File name: | 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe |
Full analysis: | https://app.any.run/tasks/7b6a77c0-6652-4969-9bf1-c26a6ea3e3e1 |
Verdict: | Malicious activity |
Analysis date: | November 04, 2024, 12:58:38 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
MD5: | 1D2B1644FA37B0ACF1E34ACCEC03AE86 |
SHA1: | 87099A85C748B0EA754A40375765905B34280C66 |
SHA256: | 3512B6BEC64B8C8C680359854769361248137EE7852593B0869C18BB7928D686 |
SSDEEP: | 12288:vcgCzNHJj96xfKJStJkRm3bYXob0AnmFMcaGQx3ZVVVVVVVVVAtVVVUvPV38jPsy:KQKgLIQmFuGQx3lvPV8jPsy |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x21d50 |
UninitializedDataSize: | - |
InitializedDataSize: | 263680 |
CodeSize: | 214528 |
LinkerVersion: | 14.33 |
PEType: | PE32 |
ImageFileCharacteristics: | Executable, 32-bit |
TimeStamp: | 2023:10:03 07:51:19+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
5220 | "C:\Users\admin\AppData\Local\Temp\1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe" | C:\Users\admin\AppData\Local\Temp\1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
6884 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe | — | 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
6124 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe | Goldsvet Pro sports - 1win.pro Clone Script.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
3860 | "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe', 'C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostrun.exe', 'C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | Goldsvet Pro sports - 1win.pro Clone Script.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6256 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
7448 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostrun.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostrun.exe | — | Goldsvet Pro sports - 1win.pro Clone Script.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Version: 0.0.0.0 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_czwznyi4.zr5.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
6124 | Goldsvet Pro sports - 1win.pro Clone Script.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lib.dll | text | |
MD5:A008CE407AA09445D2C22D04AA82C4E1 | SHA256:D5D3877173342F9671781F90B71EA0A9560B77A7A7A311B288675A0E58BEBC89 | |||
6124 | Goldsvet Pro sports - 1win.pro Clone Script.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Settings.enc | binary | |
MD5:217558CC8218D997154D6B5FD5015344 | SHA256:43E7B2A39C0180ECB58138E246816F586581B96B110894921B19F5A4A699B2C1 | |||
5220 | 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\lib.dll | text | |
MD5:A008CE407AA09445D2C22D04AA82C4E1 | SHA256:D5D3877173342F9671781F90B71EA0A9560B77A7A7A311B288675A0E58BEBC89 | |||
5220 | 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe | executable | |
MD5:70BD88D3AB10DBCCABFACF7D930377E7 | SHA256:D66D475DC576A50265B21432556873270FC0487AD2073D0A5843ABBE7D3B4F28 | |||
5220 | 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Settings.enc | binary | |
MD5:217558CC8218D997154D6B5FD5015344 | SHA256:43E7B2A39C0180ECB58138E246816F586581B96B110894921B19F5A4A699B2C1 | |||
5220 | 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\Module32.dll | executable | |
MD5:041B90750E36E18944765FFD2745D8D2 | SHA256:DFA28796E9046F32FDCC9B382EBD0873ED93DC6F411385372B4A68440E26B169 | |||
3860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gokamy5c.i3s.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
6124 | Goldsvet Pro sports - 1win.pro Clone Script.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostrun.exe | executable | |
MD5:70BD88D3AB10DBCCABFACF7D930377E7 | SHA256:D66D475DC576A50265B21432556873270FC0487AD2073D0A5843ABBE7D3B4F28 | |||
3860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e4ocvajj.zb5.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2076 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | unknown |
7572 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | unknown |
7572 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | unknown |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.21:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
3276 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
3524 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4360 | SearchApp.exe | 2.16.110.193:443 | www.bing.com | Akamai International B.V. | DE | unknown |
— | — | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown |
5488 | MoUsoCoreWorker.exe | 23.216.77.21:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
5488 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
4020 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
2076 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| unknown |
www.bing.com |
| unknown |
ocsp.digicert.com |
| unknown |
crl.microsoft.com |
| unknown |
www.microsoft.com |
| unknown |
google.com |
| unknown |
login.live.com |
| unknown |
go.microsoft.com |
| unknown |
th.bing.com |
| unknown |
slscr.update.microsoft.com |
| unknown |