File name: | DCSB_4.0.0.9.exe |
Full analysis: | https://app.any.run/tasks/71572480-646d-426b-8b2b-c5235b48022b |
Verdict: | Malicious activity |
Analysis date: | January 11, 2025, 00:06:15 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
MD5: | 08249B3F3D1623717D28E072094CCAD9 |
SHA1: | 58E0E645E96B2D7D7F2B5F78DFE51DAF035510CC |
SHA256: | D39DB773D0D16D73E170E4F7A0C5FE2EBE4C93AB605A36F52FF3FB2D0F4B7104 |
SSDEEP: | 24576:YyuyCQHKa7Qo2OY470pg04SlZz+Uic8/g3WwpqpCdCTGuZhK2OLDdg:1jCWKa7Qo2OY470pg04SlZz+Uic8/g3g |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:12:16 00:50:56+00:00 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 25600 |
InitializedDataSize: | 162816 |
UninitializedDataSize: | 1024 |
EntryPoint: | 0x326b |
OSVersion: | 4 |
ImageVersion: | 6 |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
5432 | "C:\Users\admin\AppData\Local\Temp\DCSB_4.0.0.9.exe" | C:\Users\admin\AppData\Local\Temp\DCSB_4.0.0.9.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
6428 | "C:\Users\admin\AppData\Local\Temp\DCSB_4.0.0.9.exe" | C:\Users\admin\AppData\Local\Temp\DCSB_4.0.0.9.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
6984 | "C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.exe" | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.exe | DCSB_4.0.0.9.exe | ||||||||||||
User: admin Company: Kalejin Integrity Level: HIGH Description: DCSB Exit code: 0 Version: 4.0.0.9 Modules
| |||||||||||||||
6452 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 123.0 Modules
| |||||||||||||||
1224 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
520 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1900 -parentBuildID 20240213221259 -prefsHandle 1840 -prefMapHandle 1836 -prefsLen 31031 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {507ece9b-9e4b-43b6-8d63-36cb21f3e3b5} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 22a516eab10 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
3144 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2060 -parentBuildID 20240213221259 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 31031 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {514ea78b-5fc5-4e3f-b4e9-97672c3b3391} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 22a44680710 socket | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
4388 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2784 -childID 1 -isForBrowser -prefsHandle 2720 -prefMapHandle 2800 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1540 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50ad8594-476f-4e27-9283-b0851ce9cdaf} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 22a5623af50 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
6704 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -childID 2 -isForBrowser -prefsHandle 4324 -prefMapHandle 4320 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1540 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6b44dbe-e79f-402b-80e6-5c28a72036b2} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 22a586d44d0 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
7116 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2656 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 2652 -prefMapHandle 2236 -prefsLen 37989 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9964dc93-9932-4e86-bb7a-d8f4da95fd05} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 22a599c8910 utility | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
|
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | DisplayName |
Value: Deathcounter and Soundboard | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | UninstallString |
Value: "C:\Program Files (x86)\Deathcounter and Soundboard\uninstall.exe" | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | QuietUninstallString |
Value: "C:\Program Files (x86)\Deathcounter and Soundboard\uninstall.exe" /S | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | Publisher |
Value: Kalejin | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | DisplayVersion |
Value: 4.0.0.9 | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.exe | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | EstimatedSize |
Value: 1697 | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DCSB |
Operation: | write | Name: | InstallLocation |
Value: "C:\Program Files (x86)\Deathcounter and Soundboard" | |||
(PID) Process: | (6984) DCSB.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DCSB_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (6984) DCSB.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DCSB_RASAPI32 |
Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
6428 | DCSB_4.0.0.9.exe | C:\Users\admin\AppData\Local\Temp\nsf56FE.tmp\InstallOptions.dll | executable | |
MD5:5D425526856CBDB7B14C75DF417B6EF3 | SHA256:AAACC7EF5CB2BAF2338AC8E8479227E0A6336A6509119543680EFA1DCDBAE6A6 | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.Utils.dll | executable | |
MD5:AFC7148A94B0ADDFF7258579CCBC4268 | SHA256:F8EAD606BACB4FBF4C777A09CF50275210020EE4102A6E1C191521474A2E09C0 | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.SoundPlayer.dll | executable | |
MD5:5C624D955270CF4C6BF8A7E376065271 | SHA256:E2F8766931F4C81B59B79990720ED11C52B42AFBB19DB9DD4A957AD33D84DFCC | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.ViewModels.dll | executable | |
MD5:8E1062C7174BF620B011976C24F1C6E3 | SHA256:9420C5964D1C20EBAA603A9A1658AC11F007D5B741B1AF98AE7010C3C5687393 | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.Models.dll | executable | |
MD5:4789A95AE263346E177D290CABECDFED | SHA256:2F932429A33881C4BCF201E5708871434E8378B8405F870683A079E53390342D | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\uninstall.exe | executable | |
MD5:90900A4C8850CB765C00D1A8B0BA4CE2 | SHA256:BB65474C574300F34E8B505CA8EAFC7C1A3EA92CC2C6175686EE7A3F637ED45C | |||
6428 | DCSB_4.0.0.9.exe | C:\Users\admin\AppData\Local\Temp\nsf56FE.tmp\modern-wizard.bmp | image | |
MD5:CBE40FD2B1EC96DAEDC65DA172D90022 | SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2 | |||
6428 | DCSB_4.0.0.9.exe | C:\Users\admin\AppData\Local\Temp\nsf56FE.tmp\ioSpecial.ini | text | |
MD5:E2D5070BC28DB1AC745613689FF86067 | SHA256:D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0 | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.Input.dll | executable | |
MD5:FD056420A06D194EEF19BBFC5E611F6C | SHA256:76F66B5ADCCFBBA9C810234331B3FBC08460CBF38FC2B4B357C1E1B342410ADA | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.Icons.dll | executable | |
MD5:6310704D43D121C3ACBD5281F4716BE0 | SHA256:445337C0768DF9D2EB5408EEDEC739C66E67CFFA261775F4478CFFABEA832D35 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1224 | firefox.exe | POST | 200 | 142.250.185.67:80 | http://o.pki.goog/wr2 | unknown | — | — | whitelisted |
1224 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | — | — | whitelisted |
1224 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r11.o.lencr.org/ | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | — | 142.250.185.67:80 | http://o.pki.goog/wr2 | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r11.o.lencr.org/ | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5064 | SearchApp.exe | 92.123.104.31:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
— | — | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1176 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1076 | svchost.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
api.github.com |
| whitelisted |
detectportal.firefox.com |
| whitelisted |