Field | Value |
---|---|
File name: | Dexpot v1614 r2439.exe |
Full analysis: | https://app.any.run/tasks/e27919a8-e1cf-4846-8899-38b4ce1baf85 |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 16:14:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 77D59E8AFFCDC1355883DA895CD32B35 |
SHA1: | B37BE0AAB31A8EE5B370333F08A76C50A3DEC31E |
SHA256: | 34DE9036D0D16EF10129962BE5EBB4F6D001D1FF6677C0AEC6FF530322EA099C |
SSDEEP: | 98304:LUeOU72+G79pndMEvVp89qzk900Oz+k6+OVCXOmPnaOoIcQvLThoc0sJ:1OU7U7j+EvVcqzk900W6BsXPaOoULThL |
Extension | File type identification | Match (%) |
---|---|---|
.exe | NSIS - Nullsoft Scriptable Install System | 94.8 |
.exe | Win32 Executable MS Visual C++ (generic) | 3.4 |
.dll | Win32 Dynamic Link Library (generic) | 0.7 |
.exe | Win32 Executable (generic) | 0.5 |
.exe | Generic Win/DOS Executable | 0.2 |
Field | Value |
---|---|
ProductName: | Dexpot 1.6 Setup |
LegalCopyright: | © 2001-2014 Dexpot GbR |
FileVersion: | 1.6.14 |
FileDescription: | Installer for Dexpot 1.6 |
CompanyName: | Dexpot GbR |
CharacterSet: | Windows, Latin1 |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 1.6.14.0 |
FileVersionNumber: | 1.6.14.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x30fa |
UninitializedDataSize: | 1024 |
InitializedDataSize: | 164864 |
CodeSize: | 24064 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2009:12:05 23:50:52+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Field | Value |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 05-Dec-2009 22:50:52 |
Detected languages: | |
CompanyName: | Dexpot GbR |
FileDescription: | Installer for Dexpot 1.6 |
FileVersion: | 1.6.14 |
LegalCopyright: | © 2001-2014 Dexpot GbR |
ProductName: | Dexpot 1.6 Setup |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header (paragraphs): | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of new EXE header (e_lfanew, offset of the PE signature): | 0x000000D8 |
PE file header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 05-Dec-2009 22:50:52 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005C4C | 0x00005E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44011 |
.rdata | 0x00007000 | 0x0000129C | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04684 |
.data | 0x00009000 | 0x00025C58 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.801 |
.ndata | 0x0002F000 | 0x0001D000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x0004C000 | 0x0000F9B0 | 0x0000FA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.91124 |
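The section table above is what an analyst checks before trusting anything else in a PE report: the five sections must sit back-to-back at the section alignment, the raw sizes must be file-aligned, and the raw data of all sections together is only 0x17000 bytes, whereas the SSDEEP block size of 98304 at the top of the page implies a file in the low megabytes. The difference is the overlay, which for an NSIS installer holds the compressed install script and the files it drops. The script below is an added example, not part of the ANY.RUN report: SECTIONS is transcribed from the table, while the 0x1000 section alignment, 0x200 file alignment and 0x400 SizeOfHeaders are assumed values (the report does not print them), chosen as the values a linker 6.0 NSIS stub normally carries.

```python
"""Consistency checks on the NSIS stub's section table (added example).

SECTIONS is transcribed from the report; SECTION_ALIGN, FILE_ALIGN and
SIZE_OF_HEADERS are assumptions because the report does not print them.
"""

SECTION_ALIGN = 0x1000   # assumed: OptionalHeader.SectionAlignment
FILE_ALIGN = 0x200       # assumed: OptionalHeader.FileAlignment
SIZE_OF_HEADERS = 0x400  # assumed: OptionalHeader.SizeOfHeaders

# (name, VirtualAddress, VirtualSize, SizeOfRawData, entropy) as printed in the report
SECTIONS = [
    (".text",  0x00001000, 0x00005C4C, 0x00005E00, 6.44011),
    (".rdata", 0x00007000, 0x0000129C, 0x00001400, 5.04684),
    (".data",  0x00009000, 0x00025C58, 0x00000400, 4.801),
    (".ndata", 0x0002F000, 0x0001D000, 0x00000000, 0.0),
    (".rsrc",  0x0004C000, 0x0000F9B0, 0x0000FA00, 6.91124),
]


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def check_layout(sections):
    """Verify the sections sit back-to-back in memory and return SizeOfImage.

    Each section must start at the section-aligned end of the previous one
    and its raw size must be a multiple of FileAlignment; a table that fails
    either test was tampered with or mis-parsed by the tool.
    """
    expected_va = SECTION_ALIGN
    for name, va, vsize, rsize, _ in sections:
        if va != expected_va:
            raise ValueError(f"{name}: VirtualAddress {va:#x}, expected {expected_va:#x}")
        if rsize % FILE_ALIGN:
            raise ValueError(f"{name}: SizeOfRawData {rsize:#x} is not file-aligned")
        expected_va = align_up(va + vsize, SECTION_ALIGN)
    return expected_va


def section_data_end(sections):
    """File offset where the last section's raw data ends, assuming the
    sections are stored in table order directly after the headers."""
    return SIZE_OF_HEADERS + sum(rsize for _, _, _, rsize, _ in sections)


def overlay_size(sections, file_size):
    """Bytes appended after the mapped sections. For NSIS this overlay is
    the archive with the install script and dropped files (OCSetupHlp.dll etc.)."""
    return max(0, file_size - section_data_end(sections))


def nsis_traits(sections):
    """Traits in this table that mark an NSIS stub rather than a packed binary."""
    traits = []
    for name, _, vsize, rsize, entropy in sections:
        if name == ".ndata" and rsize == 0:
            traits.append("uninitialised .ndata section (NSIS's own bss section)")
        if name == ".data" and vsize > 4 * rsize:
            traits.append(".data mostly zero-filled (VirtualSize far above SizeOfRawData)")
        if entropy >= 7.0:
            traits.append(f"{name}: high entropy, possible packed or encrypted section")
    return traits


if __name__ == "__main__":
    print(f"SizeOfImage        {check_layout(SECTIONS):#x}")
    print(f"section data end   {section_data_end(SECTIONS):#x}")
    for trait in nsis_traits(SECTIONS):
        print("-", trait)
```

The checks pass for this table: SizeOfImage works out to 0x5C000 and the section data ends at 0x17400, so everything past that offset in the multi-megabyte installer is the NSIS overlay. No section reaches entropy 7.0, which is consistent with compression living in the overlay rather than in a packed stub.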
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.22437 | 947 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 4.99175 | 9640 | UNKNOWN | English - United States | RT_ICON |
3 | 5.21855 | 4264 | UNKNOWN | English - United States | RT_ICON |
4 | 5.66663 | 1128 | UNKNOWN | English - United States | RT_ICON |
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG |
103 | 2.44608 | 62 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.68372 | 512 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
107 | 2.52183 | 160 | UNKNOWN | English - United States | RT_DIALOG |
111 | 2.92787 | 238 | UNKNOWN | English - United States | RT_DIALOG |
Field | Value |
---|---|
Imported DLLs: | ADVAPI32.dll, COMCTL32.dll, GDI32.dll, KERNEL32.dll, SHELL32.dll, USER32.dll, VERSION.dll, ole32.dll |
PID | Command line | Image path | Indicators | Parent process | User | Integrity level | Exit code | Company | Description | Version |
---|---|---|---|---|---|---|---|---|---|---|
3156 | "C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe" | C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe | — | explorer.exe | admin | MEDIUM | 0 | Dexpot GbR | Installer for Dexpot 1.6 | 1.6.14 |
2976 | "C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe" /UAC:30110 /NCRC | C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe | — | Dexpot v1614 r2439.exe | admin | HIGH | 0 | Dexpot GbR | Installer for Dexpot 1.6 | 1.6.14 |
3128 | RunDll32.exe "C:\Users\admin\AppData\Local\Temp\nss5FD5.tmp\OCSetupHlp.dll",_OCPID163OpenCandy2@16 2976,F14DFEE9D07947E9988C799538752553,1912D08838694A9E913296095A98FCF7,B3A1A77598C2401BA889E0AC4B2874CF | C:\Windows\system32\RunDll32.exe | — | Dexpot v1614 r2439.exe | admin | HIGH | | Microsoft Corporation | Windows host process (Rundll32) | 6.1.7600.16385 (win7_rtm.090713-1255) |
3100 | "C:\Windows\explorer.exe" "C:\Program Files\Dexpot\dexpot.exe" | C:\Windows\explorer.exe | — | Dexpot v1614 r2439.exe | admin | HIGH | 1 | Microsoft Corporation | Windows Explorer | 6.1.7600.16385 (win7_rtm.090713-1255) |
3044 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | admin | MEDIUM | | Microsoft Corporation | Windows Explorer | 6.1.7600.16385 (win7_rtm.090713-1255) |
2212 | "C:\Program Files\Dexpot\dexpot.exe" | C:\Program Files\Dexpot\dexpot.exe | — | explorer.exe | admin | MEDIUM | | Dexpot GbR | Dexpot - Virtual desktops for Windows | 1.06.0014 |
2028 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | admin | MEDIUM | | Microsoft Corporation | Windows Explorer | 6.1.7600.16385 (win7_rtm.090713-1255) |
1968 | "C:\Windows\system32\Dwm.exe" | C:\Windows\System32\dwm.exe | — | svchost.exe | admin | MEDIUM | | Microsoft Corporation | Desktop Window Manager | 6.1.7600.16385 (win7_rtm.090713-1255) |
3188 | "C:\Program Files\Dexpot\plugins\SevenDex.exe" | C:\Program Files\Dexpot\plugins\SevenDex.exe | — | dexpot.exe | admin | MEDIUM | | Dexpot GbR | Dexpot - Virtual Desktops for Windows | 1.1.5.0 |
2412 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | — | svchost.exe | admin | MEDIUM | 0 | Microsoft Corporation | COM Surrogate | 6.1.7600.16385 (win7_rtm.090713-1255) |
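The chain PID 3156 → 2976 → 3128 in the table above is the part of this run worth alerting on. The installer re-launches itself with the NSIS UAC plugin's `/UAC:` switch and `/NCRC` (which turns off the NSIS self-CRC check) and the copy comes back at HIGH integrity; that elevated copy writes OCSetupHlp.dll into a temporary nss*.tmp folder and has RunDll32 call its `_OCPID163OpenCandy2@16` export (the `@16` is the stdcall decoration of the four-argument rundll32 entry point), and the only network contact of the run is api.opencandy.com, the OpenCandy advertising/bundling SDK's API host. The script below, an added example and not ANY.RUN's code, turns those observations into rules over a constructed Sysmon-like event list: the dict keys (pid, ppid, image, cmdline, parent_image, integrity) are an assumed schema, while the values are transcribed from PIDs 2028, 3156, 2976, 3128 and 3100 in the table. The rules are written generally (any DLL loaded by rundll32 from a user Temp directory, any binary in Temp running elevated), so they also cover installers that use a bundling SDK other than OpenCandy.

```python
"""Process-tree triage for the sandbox report above (added example).

EVENTS is constructed from the report's process table; the field names are
an assumed Sysmon-like schema, not the report's own layout.
"""
import re

EVENTS = [
    {"pid": 2028, "ppid": None, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE", "parent_image": "", "integrity": "MEDIUM"},
    {"pid": 3156, "ppid": 2028,
     "image": r"C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe"',
     "parent_image": r"C:\Windows\explorer.exe", "integrity": "MEDIUM"},
    {"pid": 2976, "ppid": 3156,
     "image": r"C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe" /UAC:30110 /NCRC',
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe",
     "integrity": "HIGH"},
    {"pid": 3128, "ppid": 2976, "image": r"C:\Windows\system32\RunDll32.exe",
     "cmdline": (r'RunDll32.exe "C:\Users\admin\AppData\Local\Temp\nss5FD5.tmp\OCSetupHlp.dll",'
                 r'_OCPID163OpenCandy2@16 2976,F14DFEE9D07947E9988C799538752553,'
                 r'1912D08838694A9E913296095A98FCF7,B3A1A77598C2401BA889E0AC4B2874CF'),
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe",
     "integrity": "HIGH"},
    {"pid": 3100, "ppid": 2976, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\explorer.exe" "C:\Program Files\Dexpot\dexpot.exe"',
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\Dexpot v1614 r2439.exe",
     "integrity": "HIGH"},
]

# rundll32 syntax: rundll32.exe "<dll path>",<export or #ordinal> [arguments]
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+'  # the host binary, any directory
    r'"?(?P<dll>[^",]+?)"?\s*,\s*'                     # the DLL path before the comma
    r'(?P<export>[^\s,]+)'                             # the entry point after it
    r'(?:\s+(?P<args>.*))?$',                          # everything else is passed to the export
    re.IGNORECASE)
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll_path, export, args); None if it is not one."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return m.group("dll"), m.group("export"), (m.group("args") or "")


def triage(event):
    """Return the rule ids that fire for one process-creation event."""
    hits = []
    cmd = event["cmdline"]
    upper = cmd.upper()
    parsed = parse_rundll32(cmd)
    if parsed:
        dll, export, _ = parsed
        if TEMP_RE.search(dll):
            hits.append("rundll32_dll_from_temp")
        if "OPENCANDY" in export.upper():
            hits.append("opencandy_export")
        if TEMP_RE.search(event["parent_image"]):
            hits.append("rundll32_spawned_by_temp_binary")
    if TEMP_RE.search(event["image"]) and event["integrity"] == "HIGH":
        hits.append("elevated_binary_in_temp")
    if "/UAC:" in upper and event["parent_image"].lower() == event["image"].lower():
        hits.append("nsis_uac_self_relaunch")   # NSIS UAC plugin re-exec pattern
    if "/NCRC" in upper.split():
        hits.append("nsis_ncrc")                # installer CRC self-check disabled
    return hits


def triage_tree(events):
    """Map pid -> rule ids for every event that fires at least one rule."""
    return {e["pid"]: triage(e) for e in events if triage(e)}


def ancestry(events, pid):
    """Image names from the tree root down to pid, for the alert's context line."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, hits in triage_tree(EVENTS).items():
        print(pid, " > ".join(ancestry(EVENTS, pid)), hits)
```

Run against the constructed events, only PIDs 2976 and 3128 fire: the elevated self-relaunch with `/NCRC`, and rundll32 loading a DLL from Temp, called through an OpenCandy export, spawned by a Temp binary. The parent of 3128 is the HIGH-integrity copy of the installer, which is why the rundll32 process, and the DLL it loads, also run at HIGH integrity.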
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2976 | Dexpot v1614 r2439.exe | C:\Users\admin\AppData\Local\Temp\nss5FD5.tmp\modern-wizard.bmp | image | 1FFC4E99EE8F3729FB2CC798AEE225C5 | C6D5EA2E0EC5DA8F16E66D1C9D8DD76B2C4A3E969C8E6FA55A03576E3520EF5B |
2976 | Dexpot v1614 r2439.exe | C:\Users\admin\AppData\Local\Temp\nss5FD5.tmp\dexpot.ini | text | 4040CC17D2AA8C637D24BB5B77B378DC | 4FA2A862E69F8C55D1D2BDAEA2F3AC350E871C3D1AF7708ADFA7761AD649DB0B |
2976 | Dexpot v1614 r2439.exe | C:\Users\admin\AppData\Local\Temp\nss5FD5.tmp\OCSetupHlp.dll | executable | 1CE1394BBE176C793D9A79F2C08DCBF9 | F5D6CCE548732A4F25E3454B6D8C7333D4440BCCE4D1415530B1B569BFD71CF4 |
2976 | Dexpot v1614 r2439.exe | C:\Users\admin\AppData\Local\Temp\nss5FD5.tmp\modern-header.bmp | image | C563F16764A9B69BE0B45EA18D7E3759 | 4D1E4B11AD2D8BC8C26A8191418BBA7767CB9029F9BBCAFF504938BCE94EF5E6 |
3156 | Dexpot v1614 r2439.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dexpot\Main menu\Desktops\Desktop 4.lnk | lnk | A168CFE8401F377BE2A497F53CAD75C1 | 225A1E1D3A6E6D5E7D1F9ACE261A51B380F406C4350A3A90A7908606D5FC63AE |
3156 | Dexpot v1614 r2439.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dexpot\Dexpot Homepage.url | text | 75E8B725A468E3D7A1C916EFAFCB9D05 | F64CDB9C7502918176BB6FFD4B7396E853E4276927E5DC663A742CECEF0F4C25 |
3156 | Dexpot v1614 r2439.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dexpot\Dexpot Uninstall.lnk | lnk | 40B4D9450FC5A5BA08753728AD00DB3C | 8B5629027AE89BD8C76A83E2359C290FA0D45AB2FD2A5B30C55457825BEAA2F2 |
3156 | Dexpot v1614 r2439.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dexpot\Main menu\Desktops\Next desktop.lnk | lnk | 51A9F91139BC2BE7D94743C0BFA65B79 | 211B91FDF56990BAF86954B973AC6B16350A52287D5AE2CBB7D30283B829C43D |
3156 | Dexpot v1614 r2439.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dexpot\Dexpot-Updater.lnk | lnk | 362D7A0276F8A7D523DDECD31A00FADF | A2B3A7B2179F6E4A5022C44B9F3A05497E0C301FD988E47EA0635FEDA0DA4D7D |
3156 | Dexpot v1614 r2439.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dexpot\Main menu\Desktops\Desktop 1.lnk | lnk | AD10F67E5EAAD989AA74B8AE6406846F | EC1969C3549091921708230F60DC2353F541400660C77BC50320CCFD25DB01E2 |
Domain | IP | Reputation |
---|---|---|
api.opencandy.com | | whitelisted |