File name: | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849 |
Full analysis: | https://app.any.run/tasks/d6fad88d-4ebe-4410-8a32-9a17c115b694 |
Verdict: | Malicious activity |
Analysis date: | December 06, 2022, 04:47:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C25A3C97B272F681149194AA7D34C646 |
SHA1: | DCBE06AABEDB22438A7E6F696219DA570226C6E6 |
SHA256: | AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849 |
SSDEEP: | 3072:MYOqQr9HIwt8Sgd3+AaWmk7m8sPN8i7g1QUojsDoemee:MrFrZYpa/N8iMiUojsDm1 |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2011-Apr-26 13:24:37 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 232 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2011-Apr-26 13:24:37 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 75780 | 76288 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.98776 |
.idata | 81920 | 154244 | 2560 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.8497 |
.rsrc | 237568 | 58908 | 59392 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.84611 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 7.99469 | 31279 | UNKNOWN | UNKNOWN | PNG |
2 | 7.99231 | 21909 | UNKNOWN | UNKNOWN | PNG |
95 | 3.75988 | 296 | UNKNOWN | UNKNOWN | RT_ICON |
1 (#2) | 3.54888 | 2216 | UNKNOWN | UNKNOWN | RT_ICON |
2 (#2) | 3.57696 | 1384 | UNKNOWN | UNKNOWN | RT_ICON |
1 (#3) | 2.32824 | 34 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
1 (#4) | 3.50124 | 800 | UNKNOWN | UNKNOWN | RT_VERSION |
kernel32.dll |
user32.dll |
Title | Ordinal | Address |
---|---|---|
Kvnljlkqvre | 1 | 5135 |
Wmfsdccmd | 2 | 7754 |
Ydkhgpq | 3 | 7869 |
IsLtdyyqt | 4 | 6885 |
CreateAfludarpqks | 5 | 4434 |
Aihcwvbw | 6 | 7073 |
Ngejluw | 7 | 5946 |
GetMhltrcerlxb | 8 | 5177 |
BeginWbulfhv | 9 | 5536 |
IsRxagbwuuuo | 10 | 7077 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1872 | "C:\Users\admin\AppData\Local\Temp\aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe" | C:\Users\admin\AppData\Local\Temp\aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
3388 | "c:\users\admin\appdata\local\google\chrome\user data\pepperflash\32.0.0.433\playerpepflashplayer.exe" | c:\users\admin\appdata\local\google\chrome\user data\pepperflash\32.0.0.433\playerpepflashplayer.exe | — | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
3672 | "c:\users\admin\appdata\local\microsoft\feeds\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\webslices~\sitesfeedsuggested20313.exe" | c:\users\admin\appdata\local\microsoft\feeds\{5588acfd-6436-411b-a5ce-666ae6a92d3d}~\webslices~\sitesfeedsuggested20313.exe | — | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
3932 | "c:\users\admin\appdata\roaming\mozilla\firefox\profiles\qldyz51w.default\gmp-widevinecdm\4.10.1440.18\decryptioncontent.exe" | c:\users\admin\appdata\roaming\mozilla\firefox\profiles\qldyz51w.default\gmp-widevinecdm\4.10.1440.18\decryptioncontent.exe | — | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
2560 | "c:\users\admin\appdata\local\microsoft\feeds\microsoft feeds~\microsofthomefeed15639.exe" | c:\users\admin\appdata\local\microsoft\feeds\microsoft feeds~\microsofthomefeed15639.exe | — | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
|
(PID) Process: | (1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (1872) aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} |
Operation: | write | Name: | WpadDecisionReason |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1872 | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | C:\Users\admin\AppData\Local\Adobe\A0A2C719-B8B1-4DC7-B33B-C50E709F20B0\gccheckGoogle.exe | executable | |
MD5:C25A3C97B272F681149194AA7D34C646 | SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849 | |||
1872 | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | C:\Users\admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MicrosoftHomefeed15639.exe | executable | |
MD5:C25A3C97B272F681149194AA7D34C646 | SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849 | |||
1872 | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\SitesfeedSuggested20313.exe | executable | |
MD5:C25A3C97B272F681149194AA7D34C646 | SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849 | |||
1872 | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\PepperFlash\32.0.0.433\Playerpepflashplayer.exe | executable | |
MD5:C25A3C97B272F681149194AA7D34C646 | SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849 | |||
1872 | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\BuiltInBuilding.exe | executable | |
MD5:C25A3C97B272F681149194AA7D34C646 | SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849 | |||
1872 | aa5f7b300c974c5932e5a05f2f4bf1a9e11471187e1d303e6f932c41bc3ca849.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\4.10.1440.18\DecryptionContent.exe | executable | |
MD5:C25A3C97B272F681149194AA7D34C646 | SHA256:AA5F7B300C974C5932E5A05F2F4BF1A9E11471187E1D303E6F932C41BC3CA849 |
Domain | IP | Reputation |
---|---|---|
1670302059.website-usb.us |
| unknown |
1670302065.website-usb.us |
| unknown |
1670302069.website-usb.us |
| unknown |
1670302073.website-usb.us |
| unknown |