Field | Value |
---|---|
File name | 8d1fb56fdca56d32a2583326fdf26a52 |
Full analysis | https://app.any.run/tasks/ffe0584d-7b73-4d8b-bbf6-5c65bba5a13d |
Verdict | Malicious activity |
Analysis date | March 14, 2019, 08:42:51 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 8D1FB56FDCA56D32A2583326FDF26A52 |
SHA1 | DCE020E1327433CFAF6378BEE64E8E9CA49A2C0B |
SHA256 | 8D53C67D05995565BDFF9692F8E2D9F56686C1C2E92F864D5306AB4DC09BA91A |
SSDEEP | 12288:2dBdpJ16Gna4K6REllPaa5LiIU/fsh4V6jnB0KJFx+I3IxAOzK6+44EwgwIVM12w:2dBdpJxZkllk9WWL8bX2WDb1IwWLvE7 |
Extension | Detected file type |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (67.4) |
.dll | Win32 Dynamic Link Library (generic) (14.2) |
.exe | Win32 Executable (generic) (9.7) |
.exe | Generic Win/DOS Executable (4.3) |
.exe | DOS Executable Generic (4.3) |
Field | Value |
---|---|
ProductVersion | 5.03.2600.5512 |
ProductName | Microsoft® Windows® Operating System |
OriginalFileName | dxdiag.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
InternalName | dxdiag.exe |
FileVersion | 5.03.2600.5512 (xpsp.080413-0845) |
FileDescription | Microsoft DirectX Diagnostic Tool |
CompanyName | Microsoft Corporation |
CharacterSet | Unicode |
LanguageCode | Arabic |
FileSubtype | - |
ObjectFileType | Executable application |
FileOS | Windows NT 32-bit |
FileFlags | (none) |
FileFlagsMask | 0x003f |
ProductVersionNumber | 5.3.2600.5512 |
FileVersionNumber | 5.3.2600.5512 |
Subsystem | Windows GUI |
SubsystemVersion | 4 |
ImageVersion | 5.1 |
OSVersion | 5.1 |
EntryPoint | 0x26b1d |
UninitializedDataSize | - |
InitializedDataSize | 1601536 |
CodeSize | 217088 |
LinkerVersion | 7.1 |
PEType | PE32 |
TimeStamp | 2008:04:13 20:33:35+02:00 |
MachineType | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 13-Apr-2008 18:33:35 |
Detected languages | |
CompanyName | Microsoft Corporation |
FileDescription | Microsoft DirectX Diagnostic Tool |
FileVersion | 5.03.2600.5512 (xpsp.080413-0845) |
InternalName | dxdiag.exe |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | dxdiag.exe |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 5.03.2600.5512 |
DOS header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x000000E8 |
PE header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 3 |
Time date stamp | 13-Apr-2008 18:33:35 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00034ED6 | 0x00035000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.51065 |
.data | 0x00036000 | 0x00002A94 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.34693 |
.rsrc | 0x00039000 | 0x00185AB8 | 0x00186000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.03307 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.9239 | 636 | Latin 1 / Western European | Spanish - Spain (International sort) | RT_MANIFEST |
2 | 4.45055 | 744 | Latin 1 / Western European | Hebrew - Israel | RT_ICON |
3 | 4.38998 | 296 | Latin 1 / Western European | Hebrew - Israel | RT_ICON |
4 | 6.1386 | 3752 | Latin 1 / Western European | Hebrew - Israel | RT_ICON |
5 | 6.26858 | 2216 | Latin 1 / Western European | Hebrew - Israel | RT_ICON |
6 | 5.02146 | 1384 | Latin 1 / Western European | Hebrew - Israel | RT_ICON |
7 | 3.38495 | 3076 | Latin 1 / Western European | Spanish - Spain (International sort) | RT_STRING |
8 | 3.22326 | 1284 | Latin 1 / Western European | Spanish - Spain (International sort) | RT_STRING |
9 | 5.79527 | 1128 | Latin 1 / Western European | Hebrew - Israel | RT_ICON |
10 | 2.70223 | 744 | Latin 1 / Western European | Hebrew - Israel | RT_ICON |
Imported library |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
comdlg32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
3680 | "C:\Users\admin\AppData\Local\Temp\8d1fb56fdca56d32a2583326fdf26a52.exe" | C:\Users\admin\AppData\Local\Temp\8d1fb56fdca56d32a2583326fdf26a52.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft DirectX Diagnostic Tool | 0 | 5.03.2600.5512 (xpsp.080413-0845) |
116 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | | admin | Microsoft Corporation | MEDIUM | Windows Explorer | | 6.1.7600.16385 (win7_rtm.090713-1255) |
3260 | svchost.exe | C:\Windows\system32\svchost.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Services | | 6.1.7600.16385 (win7_rtm.090713-1255) |
3872 | svchost.exe | C:\Windows\system32\svchost.exe | | svchost.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Services | | 6.1.7600.16385 (win7_rtm.090713-1255) |
2636 | C:\Windows\system32\wbem\unsecapp.exe -Embedding | C:\Windows\system32\wbem\unsecapp.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Sink to receive asynchronous callbacks for WMI client application | | 6.1.7600.16385 (win7_rtm.090713-1255) |
