File name: | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de |
Full analysis: | https://app.any.run/tasks/58a2ca5c-6422-447a-a05d-35d3b56a963e |
Verdict: | Malicious activity |
Analysis date: | December 06, 2022, 05:14:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 61494A835CE331D776C27FC6584930C7 |
SHA1: | B8C85F0CFB217441608E7019F193579E03047082 |
SHA256: | C870025F693DF5311E58F7213B426F7EC204E21255A4737723BF5EFE24FF72DE |
SSDEEP: | 49152:O2Jd3BBHWSCVaUMmKaEahivTVLW2Rx0fC+jeE6N:O2j3BzCVVFKa+7I5fC+S7N |
.exe | | | InstallShield setup (49.2) |
---|---|---|
.exe | | | Win32 Executable Delphi generic (16.2) |
.scr | | | Windows screen saver (14.9) |
.dll | | | Win32 Dynamic Link Library (generic) (7.5) |
.exe | | | Win32 Executable (generic) (5.1) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 1992-Jun-19 22:22:17 |
Detected languages: |
|
Comments: | Roof Insured Games Pope |
CompanyName: | One Underlying Ours Qkp. |
FileDescription: | Webcast College Safely |
FileVersion: | 2.1.1.7 |
InternalName: | - |
LegalCopyright: | Copyright (C) Llc In Come Igy. |
LegalTrademarks: | Memories Hosts |
ProductName: | Booty Automated |
ProductVersion: | 2.1.1.7 |
e_magic: | MZ |
---|---|
e_cblp: | 80 |
e_cp: | 2 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | 15 |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | 26 |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 256 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 8 |
TimeDateStamp: | 1992-Jun-19 22:22:17 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
CODE | 4096 | 149628 | 150016 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.49182 |
DATA | 155648 | 7936 | 8192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.2617 |
BSS | 163840 | 2313 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.idata | 167936 | 4408 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.77365 |
.tls | 176128 | 8 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rdata | 180224 | 24 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.200582 |
.reloc | 184320 | 8448 | 8704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.69588 |
.rsrc | 196608 | 10876 | 11264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.93017 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.67967 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4091 | 2.39 | 120 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4092 | 2.94341 | 244 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4093 | 2.8794 | 196 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4094 | 3.19303 | 748 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4095 | 3.27138 | 832 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4096 | 3.16152 | 704 | Latin 1 / Western European | UNKNOWN | RT_STRING |
1 (#2) | 3.45462 | 744 | Latin 1 / Western European | Hebrew - Israel | RT_ICON |
DVCLAL | 4 | 16 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
PACKAGEINFO | 5.34155 | 348 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
advapi32.dll |
advapi32.dll (#2) |
comctl32.dll |
gdi32.dll |
kernel32.dll |
kernel32.dll (#2) |
kernel32.dll (#3) |
kernel32.dll (#4) |
oleaut32.dll |
shell32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1328 | "C:\Users\admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe" | C:\Users\admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | — | Explorer.EXE | |||||||||||
User: admin Company: One Underlying Ours Qkp. Integrity Level: MEDIUM Description: Webcast College Safely Exit code: 0 Version: 2.1.1.7 Modules
| |||||||||||||||
3080 | C:\Users\admin\AppData\Local\Temp\SETUP_10716\Engine.exe /TH_ID=_1580 /OriginExe="C:\Users\admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe" | C:\Users\admin\AppData\Local\Temp\SETUP_10716\Engine.exe | — | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | |||||||||||
User: admin Company: Pantaray Research Ltd. Integrity Level: MEDIUM Description: Setup/UnInstall Engine Exit code: 0 Version: 9.1.0.6 Modules
| |||||||||||||||
