File name: | a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb |
Full analysis: | https://app.any.run/tasks/179e31ff-d09c-4866-ba20-9f1be2aa496c |
Verdict: | Malicious activity |
Analysis date: | December 06, 2022, 01:38:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 57C8491C5085A93A62FADFB4B88AA027 |
SHA1: | 45E0B7C8A5A35136ADB3E4A6D756E73F6A863510 |
SHA256: | A1B73BC0982F70BDCB7C2699A41B951A5ECBC5F46EDC40DCAC564017D5E85BCB |
SSDEEP: | 12288:6+MMnMMMMMq8U649pTI1g/xtjOmPKHJuZ2LxdXi8P:6+MMnMMMMMq8ypC4dUJuZGTX |
.exe | | | Win16/32 Executable Delphi generic (34.1) |
---|---|---|
.exe | | | Generic Win/DOS Executable (32.9) |
.exe | | | DOS Executable Generic (32.9) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2009-Mar-05 21:48:39 |
Detected languages: |
|
CompanyName: | QNP |
FileDescription: | Cluster analysis |
FileVersion: | 1.3.1.1 |
InternalName: | QCLA |
LegalCopyright: | 37 CFR 1.53(c) |
OriginalFilename: | QCLA.EXE |
ProductName: | CLAnalysis |
ProductVersion: | 1.3.1.1 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 6 |
TimeDateStamp: | 2009-Mar-05 21:48:39 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 1168 | 1536 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.19114 |
.idata | 8192 | 5160 | 5632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.25119 |
.reloc | 16384 | 64 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.455376 |
.rsrc | 20480 | 133652 | 134144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.56855 |
.data | 155648 | 1064960 | 157696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.80376 |
.rdata | 1220608 | 209940 | 210432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.80008 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.82653 | 3752 | UNKNOWN | English - United States | RT_ICON |
2 | 6.23219 | 2216 | UNKNOWN | English - United States | RT_ICON |
3 | 5.60454 | 3752 | UNKNOWN | English - United States | RT_ICON |
4 | 5.8986 | 2216 | UNKNOWN | English - United States | RT_ICON |
5 | 5.59354 | 3752 | UNKNOWN | English - United States | RT_ICON |
6 | 3.63414 | 1640 | UNKNOWN | English - United States | RT_ICON |
7 | 3.63414 | 1640 | UNKNOWN | English - United States | RT_ICON |
8 | 2.63595 | 296 | UNKNOWN | English - United States | RT_ICON |
9 | 2.93951 | 296 | UNKNOWN | English - United States | RT_ICON |
10 | 3.01071 | 296 | UNKNOWN | English - United States | RT_ICON |
ADVAPI32.dll |
DDRAW.dll |
KERNEL32.dll |
MSWSOCK.dll |
SAMLIB.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1328 | "C:\Users\admin\AppData\Local\Temp\a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe" | C:\Users\admin\AppData\Local\Temp\a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Explorer.EXE | ||||||||||||
User: admin Company: QNP Integrity Level: MEDIUM Description: Cluster analysis Version: 1.3.1.1 Modules
| |||||||||||||||
2416 | "C:\ProgramData\QNsursDHHhnjS.exe" | C:\ProgramData\QNsursDHHhnjS.exe | — | a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | |||||||||||
User: admin Company: QNP Integrity Level: MEDIUM Description: Cluster analysis Version: 1.3.1.1 Modules
|
(PID) Process: | (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | QNsursDHHhnjS |
Value: C:\ProgramData\QNsursDHHhnjS.exe | |||
(PID) Process: | (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (1328) a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: |
PID | Process | Filename | Type | |
---|---|---|---|---|
1328 | a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | C:\ProgramData\QNsursDHHhnjS.exe | executable | |
MD5:57C8491C5085A93A62FADFB4B88AA027 | SHA256:A1B73BC0982F70BDCB7C2699A41B951A5ECBC5F46EDC40DCAC564017D5E85BCB | |||
1328 | a1b73bc0982f70bdcb7c2699a41b951a5ecbc5f46edc40dcac564017d5e85bcb.exe | C:\Users\admin\AppData\Local\Temp\tmp28F5.tmp | executable | |
MD5:57C8491C5085A93A62FADFB4B88AA027 | SHA256:A1B73BC0982F70BDCB7C2699A41B951A5ECBC5F46EDC40DCAC564017D5E85BCB |
Domain | IP | Reputation |
---|---|---|
searchadventure.org |
| unknown |
clickarrogant.org |
| unknown |
searchas.org |
| unknown |
searchairplane.org |
| unknown |
searchnuse.org |
| unknown |
searchbetsy.org |
| unknown |
searchboth.org |
| unknown |