File name: | Keygen.exe |
Full analysis: | https://app.any.run/tasks/f19d67b8-cf2b-4949-bd64-0b58d7bad8e7 |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 04:00:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 3025F76F21EB7F7D162F6EF41D76E5F4 |
SHA1: | 63AC89B44C2B79124A92160F0AE219F358E55117 |
SHA256: | ECD1258621BC2A3BBA4F47FD7BB31F62F98F77C6973218574E0D34EB38987C3A |
SSDEEP: | 3072:fpTeTHV14yehiPGjM/KfrXriuE7rQbP4uru0Pu0kyL:f6V1ZehiByDXriV7rOzru0Pu0H |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (45.1) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (19.2) |
.exe | | | Win64 Executable (generic) (17) |
.scr | | | Windows screen saver (8) |
.dll | | | Win32 Dynamic Link Library (generic) (4) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2077-Feb-13 18:32:04 |
Debug artifacts: |
|
Comments: | Keygen for MobaXterm Software |
CompanyName: | DeFconX |
FileDescription: | MobaXterm_Keygen |
FileVersion: | 1.5.0.0 |
InternalName: | MobaXterm_Keygen.exe |
LegalCopyright: | Copyright © 2019 |
LegalTrademarks: | DeltaFoX |
OriginalFilename: | MobaXterm_Keygen.exe |
ProductName: | MobaXterm_Keygen |
ProductVersion: | 1.5.0.0 |
Assembly Version: | 1.5.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 4 |
TimeDateStamp: | 2077-Feb-13 18:32:04 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 134548 | 134656 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.33685 |
.sdata | 147456 | 354 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.99749 |
.rsrc | 155648 | 39408 | 39424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.93202 |
.reloc | 196608 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.19256 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
2 | 3.27987 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 3.60944 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 3.77446 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 4.01242 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 2.79808 | 76 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
1 (#2) | 3.35641 | 944 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#3) | 4.988 | 3481 | UNKNOWN | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2968 | "C:\Users\admin\Desktop\Keygen.exe" | C:\Users\admin\Desktop\Keygen.exe | — | Explorer.EXE | |||||||||||
User: admin Company: DeFconX Integrity Level: MEDIUM Description: MobaXterm_Keygen Exit code: 3221226540 Version: 1.5.0.0 Modules
| |||||||||||||||
3556 | "C:\Users\admin\Desktop\Keygen.exe" | C:\Users\admin\Desktop\Keygen.exe | Explorer.EXE | ||||||||||||
User: admin Company: DeFconX Integrity Level: HIGH Description: MobaXterm_Keygen Exit code: 0 Version: 1.5.0.0 Modules
| |||||||||||||||
2208 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | Explorer.EXE | ||||||||||||
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Version: 1748 Modules
|
(PID) Process: | (3556) Keygen.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU |
Operation: | write | Name: | 4 |
Value: 4B0065007900670065006E002E006500780065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000 | |||
(PID) Process: | (3556) Keygen.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
Operation: | write | Name: | NodeSlots |
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
(PID) Process: | (3556) Keygen.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
Operation: | write | Name: | MRUListEx |
Value: 02000000010000000D0000000C000000000000000B00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF | |||
(PID) Process: | (3556) Keygen.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
Operation: | write | Name: | TV_FolderType |
Value: {FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | |||
(PID) Process: | (3556) Keygen.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
Operation: | write | Name: | TV_TopViewID |
Value: {82BA0782-5B7A-4569-B5D7-EC83085F08CC} | |||
(PID) Process: | (3556) Keygen.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
Operation: | write | Name: | TV_TopViewVersion |
Value: 0 | |||
(PID) Process: | (3556) Keygen.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3556) Keygen.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} |
Operation: | write | Name: | Mode |
Value: 4 | |||
(PID) Process: | (3556) Keygen.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} |
Operation: | write | Name: | LogicalViewMode |
Value: 1 | |||
(PID) Process: | (3556) Keygen.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} |
Operation: | write | Name: | FFlags |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
3556 | Keygen.exe | C:\Users\admin\Desktop\Custom.mxtpro | compressed | |
MD5:DD6D2CA41A441D11027F91451A856A15 | SHA256:D69FF09E584C3327AEA7BA4562E3A97E1DFD4B8BE0B02E1FB72208C1CE82B2C1 | |||
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | |
MD5:08F05F620F9F4049A97610363C6C2DCC | SHA256:868C842FC50C0F0671BCEDE3FC8B977F351A2563816ACB4C26650F6C5EB4FA1B | |||
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | |
MD5:34A47B3F0E13921F4185399BAE9F953A | SHA256:476247F358B2AECB238A84695FDFA5CD8415B36C7590A7381E18DFDFC57487C0 | |||
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms | binary | |
