5E8ADB405F274A829938A0A9AA11468310E4E21D2E305B38E9BF463C9D8C25EC
This report is generated from a file or URL submitted to this webservice on May 28th 2019 13:23:15 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Fingerprint: Queries kernel debugger information; Queries sensitive IE security settings; Queries the internet cache settings (often used to hide footprints in index.dat or internet cache); Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
Indicators
Malicious Indicators (2)

External Systems
- Sample was identified as malicious by at least one Antivirus engine
  - details: 3/72 Antivirus vendors marked sample as malicious (4% detection rate)
  - source: External System
  - relevance: 8/10

Unusual Characteristics
- Checks for a resource fork (ADS) file
  - details: "<Input Sample>.exe" checked file "C:"
  - source: API Call
  - relevance: 5/10

Suspicious Indicators (23)

Anti-Detection/Stealthiness
- Queries kernel debugger information
  - details: "<Input Sample>.exe" at 00027480-00001076-00000105-7516255669
  - source: API Call
  - relevance: 6/10
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  - details: "<Input Sample>.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
  - source: Registry Access
  - relevance: 3/10
  - ATT&CK ID: T1012

Environment Awareness
- Reads the active computer name
  - details: "<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
  - ATT&CK ID: T1012
- Reads the cryptographic machine GUID
  - details: "<Input Sample>.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012

General
- Contains ability to find and load resources of a specific module
  - details: FindResourceA@KERNEL32.DLL from 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Reads configuration files
  - details: "<Input Sample>.exe" read file "%WINDIR%\win.ini"
  - source: API Call
  - relevance: 4/10

Installation/Persistence
- Drops executable files
  - details:
    "CCDOS.EXE" has type "MS-DOS executable LE executable for MS Windows (VxD)"
    "SETUP.EXE" has type "MS-DOS executable MZ for MS-DOS"
    "QUIT.EXE" has type "MS-DOS executable MZ for MS-DOS"
    "FOXGB.EXE" has type "DOS executable (COM)"
    "Py.com" has type "COM executable for DOS"
    "CIZU.EXE" has type "MS-DOS executable MZ for MS-DOS"
    "PY.COM" has type "MS-DOS executable MZ for MS-DOS diet compressed"
    "CCEDCC.EXE" has type "MS-DOS executable MZ for MS-DOS WWPACK compressed"
    "wb.com" has type "MS-DOS executable MZ for MS-DOS diet compressed"
    "GB5.EXE" has type "MS-DOS executable MZ for MS-DOS"
    "STRIP.EXE" has type "MS-DOS executable MZ for MS-DOS"
    "GBALL!.EXE" has type "MS-DOS executable MZ for MS-DOS"
    "IMDMNG.EXE" has type "MS-DOS executable MZ for MS-DOS Self-extracting PKZIP archive"
    "GB5W.EXE" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    "DBFEditor.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    "README.COM" has type "COM executable for DOS"
    "pbdy.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    "NB2007.EXE" has type "MS-DOS executable MZ for MS-DOS"
    "TW.EXE" has type "MS-DOS executable MZ for MS-DOS Self-extracting PKZIP archive"
    "UCCDOS97.EXE" has type "MS-DOS executable MZ for MS-DOS WWPACK compressed"
  - source: Binary File
  - relevance: 10/10

Network Related
- Found potential IP address in binary/memory
  - details: Heuristic match: ".............. .#./.1.3.4.5.7.9.;.<.>.@.A.B.D.E.H.R.T.V.W.X.Z.\.^._.a.c.d.e.g.h.k.u.w.y.z.{.}......................................................................//////"
  - source: File/Memory
  - relevance: 3/10

Remote Access Related
- Reads terminal service related keys (often RDP related)
  - details: "<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1076

System Destruction
- Marks file for deletion
  - details: "C:\5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe" marked "C:\__tmp_rar_sfx_access_check_4121890" for deletion
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1107
- Opens file with deletion access rights
  - details: "<Input Sample>.exe" opened "C:\__tmp_rar_sfx_access_check_4121890" with delete access
  - source: API Call
  - relevance: 7/10

