File name: decacopy-1.2.5.2.exe

Full analysis: https://app.any.run/tasks/6d52ec79-0fc9-4808-9ab9-ebcadc6b255c
Verdict: Malicious activity
Analysis date: February 20, 2024, 18:17:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
decacopy
pua
globalhop
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: AAE68E4B8614540EF68134FCA3532BF1
SHA1: 02E8CEF3DF4D009C07B3A3B7E24A3DDEBBBF6157
SHA256: EC8D51AD6E5CBD9B807350299346EC6D9D1813E11B6A9E14FDADC885625CCCA4
SSDEEP: 98304:0bUZZ5ETGCaWqpBKQ+nyEHsZfuDZht1q9wtOG+/NmT28IqLBRU6qBxinH8zltmQF:GVdq+ZW4ro

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • decacopy-1.2.5.2.exe (PID: 3652)
      • decacopy-1.2.5.2.tmp (PID: 3536)
    • Changes the autorun value in the registry

      • decacopy-1.2.5.2.tmp (PID: 3536)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • decacopy-1.2.5.2.tmp (PID: 3536)
      • Decacopy.exe (PID: 2332)
    • Executable content was dropped or overwritten

      • decacopy-1.2.5.2.exe (PID: 3652)
      • decacopy-1.2.5.2.tmp (PID: 3536)
    • Reads the Windows owner or organization settings

      • decacopy-1.2.5.2.tmp (PID: 3536)
    • Uses TASKKILL.EXE to kill process

      • decacopy-1.2.5.2.tmp (PID: 3536)
    • Reads Internet Explorer settings

      • Decacopy.exe (PID: 2332)
    • Reads the Internet Settings

      • Decacopy.exe (PID: 2332)
    • Reads security settings of Internet Explorer

      • Decacopy.exe (PID: 2332)
    • Changes Internet Explorer settings (feature browser emulation)

      • Decacopy.exe (PID: 2332)
    • Reads Microsoft Outlook installation path

      • Decacopy.exe (PID: 2332)
  • INFO

    • Checks supported languages

      • decacopy-1.2.5.2.exe (PID: 3652)
      • decacopy-1.2.5.2.tmp (PID: 3536)
      • Decacopy.exe (PID: 2332)
    • Reads the computer name

      • decacopy-1.2.5.2.tmp (PID: 3536)
      • Decacopy.exe (PID: 2332)
    • Reads the software policy settings

      • decacopy-1.2.5.2.tmp (PID: 3536)
      • Decacopy.exe (PID: 2332)
    • Create files in a temporary directory

      • decacopy-1.2.5.2.exe (PID: 3652)
      • Decacopy.exe (PID: 2332)
    • Reads the machine GUID from the registry

      • decacopy-1.2.5.2.tmp (PID: 3536)
      • Decacopy.exe (PID: 2332)
    • Creates files or folders in the user directory

      • decacopy-1.2.5.2.tmp (PID: 3536)
    • Creates a software uninstall entry

      • decacopy-1.2.5.2.tmp (PID: 3536)
    • Checks proxy server information

      • Decacopy.exe (PID: 2332)
No Malware configuration.

TRiD

.exe | Inno Setup installer (51.8)
.exe | InstallShield setup (20.3)
.exe | Win32 EXE PECompact compressed (generic) (19.6)
.dll | Win32 Dynamic Link Library (generic) (3.1)
.exe | Win32 Executable (generic) (2.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:04:27 08:22:11+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 682496
InitializedDataSize: 38912
UninitializedDataSize: -
EntryPoint: 0xa7ed0
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Globalhop
FileDescription: Decacopy Lite Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName: Decacopy Lite
ProductVersion: 1.2.5.2
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process tree (recovered from the parent-process column of the process information below):

explorer.exe
  decacopy-1.2.5.2.exe (PID 3652)
    decacopy-1.2.5.2.tmp (PID 3536)
      taskkill.exe (PID 3892, no specs)
      Decacopy.exe (PID 2332)

Process information

PID: 2332
CMD: "C:\Users\admin\AppData\Roaming\Roaming\decacopy\Decacopy.exe"
Path: C:\Users\admin\AppData\Roaming\Roaming\decacopy\Decacopy.exe
Parent process: decacopy-1.2.5.2.tmp
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.2.5.2
Loaded images:
c:\users\admin\appdata\roaming\roaming\decacopy\decacopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3536
CMD: "C:\Users\admin\AppData\Local\Temp\is-ELCGD.tmp\decacopy-1.2.5.2.tmp" /SL5="$E0170,3173812,722432,C:\Users\admin\AppData\Local\Temp\decacopy-1.2.5.2.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-ELCGD.tmp\decacopy-1.2.5.2.tmp
Parent process: decacopy-1.2.5.2.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Note: the /SL5 switch is how the Inno Setup loader (the downloaded .exe) hands the extracted setup program its window handle, size/offset values for the original installer, and that installer's path; the is-XXXXX.tmp directory under %TEMP% is the loader's standard extraction location.
Loaded images:
c:\users\admin\appdata\local\temp\is-elcgd.tmp\decacopy-1.2.5.2.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3652
CMD: "C:\Users\admin\AppData\Local\Temp\decacopy-1.2.5.2.exe"
Path: C:\Users\admin\AppData\Local\Temp\decacopy-1.2.5.2.exe
Parent process: explorer.exe
User: admin
Company: Globalhop
Integrity Level: MEDIUM
Description: Decacopy Lite Setup
Exit code: 0
Version: (empty)
Loaded images:
c:\users\admin\appdata\local\temp\decacopy-1.2.5.2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3892
CMD: "taskkill.exe" /f /im "Decacopy.exe"
Path: C:\Windows\System32\taskkill.exe
Parent process: decacopy-1.2.5.2.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128 (taskkill's exit code when no process matches the filter: the installer kills any running copy before overwriting it, and Decacopy.exe was not running yet in this run)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded images:
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll

Total events: 9,635
Read events: 9,552
Write events: 68
Delete events: 15

Modification events

All events below are registry writes by PID 3536 (decacopy-1.2.5.2.tmp).

Key: HKEY_CURRENT_USER\Software\decacopy\Settings
Name: PSH
Value: none

Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Name: LanguageList
Value: en-US

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: Decacopy.exe
Value: C:\Users\admin\AppData\Roaming\Roaming\decacopy\Decacopy.exe
This is the autorun change behind the MALICIOUS verdict. It is a per-user (HKCU) Run value, so it needs no elevation, which matches the MEDIUM integrity level of every process in the tree; the doubled "Roaming\Roaming" directory is the installer's own target path and recurs in the uninstall entry and dropped-file list below.

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Decacopy Lite_is1 (seven values)
Name: Inno Setup: Setup Version
Value: 6.0.2 (u)
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Roaming\Roaming\decacopy
Name: InstallLocation
Value: C:\Users\admin\AppData\Roaming\Roaming\decacopy\
Name: Inno Setup: Icon Group
Value: Decacopy Lite
Name: Inno Setup: User
Value: admin
Name: Inno Setup: Language
Value: en
Name: DisplayName
Value: Decacopy Lite Clipboard Manager 1.2.5.2
Executable files: 5
Suspicious files: 1
Text files: 1
Unknown types: 1

Dropped files

PID 3652 (decacopy-1.2.5.2.exe)
C:\Users\admin\AppData\Local\Temp\is-ELCGD.tmp\decacopy-1.2.5.2.tmp (executable)
MD5: 9741916C580F8663C6E137C52582F0D3
SHA256: 53966C86F66CCC1CC0CDE972FF5461C96E5E849F0906168F22E524FA8430EC5F

PID 3536 (decacopy-1.2.5.2.tmp)
C:\Users\admin\AppData\Roaming\Roaming\decacopy\is-81JGH.tmp (executable)
MD5: C173B119E951AC2FF52C83B1783703B8
SHA256: 8A29D548A2E9BD774587945B4B179501FA786EBC1BB58EEB1A65066146BB715D

C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Decacopy Lite.lnk (lnk)
MD5: 2543E4AC044C551872BC637128962028
SHA256: FEF91464CC7D9D30FBCEC2E02A07378F989E950461E6E77AC742F01C97649388

C:\Users\admin\AppData\Roaming\Roaming\decacopy\unins000.dat (dat)
MD5: D149C12D52CB0DC52179DCB574A762B3
SHA256: 891E73473771490FE8493015CCE8BECC7001FAB1B6FEE1A91FF6D879B368F219

C:\Users\admin\AppData\Roaming\Roaming\decacopy\unins000.exe (executable)
MD5: AA4E725CF5079E20765AC1C683EA9F19
SHA256: 7277125A9B80EFD9E9256B209696B3D6703D79F6DF23185610D6B36E3D2846F5

C:\Users\admin\AppData\Roaming\Roaming\decacopy\is-1K00N.tmp (executable)
MD5: AA4E725CF5079E20765AC1C683EA9F19
SHA256: 7277125A9B80EFD9E9256B209696B3D6703D79F6DF23185610D6B36E3D2846F5

C:\Users\admin\AppData\Roaming\Roaming\decacopy\Decacopy.exe (executable)
MD5: C173B119E951AC2FF52C83B1783703B8
SHA256: 8A29D548A2E9BD774587945B4B179501FA786EBC1BB58EEB1A65066146BB715D

PID 2332 (Decacopy.exe)
C:\Users\admin\AppData\Local\Temp\systray_temp_icon_7360edbec4f8524f539cc4f9a064c7bd (image)
MD5: 7360EDBEC4F8524F539CC4F9A064C7BD
SHA256: 7F6C0F4F739920D68860BA62538B6C45B8FA0476A6BBD7EB69BA2F2E175ACECA

is-81JGH.tmp/Decacopy.exe and is-1K00N.tmp/unins000.exe are hash-identical pairs: Inno Setup extracts each file under an is-XXXXX.tmp name in the target directory and then renames it into place, so the five "executable" entries are three distinct binaries (the setup stub, Decacopy.exe and the uninstaller). Decacopy.exe's SHA256 8A29D548...BB715D is the hash to pivot on for the persisted payload, rather than the installer's.
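The Run-key write in the modification events and the dropped-file list above are the two findings the verdict rests on, and they are meant to be read together. The Python below is an added example for this page, not ANY.RUN's code and not part of the Decacopy installer: it takes the registry writes and dropped files transcribed from this report, flags the autorun entry, resolves it to the SHA256 of the dropped file it points at, and collapses the is-XXXXX.tmp/final-name pairs that Inno Setup's extract-then-rename leaves behind. The record layout (tuples) and the names REGISTRY_WRITES, DROPPED_FILES, find_autorun_writes, command_to_path, resolve_autorun_targets and staged_copies are this example's own; command_to_path is a deliberately simple heuristic that also handles quoted paths with arguments, which this report does not contain.

```python
"""Triage the registry writes and dropped files listed in this report.

Added example for this page, not code from ANY.RUN or from the Decacopy/Globalhop
installer. Records are transcribed from the report's "Modification events" and
"Dropped files" sections; every helper name here is this example's own.
"""
from collections import defaultdict

RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = RUN_KEY + "Once"

# (pid, process, key, value name, data), transcribed from the report. The PSH and
# MuiCache writes are included as the ordinary-looking entries a triage script must skip.
REGISTRY_WRITES = [
    (3536, "decacopy-1.2.5.2.tmp", r"HKEY_CURRENT_USER\Software\decacopy\Settings", "PSH", "none"),
    (3536, "decacopy-1.2.5.2.tmp", r"HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E",
     "LanguageList", "en-US"),
    (3536, "decacopy-1.2.5.2.tmp", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Decacopy.exe", r"C:\Users\admin\AppData\Roaming\Roaming\decacopy\Decacopy.exe"),
    (3536, "decacopy-1.2.5.2.tmp",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Decacopy Lite_is1",
     "Inno Setup: App Path", r"C:\Users\admin\AppData\Roaming\Roaming\decacopy"),
    (3536, "decacopy-1.2.5.2.tmp",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Decacopy Lite_is1",
     "DisplayName", "Decacopy Lite Clipboard Manager 1.2.5.2"),
]

# (pid, process, path, sha256), transcribed from the report's dropped-file list.
DROPPED_FILES = [
    (3652, "decacopy-1.2.5.2.exe",
     r"C:\Users\admin\AppData\Local\Temp\is-ELCGD.tmp\decacopy-1.2.5.2.tmp",
     "53966C86F66CCC1CC0CDE972FF5461C96E5E849F0906168F22E524FA8430EC5F"),
    (3536, "decacopy-1.2.5.2.tmp", r"C:\Users\admin\AppData\Roaming\Roaming\decacopy\is-81JGH.tmp",
     "8A29D548A2E9BD774587945B4B179501FA786EBC1BB58EEB1A65066146BB715D"),
    (3536, "decacopy-1.2.5.2.tmp", r"C:\Users\admin\AppData\Roaming\Roaming\decacopy\unins000.exe",
     "7277125A9B80EFD9E9256B209696B3D6703D79F6DF23185610D6B36E3D2846F5"),
    (3536, "decacopy-1.2.5.2.tmp", r"C:\Users\admin\AppData\Roaming\Roaming\decacopy\is-1K00N.tmp",
     "7277125A9B80EFD9E9256B209696B3D6703D79F6DF23185610D6B36E3D2846F5"),
    (3536, "decacopy-1.2.5.2.tmp", r"C:\Users\admin\AppData\Roaming\Roaming\decacopy\Decacopy.exe",
     "8A29D548A2E9BD774587945B4B179501FA786EBC1BB58EEB1A65066146BB715D"),
]


def find_autorun_writes(writes):
    """Writes that create a value under ...\\CurrentVersion\\Run or RunOnce in any hive.

    Matching on the key suffix catches HKCU and HKLM alike and ignores the installer's
    own settings and uninstall keys.
    """
    suffixes = (RUN_KEY.lower(), RUNONCE_KEY.lower())
    return [w for w in writes if w[2].rstrip("\\").lower().endswith(suffixes)]


def command_to_path(command):
    """Executable path from a Run value: the quoted token, or everything up to the first space.

    Heuristic only (assumption of this example); it is enough for the unquoted,
    space-free path in this report and for the common "quoted path" /args form.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def resolve_autorun_targets(writes, dropped):
    """Map each autorun value name to (target path, SHA256 of the dropped file at that path).

    A persistence entry pointing at a file the same run dropped is the combination the
    MALICIOUS verdict rests on; the hash lets you pivot on the payload, not the installer.
    """
    by_path = {path.lower(): sha for _, _, path, sha in dropped}
    result = {}
    for _, _, _, name, data in find_autorun_writes(writes):
        target = command_to_path(data)
        result[name] = (target, by_path.get(target.lower()))
    return result


def staged_copies(dropped):
    """Group dropped files by SHA256 and keep only the groups with more than one path.

    Inno Setup extracts each file to an is-XXXXX.tmp name in the target directory and
    renames it afterwards, so every installed executable appears twice under one hash.
    Collapsing the pairs gives the real number of distinct payloads.
    """
    groups = defaultdict(list)
    for _, _, path, sha in dropped:
        groups[sha].append(path)
    return {sha: paths for sha, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    for name, (target, sha) in resolve_autorun_targets(REGISTRY_WRITES, DROPPED_FILES).items():
        print(f"autorun value {name!r} -> {target}  sha256={sha}")
    for sha, paths in staged_copies(DROPPED_FILES).items():
        print(f"{sha[:12]}... written as {len(paths)} paths: {paths}")
```

Run as a script it prints one autorun line (the Run value resolving to the 8A29D548... hash) and two staged-copy groups, which is the compact form of what the two sections above say across forty lines. On a live host the same logic applies to the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` joined against the file hashes under the App Path.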
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 4
Threats: 1

HTTP requests

No HTTP requests

Connections

PID   Process               IP:port               Domain              ASN            CN   Reputation
4     System                192.168.100.255:137   -                   -              -    whitelisted
4     System                192.168.100.255:138   -                   -              -    whitelisted
3536  decacopy-1.2.5.2.tmp  188.114.97.3:443      track.decacopy.com  CLOUDFLARENET  NL   unknown
3536  decacopy-1.2.5.2.tmp  188.114.96.3:443      track.decacopy.com  CLOUDFLARENET  NL   unknown
2332  Decacopy.exe          188.114.96.3:443      track.decacopy.com  CLOUDFLARENET  NL   unknown
2332  Decacopy.exe          188.114.97.3:443      track.decacopy.com  CLOUDFLARENET  NL   unknown
2332  Decacopy.exe          142.250.186.99:443    www.google.com.br   GOOGLE         US   whitelisted

DNS requests

Domain              Resolved IPs                  Reputation
track.decacopy.com  188.114.97.3, 188.114.96.3    unknown
stats.decacopy.com  188.114.96.3, 188.114.97.3    unknown
gabbart.nl          188.114.97.3, 188.114.96.3    unknown
www.google.com.br   142.250.186.99                whitelisted
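Three of the four resolved names sit on the same two Cloudflare addresses, so the Domain column of the connection table above cannot be verified from the DNS answers alone: a 188.114.96.3:443 flow could carry track.decacopy.com, stats.decacopy.com or gabbart.nl. The Python below is an added example for this page (not ANY.RUN's code). It re-reads the connections and DNS answers transcribed from the two sections above, inverts the DNS table to list every name behind each destination IP, marks the connections whose attribution is ambiguous, sets the System process's NetBIOS broadcasts aside as sandbox noise, lists the names that were resolved but never attributed, and emits the non-whitelisted IPs and names as IOCs. The record layout and the names DNS_ANSWERS, CONNECTIONS, ip_to_domains, is_sandbox_noise, attribute_connections, resolved_but_unattributed and network_iocs are this example's own; the ambiguity check is general and applies to any report in which several names resolve to shared CDN edges.

```python
"""Attribution check for the Connections and DNS requests sections of this report.

Added example for this page, not code from ANY.RUN. DNS_ANSWERS and CONNECTIONS are
transcribed from the report; every helper name is this example's own.
"""
import ipaddress
from collections import defaultdict

# domain -> set of resolved IPs, from the "DNS requests" section.
DNS_ANSWERS = {
    "track.decacopy.com": {"188.114.97.3", "188.114.96.3"},
    "stats.decacopy.com": {"188.114.96.3", "188.114.97.3"},
    "gabbart.nl": {"188.114.97.3", "188.114.96.3"},
    "www.google.com.br": {"142.250.186.99"},
}

# (pid, process, ip, port, domain shown in the report or None, reputation), from "Connections".
CONNECTIONS = [
    (4, "System", "192.168.100.255", 137, None, "whitelisted"),
    (4, "System", "192.168.100.255", 138, None, "whitelisted"),
    (3536, "decacopy-1.2.5.2.tmp", "188.114.97.3", 443, "track.decacopy.com", "unknown"),
    (3536, "decacopy-1.2.5.2.tmp", "188.114.96.3", 443, "track.decacopy.com", "unknown"),
    (2332, "Decacopy.exe", "188.114.96.3", 443, "track.decacopy.com", "unknown"),
    (2332, "Decacopy.exe", "188.114.97.3", 443, "track.decacopy.com", "unknown"),
    (2332, "Decacopy.exe", "142.250.186.99", 443, "www.google.com.br", "whitelisted"),
]


def ip_to_domains(dns_answers):
    """Invert the DNS table: IP -> every name that resolved to it during the run."""
    reverse = defaultdict(set)
    for domain, ips in dns_answers.items():
        for ip in ips:
            reverse[ip].add(domain)
    return reverse


def is_sandbox_noise(ip, port):
    """NetBIOS name/datagram broadcasts (137/138) to a private address: the guest OS
    talking to its own subnet, not the sample."""
    return ipaddress.ip_address(ip).is_private and port in (137, 138)


def attribute_connections(connections, dns_answers):
    """For each external connection, list every resolved name behind the destination IP.

    The report's Domain column is an attribution. When more than one name resolved to
    the destination IP the attribution is ambiguous and only the SNI or server
    certificate in the PCAP can settle it; a single candidate is attributable from DNS.
    """
    reverse = ip_to_domains(dns_answers)
    rows = []
    for pid, process, ip, port, claimed, reputation in connections:
        if is_sandbox_noise(ip, port):
            continue
        candidates = sorted(reverse.get(ip, ()))
        rows.append({
            "pid": pid, "process": process, "dest": f"{ip}:{port}",
            "claimed": claimed, "candidates": candidates,
            "ambiguous": len(candidates) > 1, "reputation": reputation,
        })
    return rows


def resolved_but_unattributed(connections, dns_answers):
    """Names that were looked up but never appear in the Domain column.

    Given the shared edges, these may still have been contacted; they are the names
    to search the PCAP's SNI for.
    """
    attributed = {c[4] for c in connections if c[4]}
    return sorted(set(dns_answers) - attributed)


def network_iocs(connections, dns_answers):
    """Non-whitelisted external IPs plus every name that resolved to them."""
    rows = [r for r in attribute_connections(connections, dns_answers)
            if r["reputation"] != "whitelisted"]
    ips = sorted({r["dest"].rsplit(":", 1)[0] for r in rows})
    domains = sorted({d for r in rows for d in r["candidates"]})
    return {"ips": ips, "domains": domains}


if __name__ == "__main__":
    for row in attribute_connections(CONNECTIONS, DNS_ANSWERS):
        flag = "AMBIGUOUS" if row["ambiguous"] else "ok"
        print(f"{row['pid']:>5} {row['process']:<22} {row['dest']:<20} "
              f"claimed={row['claimed']} {flag} {row['candidates']}")
    print("resolved but unattributed:", resolved_but_unattributed(CONNECTIONS, DNS_ANSWERS))
    print("IOCs:", network_iocs(CONNECTIONS, DNS_ANSWERS))
```

Run as a script it marks all four Cloudflare connections as ambiguous with three candidate names each, leaves the Google row unambiguous, and reports stats.decacopy.com and gabbart.nl as resolved but unattributed. For the ambiguous rows the TLS SNI in the PCAP (downloadable from the full report) is what decides which of the three names Decacopy.exe actually talked to; the IOC list deliberately carries all three so that a block on the IPs alone is not mistaken for a block on the tracker.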

Threats

PID   Process       Class                    Message
2332  Decacopy.exe  Potentially Bad Traffic  ET JA3 HASH - Possible Rclone Client Response (Mega Storage)

This is a JA3 match: a hash of the TLS ClientHello that Decacopy.exe's TLS library produces, and the same hash is shared by every client built on that library and version. The rule therefore says "same TLS stack fingerprint as rclone", not "is rclone"; treat it as low confidence until the PCAP's SNI and payload have been checked against the track.decacopy.com flows above.
No debug info