File name: | DCSB_4.0.0.9.exe |
Full analysis: | https://app.any.run/tasks/71572480-646d-426b-8b2b-c5235b48022b |
Verdict: | Malicious activity |
Analysis date: | January 11, 2025, 00:06:15 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
MD5: | 08249B3F3D1623717D28E072094CCAD9 |
SHA1: | 58E0E645E96B2D7D7F2B5F78DFE51DAF035510CC |
SHA256: | D39DB773D0D16D73E170E4F7A0C5FE2EBE4C93AB605A36F52FF3FB2D0F4B7104 |
SSDEEP: | 24576:YyuyCQHKa7Qo2OY470pg04SlZz+Uic8/g3WwpqpCdCTGuZhK2OLDdg:1jCWKa7Qo2OY470pg04SlZz+Uic8/g3g |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | 6 |
OSVersion: | 4 |
EntryPoint: | 0x326b |
UninitializedDataSize: | 1024 |
InitializedDataSize: | 162816 |
CodeSize: | 25600 |
LinkerVersion: | 6 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
TimeStamp: | 2019:12:16 00:50:56+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
5432 | "C:\Users\admin\AppData\Local\Temp\DCSB_4.0.0.9.exe" | C:\Users\admin\AppData\Local\Temp\DCSB_4.0.0.9.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
6428 | "C:\Users\admin\AppData\Local\Temp\DCSB_4.0.0.9.exe" | C:\Users\admin\AppData\Local\Temp\DCSB_4.0.0.9.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
6984 | "C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.exe" | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.exe | DCSB_4.0.0.9.exe | ||||||||||||
User: admin Company: Kalejin Integrity Level: HIGH Description: DCSB Exit code: 0 Version: 4.0.0.9 Modules
| |||||||||||||||
6452 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 123.0 Modules
| |||||||||||||||
1224 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
520 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1900 -parentBuildID 20240213221259 -prefsHandle 1840 -prefMapHandle 1836 -prefsLen 31031 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {507ece9b-9e4b-43b6-8d63-36cb21f3e3b5} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 22a516eab10 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
3144 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2060 -parentBuildID 20240213221259 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 31031 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {514ea78b-5fc5-4e3f-b4e9-97672c3b3391} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 22a44680710 socket | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
4388 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2784 -childID 1 -isForBrowser -prefsHandle 2720 -prefMapHandle 2800 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1540 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50ad8594-476f-4e27-9283-b0851ce9cdaf} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 22a5623af50 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
6704 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -childID 2 -isForBrowser -prefsHandle 4324 -prefMapHandle 4320 -prefsLen 36588 -prefMapSize 244583 -jsInitHandle 1540 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6b44dbe-e79f-402b-80e6-5c28a72036b2} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 22a586d44d0 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
| |||||||||||||||
7116 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2656 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 2652 -prefMapHandle 2236 -prefsLen 37989 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9964dc93-9932-4e86-bb7a-d8f4da95fd05} 1224 "\\.\pipe\gecko-crash-server-pipe.1224" 22a599c8910 utility | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 123.0 Modules
|
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | DisplayName |
Value: Deathcounter and Soundboard | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | UninstallString |
Value: "C:\Program Files (x86)\Deathcounter and Soundboard\uninstall.exe" | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | QuietUninstallString |
Value: "C:\Program Files (x86)\Deathcounter and Soundboard\uninstall.exe" /S | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | Publisher |
Value: Kalejin | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | DisplayVersion |
Value: 4.0.0.9 | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.exe | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DCSB |
Operation: | write | Name: | EstimatedSize |
Value: 1697 | |||
(PID) Process: | (6428) DCSB_4.0.0.9.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\DCSB |
Operation: | write | Name: | InstallLocation |
Value: "C:\Program Files (x86)\Deathcounter and Soundboard" | |||
(PID) Process: | (6984) DCSB.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DCSB_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (6984) DCSB.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\DCSB_RASAPI32 |
Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
6428 | DCSB_4.0.0.9.exe | C:\Users\admin\AppData\Local\Temp\nsf56FE.tmp\modern-wizard.bmp | image | |
MD5:CBE40FD2B1EC96DAEDC65DA172D90022 | SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2 | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.Models.dll | executable | |
MD5:4789A95AE263346E177D290CABECDFED | SHA256:2F932429A33881C4BCF201E5708871434E8378B8405F870683A079E53390342D | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.Controls.dll | executable | |
MD5:AB7A0F7402D2158D2346AE67DE463165 | SHA256:845438603F97F53A5B70486BA5EB1C26BEDD644F18FD663FB6FF072A8EABB7F5 | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\GalaSoft.MvvmLight.dll | executable | |
MD5:AF04687248DA9E95A7FF65AB538D0BCF | SHA256:B097FCA120A9E76FA870D82662BDD233ADBF08FC34A3C509F31CC5CED0AC1ECF | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\GalaSoft.MvvmLight.Extras.dll | executable | |
MD5:810E42E2BBFB536BDC01ABF882A24938 | SHA256:CB4D844434A8FFBD33531470E094524BE27B88CA42B2C2197492BBE8246EA1BB | |||
6428 | DCSB_4.0.0.9.exe | C:\Users\admin\AppData\Local\Temp\nsf56FE.tmp\InstallOptions.dll | executable | |
MD5:5D425526856CBDB7B14C75DF417B6EF3 | SHA256:AAACC7EF5CB2BAF2338AC8E8479227E0A6336A6509119543680EFA1DCDBAE6A6 | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.Business.dll | executable | |
MD5:E2B07011A7086D487A8839BB324422F2 | SHA256:E823A85AE706240167A75BDAE6D025B388FAD7E1F835CFDB330F01CDDAB058CE | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.Converters.dll | executable | |
MD5:2D293FF6036F5D766598AA9E9C8527A5 | SHA256:251B07D2FE46F625352F2298DF57642E859468AC635B420CA42F68C509D50745 | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\DCSB.Views.dll | executable | |
MD5:707F63E8A4BC8736B0C19418726F61BD | SHA256:F2C43F2ACB1CAE618BE2D18514CEA190B309098C2A10DA4FB1F8F0BC6EFE4287 | |||
6428 | DCSB_4.0.0.9.exe | C:\Program Files (x86)\Deathcounter and Soundboard\uninstall.exe | executable | |
MD5:90900A4C8850CB765C00D1A8B0BA4CE2 | SHA256:BB65474C574300F34E8B505CA8EAFC7C1A3EA92CC2C6175686EE7A3F637ED45C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | 200 | 142.250.185.67:80 | http://o.pki.goog/s/wr3/jLM | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r10.o.lencr.org/ | unknown | — | — | whitelisted |
1224 | firefox.exe | POST | 200 | 184.24.77.48:80 | http://r11.o.lencr.org/ | unknown | — | — | whitelisted |
1224 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5064 | SearchApp.exe | 92.123.104.31:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
— | — | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1176 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1076 | svchost.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
api.github.com |
| whitelisted |
detectportal.firefox.com |
| whitelisted |