System Security
- Modifies proxy settings
  - details:
    "<Input Sample>.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
    "<Input Sample>.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
    "<Input Sample>.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
    "<Input Sample>.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    "<Input Sample>.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1112
- Queries sensitive IE security settings
  - details: "<Input Sample>.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - source: Registry Access
  - relevance: 8/10
  - ATT&CK ID: T1012

Unusual Characteristics
- CRC value set in PE header does not match actual value
  - details: "GB5W.EXE" claimed CRC 88022 while the actual is CRC 4603885
  - source: Static Parser
  - relevance: 10/10
- Imports suspicious APIs
  - details: RegCloseKey, OpenProcessToken, RegCreateKeyExA, RegOpenKeyExA, GetFileAttributesA, LoadLibraryA, FindNextFileA, GetVersionExA, GetFileAttributesW, GetModuleFileNameA, CreateDirectoryA, DeleteFileA, CreateDirectoryW, GetCommandLineA, GetProcAddress, GetTempPathA, GetModuleHandleA, FindNextFileW, WriteFile, FindFirstFileA, DeleteFileW, FindFirstFileW, CreateFileW, Sleep, CreateFileA, GetTickCount, FindResourceA, ShellExecuteExA, FindWindowExA, UnhandledExceptionFilter, CreateThread, GetStartupInfoA, ExitThread, TerminateProcess, VirtualAlloc, ShellExecuteA, FindWindowA, GetDriveTypeA, LoadLibraryExA, LockResource, GetFileSize, GetCursorPos, SetKeyboardState, GetLastActivePopup, SetWindowsHookExA, GetWindowThreadProcessId, RegOpenKeyA
  - source: Static Parser
  - relevance: 1/10
- Installs hooks/patches the running process
  - details:
    "<Input Sample>.exe" wrote bytes "75dc9a75273e9a7551c19875ee9c9875949898750fb39e7510999875909798750000000042c6aa76152eaa76c0d9aa761bf7aa76c108ac76e0c2aa7636daaa7630c6aa76d5d9aa7686c4aa7600000000" to virtual address "0x7005E000" (part of module "MSLS31.DLL")
    "<Input Sample>.exe" wrote bytes "c04e3c7720543d77e0653d77b5383e770000000000d0aa7600000000c5eaaa760000000088eaaa7600000000e968447582283e77ee293e7700000000d2694475000000007dbbaa760000000009be447500000000ba18aa7600000000" to virtual address "0x75C91000" (part of module "NSI.DLL")
    "<Input Sample>.exe" wrote bytes "e7393a77e1a63e772e713e77ee293e7785e239776da03e7790643d773ad5447726e43977d16d3e77003d3c77804b3c7700000000ad37be768b2dbe76b641be7600000000" to virtual address "0x74CE1000" (part of module "WSHIP6.DLL")
  - source: Hook Detection
  - relevance: 10/10
  - ATT&CK ID: T1179
- Reads information about supported languages
  - details: "<Input Sample>.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10
  - ATT&CK ID: T1012
- Timestamp in PE header is very old or in the future
  - details: "GB5W.EXE" claims program is from Wed Jun 30 18:57:31 1999
  - source: Static Parser
  - relevance: 10/10

Hiding 5 Suspicious Indicators (available only in the private webservice or standalone version)

Informative (19)

Anti-Reverse Engineering
- PE file contains zero-size sections
  - details: Raw size of "BSS" is zero; Raw size of ".tls" is zero
  - source: Static Parser
  - relevance: 10/10

