Property | Value |
---|---|
File name: | 34563456.exe |
Full analysis: | https://app.any.run/tasks/b0c6e75e-4bb5-4def-aa8d-6795f8ab57c8 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2022, 20:17:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 0287754D98F592525FDF794EF1B711C5 |
SHA1: | 74BE1AECA5F9B09E3E97A42A943A9C12AB66BCB7 |
SHA256: | 148DC8072D8EDB208E14DD2A1D59D9DCC02154A8656A07794A33F706E7D773FA |
SSDEEP: | 196608:+O32m+H8ttVwP+Y3PyBgM2QnnWXazob2ErJCJTDeXR:D33ttAyhWXjb2aiiB |
Extension | File type (match confidence) |
---|---|
.scr | Windows screen saver (46.4) |
.dll | Win32 Dynamic Link Library (generic) (23.3) |
.exe | Win32 Executable (generic) (15.9) |
.exe | Generic Win/DOS Executable (7) |
.exe | DOS Executable Generic (7) |
Field | Value |
---|---|
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x690cf9 |
UninitializedDataSize: | - |
InitializedDataSize: | 2156032 |
CodeSize: | 1084416 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 1992:06:20 00:22:17+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 19-Jun-1992 22:22:17 |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
PE header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 9 |
Time date stamp: | 19-Jun-1992 22:22:17 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x00108B48 | 0x00108C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.50988 |
DATA | 0x0010A000 | 0x000044C0 | 0x00004600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.53793 |
BSS | 0x0010F000 | 0x000010FD | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00111000 | 0x00002710 | 0x00002800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.81371 |
.tls | 0x00114000 | 0x00000010 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00115000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.203014 |
.vmp0 | 0x00116000 | 0x0051AF6B | 0x0051B000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.93789 |
.vmp1 | 0x00631000 | 0x00231F50 | 0x00232000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.81193 |
.rsrc | 0x00863000 | 0x000108F0 | 0x00010A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 5.70663 |
Imported DLL |
---|
WTSAPI32.dll |
advapi32.dll |
comctl32.dll |
comdlg32.dll |
gdi32.dll |
kernel32.dll |
ole32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3224 | "C:\Users\admin\AppData\Local\Temp\34563456.exe.scr" /S | C:\Users\admin\AppData\Local\Temp\34563456.exe.scr | | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2024 | C:\Users\admin\Desktop\mpress.exe hdfgh.exe | C:\Users\admin\Desktop\mpress.exe | | 34563456.exe.scr | User: admin; Company: MATCODE Software; Description: Matcode comPRESSor; Version: 2.19; Integrity Level: MEDIUM; Exit code: 0 |
632 | "C:\Users\admin\Desktop\hdfgh.exe" | C:\Users\admin\Desktop\hdfgh.exe | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 |
4080 | "C:\Users\admin\Desktop\hdfgh.exe" | C:\Users\admin\Desktop\hdfgh.exe | | Explorer.EXE | User: admin; Integrity Level: HIGH |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
4080 | hdfgh.exe | C:\Users\admin\Desktop\Anti_hook.sys | executable | CE7C250732671AE79F7DE8FA16AA8899 | 091CD93421E7F15CC5FF46F92B5D3B4A44A3CEBBFDF67F64C88BDC5F3CEC335B |
3224 | 34563456.exe.scr | C:\Users\admin\Desktop\hdfgh.exe | executable | 662933D02E6727D79B2DD4743C38EB71 | 631B74C52C7BD77F4AEA5E371569BBE629F60B754DE72DF95CFE9639E3C07AA3 |
3224 | 34563456.exe.scr | C:\Users\admin\Desktop\RCXEE4B.tmp | executable | DEC3725DC0236C038E8904596CF012A9 | AC58DC0EF0A7589D1E727DF520A9ABF1C2476DEA5EBC668B66BB6E9890A3E826 |
3224 | 34563456.exe.scr | C:\Users\admin\Desktop\RCXEE1B.tmp | executable | 9A00F940402BD1265E2E8878E8DBA233 | F7488B6FD76392DC2C56D551C95F7A4F72D949D73C4774AB6F86B04BE532A7B7 |
4080 | hdfgh.exe | C:\Users\admin\Desktop\Service2.sys | executable | DB8E7E3C27FA82935866C26A9D898541 | 8064B93CDE0046F8FE039100218AB85E86C2ED7652BBCAF323FEC7026A346F40 |
2024 | mpress.exe | C:\Users\admin\AppData\Local\Temp\mprEF53.tmp | executable | 8354BD464A230BFDE030FE67DA2E7981 | DEB7D24EA5019480B961980DFE7C435BE0227C433407E40CF2E09903BC4BC61F |
3224 | 34563456.exe.scr | C:\Users\admin\Desktop\RCXEEAA.tmp | executable | 5F719F6E95E4B1B0321850C497ADB70E | 99BAD91CA948E757FFBFC6ECB978A86328FA8060544E861B1286517FAD45A8FC |
4080 | hdfgh.exe | C:\Users\admin\Desktop\Service.sys | executable | 4BC9EF9D9C53547FFAAEC5E3E1638620 | 12E3BC25B7E5F6745BC0C4A0AF4E7B09C10E954CBEC69B9D06EA3FF8BC62EFB5 |
3224 | 34563456.exe.scr | C:\Users\admin\Desktop\RCXEE7B.tmp | executable | 54AA2397100490681FBAE6EDF92713E2 | 420F9FA8945CF160E1CEF368E8A147C1FF90827FF5BFA832C2B9F669740827A3 |
3224 | 34563456.exe.scr | C:\Users\admin\Desktop\RCXEEEA.tmp | executable | ABB06F24A4F3CD673E78A9C5AC2EBD5D | 7ACD5F4A324C1BCF7A702B75D46AF274589A8CC36C6D0A9A1370C7ECE4D5A9AC |