URL: https://doc-10-bk-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/jqioc41d63ddgqs53kg0krvou69fs31p/1539108000000/16690226752399005394/*/0B-tVPEHeUWUUOFFkYlU1eUtnZlE?e=download

Full analysis: https://app.any.run/tasks/9ed730da-a8a0-4402-bb33-639560eff6e5
Verdict: Malicious activity
Analysis date: October 09, 2018, 23:04:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 091F6077C9600F782C5A060C4BC4131E
SHA1: 94A84BCB8A744A76FFFAF0893CF320B4B31481F8
SHA256: FCCB4B3C2E6B9AE8E67AB65F801BEB218E81A1F81123385E1268EEA9D3994FEE
SSDEEP: 6:2SfJcQGNHBTCezTpKDM3GDlYV94cQTCldxM:2+GNHBT5ztFd5Qsy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • keygen_np9.exe (PID: 2540)
      • AddinSetupTool.exe (PID: 3180)
      • AddinSetupTool.exe (PID: 3652)
      • AddinSetupTool.exe (PID: 676)
      • AddinSetupTool.exe (PID: 2036)
      • ControlActivation.exe (PID: 2380)
      • ControlActivation.exe (PID: 2212)
      • NLSSRV32.EXE (PID: 4060)
      • NitroPDFDriverService9.exe (PID: 1772)
      • keygen.exe (PID: 3552)
    • Changes settings of System certificates

      • msiexec.exe (PID: 544)
    • Starts NET.EXE for service management

      • MsiExec.exe (PID: 600)
    • Low-level write access rights to disk partition

      • NLSSRV32.EXE (PID: 4060)
    • Loads dropped or rewritten executable

      • spoolsv.exe (PID: 1208)
      • keygen.exe (PID: 3552)
      • spoolsv.exe (PID: 3112)
      • ControlActivation.exe (PID: 2212)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1996)
      • nitro_pro9.exe (PID: 2832)
      • msiexec.exe (PID: 544)
      • MsiExec.exe (PID: 600)
      • spoolsv.exe (PID: 1208)
      • WinRAR.exe (PID: 896)
      • keygen.exe (PID: 3552)
      • msiexec.exe (PID: 2616)
    • Creates files in the user directory

      • nitro_pro9.exe (PID: 2832)
    • Application launched itself

      • WinRAR.exe (PID: 3380)
    • Uses REG.EXE to modify Windows registry

      • MsiExec.exe (PID: 600)
    • Creates files in the Windows directory

      • spoolsv.exe (PID: 1208)
      • MsiExec.exe (PID: 600)
      • msiexec.exe (PID: 2616)
      • NLSSRV32.EXE (PID: 4060)
    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 2616)
    • Removes files from Windows directory

      • msiexec.exe (PID: 2616)
      • spoolsv.exe (PID: 1208)
    • Creates COM task schedule object

      • msiexec.exe (PID: 2616)
    • Low-level read access rights to disk partition

      • NLSSRV32.EXE (PID: 4060)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1392)
      • iexplore.exe (PID: 2152)
    • Application launched itself

      • iexplore.exe (PID: 2152)
      • msiexec.exe (PID: 2616)
    • Changes internet zones settings

      • iexplore.exe (PID: 2152)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2152)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 1476)
      • MsiExec.exe (PID: 600)
    • Searches for installed software

      • msiexec.exe (PID: 2616)
    • Creates or modifies windows services

      • msiexec.exe (PID: 2616)
      • vssvc.exe (PID: 2688)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2688)
    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 2616)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2616)
    • Creates files in the program directory

      • msiexec.exe (PID: 2616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 84
Monitored processes: 36
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Processes shown in the graph, in order (the interactive graph is available in the full report; "no specs" marks nodes without indicators): iexplore.exe, iexplore.exe, winrar.exe (no specs), winrar.exe, keygen_np9.exe (no specs), nitro_pro9.exe, msiexec.exe, msiexec.exe, msiexec.exe (no specs), vssvc.exe (no specs), drvinst.exe (no specs), msiexec.exe, reg.exe (no specs), reg.exe (no specs), reg.exe (no specs), nlssrv32.exe, nitropdfdriverservice9.exe (no specs), addinsetuptool.exe (no specs) x4, net.exe (no specs), net1.exe (no specs), net.exe (no specs), net1.exe (no specs), rundll32.exe (no specs), net.exe (no specs), net1.exe (no specs), spoolsv.exe (no specs), net.exe (no specs), net1.exe (no specs), controlactivation.exe (no specs), controlactivation.exe, spoolsv.exe, winrar.exe, keygen.exe