Environment Awareness
- Contains ability to query the machine version
  - details: GetVersionExA@KERNEL32.DLL from 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076), observed twice
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Makes a code branch decision directly after an API that is environment aware
  - details:
    Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp dword ptr [004155A0h], 02h" and "jne 004057A8h" from 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
    Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-000000A4h], 01h" and "jne 00404A46h" from 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- Possibly tries to detect the presence of a debugger
  - details: GetProcessHeap@KERNEL32.DLL from 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076), observed three times
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Queries volume information
  - details:
    "<Input Sample>.exe" queries volume information of "%WINDIR%\Fonts\arial.ttf" at 00027480-00001076-0000010C-9446164614
    "<Input Sample>.exe" queries volume information of "%WINDIR%\Fonts\arial.ttf" at 00027480-00001076-0000010C-9538707276
  - source: API Call
  - relevance: 2/10
  - ATT&CK ID: T1120
- Reads the registry for installed applications
  - details:
    "<Input Sample>.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE")
    "<Input Sample>.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE"; Key: "PATH"; Value: "00000000010000005800000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C000000")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012

General
- Creates mutants
  - details:
    "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
    "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
    "\Sessions\1\BaseNamedObjects\!IECompat!Mutex"
    "!IECompat!Mutex"
    "Local\ZonesCacheCounterMutex"
    "Local\ZonesLockedCacheCounterMutex"
  - source: Created Mutant
  - relevance: 3/10
- Drops files marked as clean
  - details: Antivirus vendors marked the following dropped files as clean:
    "CCDOS.EXE" (type is "MS-DOS executable LE executable for MS Windows (VxD)")
    "SETUP.EXE" (type is "MS-DOS executable MZ for MS-DOS")
    "FOXGB.EXE" (type is "DOS executable (COM)")
    "CIZU.EXE" (type is "MS-DOS executable MZ for MS-DOS")
    "LIMD.COM" (type is "data")
    "PY.COM" (type is "MS-DOS executable MZ for MS-DOS diet compressed")
    "CS.COM" (type is "data")
    "wb.com" (type is "MS-DOS executable MZ for MS-DOS diet compressed")
    "GB5.EXE" (type is "MS-DOS executable MZ for MS-DOS")
    "STRIP.EXE" (type is "MS-DOS executable MZ for MS-DOS")
    "IMDMNG.EXE" (type is "MS-DOS executable MZ for MS-DOS Self-extracting PKZIP archive")
    "GB5W.EXE" (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
    "pbdy.exe" (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
    "TW.EXE" (type is "MS-DOS executable MZ for MS-DOS Self-extracting PKZIP archive")
    "Ed.exe" (type is "MS-DOS executable MZ for MS-DOS Self-extracting PKZIP archive")
  - source: Binary File
  - relevance: 10/10
- Loads rich edit control libraries
  - details:
    "<Input Sample>.exe" loaded module "%WINDIR%\System32\riched32.dll" at 729E0000
    "<Input Sample>.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6E650000
  - source: Loaded Module
  - ATT&CK ID: T1179
- Overview of unique CLSIDs touched in registry
  - details:
    "<Input Sample>.exe" touched "Microsoft Web Browser" (Path: "HKCU\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}")
    "<Input Sample>.exe" touched "Microsoft HTML About Pluggable Protocol" (Path: "HKCU\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\TREATAS")
    "<Input Sample>.exe" touched "HTML Document" (Path: "HKCU\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\TREATAS")
    "<Input Sample>.exe" touched "Browser Application State" (Path: "HKCU\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}\TREATAS")
    "<Input Sample>.exe" touched "UIAutomation Registrar Class" (Path: "HKCU\CLSID\{6E29FABF-9977-42D1-8D0E-CA7E61AD87E6}\TREATAS")
    "<Input Sample>.exe" touched "CActiveIMMAppEx_Trident" (Path: "HKCU\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\TREATAS")
  - source: Registry Access
  - relevance: 3/10
- Scanning for window names
  - details:
    "<Input Sample>.exe" searching for class "EDIT"
    "<Input Sample>.exe" searching for class "MS_AutodialMonitor"
    "<Input Sample>.exe" searching for class "MS_WebCheckMonitor"
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1010
- The input sample possibly contains the RDTSCP instruction
  - details: Found VM detection artifact "RDTSCP trick" in "5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.bin" (Offset: 119399)
  - source: Binary File
  - relevance: 5/10

