File name: | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc |
Full analysis: | https://app.any.run/tasks/65fa14f3-11fc-4da8-a2c3-96cbe79299ac |
Verdict: | Malicious activity |
Analysis date: | September 30, 2020, 12:53:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | F40EAEDF64A7083F72E50FCFBE1F14B6 |
SHA1: | E5603260946673125B735C6E7202E5720D2187A5 |
SHA256: | 8F4D94BA5B19307AD971114E7EEF016490080320B641F68A96971BF8919706FC |
SSDEEP: | 98304:v5am42m5oiuFLuwmR5+qzwdl4MmbM2Z4YC7YUq7HyFbTFB:vEtFugT+qzjMmbp+Y+YUq7H0 |
.exe | | | Win32 Executable Delphi generic (57.2) |
---|---|---|
.exe | | | Win32 Executable (generic) (18.2) |
.exe | | | Win16/32 Executable Delphi generic (8.3) |
.exe | | | Generic Win/DOS Executable (8) |
.exe | | | DOS Executable Generic (8) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 1992:06:20 00:22:17+02:00 |
PEType: | PE32 |
LinkerVersion: | 2.25 |
CodeSize: | 3463168 |
InitializedDataSize: | 1742848 |
UninitializedDataSize: | - |
EntryPoint: | 0x34e620 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.15.7.0 |
ProductVersionNumber: | 1.15.7.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Unicode |
CompanyName: | FileHippo |
FileDescription: | FileHippo Installer |
FileVersion: | 1.15.7.0 |
LegalCopyright: | © 2020 FileHippo All Rights Reserved |
ProductName: | FileHippo - Installer |
ProductVersion: | 1.15.7.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 19-Jun-1992 22:22:17 |
Detected languages: | |
CompanyName: | FileHippo |
FileDescription: | FileHippo Installer |
FileVersion: | 1.15.7.0 |
LegalCopyright: | © 2020 FileHippo All Rights Reserved |
ProductName: | FileHippo - Installer |
ProductVersion: | 1.15.7.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 19-Jun-1992 22:22:17 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x0034D63C | 0x0034D800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.75645 |
DATA | 0x0034F000 | 0x0000C6B0 | 0x0000C800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.24624 |
BSS | 0x0035C000 | 0x00004125 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00361000 | 0x0000323E | 0x00003400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.95884 |
.tls | 0x00365000 | 0x00000010 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00366000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.201539 |
.reloc | 0x00367000 | 0x00019AD8 | 0x00019C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.73886 |
.rsrc | 0x00381000 | 0x0017FDAE | 0x0017FE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 7.93642 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.2839 | 986 | Latin 1 / Western European | Hebrew - Israel | RT_MANIFEST |
2 | 4.56237 | 2440 | UNKNOWN | Hebrew - Israel | RT_ICON |
3 | 4.32493 | 4264 | UNKNOWN | Hebrew - Israel | RT_ICON |
4 | 3.96976 | 9640 | UNKNOWN | Hebrew - Israel | RT_ICON |
5 | 7.9694 | 20151 | UNKNOWN | Hebrew - Israel | RT_ICON |
6 | 2.62527 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
7 | 2.91604 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
4068 | 3.23376 | 1632 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4069 | 3.12312 | 4432 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4070 | 3.1761 | 2560 | Latin 1 / Western European | UNKNOWN | RT_STRING |
URLMON.DLL |
advapi32.dll |
comctl32.dll |
comdlg32.dll |
gdi32.dll |
kernel32.dll |
mpr.dll |
ole32.dll |
oleaut32.dll |
user32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1076 | "C:\Users\admin\AppData\Local\Temp\8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe" | C:\Users\admin\AppData\Local\Temp\8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | — | explorer.exe |
User: admin, Company: FileHippo, Integrity Level: MEDIUM, Description: FileHippo Installer, Exit code: 0, Version: 1.15.7.0 | | | | |
3244 | "C:\Users\admin\AppData\Local\Temp\8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe" /XmNGXvA5PA /fUBuLBNGPQ:YyhwYgxaFRAiP211FM5W /mnl | C:\Users\admin\AppData\Local\Temp\8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | — | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe |
User: admin, Company: FileHippo, Integrity Level: HIGH, Description: FileHippo Installer, Version: 1.15.7.0 | | | | |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
