File name:

pseint-w32-20181009.exe

Full analysis: https://app.any.run/tasks/f9a30760-a5ad-4533-82ee-0849091be3d0
Verdict: Malicious activity
Analysis date: October 09, 2018, 18:48:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

64103520D01FF168717E458B0ABAE53B

SHA1:

7EFEC0D69CB7EB354BBF9E0596F786D83DEBEB7B

SHA256:

EFDFB92D4BC05FF2652F5AEA5DC4B4A577B2651173AE2B6AE48916F5A959CDCD

SSDEEP:

196608:MMpOn9r9sGoRaZeENz6IHU498QXIZVjtr0dJAzv/HSnx:b6V9xcQh0498Oojzv/ynx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • pseint-w32-20181009.exe (PID: 3748)

    • Application was dropped or rewritten from another process

      • wxPSeInt.exe (PID: 1496)

  • SUSPICIOUS

    • Creates a software uninstall entry

      • pseint-w32-20181009.exe (PID: 3748)

    • Executable content was dropped or overwritten

      • pseint-w32-20181009.exe (PID: 3748)

    • Creates files in the program directory

      • pseint-w32-20181009.exe (PID: 3748)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:08:01 02:33:49+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 118784
UninitializedDataSize: 1024
EntryPoint: 0x31bb
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Aug-2017 00:33:49
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 01-Aug-2017 00:33:49
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005ED2
0x00006000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.44218
.rdata
0x00007000
0x00001248
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.00765
.data
0x00009000
0x0001A818
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.13586
.ndata
0x00024000
0x00009000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0002D000
0x00004348
0x00004400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.95234

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.2901
1072
UNKNOWN
English - United States
RT_MANIFEST
2
5.9993
3752
UNKNOWN
English - United States
RT_ICON
3
6.24459
2216
UNKNOWN
English - United States
RT_ICON
4
5.01502
1384
UNKNOWN
English - United States
RT_ICON
5
6.16057
1128
UNKNOWN
English - United States
RT_ICON
6
3.34146
744
UNKNOWN
English - United States
RT_ICON
7
3.04232
296
UNKNOWN
English - United States
RT_ICON
102
2.71813
180
UNKNOWN
English - United States
RT_DIALOG
103
2.6691
104
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.73893
514
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start pseint-w32-20181009.exe wxpseint.exe no specs pseint-w32-20181009.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1496"C:\Program Files\PSeInt\wxPSeInt.exe"C:\Program Files\PSeInt\wxPSeInt.exepseint-w32-20181009.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\pseint\wxpseint.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
3464"C:\Users\admin\AppData\Local\Temp\pseint-w32-20181009.exe" C:\Users\admin\AppData\Local\Temp\pseint-w32-20181009.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\pseint-w32-20181009.exe
c:\systemroot\system32\ntdll.dll
3748"C:\Users\admin\AppData\Local\Temp\pseint-w32-20181009.exe" C:\Users\admin\AppData\Local\Temp\pseint-w32-20181009.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\pseint-w32-20181009.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
347
Read events
344
Write events
3
Delete events
0

Modification events

(PID) Process:(3748) pseint-w32-20181009.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSeInt
Operation:writeName:DisplayName
Value:
PSeInt
(PID) Process:(3748) pseint-w32-20181009.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PSeInt
Operation:writeName:UninstallString
Value:
C:\Program Files\PSeInt\uninstall.exe
(PID) Process:(3748) pseint-w32-20181009.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PSeInt
Operation:writeName:
Value:
C:\Program Files\PSeInt\wxPSeInt.exe
Executable files
10
Suspicious files
1
Text files
970
Unknown types
2

Dropped files

PID
Process
Filename
Type
3748pseint-w32-20181009.exeC:\Users\admin\AppData\Local\Temp\nsf24A0.tmp\ioSpecial.initext
MD5:
SHA256:
3748pseint-w32-20181009.exeC:\Program Files\PSeInt\psexport.exeexecutable
MD5:996EF5477988CBDF62409A33BA9B6AF1
SHA256:C5944E9831AAF2199DBE85B62EB86FC248FCDC99BF8315653D5853708F122C09
3748pseint-w32-20181009.exeC:\Program Files\PSeInt\updatem.exeexecutable
MD5:DC45F9373596518191B552FB414D5695
SHA256:D7B15FB164E12F2B7AF113EA1A5FBD9030D47AEA3E2B749CE22FD72550330BDC
3748pseint-w32-20181009.exeC:\Users\admin\AppData\Local\Temp\nsf24A0.tmp\modern-wizard.bmpimage
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
3748pseint-w32-20181009.exeC:\Program Files\PSeInt\linux.txttext
MD5:926536359F96826D2F977E8DC4D78FF9
SHA256:7B82B99E84807A1367739F6C64E99C1F265045E404F6721B862A027E5A2D6683
3748pseint-w32-20181009.exeC:\Program Files\PSeInt\psdraw3.exeexecutable
MD5:9B95A1E07B97A6446827D5D60BE2C220
SHA256:5CD95C6C386A459B7948CB7D6D374F3762C14C5B2EB4EC1CB9DD220A35664BA8
3748pseint-w32-20181009.exeC:\Users\admin\AppData\Local\Temp\nsf24A0.tmp\InstallOptions.dllexecutable
MD5:20F3184EFE7EDDDFEF3325EFC25D12A5
SHA256:0E014352B64ABC431D97460D79757CBAFBF6BA997C08B608C294E1F582AF269A
3748pseint-w32-20181009.exeC:\Program Files\PSeInt\psterm.exeexecutable
MD5:6B6EEF342FB3137DA0AF7369DB34EC43
SHA256:38B49B72E1AE07222063E2B2FB223373B80F67ED71C42D25B4ED2C0B68AF1EE3
3748pseint-w32-20181009.exeC:\Program Files\PSeInt\windows.txttext
MD5:0B84B268336BCA1544857EB3B7AC23E3
SHA256:63632EE2F5BE6DFD21550E798C086C93109E3D08F6A4557C2317AF860B1FC599
3748pseint-w32-20181009.exeC:\Program Files\PSeInt\creator.pszcompressed
MD5:41CE8A10D8450E2B94E2613C79E4DAA2
SHA256:3BCD470B160B6ABE898CC8EADE597DF58A97A3E2270C3BD5ACDDB2FA6204A378
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
pseint-w32-20181009.exe