File name: | Radtoken Gen.exe |
Full analysis: | https://app.any.run/tasks/838e843d-7220-409f-8f79-611b3f5989d5 |
Verdict: | Malicious activity |
Analysis date: | July 12, 2020, 13:12:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 3752D5C3A3D2690AF2D1E2492C0EBB54 |
SHA1: | A9E080F6CD011F7D087AB9C53025710F4C62D0E3 |
SHA256: | 3832CC72353D5788A446184BA03A4B849BFB57EAF249BD935F93CC3AC4A55FD4 |
SSDEEP: | 49152:7S0seomRVah9+5pa/ELF0GLIRS5ENQT3zEBHb9:7SqO+7QEJ0CeS5ENsCHb9 |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (7.4) |
.exe | | | Win32 Executable (generic) (5.1) |
.exe | | | Generic Win/DOS Executable (2.2) |
.exe | | | DOS Executable Generic (2.2) |
AssemblyVersion: | 1.0.0.0 |
---|---|
ProductVersion: | 1.0.0.0 |
ProductName: | Radtoken Gen |
OriginalFileName: | Radtoken Gen.exe |
LegalTrademarks: | - |
LegalCopyright: | Copyright © HP Inc. 2019 |
InternalName: | Radtoken Gen.exe |
FileVersion: | 1.0.0.0 |
FileDescription: | Radtoken Gen |
CompanyName: | HP Inc. |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x3177ce |
UninitializedDataSize: | - |
InitializedDataSize: | 195584 |
CodeSize: | 3233792 |
LinkerVersion: | 48 |
PEType: | PE32 |
TimeStamp: | 2102:03:24 00:03:33+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 14-Feb-1966 16:35:17 |
Comments: | - |
CompanyName: | HP Inc. |
FileDescription: | Radtoken Gen |
FileVersion: | 1.0.0.0 |
InternalName: | Radtoken Gen.exe |
LegalCopyright: | Copyright © HP Inc. 2019 |
LegalTrademarks: | - |
OriginalFilename: | Radtoken Gen.exe |
ProductName: | Radtoken Gen |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 14-Feb-1966 16:35:17 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x003157D4 | 0x00315800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.70277 |
.rsrc | 0x00318000 | 0x0002F8B4 | 0x0002FA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.51811 |
.reloc | 0x00348000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00772 | 3168 | UNKNOWN | UNKNOWN | RT_MANIFEST |
2 | 7.89517 | 9013 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 2.67396 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 3.44194 | 38056 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 3.45716 | 21640 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 2.88344 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 3.74373 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
8 | 3.44826 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
9 | 4.1802 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
10 | 4.45442 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2420 | "C:\Users\admin\AppData\Local\Temp\Radtoken Gen.exe" | C:\Users\admin\AppData\Local\Temp\Radtoken Gen.exe | — | explorer.exe |
User: admin Company: HP Inc. Integrity Level: MEDIUM Description: Radtoken Gen Exit code: 3221226540 Version: 1.0.0.0 | ||||
2604 | "C:\Users\admin\AppData\Local\Temp\Radtoken Gen.exe" | C:\Users\admin\AppData\Local\Temp\Radtoken Gen.exe | explorer.exe | |
User: admin Company: HP Inc. Integrity Level: HIGH Description: Radtoken Gen Version: 1.0.0.0 | ||||
3436 | "C:\Program Files\Internet Explorer\iexplore.exe" https://cracked.to/Radcircles | C:\Program Files\Internet Explorer\iexplore.exe | Radtoken Gen.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2468 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3436 CREDAT:275457 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2468 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Cab2BE7.tmp | — | |
MD5:— | SHA256:— | |||
2468 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Tar2BE8.tmp | — | |
MD5:— | SHA256:— | |||
2468 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\22VB5TDK.txt | — | |
MD5:— | SHA256:— | |||
2468 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\A11N7AWS.txt | — | |
MD5:— | SHA256:— | |||
3436 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2468 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1 | binary | |
MD5:6B82037E6AC0A654A713826316D9B4C0 | SHA256:8F2C9F17364B5F0DEE0CF2104C38656F05733B7726E432CDCA637913C1055043 | |||
2468 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\JQPKAEE8.txt | text | |
MD5:951792F173ED40D7582AAF0CBC14F4CF | SHA256:3E2C677F881880C8E8D25E0B8C04EF3DF02A6B0CCE70494A3438E279AB7BC4DC | |||
2468 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\ripple.min[1].js | text | |
MD5:812341614DD4415C95CD6963AAE67233 | SHA256:41B2AA2570FF293580D19394C1A2569C3FFF81178D33EF034EF2BD98F6AFC8DD | |||
2468 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | |
MD5:8AFBED9A6BDED237393F46977C0B8CED | SHA256:6D8082BBD613CE2819843B3EAF0A999F164C64B52B4EE50E8B95F2B726EE2D29 | |||
2468 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Radcircles[1].htm | html | |
MD5:0360DD9B625F8498C1C8D8995CF46297 | SHA256:FCC19A4B3671E3CCDF46FA3E8AB056DFCA1D320ECC2FE73A2022E079414DAD22 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2468 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
2468 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEA%2FVhdRLfbN%2FXD5lO%2FSyJvc%3D | US | der | 279 b | whitelisted |
2468 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
2468 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
2468 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEA%2FVhdRLfbN%2FXD5lO%2FSyJvc%3D | US | der | 279 b | whitelisted |
2468 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 471 b | whitelisted |
2468 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEAar2mu0dHehCAAAAABH74o%3D | US | der | 471 b | whitelisted |
2468 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 471 b | whitelisted |
2468 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDRWV%2BNyD7WkwIAAAAAbwew | US | der | 472 b | whitelisted |
2468 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2468 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3436 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2468 | iexplore.exe | 104.16.133.229:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | suspicious |
2468 | iexplore.exe | 104.26.7.55:443 | cracked.to | Cloudflare Inc | US | malicious |
2468 | iexplore.exe | 172.67.74.216:443 | cracked.to | — | US | unknown |
2468 | iexplore.exe | 172.217.18.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2468 | iexplore.exe | 172.217.22.8:443 | www.googletagmanager.com | Google Inc. | US | whitelisted |
2468 | iexplore.exe | 172.217.16.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2468 | iexplore.exe | 172.217.22.99:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
cracked.to |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
static.cracked.to |
| suspicious |
fonts.googleapis.com |
| whitelisted |
cdnjs.cloudflare.com |
| whitelisted |
www.googletagmanager.com |
| whitelisted |
cache.cracked.to |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .to TLD |
— | — | Potentially Bad Traffic | ET DNS Query for .to TLD |
— | — | Potentially Bad Traffic | ET DNS Query for .to TLD |