File name: | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3 |
Full analysis: | https://app.any.run/tasks/e200dfbb-acbe-4443-980a-fbf091ac5b1f |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 07:24:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | CC2501714328E4103A82FD9A0585855C |
SHA1: | A9B6B96B24BF5983B9BF67DF165CA2ABCF221CBF |
SHA256: | 30A531DAA107C2AC749E111D5F8F7CE4C4DFE9CA6E36B7EF26FF1E7048219CD3 |
SSDEEP: | 6144:/OB+pgUtGGGGGGbGGGGGzGGGGGRGGGGGGUGGGGGGG+GGGGGGzGGGGGGBGGGGGGGI:WgYJToCI54QCdMo |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2016-Jul-09 04:21:41 |
Detected languages: |
|
Comments: | Duchies Traumatiserede Skags |
CompanyName: | Finanskoncerner Epiblemata |
LegalCopyright: | magtapparaternes |
OriginalFilename: | Quentise.exe |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 200 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2016-Jul-09 04:21:41 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 24925 | 25088 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45023 |
.rdata | 32768 | 5028 | 5120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.163 |
.data | 40960 | 131896 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.9824 |
.ndata | 176128 | 212992 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rsrc | 389120 | 95384 | 95744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.09142 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.82668 | 67624 | UNKNOWN | English - United States | RT_ICON |
2 | 4.10893 | 9640 | UNKNOWN | English - United States | RT_ICON |
3 | 4.42221 | 4264 | UNKNOWN | English - United States | RT_ICON |
4 | 5.11785 | 3752 | UNKNOWN | English - United States | RT_ICON |
5 | 4.57498 | 2440 | UNKNOWN | English - United States | RT_ICON |
6 | 5.69865 | 2216 | UNKNOWN | English - United States | RT_ICON |
7 | 3.52983 | 1384 | UNKNOWN | English - United States | RT_ICON |
8 | 4.86078 | 1128 | UNKNOWN | English - United States | RT_ICON |
103 | 2.89179 | 118 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3068 | "C:\Users\admin\AppData\Local\Temp\30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe" | C:\Users\admin\AppData\Local\Temp\30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | Explorer.EXE | ||||||||||||
User: admin Company: Finanskoncerner Epiblemata Integrity Level: MEDIUM Modules
| |||||||||||||||
1116 | "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsBF1D.tmp" powershell.exe 0xF8008EA4 -bxor -1287267094 | C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsBF1D.tmp | — | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3708 | powershell.exe 0xF8008EA4 -bxor -1287267094 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | nsBF1D.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
1616 | "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsC076.tmp" powershell.exe 0xF609EFD8 -bxor -1287267094 | C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsC076.tmp | — | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2240 | powershell.exe 0xF609EFD8 -bxor -1287267094 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | nsC076.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
2464 | "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsC1BF.tmp" powershell.exe 0x897F9F98 -bxor -1287267094 | C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsC1BF.tmp | — | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2668 | powershell.exe 0x897F9F98 -bxor -1287267094 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | nsC1BF.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3116 | "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsC308.tmp" powershell.exe 0xD624A88F -bxor -1287267094 | C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsC308.tmp | — | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3188 | powershell.exe 0xD624A88F -bxor -1287267094 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | nsC308.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
2432 | "C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsC451.tmp" powershell.exe 0xF52CB08F -bxor -1287267094 | C:\Users\admin\AppData\Local\Temp\nsqBF1C.tmp\nsC451.tmp | — | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\Seepages.Lut150 | text | |
MD5:8B8D10D0EF083915F157643B0D46F47D | SHA256:FEB68C4FC3B96FAE55DF43063A23B2729E0EB3E8B6829B59F31E9317156C087E | |||
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Slippes2.lnk | lnk | |
MD5:7F6F8E648072ABE383E728DB2A162861 | SHA256:53ECEA9458DD8012725BEE3722C8A60E9BADA3AD64C607D0482BADF97B9C0AB3 | |||
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\anordn.lnk | lnk | |
MD5:686B3279718C57247DAEA7170DF8F102 | SHA256:F9F731EFC139EB50217110AD48A35F479B2B635D4FC6E6FB668469E2C7EACFEA | |||
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\albaers\edit-redo-rtl.png | image | |
MD5:48A5B42ABBC493498865087F9D407668 | SHA256:8F99A89C10C819F5A476DE32A247A7BDB89A5751D0516BC75E666BB8A9D6232C | |||
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\Ridderbegrebets\Nuncupate\Diskless\Fyringsanlg\SysTool.dll | executable | |
MD5:4C39B55B8E8E26CC515AB8C72460036A | SHA256:456C8625C1211495C02C516589F7F6D655C328E649DF1FE5D42771A82E2C9290 | |||
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\Furore.Sam | binary | |
MD5:764B9D76BD551DC7DFEA1FA1CDF86024 | SHA256:F4C155AC15B7C4A073DDD3CC1C86B973346BAA87AF9D8ABE5ED5054B92DE118F | |||
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\Adventure_5.bmp | image | |
MD5:7BE64DC3AE1391E20FFCFF3C4C745D85 | SHA256:C8CE3513DDA0A68D3573A33390C7DFA7AEB68D668271FEB455FA4FEAD8494BFC | |||
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\krabber\input-dialpad-symbolic.svg | image | |
MD5:5962EAF3FCC1E65C4AAE4FD4BC3C2BDC | SHA256:DA00272A04F9705429148A623720F14CCCD36893AAE1F00D6EA9885922950720 | |||
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\Forumets\Dolbysystemerne\Tenderometres\orientation-portrait-left-symbolic.svg | image | |
MD5:E4BF336E381C86A8BE44316CAB4E3FAA | SHA256:F8DD3CE92A43BDC322041F9864608EEC3C4413C8ABE04B14AC4B63F6FBC4F0F0 | |||
3068 | 30a531daa107c2ac749e111d5f8f7ce4c4dfe9ca6e36b7ef26ff1e7048219cd3.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\Stvnemdernes20\Rajoguna\Ridderbegrebets\Nuncupate\Diskless\Fyringsanlg\battery-level-0-symbolic.symbolic.png | image | |
MD5:8126688C9FBFDD9F0959A1435E06F341 | SHA256:E6A5DAC292EEFD8F2644264B020FCB9FDA0F0CBA2AFCC132E15E59D102EEB07B |