MD5:3F7590FD56AC999E0289444034C9CC80 | SHA256:632F80B7AD1F589FE608EF8546E3E7D1B0501A9EC3E38C0140EA1C10ED3E602B | |||
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr25C3.tmp | text | |
MD5:4A64448A88EBCD1FB7871D2794F5769C | SHA256:14F6D535FAB38EE25D2AE94690902A26E5202474EA5B73248808FAFD4ED42884 | |||
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr2613.tmp | xml | |
MD5:08F05F620F9F4049A97610363C6C2DCC | SHA256:868C842FC50C0F0671BCEDE3FC8B977F351A2563816ACB4C26650F6C5EB4FA1B | |||
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MCSSJG7K0A7ZCY8VFOPJ.temp | binary | |
MD5:3F7590FD56AC999E0289444034C9CC80 | SHA256:632F80B7AD1F589FE608EF8546E3E7D1B0501A9EC3E38C0140EA1C10ED3E602B | |||
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | |
MD5:4A64448A88EBCD1FB7871D2794F5769C | SHA256:14F6D535FAB38EE25D2AE94690902A26E5202474EA5B73248808FAFD4ED42884 | |||
2208 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat | binary | |
MD5:1AA8644C9261DC10F7247F6A145C1DD2 | SHA256:58A8933F65361633C6AB194000D312DC9D566F717B1A16814A0DBEE24A60EBE3 | |||
2208 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\icons\www.google.com.idx | text | |
MD5:4F4CA76D4EBCCC01C2AAE012ECB922DA | SHA256:A91C9BD9D991AD4C0CC89AAAAE56597A0D915B05FF117829895D300A50FC1A61 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2208 | opera.exe | GET | 302 | 142.250.186.163:80 | http://www.google.com.ua/search?q=anonfile+upload&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest | US | html | 411 b | whitelisted |
2208 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 592 b | whitelisted |
2208 | opera.exe | GET | 302 | 142.250.186.163:80 | http://www.google.com.ua/search?q=anonfile+upload&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest&google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D1250dd52f2868f87:TM%3D1664942482:C%3Dr:IP%3D185.192.70.91-:S%3D44ex6HXd9eiUC3QrMEvuXP0%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DWed,+05-Oct-2022+07:01:22+GMT | US | html | 311 b | whitelisted |
2208 | opera.exe | GET | 429 | 172.217.16.132:80 | http://www.google.com/sorry/index?continue=http://www.google.com.ua/search%3Fq%3Danonfile%2Bupload%26sourceid%3Dopera%26ie%3Dutf-8%26oe%3Dutf-8%26channel%3Dsuggest&q=EgS5wEZbGIOD9JkGIhABPT9Xmbiqkq_LB-NLhRdMMgFy | US | html | 3.15 Kb | whitelisted |
2208 | opera.exe | GET | 200 | 142.250.186.110:80 | http://clients1.google.com/complete/search?q=anonfil&client=opera-suggest-omnibox&hl=de | US | text | 153 b | whitelisted |
2208 | opera.exe | GET | 200 | 142.250.186.110:80 | http://clients1.google.com/complete/search?q=anonfile+up&client=opera-suggest-omnibox&hl=de | US | text | 83 b | whitelisted |
2208 | opera.exe | GET | 302 | 142.250.186.163:80 | http://www.google.com.ua/search?q=anonfile+upload&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest | US | html | 327 b | whitelisted |
2208 | opera.exe | GET | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCpbPuMmAsCyAoOaOAsy8qO | US | der | 472 b | whitelisted |
2208 | opera.exe | GET | 200 | 142.250.186.110:80 | http://clients1.google.com/complete/search?q=anonfile&client=opera-suggest-omnibox&hl=de | US | text | 152 b | whitelisted |
2208 | opera.exe | GET | 200 | 142.250.185.131:80 | http://crl.pki.goog/gtsr1/gtsr1.crl | US | der | 760 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2208 | opera.exe | 142.250.186.110:80 | clients1.google.com | GOOGLE | US | whitelisted |
2208 | opera.exe | 185.26.182.93:80 | certs.opera.com | Opera Software AS | — | whitelisted |
2208 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | — | whitelisted |
2208 | opera.exe | 93.184.220.29:80 | crl3.digicert.com | EDGECAST | GB | whitelisted |
2208 | opera.exe | 172.217.16.132:443 | www.google.com | GOOGLE | US | whitelisted |
2208 | opera.exe | 142.250.186.163:80 | www.google.com.ua | GOOGLE | US | whitelisted |
2208 | opera.exe | 172.217.16.132:80 | www.google.com | GOOGLE | US | whitelisted |
2208 | opera.exe | 142.250.74.195:443 | www.gstatic.com | GOOGLE | US | whitelisted |
2208 | opera.exe | 142.250.185.131:80 | ocsp.pki.goog | GOOGLE | US | whitelisted |
2208 | opera.exe | 172.217.16.195:443 | fonts.gstatic.com | GOOGLE | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
certs.opera.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |
clients1.google.com |
| whitelisted |
www.google.com.ua |
| whitelisted |
sitecheck2.opera.com |
| whitelisted |
www.google.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
crl.pki.goog |
| whitelisted |
www.gstatic.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .to TLD |
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
— | — | Potentially Bad Traffic | ET INFO Commonly Abused File Sharing Domain in DNS Lookup (filetransfer .io) |
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2208 | opera.exe | Potentially Bad Traffic | ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI) |
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2208 | opera.exe | Potentially Bad Traffic | ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI) |
2208 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |