File name: | FindingFormsPro-24881230[1].exe |
Full analysis: | https://app.any.run/tasks/493abb98-df3d-4a31-8913-828cbf197211 |
Verdict: | Malicious activity |
Analysis date: | September 18, 2019, 22:33:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | B2232A2F74BF2D599F57A0380B62FC16 |
SHA1: | 3F1715B7266A540EBE00A9337A04B70DE4360447 |
SHA256: | 3C1C9AA01DD4381D0AB8587D4D14DDFD30886CABEC2275CDC0080963509777C5 |
SSDEEP: | 24576:OCwe5cwDRP7kXOooyWDHfEaW54VhhXbn7:4w97kwQadjhXbn7 |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
ProductVersion: | 5.2.0.9 |
---|---|
ProductName: | IENewTab |
OriginalFileName: | IENewTab |
LegalCopyright: | Copyright (C) 2017 SpringTech Ltd. |
InternalName: | IENewTab |
FileVersion: | 5.2.0.9 |
CompanyName: | SpringTech Ltd. |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Unknown |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0017 |
ProductVersionNumber: | 5.2.0.9 |
FileVersionNumber: | 5.2.0.9 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x31309 |
UninitializedDataSize: | - |
InitializedDataSize: | 876544 |
CodeSize: | 340992 |
LinkerVersion: | 14.16 |
PEType: | PE32 |
TimeStamp: | 2019:09:09 10:16:40+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 09-Sep-2019 08:16:40 |
Detected languages: |
|
CompanyName: | SpringTech Ltd. |
FileVersion: | 5.2.0.9 |
InternalName: | IENewTab |
LegalCopyright: | Copyright (C) 2017 SpringTech Ltd. |
OriginalFilename: | IENewTab |
ProductName: | IENewTab |
ProductVersion: | 5.2.0.9 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000110 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 09-Sep-2019 08:16:40 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00053387 | 0x00053400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.57614 |
.rdata | 0x00055000 | 0x0002DC8A | 0x0002DE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.33922 |
.data | 0x00083000 | 0x00002CB8 | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.13592 |
.rsrc | 0x00086000 | 0x000A0D48 | 0x000A0E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.21948 |
.reloc | 0x00127000 | 0x0000456C | 0x00004600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.58646 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.3298 | 822 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.47151 | 1384 | UNKNOWN | English - United States | RT_ICON |
3 | 3.91708 | 744 | UNKNOWN | English - United States | RT_ICON |
4 | 3.91366 | 2216 | UNKNOWN | English - United States | RT_ICON |
5 | 4.02252 | 3752 | UNKNOWN | English - United States | RT_ICON |
6 | 3.62911 | 1640 | UNKNOWN | English - United States | RT_ICON |
7 | 3.25755 | 296 | UNKNOWN | English - United States | RT_ICON |
8 | 3.47151 | 1384 | UNKNOWN | English - United States | RT_ICON |
9 | 3.91708 | 744 | UNKNOWN | English - United States | RT_ICON |
10 | 3.91366 | 2216 | UNKNOWN | English - United States | RT_ICON |
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
OLEACC.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
VERSION.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3668 | "C:\Users\admin\AppData\Local\Temp\FindingFormsPro-24881230[1].exe" | C:\Users\admin\AppData\Local\Temp\FindingFormsPro-24881230[1].exe | explorer.exe | |
User: admin Company: SpringTech Ltd. Integrity Level: MEDIUM Exit code: 0 Version: 5.2.0.9 | ||||
3128 | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://search.hdownloadmyinboxhelper.com/?source=-lp0-bb9-iei-dd&uid=9af73fbd-3ce8-4f78-a5ca-5b778f9ec388&uc=20190918&ap=appfocus1&i_id=email_spt__1.30 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | FindingFormsPro-24881230[1].exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3680 | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3128 CREDAT:71937 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | IEXPLORE.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3680 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Temp\Low\CabD4D9.tmp | — | |
MD5:— | SHA256:— | |||
3680 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Temp\Low\TarD4DA.tmp | — | |
MD5:— | SHA256:— | |||
3680 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Temp\Low\CabD4EA.tmp | — | |
MD5:— | SHA256:— | |||
3680 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Temp\Low\TarD4EB.tmp | — | |
MD5:— | SHA256:— | |||
3680 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Temp\Low\CabD54A.tmp | — | |
MD5:— | SHA256:— | |||
3680 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Temp\Low\TarD54B.tmp | — | |
MD5:— | SHA256:— | |||
3680 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@hdownloadmyinboxhelper[1].txt | — | |
MD5:— | SHA256:— | |||
3668 | FindingFormsPro-24881230[1].exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\main[1] | html | |
MD5:EF172863DEBAF2FA318EDFE7C6AC5CB2 | SHA256:2A111636FF92DA5E763824AA7E9F3B4B9A966DACD6585A83AC89F9160852CC6E | |||
3668 | FindingFormsPro-24881230[1].exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\script[1] | text | |
MD5:757AA3AA7A8FE348C0C68A241A2DBCCD | SHA256:1D9FFC683471AC3858CEF645CA2E2497EB1DFB977C8C4CD1AE14EE3C42101D16 | |||