Process information

PID: 544
CMD: "C:\Windows\system32\msiexec.exe" -i "C:\Users\admin\AppData\Roaming\Downloaded Installations\{B89E8CFC-4E44-4F5E-842F-C8D958C08EAC}\{45C15B46-6049-4988-BB03-1357DD75CC15}.msi" MODIFYSOURCELIST=0
Path: C:\Windows\system32\msiexec.exe
Parent process: nitro_pro9.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 600
CMD: C:\Windows\system32\MsiExec.exe -Embedding A75E95AD8F510F175E749FCEA33CB21B M Global\MSI0000
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 676
CMD: "C:\Program Files\Nitro\Pro 9\AddinSetupTool.exe" /InstallPowerPointAddin 1
Path: C:\Program Files\Nitro\Pro 9\AddinSetupTool.exe
Parent process: msiexec.exe
User: admin
Company: Nitro PDF Software
Integrity Level: MEDIUM
Description: AddinSetupTool
Exit code: 5
Version: 7.0.0.1
Modules (images):
c:\program files\nitro\pro 9\addinsetuptool.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msimg32.dll
PID: 896
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3380.10579\keymaker-CORE.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1076
CMD: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 1208
CMD: C:\Windows\System32\spoolsv.exe
Path: C:\Windows\System32\spoolsv.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Spooler SubSystem App
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1392
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2152 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1476
CMD: C:\Windows\system32\MsiExec.exe -Embedding 52D057DCD7F10E1886B2C029F7C147D0 C
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1688
CMD: "reg.exe" copy HKLM\SOFTWARE\Classes\.fdf HKLM\SOFTWARE\Classes\NitroPDF.fdf\old /f
Path: C:\Windows\system32\reg.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1708
CMD: "C:\Windows\System32\net.exe" stop LPDSVC
Path: C:\Windows\System32\net.exe
Parent process: MsiExec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
Total events: 4 273
Read events: 2 755
Write events: 1 502
Delete events: 16

Modification events

(PID) Process: (2152) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2152) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2152) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (2152) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

(PID) Process: (2152) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2152) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

(PID) Process: (2152) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {BB250121-CC17-11E8-BFAB-5254004AAD11}
Value: 0

(PID) Process: (2152) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

(PID) Process: (2152) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 3

(PID) Process: (2152) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E2070A00020009001700040036003201
Executable files: 150
Suspicious files: 30
Text files: 180
Unknown types: 225

Dropped files

PID 2152, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
PID 2152, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
PID 2152, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DFAC16815C271C4CFB.TMP
PID 1392, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Nitro-Pro-9.0.5.9[1].rar
PID 2152, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF8CC99D990E0CCE11.TMP
PID 2152, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BB250121-CC17-11E8-BFAB-5254004AAD11}.dat
PID 3380, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa3380.4919\SinhvienIT.Net----Nitro-Pro-9.0.5.9\nitro_pro9.exe
PID 3380, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa3380.4919\SinhvienIT.Net----Nitro-Pro-9.0.5.9\nitro_pro9_x64.exe
PID 2832, nitro_pro9.exe: C:\Users\admin\AppData\Roaming\Downloaded Installations\{B89E8CFC-4E44-4F5E-842F-C8D958C08EAC}\{45C15B46-6049-4988-BB03-1357DD75CC15}.msi
PID 2616, msiexec.exe: C:\System Volume Information\SPP\metadata-2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID: 2152
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 204.79.197.229:80
URL: http://www.bing.com/favicon.ico
CN: US
Type: image
Size: 237 b
Reputation: whitelisted

Connections

PID: 1392
Process: iexplore.exe
IP: 216.58.214.97:443
Domain: doc-10-bk-docs.googleusercontent.com
ASN: Google Inc.
CN: US
Reputation: whitelisted

PID: 2152
Process: iexplore.exe
IP: 204.79.197.229:80
Domain: www.bing.com
ASN: Microsoft Corporation
CN: US
Reputation: whitelisted

DNS requests

Domain: doc-10-bk-docs.googleusercontent.com
IP: 216.58.214.97
Reputation: shared

Domain: www.bing.com
IP: 204.79.197.229
Reputation: whitelisted

Threats

No threats detected
No debug info