1076 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
1076 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write | LanguageList | en-US |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication | write | Name | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication | write | ID | 708992537 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | C:\Users\admin\AppData\Local\Temp\003BC833.log | — | — | — |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | C:\Users\admin\AppData\Local\Temp\inH391787553647\css\main.css | text | 2925E6A2909837514A1AF2D9BE8CEC86 | D3F9D93722CE02C9EE2AEB8DDD8B7D5935C93A5D8B063D35CCA8016181EE6B00 |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | C:\Users\admin\AppData\Local\Temp\inH391787553647\css\main.scss | text | E44D7EB463737BF9EEAF952D5D71E3DD | 6C943D5338E9F0470251701B045D0339747B824003212FC241224DCE51834C77 |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | C:\Users\admin\AppData\Local\Temp\inH391787553647\css\swAgent.css | text | 2543E3AF757C7D7C8A26C7CF57795F60 | C38892A06C8F50C6386ED794AF4F1EA3E1897AD5F0C7E19594D9EA7B20CFB3F1 |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | C:\Users\admin\AppData\Local\Temp\inH391787553647\css\helpers\_border-radius.scss | text | 6BDF3FD89410E39D33F8137E04AD4A16 | 2C6B98CB19C3E3A0E37472767C53DF213243AE92BC80EF9A7F5BAA17F7B6FA31 |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | C:\Users\admin\AppData\Local\Temp\inH391787553647\css\_helpers.scss | text | 5F158DBBD9FC4594A2F6C13854501916 | BF12B79F67F1CB9988797F7D81F6F504C8DFE0F0435482E64819A140DBC8DA14 |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | C:\Users\admin\AppData\Local\Temp\inH391787553647\css\helpers\_clearfix.scss | text | ADD166BC071472DC105F4734D2DCF0E2 | 75EBE8B4A4CBBAC0EB4DE35B60972452B4526C56EEFB5186DD40A92C70773377 |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | C:\Users\admin\AppData\Local\Temp\inH391787553647\css\_variables.scss | text | 07922410C30F0117CBC3C140F14AEA88 | AF1999B49C03F5DCBB19466466FAC2D8172C684C0FF18931B85A8D0A06332C73 |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | C:\Users\admin\AppData\Local\Temp\inH391787553647\css\helpers\_align.scss | text | BBBBD243F9525ACC7DC6077010627409 | 1F11B5F53E0AA7DA1A1559A1A5CDD52BF03119EA74E5091462461C550E9288DB |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | C:\Users\admin\AppData\Local\Temp\inH391787553647\css\ie6_main.scss | text | D10348D17ADF8A90670696728F54562D | E8A3D15CF32009B01B9145B6E62FF6CAA9C2981F81CE063578C73C7ADFF08DFC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | GET | 200 | 143.204.208.7:80 | http://dnld.icdownloads.com/cust/SDM/Webp.net-resizeimage.png | US | image | 5.18 Kb | malicious |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | POST | 200 | 143.204.201.63:80 | http://reports.protecteddownload.com/ | US | — | — | malicious |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | POST | 200 | 143.204.201.49:80 | http://cdn.protecteddownload.com/ | US | text | 704 b | malicious |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | POST | 200 | 143.204.201.63:80 | http://reports.protecteddownload.com/ | US | — | — | malicious |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | POST | 200 | 143.204.201.93:80 | http://files.protecteddownload.com/ | US | binary | 256 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | 143.204.201.63:80 | reports.protecteddownload.com | — | US | malicious |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | 143.204.208.7:80 | dnld.icdownloads.com | — | US | unknown |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | 143.204.201.49:80 | cdn.protecteddownload.com | — | US | malicious |
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | 143.204.201.93:80 | cdn.protecteddownload.com | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
reports.protecteddownload.com | | malicious |
cdn.protecteddownload.com | | malicious |
files.protecteddownload.com | | malicious |
dnld.icdownloads.com | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3244 | 8f4d94ba5b19307ad971114e7eef016490080320b641f68a96971bf8919706fc.exe | A Network Trojan was detected | ADWARE [PTsecurity] InstallCore |