3680 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:C080A75681429BA640F58112F669DCB7 | SHA256:FCD5E3613C62E791EFA1B8C44DA6CFF1398EA2208FDB01DC8E3EAEA412A9AE4F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3680 | IEXPLORE.EXE | GET | 302 | 54.86.196.110:80 | http://search.hdownloadmyinboxhelper.com/?source=-lp0-bb9-iei-dd&uid=9af73fbd-3ce8-4f78-a5ca-5b778f9ec388&uc=20190918&ap=appfocus1&i_id=email_spt__1.30 | US | html | 285 b | malicious |
3668 | FindingFormsPro-24881230[1].exe | GET | 500 | 34.192.88.201:80 | http://www.browser-tech.com/advplatform/api.cgi?act=postStat&cx=-1&cy=-1&id=&rf=1&ver=5.2.0.9&proto=1 | US | html | 617 b | shared |
3680 | IEXPLORE.EXE | GET | 200 | 13.107.4.50:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.0 Kb | whitelisted |
3668 | FindingFormsPro-24881230[1].exe | GET | 500 | 34.192.88.201:80 | http://www.browser-tech.com/ies/api.cgi?act=getConfig&id=&rf=1&ver=5.2.0.9&proto=1&ihp=&nto= | US | html | 617 b | shared |
3668 | FindingFormsPro-24881230[1].exe | GET | 200 | 54.87.172.192:80 | http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&source=-lp0-bb9-iei-dd&sub_id=20190918&traffic_source=appfocus1&user_id=9af73fbd-3ce8-4f78-a5ca-5b778f9ec388&useragent=Mozilla%2F5.0+(Windows+NT+10.0%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&subid2=8.0.7601.17514&event=ex_executed | US | image | 109 b | malicious |
3668 | FindingFormsPro-24881230[1].exe | GET | 200 | 54.87.172.192:80 | http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&source=-lp0-bb9-iei-dd&sub_id=20190918&traffic_source=appfocus1&user_id=9af73fbd-3ce8-4f78-a5ca-5b778f9ec388&useragent=Mozilla%2F5.0+(Windows+NT+10.0%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&subid2=8.0.7601.17514&event=ex_shown_ds | US | image | 109 b | malicious |
3668 | FindingFormsPro-24881230[1].exe | GET | 200 | 54.87.172.192:80 | http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&source=-lp0-bb9-iei-dd&sub_id=20190918&traffic_source=appfocus1&user_id=9af73fbd-3ce8-4f78-a5ca-5b778f9ec388&useragent=Mozilla%2F5.0+(Windows+NT+10.0%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&subid2=8.0.7601.17514&event=ex_set_ds | US | image | 109 b | malicious |
3668 | FindingFormsPro-24881230[1].exe | GET | 200 | 54.87.172.192:80 | http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&source=-lp0-bb9-iei-dd&sub_id=20190918&traffic_source=appfocus1&user_id=9af73fbd-3ce8-4f78-a5ca-5b778f9ec388&useragent=Mozilla%2F5.0+(Windows+NT+10.0%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&subid2=8.0.7601.17514&event=ex_set_hp | US | image | 109 b | malicious |
3668 | FindingFormsPro-24881230[1].exe | GET | 200 | 54.87.172.192:80 | http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&source=-lp0-bb9-iei-dd&sub_id=20190918&traffic_source=appfocus1&user_id=9af73fbd-3ce8-4f78-a5ca-5b778f9ec388&useragent=Mozilla%2F5.0+(Windows+NT+10.0%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&subid2=8.0.7601.17514&event=ex_installed | US | image | 109 b | malicious |
3668 | FindingFormsPro-24881230[1].exe | GET | 200 | 54.87.172.192:80 | http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&source=-lp0-bb9-iei-dd&sub_id=20190918&traffic_source=appfocus1&user_id=9af73fbd-3ce8-4f78-a5ca-5b778f9ec388&useragent=Mozilla%2F5.0+(Windows+NT+10.0%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&subid2=8.0.7601.17514&event=ex_accepted | US | image | 109 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3668 | FindingFormsPro-24881230[1].exe | 34.192.88.201:80 | www.browser-tech.com | Amazon.com, Inc. | US | malicious |
3680 | IEXPLORE.EXE | 216.58.205.227:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
3680 | IEXPLORE.EXE | 216.58.205.238:443 | apis.google.com | Google Inc. | US | whitelisted |
3680 | IEXPLORE.EXE | 54.86.196.110:80 | search.hdownloadmyinboxhelper.com | Amazon.com, Inc. | US | malicious |
3668 | FindingFormsPro-24881230[1].exe | 54.87.172.192:80 | imp.hdownloadmyinboxhelper.com | Amazon.com, Inc. | US | malicious |
3128 | IEXPLORE.EXE | 54.86.196.110:443 | search.hdownloadmyinboxhelper.com | Amazon.com, Inc. | US | malicious |
3680 | IEXPLORE.EXE | 35.168.129.108:443 | imp.onesearch.org | Amazon.com, Inc. | US | suspicious |
3680 | IEXPLORE.EXE | 13.225.84.17:443 | dap2y8k6nefku.cloudfront.net | — | US | suspicious |
3680 | IEXPLORE.EXE | 54.86.196.110:443 | search.hdownloadmyinboxhelper.com | Amazon.com, Inc. | US | malicious |
3680 | IEXPLORE.EXE | 52.30.52.254:443 | appfocus.go2cloud.org | Amazon.com, Inc. | IE | suspicious |
Domain | IP | Reputation |
---|---|---|
www.browser-tech.com |
| shared |
imp.hdownloadmyinboxhelper.com |
| unknown |
search.hdownloadmyinboxhelper.com |
| unknown |
x.ss2.us |
| whitelisted |
www.download.windowsupdate.com |
| whitelisted |
appfocus.go2cloud.org |
| shared |
imp.onesearch.org |
| whitelisted |
apis.google.com |
| whitelisted |
dap2y8k6nefku.cloudfront.net |
| whitelisted |
accounts.google.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3680 | IEXPLORE.EXE | Misc activity | ADWARE [PTsecurity] Application.AdSearch (A) |