Property | Value |
---|---|
File name: | [email protected] |
Full analysis: | https://app.any.run/tasks/9c4e8010-10fb-45d8-bcc8-4b3c3ac03be6 |
Verdict: | Malicious activity |
Analysis date: | January 25, 2022, 00:15:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 35B22C54BA95C491DCFDB74B9D16ABAB |
SHA1: | E5A9181BEAF501F624E31E7F94DA117D8F8F5CF9 |
SHA256: | 30DF06B21645E742CE545C54D6203B629A47E58F300D25E40ACEBBFF37288FDA |
SSDEEP: | 3072:ygXdZt9P6D3XJoxRedyTe/wjDwrKEFUYbRjqSKXD80sNzQw:ye34+xRtAG+3JRjeD80sNz |
Extension | Identified type (score) |
---|---|
.exe | NSIS - Nullsoft Scriptable Install System (94.8) |
.exe | Win32 Executable MS Visual C++ (generic) (3.4) |
.dll | Win32 Dynamic Link Library (generic) (0.7) |
.exe | Win32 Executable (generic) (0.5) |
.exe | Generic Win/DOS Executable (0.2) |
Property | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2009:12:05 23:50:52+01:00 |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 24064 |
InitializedDataSize: | 164864 |
UninitializedDataSize: | 1024 |
EntryPoint: | 0x30fa |
OSVersion: | 4 |
ImageVersion: | 6 |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |

Property | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 05-Dec-2009 22:50:52 |
Detected languages: | |
Property | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Property | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 05-Dec-2009 22:50:52 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005C4C | 0x00005E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44011 |
.rdata | 0x00007000 | 0x0000129C | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04684 |
.data | 0x00009000 | 0x00025C58 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.801 |
.ndata | 0x0002F000 | 0x00009000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00038000 | 0x000056E0 | 0x00005800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.61355 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.10394 | 533 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 4.92004 | 4264 | UNKNOWN | English - United States | RT_ICON |
3 | 3.53063 | 2216 | UNKNOWN | English - United States | RT_ICON |
4 | 0 | 1384 | UNKNOWN | English - United States | RT_ICON |
5 | 0 | 1128 | UNKNOWN | English - United States | RT_ICON |
6 | 0 | 744 | UNKNOWN | English - United States | RT_ICON |
7 | 0 | 296 | UNKNOWN | English - United States | RT_ICON |
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.79638 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3448 | "C:\Users\admin\Desktop\[email protected]" | C:\Users\admin\Desktop\[email protected] | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 |
464 | "C:\Users\admin\Desktop\[email protected]" | C:\Users\admin\Desktop\[email protected] | | Explorer.EXE | User: admin; Integrity Level: HIGH; Exit code: 0 |
3272 | "C:\Program Files\wemakeppop\wemakeppopmds.exe" /S | C:\Program Files\wemakeppop\wemakeppopmds.exe | | [email protected] | User: admin; Integrity Level: HIGH; Description: system wemakeppop; Version: 1, 0, 0, 1; Exit code: 0 |
3932 | C:\Windows\system32\cmd.exe /c \DelUS.bat | C:\Windows\system32\cmd.exe | — | [email protected] | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850); Exit code: 1 |
2412 | "C:\Program Files\wemakeppop\wemakeppopmds.exe" | C:\Program Files\wemakeppop\wemakeppopmds.exe | — | [email protected] | User: admin; Integrity Level: HIGH; Description: system wemakeppop; Version: 1, 0, 0, 1; Exit code: 0 |
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
464 | [email protected] | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | wemakeppop | C:\Program Files\wemakeppop\wemakeppop.exe |
464 | [email protected] | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | wemakeppopmds | C:\Program Files\wemakeppop\wemakeppopmds.exe |
464 | [email protected] | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wemakeppop.exe | (default) | C:\Program Files\wemakeppop\wemakeppopmds.exe |
464 | [email protected] | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wemakeppopclient service update x86 (remove only) | DisplayName | Wemakeppopclient service update x86 (remove only) . |
464 | [email protected] | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wemakeppopclient service update x86 (remove only) | UninstallString | C:\Program Files\wemakeppop\uninst.exe |
464 | [email protected] | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wemakeppopclient service update x86 (remove only) | DisplayIcon | C:\Program Files\wemakeppop\wemakeppopmds.exe |
464 | [email protected] | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wemakeppopclient service update x86 (remove only) | DisplayVersion | . |
464 | [email protected] | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wemakeppopclient service update x86 (remove only) | Publisher | |
464 | [email protected] | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | GlobalAssocChangedCounter | 101 |
3272 | wemakeppopmds.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
464 | [email protected] | C:\DelUS.bat | text | 31C4EDC144EE72C0F8FC4FC44FC8E1CF | 59E55C060B1025C2B16E169E48636F76E78297551AD0F8F199A590876247BD16 |
464 | [email protected] | C:\Program Files\wemakeppop\wemakeppop.exe | executable | FD2652EEA88CBDC1220EC609B95485B8 | 4409C2EA707C42E6A5E93F054C985DE3624182DCD03A339C2AFE4136BFDFBC5C |
464 | [email protected] | C:\Program Files\wemakeppop\uninst.exe | executable | 18B06F5E61CCB862077864B67E680167 | 7E4D330B27F39475B9E9FD4A5C65E5CD018FEA560A8C7E92251DA68046CFD5B8 |
464 | [email protected] | C:\Program Files\wemakeppop\wemakeppopmds.exe | executable | 15616F4E444C0D3E34487DC8E7F062F3 | D8D87C9F13A3AB4F5ABA09DBBAD2D14E27B1A39E0A215170B539129A81FBA07D |
464 | [email protected] | C:\Program Files\wemakeppop\cns.dat | text | 050D2133089E23568A21888F500246BB | F4E56631F89D0C62A914CC26B3BE9D0E74AB373A97232F0581479F9545201B60 |
464 | [email protected] | C:\Users\admin\AppData\Local\Temp\nsk4EE9.tmp\InstallOptions.dll | executable | 325B008AEC81E5AAA57096F05D4212B5 | C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B |
464 | [email protected] | C:\Users\admin\AppData\Local\Temp\nsk4EE9.tmp\ioSpecial.ini | ini | E2D5070BC28DB1AC745613689FF86067 | D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0 |
464 | [email protected] | C:\Users\admin\AppData\Local\Temp\nsk4EE9.tmp\SelfDelete.dll | executable | 7BF1BD7661385621C7908E36958F582E | C0AD2C13D48C9FE62F898DA822A5F08BE3BF6C4E2C1C7FFDF7634F2CA4A8859E |
464 | [email protected] | C:\Users\admin\AppData\Local\Temp\nsk4EE9.tmp\modern-wizard.bmp | image | CBE40FD2B1EC96DAEDC65DA172D90022 | 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2 |
Domain | IP | Reputation |
---|---|---|
wemake.adntop.com | | unknown |
Process | Message |
---|---|
wemakeppopmds.exe | Error (CInternetException) [12007] : The server name or address could not be resolved |
wemakeppopmds.exe | Error (CInternetException) [12007] : The server name or address could not be resolved |