File name: | Windows Loader.exe |
Full analysis: | https://app.any.run/tasks/0a903159-d293-4506-aca5-b1ef56b02877 |
Verdict: | Malicious activity |
Analysis date: | December 02, 2019, 19:40:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | 323C0FD51071400B51EEDB1BE90A8188 |
SHA1: | 0EFC35935957C25193BBE9A83AB6CAA25A487ADA |
SHA256: | 2F2ABA1E074F5F4BAA08B524875461889F8F04D4FFC43972AC212E286022AB94 |
SSDEEP: | 49152:cEYCFEvlmOmTgtFM3uK5m3imrHuiff+puWV355FXw/+zuWV355FXw/+DuWV355FP:cEYzEFTgtFM3ukm3imPnt |
.exe | | | Win32 EXE PECompact compressed (generic) (30.1) |
---|---|---|
.exe | | | Win64 Executable (generic) (20) |
.exe | | | UPX compressed Win32 Executable (19.6) |
.exe | | | Win32 EXE Yoda's Crypter (19.2) |
.dll | | | Win32 Dynamic Link Library (generic) (4.7) |
InternalName: | - |
---|---|
OriginalFileName: | Windows Loader.exe |
ProductName: | - |
ProductVersion: | - |
LegalCopyright: | - |
FileDescription: | - |
Release: | Final |
Country: | - |
FileVersion: | 2.2.2.0 |
CompanyName: | - |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | Pre-release, Private build |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 2.2.2.0 |
FileVersionNumber: | 2.2.2.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x21a9a0 |
UninitializedDataSize: | 1613824 |
InitializedDataSize: | 28672 |
CodeSize: | 593920 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2007:10:31 17:53:19+01:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2028 | "C:\Users\admin\AppData\Local\Temp\Windows Loader.exe" | C:\Users\admin\AppData\Local\Temp\Windows Loader.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
2956 | "C:\Users\admin\AppData\Local\Temp\Windows Loader.exe" | C:\Users\admin\AppData\Local\Temp\Windows Loader.exe | explorer.exe | |
User: admin Integrity Level: HIGH | ||||
2812 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2480 | cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin" | C:\Windows\system32\cmd.exe | — | Windows Loader.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3500 | cmd.exe /c takeown /f C:\ldrscan\bootwin | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3892 | takeown /f C:\ldrscan\bootwin | C:\Windows\system32\takeown.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Takes ownership of a file Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2564 | cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)" | C:\Windows\system32\cmd.exe | — | Windows Loader.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3116 | icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F) | C:\Windows\system32\icacls.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
408 | cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin" | C:\Windows\system32\cmd.exe | — | Windows Loader.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1096 | cmd.exe /c takeown /f C:\ldrscan\bootwin | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2956 | Windows Loader.exe | C:\System Volume Information\MountPointManagerRemoteDatabase | binary | |
MD5:00140FEEDF94331812077ECAAA0B4D91 | SHA256:52E1C2907D4B58765F04AE92ED31C294BE31A0A3A9EEF37408182BF079DD4115 | |||
2956 | Windows Loader.exe | C:\Dell.XRM-MS | xml | |
MD5:18B1E45BF56F40C3C4BBE65831178216 | SHA256:D072A059D3ED3E75C98B85B41E4319E8D5CFAE0E0C239B62436A3AD34003AB4A |