
Read events: 2 188
Write events: 325
Delete events: 0

Modification events

(PID) Process: (3600) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3600) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3600) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3600) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\porno1.zip

(PID) Process: (3600) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3600) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3600) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3600) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3600) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: @shell32,-10162
Value: Screen saver

(PID) Process: (3600) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF97FFFFFF36000000570300002B020000
Executable files: 25
Suspicious files: 0
Text files: 0
Unknown types: 1

Dropped files

PID | Process | Filename | Type

568 | Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr | C:\Users\admin\AppData\Local\VirtualStore\SljgzGpc.exe | -
MD5: -
SHA256: -

2444 | Come Inside.scr | C:\Users\admin\AppData\Local\Microsoft Help\NFXEhuWO.exe | -
MD5: -
SHA256: -

2748 | Ivana Sugar Dp By Surprise.scr | C:\Users\admin\AppData\Local\Microsoft Help\NFXEhuWO.exe | -
MD5: -
SHA256: -

3600 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3600.23125\Come Inside.scr | executable
MD5: E5A3B8E0EA5A54FDB1D408FE6A48BFF5
SHA256: 93B7E7810A3726A1C2A7F4EADCD8CBAD7202CE9245F818D14C4BD5D2556346FE

3600 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3600.23125\Big tits and deep ass.scr | executable
MD5: 3559D4C2042AA3227B2A91144FE37895
SHA256: 77814302F158FA09F96657ADF45D2675D07977E93585701DF74A9D70041C54BF

3600 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3600.23125\Surprise for playful boy.scr | executable
MD5: 0AA972FCAA5DB5997DA928A83FE621CB
SHA256: F06884E38A06E26F6371523C1EE7BEE5970814832BC6BFCCA9A515E644B9FD01

3952 | Big tits and deep ass.scr | C:\Users\admin\AppData\Local\Microsoft Help\NFXEhuWO.exe | executable
MD5: 3559D4C2042AA3227B2A91144FE37895
SHA256: 77814302F158FA09F96657ADF45D2675D07977E93585701DF74A9D70041C54BF

568 | Choky Ice And His Best Friend Max A Surprising Us With Great Threesome Action.scr | C:\{27850A21-9820-09CA-7A55-EBFFAB2B7CA4}\LiaDBxyu.exe | executable
MD5: 0AA972FCAA5DB5997DA928A83FE621CB
SHA256: F06884E38A06E26F6371523C1EE7BEE5970814832BC6BFCCA9A515E644B9FD01

2444 | Come Inside.scr | C:\Users\admin\AppData\Local\Temp\DydxTSap.exe | executable
MD5: 0AA972FCAA5DB5997DA928A83FE621CB
SHA256: F06884E38A06E26F6371523C1EE7BEE5970814832BC6BFCCA9A515E644B9FD01

3952 | Big tits and deep ass.scr | C:\Users\admin\AppData\Local\Temp\DydxTSap.exe | executable
MD5: 0AA972FCAA5DB5997DA928A83FE621CB
SHA256: F06884E38A06E26F6371523C1EE7BEE5970814832BC6BFCCA9A515E644B9FD01
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 23
TCP/UDP connections: 23
DNS requests: 311
Threats: 39

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2964 | DydxTSap.exe | POST | 404 | 208.100.26.251:80 | http://rauggyguyp.com/ | US | html | 580 b | malicious
2964 | DydxTSap.exe | POST | 200 | 35.225.160.245:80 | http://mluztamhnngwgh.com/ | US | text | 2 b | malicious
2964 | DydxTSap.exe | POST | - | 95.141.37.227:80 | http://95.141.37.227/ | IT | - | - | malicious
2964 | DydxTSap.exe | POST | 404 | 208.100.26.251:80 | http://rauggyguyp.com/ | US | html | 580 b | malicious
2964 | DydxTSap.exe | POST | 200 | 95.141.37.227:80 | http://95.141.37.227/ | IT | html | 3.21 Kb | malicious
2964 | DydxTSap.exe | POST | - | 95.141.37.227:80 | http://95.141.37.227/ | IT | - | - | malicious
2964 | DydxTSap.exe | POST | 200 | 95.141.37.227:80 | http://95.141.37.227/ | IT | html | 3.21 Kb | malicious
2964 | DydxTSap.exe | POST | 200 | 35.225.160.245:80 | http://mluztamhnngwgh.com/ | US | text | 2 b | malicious
2964 | DydxTSap.exe | POST | 200 | 95.141.37.227:80 | http://95.141.37.227/ | IT | html | 3.21 Kb | malicious
2964 | DydxTSap.exe | POST | 404 | 208.100.26.251:80 | http://rauggyguyp.com/ | US | html | 580 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2964 | DydxTSap.exe | 208.100.26.251:80 | rauggyguyp.com | Steadfast | US | suspicious
2964 | DydxTSap.exe | 95.141.37.227:80 | - | Seflow S.N.C. Di Marco Brame' & C. | IT | malicious
2964 | DydxTSap.exe | 35.225.160.245:80 | mluztamhnngwgh.com | - | US | malicious

DNS requests

Domain | IP | Reputation
mluztamhnngwgh.com | 35.225.160.245 | malicious
furiararji.com | - | unknown
rauggyguyp.com | 208.100.26.251 | malicious
mycojenxktsmozzthdv.com | - | malicious
inbxvqkegoyapgv.com | - | unknown
llullzza.com | - | unknown
zrkdvzjhse.com | - | unknown
wyuhdsdttczd.com | - | unknown
hpaxgpkteomjaxywwelr.com | - | unknown
mydojltbqjnwailyyoa.com | - | unknown

Threats

PID | Process | Class | Message
2964 | DydxTSap.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Ransom.DirCrypt
2964 | DydxTSap.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2964 | DydxTSap.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Ransom.DirCrypt
2964 | DydxTSap.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Ransom.DirCrypt
2964 | DydxTSap.exe | A Network Trojan was detected | ET TROJAN W32/DirCrypt.Ransomware CnC Checkin
2964 | DydxTSap.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Ransom.DirCrypt
2964 | DydxTSap.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2964 | DydxTSap.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Ransom.DirCrypt
2964 | DydxTSap.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2964 | DydxTSap.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Ransom.DirCrypt
No debug info