2332 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | | svchost.exe | admin | Microsoft Corporation | HIGH | COM Surrogate | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2184 | C:\Users\admin\AppData\Local\Olvioztue\p2phost.exe | C:\Users\admin\AppData\Local\Olvioztue\p2phost.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | People Near Me | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
1428 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | | svchost.exe | admin | Microsoft Corporation | HIGH | COM Surrogate | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3548 | C:\Users\admin\AppData\Local\Azkecoicny\taskhost.exe | C:\Users\admin\AppData\Local\Azkecoicny\taskhost.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
1996 | "C:\Windows\system32\Dwm.exe" | C:\Windows\System32\dwm.exe | | svchost.exe | admin | Microsoft Corporation | MEDIUM | Desktop Window Manager | | 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
3872 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | EnableFileTracing | 0 |
3872 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | EnableConsoleTracing | 0 |
3872 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | FileTracingMask | 4294901760 |
3872 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | ConsoleTracingMask | 4294901760 |
3872 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | MaxFileSize | 1048576 |
3872 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | FileDirectory | %windir%\tracing |
3872 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS | EnableFileTracing | 0 |
3872 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS | EnableConsoleTracing | 0 |
3872 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS | FileTracingMask | 4294901760 |
3872 | svchost.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS | ConsoleTracingMask | 4294901760 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3872 | svchost.exe | C:\Users\admin\AppData\Local\Olvioztue\ADVAPI32.dll | executable | 41EEC07619F2AACA94FDA5B5AA65BA36 | 71B778E5256A8A904A7E6A52EFA2EDF46B4102F0E6270830FC571E28B4A70B67 |
3872 | svchost.exe | C:\Users\admin\AppData\Local\Olvioztue\P2P.dll | executable | FBC52E18B6D0A45AD046EB8C6BF9CD20 | EF3810E3910D487553743F541C7C2F786C8468EBC56BE1B872968769AA467A4E |
3872 | svchost.exe | C:\Users\admin\AppData\Local\Olvioztue\GDI32.dll | executable | C9FF5BCEB1E044DE7EA0B8807FDE656F | 2CB78A1AD8A712053966621CF1E7ECA9FF92D7F7447641CA2421D76D487CC6CA |
3872 | svchost.exe | C:\Users\admin\AppData\Local\Azkecoicny\Cyadpeuz.yqv | binary | 468924B098081CD02ABB07E2912C3C11 | 037B72244E7D98A559EA9F10F14FC800EE0D8949DD99251BB57463250ED42098 |
3872 | svchost.exe | C:\Users\admin\AppData\Local\Azkecoicny\RPCRT4.dll | executable | D5EF5E5A1D3A75EA2211F1A43305440C | 232F086122974DE54B27C91EDD41D450B4BAC547E33F1535604F05DD7EDBCD47 |
1428 | DllHost.exe | C:\Users\admin\AppData\Local\Azkecoicny\taskhost.exe | executable | 7FA8BA5A780E4757964AC9D4238302B9 | 65E3D8CE737896647065103FBB4D58E6A34171D0A48662A832CFDAC3CF469701 |
3872 | svchost.exe | C:\Users\admin\AppData\Local\Olvioztue\msvcrt.dll | executable | 16243BC5FCDA41E79DF712F99D678B43 | 29C76985548A37E44ABA91A3CAFAFF6D4506CA7212C34D6049D9134BD0F9E65B |
3872 | svchost.exe | C:\Users\admin\AppData\Local\Olvioztue\RPCRT4.dll | executable | C716E0F834ABCF58B0719EC2ACA4E733 | B25A72417E6B462EC124120BCFA1F1CD811770A279E9C598C04F42183D22E73F |
3872 | svchost.exe | C:\Users\admin\AppData\Local\Olvioztue\SHLWAPI.dll | executable | 3770ADDF84B850CEF13FE3BA3243D4B0 | B54D49421A6F31B290060F3EF315A81A4EC4EB8AE743CB6F97C9E2C4C43DFEFD |
3872 | svchost.exe | C:\Users\admin\AppData\Local\Olvioztue\P2PCOLLAB.dll | executable | B2CAE9790A1F41458D557F52BCFB4716 | 75BF51049141920BD47D8E73D841E226D85CA32A00B62AD21011928346876B16 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3872 | svchost.exe | POST | 200 | 213.252.245.146:80 | http://sync-time.info/ | LT | binary | 596 b | malicious |
3872 | svchost.exe | POST | 200 | 213.252.245.146:80 | http://sync-time.info/ | LT | binary | 899 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3872 | svchost.exe | 213.252.245.146:80 | sync-time.info | Informacines sistemos ir technologijos, UAB | LT | malicious |
Domain | IP | Reputation |
---|---|---|
sync-time.info | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3872 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Brazilian Banking Trojan |