1040 | C:\Windows\system32\cmd.exe /c cmd < Translated.cda | C:\Windows\system32\cmd.exe | — | Engine.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2304 | cmd | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3140 | powershell get-process avastui | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
860 | powershell get-process avgui | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3776 | findstr /V /R "^dMaMf7f81a39-5f63-5b42-9efd-1f13b5431005quot; Thousands.cda | C:\Windows\system32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3932 | Maui.exe.pif c | C:\Users\admin\AppData\Local\Temp\npgtkcrh.jvv\Maui.exe.pif | cmd.exe | ||||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Version: 3, 3, 14, 5 Modules
| |||||||||||||||
2952 | ping localhost -n 8 | C:\Windows\system32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2628 | cmd /c echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\owokVWCwmi.url" & echo URL="C:\Users\admin\AppData\Local\jucxIOkyRf\TXLYzJN.vbs" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\owokVWCwmi.url" | C:\Windows\system32\cmd.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
|
(PID) Process: | (3092) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3092) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3092) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (3092) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
(PID) Process: | (3092) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (3092) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (3092) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3092) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3092) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (3092) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\00001#Thousands.cda | binary | |
MD5:36F5C4696F54A98E1BF256DF033E34CF | SHA256:656AF4BEE6B89094A6828394BF7EA26058ABF5186AB606B15440AC1B33FDADCD | |||
3932 | Maui.exe.pif | C:\Users\admin\AppData\Local\jucxIOkyRf\T | text | |
MD5:5DD1213377CE2F40B914C5EA22166B55 | SHA256:D7909FD46FABE766CB531A7CB0E23243C40C8F60918C7DD68612734606CE5EC7 | |||
3080 | Engine.exe | C:\Users\admin\AppData\Local\Temp\npgtkcrh.jvv\Thousands.cda | binary | |
MD5:36F5C4696F54A98E1BF256DF033E34CF | SHA256:656AF4BEE6B89094A6828394BF7EA26058ABF5186AB606B15440AC1B33FDADCD | |||
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\1.qsp | ini | |
MD5:78BD4C4A2EB54E8AACBEF7272BF98604 | SHA256:374639557505F85EEED45819C510A53C38C0418F21A43C1FE6D7C753E04098F9 | |||
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\Setup.txt | text | |
MD5:E143502369BA42EA20E32419536742AA | SHA256:B242BD6554CF480C29129C89B693A49CD37452A796211E8A6B747423C93BCE8F | |||
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\00000#Pools.cda | text | |
MD5:5DD1213377CE2F40B914C5EA22166B55 | SHA256:D7909FD46FABE766CB531A7CB0E23243C40C8F60918C7DD68612734606CE5EC7 | |||
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\Engine.exe | executable | |
MD5:E57156DAAD46C61A0395DF1FDBADC766 | SHA256:DCA85F4607B1535BD9DAAD75F57646B53D2B7E2A381A2306AB62CCE0E61B1A35 | |||
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\00002#Translated.cda | text | |
MD5:FADBCD2FB4BE032FF6145B94EEED068E | SHA256:C288B141D2988401EF472325B601D4EE2B4A16B71E6637A7F252556FABE59412 | |||
3080 | Engine.exe | C:\Users\admin\AppData\Local\Temp\npgtkcrh.jvv\Translated.cda | text | |
MD5:FADBCD2FB4BE032FF6145B94EEED068E | SHA256:C288B141D2988401EF472325B601D4EE2B4A16B71E6637A7F252556FABE59412 | |||
3080 | Engine.exe | C:\Users\admin\AppData\Local\Temp\npgtkcrh.jvv\Pools.cda | text | |
MD5:5DD1213377CE2F40B914C5EA22166B55 | SHA256:D7909FD46FABE766CB531A7CB0E23243C40C8F60918C7DD68612734606CE5EC7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3092 | jsc.exe | GET | 200 | 5.132.162.27:80 | http://eth0.me/ | AT | text | 13 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3092 | jsc.exe | 65.109.85.189:15648 | — | Hetzner Online GmbH | FI | unknown |
3092 | jsc.exe | 5.132.162.27:80 | eth0.me | interneX GmbH | AT | suspicious |
Domain | IP | Reputation |
---|---|---|
dvMkRllBVggUGyO.dvMkRllBVggUGyO |
| unknown |
eth0.me |
| suspicious |