General Info

File name: w1x.exe
Full analysis: https://app.any.run/tasks/9cd2b7ac-401b-4b54-9685-aca0cc879cfd
Verdict: Malicious activity
Analysis date: 4/15/2019, 11:27:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer, trojan, adware, installcore, pup
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3c598c7d3f584b0e06550b83bfa72cc7
SHA1: 4c1c9204bc41556aa3c8dacb248a7e578210b11c
SHA256: ea4e3e513226d6211551bdcef1680b0d80612e19f8d401eed46f1e1677422c45
SSDEEP: 24576:mnp4JHQNKGPCSZgnK09Mqvg+Yj0SPaZsVugux2TrhbICm:mp4wNKMZQhgESPTvq2TdbICm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 180 seconds
Additional time used: 120 seconds
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Auto-confirmation of UAC: on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Malicious

Connects to CnC server
  • w1x.exe (PID: 3528)
INSTALLCORE was detected
  • w1x.exe (PID: 3528)

Suspicious

Application launched itself
  • cmd.exe (PID: 2616)
  • cmd.exe (PID: 2132)
Starts CMD.EXE for commands execution
  • cmd.exe (PID: 2616)
  • w1x.exe (PID: 3528)
  • cmd.exe (PID: 2132)
Reads internet explorer settings
  • w1x.exe (PID: 3528)
Reads Environment values
  • w1x.exe (PID: 3528)

Info

No info indicators.

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD

  .exe | Inno Setup installer (77.7%)
  .exe | Win32 Executable Delphi generic (10%)
  .dll | Win32 Dynamic Link Library (generic) (4.6%)
  .exe | Win32 Executable (generic) (3.1%)
  .exe | Win16/32 Executable Delphi generic (1.4%)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:20 00:22:17+02:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 37888
InitializedDataSize: 17920
UninitializedDataSize: null
EntryPoint: 0x9c40
OSVersion: 1
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.3.3.2
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: null
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: (empty)
FileDescription: Lememido Setup
FileVersion: 4.3.3.2
LegalCopyright: (empty)
ProductName: Lememido
ProductVersion: 5.3.6

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17
Detected languages: Dutch - Netherlands; English - United States
Comments: This installation was built with Inno Setup.
CompanyName: null
FileDescription: Lememido Setup
FileVersion: 4.3.3.2
LegalCopyright: null
ProductName: Lememido
ProductVersion: 5.3.6

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics: IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_BYTES_REVERSED_HI, IMAGE_FILE_BYTES_REVERSED_LO, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 0x00001000 | 0x00009364 | 0x00009400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.58251
DATA | 0x0000B000 | 0x0000024C | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.7391
BSS | 0x0000C000 | 0x00000E88 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.idata | 0x0000D000 | 0x00000950 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.43073
.tls | 0x0000E000 | 0x00000008 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rdata | 0x0000F000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.204488
.reloc | 0x00010000 | 0x000008B4 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0
.rsrc | 0x00011000 | 0x00002C00 | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.4643

Two things in these headers matter for triage. The compilation date (0x2A425E19, 19-Jun-1992 22:22:17 UTC; EXIF shows the same instant in +02:00) is the fixed placeholder that Borland/Delphi linkers write into every image, consistent with LinkerVersion 2.25 and the TRiD Inno Setup match, so it says nothing about when this sample was built. IMAGE_FILE_RELOCS_STRIPPED is set and .reloc has a raw size of 0, so the image cannot be rebased and ASLR does not apply to it. No section is both writable and executable and the CODE entropy (6.58) is normal for compiled code: the setup stub itself is not packed; an Inno Setup installer carries its compressed payload in the overlay appended after the last section.
Resources: 1, 2, 3, 4, 4089, 4090, 4091, 4093, 4094, 4095, 11111, MAINICON

Imports: kernel32.dll, user32.dll, oleaut32.dll, advapi32.dll, comctl32.dll

Exports: No exports.
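The timestamp, characteristics and section data above are exactly what a static triage pass should pull out before the sample is ever executed. The Python below is an added example written for this page; it is not ANY.RUN code and does not contain the real w1x.exe, which is not reproduced here. It builds a small constructed PE32 image in memory that reuses the report's 0x2A425E19 link timestamp, 0x818F characteristics and an empty .reloc section, parses the COFF header and section table with the struct module alone, and reports the findings a reviewer wants: the placeholder Delphi timestamp, a stripped-relocation image, any writable-and-executable section, and per-section entropy. The 7.2-bit entropy threshold, the helper names and the constructed byte pattern are the example's own choices.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Fixed link timestamp (0x2A425E19 = 1992-06-19 22:22:17 UTC) that Borland/Delphi
# linkers write into every image; it carries no information about the build time.
DELPHI_FIXED_TIMESTAMP = 0x2A425E19

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.2  # example's own threshold; compiled x86 code usually sits near 6-6.8 bits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for an empty section."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Read the COFF header and section table of a PE32 image with struct only."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, _pr, _pl, _nr, _nl, flags = \
            struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rawsize, "flags": flags,
                         "entropy": shannon_entropy(raw)})
    return {"machine": machine, "timestamp": timestamp,
            "characteristics": chars, "sections": sections}


def link_time_utc(pe: dict) -> str:
    return datetime.fromtimestamp(pe["timestamp"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def triage(pe: dict) -> list:
    """Findings a reviewer wants to see before running the sample."""
    findings = []
    if pe["timestamp"] == DELPHI_FIXED_TIMESTAMP:
        findings.append(f"link timestamp {link_time_utc(pe)} is the fixed Delphi placeholder; "
                        "real build time unknown")
    for s in pe["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: section is writable and executable")
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, likely packed or encrypted")
        if s["flags"] & IMAGE_SCN_CNT_CODE and s["raw_size"] == 0:
            findings.append(f"{s['name']}: code section with no bytes on disk")
    reloc_empty = any(s["name"] == ".reloc" and s["raw_size"] == 0 for s in pe["sections"])
    if pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED and reloc_empty:
        findings.append("relocations stripped and .reloc empty: image cannot be rebased, "
                        "ASLR does not apply")
    return findings


def build_sample_pe(timestamp: int = DELPHI_FIXED_TIMESTAMP,
                    code: bytes = b"\x55\x8b\xec\x83\xec\x10" * 64) -> bytes:
    """Constructed minimal PE32 for testing (not the report's sample): one CODE section
    with bytes on disk and an empty .reloc, characteristics 0x818F as in the report."""
    opt_size, code_ptr = 0xE0, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, opt_size, 0x818F)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed

    def section(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

    table = section(b"CODE", len(code), 0x1000, len(code), code_ptr,
                    IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    table += section(b".reloc", 0x8B4, 0x10000, 0, 0,
                     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_SHARED)
    header = dos + b"PE\0\0" + coff + opt + table
    return header.ljust(code_ptr, b"\0") + code


if __name__ == "__main__":
    for finding in triage(parse_pe(build_sample_pe())):
        print(finding)
```

To run this against a real file, pass `open(path, "rb").read()` to `parse_pe`; the parser reads only the headers and section table, so it is safe to point at untrusted input, but it deliberately does not walk the Inno Setup overlay, which is where the installer's compressed payload lives.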

Processes

Total processes: 41
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the command lines listed under Process information below (w1x.exe carries the #INSTALLCORE tag; every other process has no specs):

  w1x.exe (PID 3528) #INSTALLCORE
  ├── cmd.exe (PID 2132): /d /c cmd /d /c TIMEOUT 10 & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\w1x.exe"
  │   ├── cmd.exe (PID 320): /d /c TIMEOUT 10
  │   │   └── timeout.exe (PID 1660): TIMEOUT 10
  │   └── cmd.exe (PID 2992): /d /c del "C:\Users\admin\AppData\Local\Temp\w1x.exe"
  └── cmd.exe (PID 2616): /d /c TIMEOUT 3 & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\w1x.exe"
      ├── timeout.exe (PID 3836): TIMEOUT 3
      └── cmd.exe (PID 1952): /d /c del "C:\Users\admin\AppData\Local\Temp\w1x.exe"

Process information


PID: 3528
CMD: "C:\Users\admin\AppData\Local\Temp\w1x.exe"
Path: C:\Users\admin\AppData\Local\Temp\w1x.exe
Indicators: INSTALLCORE (see Behavior activities)
Parent process: ––
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: Company: (empty); Description: Lememido Setup; Version: 4.3.3.2
Modules (loaded images):
c:\users\admin\appdata\local\temp\w1x.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\version.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mlang.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll

PID: 2132
CMD: C:\Windows\System32\cmd.exe /d /c cmd /d /c TIMEOUT 10 & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\w1x.exe"
Path: C:\Windows\System32\cmd.exe
Indicators: No indicators
Parent process: w1x.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: Company: Microsoft Corporation; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (loaded images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID: 320
CMD: cmd /d /c TIMEOUT 10
Path: C:\Windows\System32\cmd.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: Company: Microsoft Corporation; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (loaded images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\timeout.exe

PID: 1660
CMD: TIMEOUT 10
Path: C:\Windows\System32\timeout.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: Company: Microsoft Corporation; Description: timeout - pauses command processing; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (loaded images):
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID: 2992
CMD: cmd /d /c del "C:\Users\admin\AppData\Local\Temp\w1x.exe"
Path: C:\Windows\System32\cmd.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: Company: Microsoft Corporation; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (loaded images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID: 2616
CMD: /d /c TIMEOUT 3 & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\w1x.exe"
Path: C:\Windows\system32\cmd.exe
Indicators: No indicators
Parent process: w1x.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: Company: Microsoft Corporation; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (loaded images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID: 3836
CMD: TIMEOUT 3
Path: C:\Windows\system32\timeout.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: Company: Microsoft Corporation; Description: timeout - pauses command processing; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (loaded images):
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID: 1952
CMD: cmd /d /c del "C:\Users\admin\AppData\Local\Temp\w1x.exe"
Path: C:\Windows\system32\cmd.exe
Indicators: No indicators
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: Company: Microsoft Corporation; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (loaded images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
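The two cmd.exe chains above are a textbook delayed self-deletion: the installer hands cmd.exe a TIMEOUT followed by a del of its own image, so the file disappears once the parent has exited (both a 10-second and a 3-second variant are launched, and every process runs at medium integrity, so no elevation is involved). The Python below is an added detection example written for this page, not ANY.RUN code. It replays constructed process-creation events carrying the Sysmon Event ID 1 fields ProcessId, ParentProcessId, Image and CommandLine, modelled on the tree above, with an assumed explorer.exe parent (PID 1234, which the report does not name) and an added benign control (PID 4000) that deletes a log file. It flags any del whose target is the image of an ancestor process and records whether a delay primitive sits anywhere in that chain; the regular expressions and the set of delay commands are the example's own.

```python
import re
from typing import Dict, Iterable, List

CMD = r"C:\Windows\System32\cmd.exe"
TIMEOUT = r"C:\Windows\System32\timeout.exe"
SAMPLE = r"C:\Users\admin\AppData\Local\Temp\w1x.exe"

# Constructed process-creation events (Sysmon Event ID 1 style) modelled on the tree in
# this report. PID 1234 (explorer.exe) is an assumed parent; PID 4000 is an added benign
# control that deletes a log file and must not be flagged.
EVENTS = [
    {"pid": 1234, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 3528, "ppid": 1234, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 2132, "ppid": 3528, "image": CMD,
     "cmd": f'{CMD} /d /c cmd /d /c TIMEOUT 10 & cmd /d /c del "{SAMPLE}"'},
    {"pid": 320, "ppid": 2132, "image": CMD, "cmd": "cmd /d /c TIMEOUT 10"},
    {"pid": 1660, "ppid": 320, "image": TIMEOUT, "cmd": "TIMEOUT 10"},
    {"pid": 2992, "ppid": 2132, "image": CMD, "cmd": f'cmd /d /c del "{SAMPLE}"'},
    {"pid": 2616, "ppid": 3528, "image": CMD,
     "cmd": f'/d /c TIMEOUT 3 & cmd /d /c del "{SAMPLE}"'},
    {"pid": 3836, "ppid": 2616, "image": TIMEOUT, "cmd": "TIMEOUT 3"},
    {"pid": 1952, "ppid": 2616, "image": CMD, "cmd": f'cmd /d /c del "{SAMPLE}"'},
    {"pid": 4000, "ppid": 1234, "image": CMD,
     "cmd": r'cmd /c del "C:\Users\admin\AppData\Local\Temp\old.log"'},
]

# `del [/switches] "quoted path"` and `del [/switches] bare\path`; cmd.exe treats & and |
# as command separators, so a bare path stops there.
DEL_QUOTED = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+"([^"]+)"', re.IGNORECASE)
DEL_BARE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+([^\s&|"]+)', re.IGNORECASE)
# Common ways a batch chain waits for its parent to exit before deleting it.
DELAY = re.compile(r"\b(timeout|ping|choice|sleep)\b", re.IGNORECASE)


def delete_targets(cmdline: str) -> List[str]:
    """Paths named by del/erase in a command line, lower-cased for comparison."""
    found = DEL_QUOTED.findall(cmdline) or DEL_BARE.findall(cmdline)
    return [t.strip().lower() for t in found]


def ancestors(pid: int, by_pid: Dict[int, dict]) -> Iterable[dict]:
    """Yield parent, grandparent, ... of `pid`; stops at an unknown parent or a cycle."""
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None:
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            break
        seen.add(parent["pid"])
        yield parent
        cur = parent


def detect_self_delete(events: List[dict]) -> List[dict]:
    """Flag every process whose del target is the image of one of its ancestors."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        targets = delete_targets(e["cmd"])
        if not targets:
            continue
        for anc in ancestors(e["pid"], by_pid):
            if anc["image"].lower() in targets:
                chain = [e] + list(ancestors(e["pid"], by_pid))
                findings.append({
                    "pid": e["pid"],
                    "victim_pid": anc["pid"],
                    "target": anc["image"],
                    # a delay anywhere in the chain marks the "wait for parent to exit" variant
                    "delayed": any(DELAY.search(p["cmd"]) for p in chain),
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect_self_delete(EVENTS):
        print(f"PID {f['pid']} deletes image of ancestor PID {f['victim_pid']} "
              f"({f['target']}), delayed={f['delayed']}")
```

Feed real Sysmon or EDR telemetry into the same dict shape and the logic is unchanged; the ancestor walk is what separates self-deletion from the far more common benign case of a script removing a temporary file, and matching on the ancestor's Image rather than on "cmd.exe spawned cmd.exe" keeps the alert tied to the binary that is being destroyed.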

Registry activity

Total events: 163
Read events: 134
Write events: 28
Delete events: 1

Modification events

PID | Process | Operation | Key | Name | Value
3528 | w1x.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
3528 | w1x.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3528 | w1x.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASAPI32 | EnableFileTracing | 0
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASAPI32 | EnableConsoleTracing | 0
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASAPI32 | FileTracingMask | 4294901760
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASAPI32 | ConsoleTracingMask | 4294901760
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASAPI32 | MaxFileSize | 1048576
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASAPI32 | FileDirectory | %windir%\tracing
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASMANCS | EnableFileTracing | 0
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASMANCS | EnableConsoleTracing | 0
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASMANCS | FileTracingMask | 4294901760
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASMANCS | ConsoleTracingMask | 4294901760
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASMANCS | MaxFileSize | 1048576
3528 | w1x.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\w1x_RASMANCS | FileDirectory | %windir%\tracing
3528 | w1x.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
3528 | w1x.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (binary value, not reproduced)
3528 | w1x.exe | delete key | HKEY_CURRENT_USER | –– | ––

All of these writes are side effects of libraries the process loads rather than deliberate configuration changes: rasapi32.dll and rasman.dll create the Tracing\<image>_RASAPI32 and _RASMANCS keys with exactly these default values the first time a process pulls in the RAS API (here indirectly, through WinInet), and the ZoneMap, ProxyEnable and SavedLegacySettings values are WinInet and urlmon caching zone and proxy configuration. None of the listed modification events establishes persistence: no Run key, service or scheduled task is written.

Files activity

Executable files: 0
Suspicious files: 0
Text files: 43
Unknown types: 0

No executable was dropped during the run. The inH94212563470 directory that w1x.exe unpacks under %TEMP% holds an HTML/CSS installer front end (bootstrap_44663.html, csshover3.htc, the css\sdk-ui stylesheets and the button, progress-bar and logo images) which the process renders through the Internet Explorer engine; that is why mshtml.dll, jscript.dll, ieframe.dll and iexplore.exe appear among the modules loaded into PID 3528 above. The four .log files written directly to %TEMP% (000EB801.log, 000E6155.log, 000EB811.log, 000E602D.log) have no type or hash recorded in the report.

Dropped files

Each entry below lists PID, process, filename, type, MD5 and SHA256.
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\000EB801.log
––
MD5:  ––
SHA256:  ––
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\downlaodsArea.png
image
MD5: 7cbc5db73ab6006766ee00724744e606
SHA256: 6388c9771497631028fbce0ae9fd9a35fad36cd15ac15c639edb05cec08a44b6
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\bootstrap_44663.html
html
MD5: 1ea9e5b417811379e874ad4870d5c51a
SHA256: f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\000E6155.log
––
MD5:  ––
SHA256:  ––
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\play.png
image
MD5: 483f1a45b14711e97d0aa21e11b7fb50
SHA256: f43c199e988b99539864b7bc2e70fa9b4d2b0402c8b284240be9b58126b35a49
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\play_disable.png
image
MD5: 5f926f0a9ed3092c65f5a292d734f098
SHA256: 94ca38e1c82ccfde504b4484aa118d0bf8e39b4dccbee63408f63c9bc1d85fa5
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\ProgressBar.png
image
MD5: 958719a4b8a12e670ba6aa4864d059de
SHA256: dc63961de56e70f37939159bdbcc4d64388464a5ccc74ca54cfc9d1769e68914
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\Progress.png
image
MD5: 7cfcd85a7e07bc7e9bec5fa4d6115f3b
SHA256: ebaf637228e1516bb4361cbbc9e5244c556826bf452b09231604dcc9fff669a5
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\play_hover.png
image
MD5: 739e4ecfa9ca48cdcab2c02fbb9cac85
SHA256: f2a54da51153eaf2c398944010046b49eca624be67ad1989fa3ca82c6a6fb216
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\locale\EN.locale
text
MD5: 75bc42d8efd448ec842ed5e5ceaf4329
SHA256: e44b39e28e3063e6cd93401cea25f92cca723783716faccae6503f1d89a578b1
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\Loader.gif
image
MD5: 57ca1a2085d82f0574e3ef740b9a5ead
SHA256: 476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\pause.png
image
MD5: 3709882d489e0338acefea489ac63985
SHA256: 00ea02dde5a7e66b1f125e2a9619ab07f1f321cda163d8fc0e67664d6732fe1a
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\installer.ico
image
MD5: d56f926dc8eba37f018c0abf99c6c5fb
SHA256: 20587aa6ce71bdcd55477f06a5543426243cc9dd0a90805ce7acdc028ebebcaf
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\icon.png
image
MD5: 59a354ae38425c5a8f4962e235ee7f99
SHA256: 772f960646ff07f5c3e3d125ec462830a35f824b07567370d64c23db57f2bc49
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\pause_disable.png
image
MD5: 5549e38f9e4233ad08512bba275d987d
SHA256: 664fda668d50e778fc6ae058150dc2b62c00ea9c8cc15c5b30ec2e1d55e50888
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\header.png
image
MD5: 697e50b016b8de31759b4938e21f7677
SHA256: 833c9895c0287fbfa647d66f3b26eee14dbcb34158033d794bd5ebb765014f00
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\pause_hover.png
image
MD5: 0185839d7f42fa3b75c41c127523ac2b
SHA256: 717e69457add58dba0a7a37f478748ab1b0b7130e2dab978694bfd087bb0eff4
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\logoTitle.png
image
MD5: 9eb91707a560704e1017feb65354adce
SHA256: fb0dc9ad1ba9a2c803e353644a25801f4ed561d520580d2a6e0b9b0a3fea8847
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\Close.png
image
MD5: f12d5a7ed0f79307f51d9200d76793db
SHA256: 60abb86e82cd25f5752c5f210e0a1f5a097fe514f2cedbbb5ac0ba592bf9ec62
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\Close_Hover.png
image
MD5: 368457bcd5eab9804e984125ccc11afd
SHA256: ed895d3499636c5051b16963a08da99d39715ec1f0e83ede7c939080a409fa90
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\cancel_hover.png
image
MD5: d369ebcfed2248d79c3373e12d3222c8
SHA256: 7360e2a145622a346e0a89a7ce73d13c99808b239890d75697440289b563c524
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\default_download_image.png
image
MD5: 5a11a0df80b77e1291e8b85eed2437e7
SHA256: 27e9ee0a382978ec10ab0c1e2134c763849078b4d8f84d8e0ef3406b942a1ff1
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\cancel_disable.png
image
MD5: 835e197d12ecce047bc0a191630582fc
SHA256: f0c2e58075cf1e9ef0539e9ae2c6a2c1b1692524b8d4b79d39933f739e0ef8f0
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\000EB811.log
––
MD5:  ––
SHA256:  ––
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\buttonPlay_Hover.png
image
MD5: 4e9249270cc594a7f788cfadf709e699
SHA256: 1f653fe4fb5915317b04d5b546a7d306f4b084b6c874fb2f27dc3e0758e93057
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\buttonPlay_disable.png
image
MD5: 3d7f0f723da1f5501dd4f37ce7d41c22
SHA256: a419d8f5ae7ce7db90151a4d1da0fc21be70f8e88dffced47f1025627ae15999
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\cancel.png
image
MD5: ee6a94a42eae1876183800dd45d728db
SHA256: c2ce2888e882cb7d01ba8b9e0aa5db455b8568256f465c1eee6d16355ee14812
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\buttonPlay.png
image
MD5: 1d84c055608b157ad6458a6709f63b29
SHA256: c9913e3dde29933ccf6e8b38349655e4c9ebee6e67a5f7e9951ca2d35408b849
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\buttonPause_Hover.png
image
MD5: 5331920bc62f85ad29368d85195e3b4f
SHA256: 12dea3f4bc3d7d0efb9cb480a304ebc499510c09d98bcdb3684f64fb760d1109
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\buttonPause.png
image
MD5: bf4933a2f6a63a38cf79c998a7373b39
SHA256: 1733116edfb43d5695f68159d693c49aac1bbe416aac232a7e256f9e7cbf241b
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\buttonCancel_disable.png
image
MD5: 62dce28a29fdebc60fa057f5ed1f7720
SHA256: 7ba07a06730d6dae558d871a42ae55568eb14776d74f7fe771ed11609a48a6d1
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\buttonCancel.png
image
MD5: 36be0163a644eee163f6d59f5db59bc2
SHA256: 9452b04e31a7d0b36bb13557ad874bc6cba48692835077b6e358d5df3807141b
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\buttonCancel_Hover.png
image
MD5: eb3ab8162d0d2f30c99a33aed50f067a
SHA256: d0c5194a353e89022ba915a7539774846ef3d46ac8f68be8f9eb4217c466a195
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\app.png
image
MD5: baf5212f913bd3a48716bf3878b62f6d
SHA256: 2454f98ad12bb22d9a0a1089410a6c6fc515b52a60634b28eff863b5a025a0e5
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\buttonPause_disable.png
image
MD5: f7e4adb668cbf6c4189f7590a5aea7d8
SHA256: 19d00b2cb4d6e806348cafc03fa33187cdba7efb198e7ba8052c80e51353a2be
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\images\BG.png
image
MD5: 6791c64f79bcb6ea5d97206551a75856
SHA256: 41bb296c54c41f18b0a411a83cdba2055a25faf5580c90845714b8ce1d7b7a8b
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\css\sdk-ui\images\progress-bg2.png
image
MD5: b582d9a67bfe77d523ba825fd0b9dae3
SHA256: ab4eeb3ea1eef4e84cb61eccb0ba0998b32108d70b3902df3619f4d9393f74c3
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\css\sdk-ui\button.css
text
MD5: 37e1ff96e084ec201f0d95feef4d5e94
SHA256: 8e806f5b94fc294e918503c8053ef1284e4f4b1e02c7da4f4635e33ec33e0534
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\css\sdk-ui\images\progress-bg-corner.png
image
MD5: 608f1f20cd6ca9936eaa7e8c14f366be
SHA256: 86b6e6826bcde2955d64d4600a4e01693522c1fddf156ce31c4ba45b3653a7bd
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\css\main.css
text
MD5: 15a3bb9d38a0165f0c8b73a4f7039976
SHA256: 1b332d8c69e9c46f396a3eacff17b43d7deeebca8d105621b1d8998f994b17bb
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\css\sdk-ui\checkbox.css
text
MD5: 64773c6b0e3413c81aebc46cce8c9318
SHA256: b09504c1bf0486d3ec46500592b178a3a6c39284672af8815c3687cc3d29560d
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\css\ie6_main.css
text
MD5: 158b9c87f1b5e364b12365b158ce4690
SHA256: 400a3b06de18ba28a95df5c94d787c1a81e10248ab09d7fac0fcd1ce7561e71d
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\css\sdk-ui\browse.css
text
MD5: 6009d6e864f60aea980a9df94c1f7e1c
SHA256: 5ef48a8c8c3771b4f233314d50dd3b5afdcd99dd4b74a9745c8fe7b22207056d
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\css\sdk-ui\images\progress-bg.png
image
MD5: e9f12f92a9eeb8ebe911080721446687
SHA256: c1cf449536bc2778e27348e45f0f53d04c284109199fb7a9af7a61016b91f8bc
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\css\sdk-ui\images\button-bg.png
image
MD5: 98b1de48dfa64dc2aa1e52facfbee3b0
SHA256: 2693930c474fe640e2fe8d6ef98abe2ecd303d2392c3d8b2e006e8942ba8f534
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\inH94212563470\csshover3.htc
html
MD5: 52fa0da50bf4b27ee625c80d36c67941
SHA256: e37e99ddfc73ac7ba774e23736b2ef429d9a0cb8c906453c75b14c029bdd5493
3528
w1x.exe
C:\Users\admin\AppData\Local\Temp\000E602D.log
––
MD5:  ––
SHA256:  ––

Find more information about the static content, and download it, in the full report.

Network activity

HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 3
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3528 | w1x.exe | POST | 200 | 52.214.73.247:80 | http://rp.downloadagentcdn.com/ | IE | binary | –– | –– | malicious
3528 | w1x.exe | POST | 200 | 52.214.73.247:80 | http://rp.downloadagentcdn.com/ | IE | binary | –– | –– | malicious
3528 | w1x.exe | POST | 200 | 54.194.149.175:80 | http://rp.downloadagentcdn.com/ | IE | binary | –– | –– | malicious

Download the PCAP and analyze network streams, HTTP content and more in the full report.

Connections

PID Process IP ASN CN Reputation
3528 w1x.exe 52.214.73.247:80 Amazon.com, Inc. IE malicious
3528 w1x.exe 54.194.149.175:80 Amazon.com, Inc. IE malicious

DNS requests

Domain | IP | Reputation
rp.downloadagentcdn.com | 52.214.73.247, 54.194.149.175 | malicious
dns.msftncsi.com | 131.107.255.255 | whitelisted

dns.msftncsi.com is the Windows Network Connectivity Status Indicator probe and is expected background noise on any Windows 7 guest; the only sample-driven resolution is rp.downloadagentcdn.com, which points at two Amazon EC2 addresses in Ireland (the "IE" country code in the tables above), and all three POSTs went to that host over plain HTTP on port 80.

Threats

PID Process Class Message
3528 w1x.exe Misc activity ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3528 w1x.exe Misc activity ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
3528 w1x.exe Misc activity ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2

4 ETPRO signatures are available in the full report.

Debug output strings

No debug info.