Installation/Persistence
- Connects to LPC ports
  - details: "<Input Sample>.exe" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Dropped files
  - details:
    "CC.BAT" has type "ASCII text with CRLF line terminators"
    "2007#U5e74#U52b3#U52a8#U4eba#U4e8b#U7edf#U8ba1#U5e74#U62a5_#U8868#U6837_.xls" has type "Composite Document File V2 Document Little Endian Os: Windows Version 5.1 Code page: 936 Author: gt Last Saved By: lenovo Name of Creating Application: Microsoft Excel Last Printed: Mon Oct 29 09:12:11 2007 Create Time/Date: Thu Sep 13 04:13:32 2007 Last Saved Time/Date: Mon Nov 19 01:26:35 2007 Security: 0"
    "CCDOS.EXE" has type "MS-DOS executable LE executable for MS Windows (VxD)"
    "SETUP.EXE" has type "MS-DOS executable MZ for MS-DOS"
    "2007#U5e74#U52b3#U52a8#U4eba#U4e8b#U7edf#U8ba1#U5e74#U62a5#U8868#U5185#U8868#U95f4#U5173#U7cfb_#U57fa#U672c#U5b9a#U7a3f_.doc" has type "Composite Document File V2 Document Little Endian Os: Windows Version 5.1 Code page: 936 Title: Author: gt Template: Normal.dot Last Saved By: caozhi Revision Number: 103 Name of Creating Application: Microsoft Office Word Total Editing Time: 21:00:00 Create Time/Date: Tue Oct 23 15:43:00 2007 Last Saved Time/Date: Sat Dec 15 03:03:00 2007 Number of Pages: 1 Number of Words: 4916 Number of Characters: 28024 Security: 0"
    "NB2007-98.pif" has type "Windows Program Information File for C:\WINDOWS\COMMAND.COM directory=C:\NB2007 TrueTypeFont=Courier New Windows NT-style"
    "CCDOS.PIF" has type "Windows Program Information File for C:\!SUNV\HH\DFKC\ccdos\ccdos.exe TrueTypeFont=Courier New"
    "QUIT.EXE" has type "MS-DOS executable MZ for MS-DOS"
    "UNINST.BAT" has type "DOS batch file ASCII text with CRLF line terminators"
    "#U6253#U5e73#U516c#U5f0f#U95ee#U9898.doc" has type "Composite Document File V2 Document Little Endian Os: Windows Version 5.1 Code page: 936 Title: Author: lenovo Template: Normal.dot Last Saved By: lenovo Revision Number: 17 Name of Creating Application: Microsoft Office Word Total Editing Time: 01:11:00 Create Time/Date: Thu Nov 22 05:30:00 2007 Last Saved Time/Date: Thu Nov 29 09:24:00 2007 Number of Pages: 1 Number of Words: 202 Number of Characters: 1157 Security: 0"
    "NB2007 #U64cd#U4f5c#U6307#U5357.doc" has type "Composite Document File V2 Document Little Endian Os: Windows Version 5.1 Code page: 936 Title: NB2007 Author: caozhi Template: Normal.dot Last Saved By: caozhi Revision Number: 3 Name of Creating Application: Microsoft Office Word Total Editing Time: 29:00 Create Time/Date: Thu Nov 15 21:12:00 2007 Last Saved Time/Date: Tue Nov 20 17:36:00 2007 Number of Pages: 1 Number of Words: 799 Number of Characters: 4557 Security: 0"
    "2006#U6307#U6807#U8bf4#U660e.doc" has type "Composite Document File V2 Document Little Endian Os: Windows Version 5.1 Code page: 936 Title: Author: YinWei Template: Normal Last Saved By: caozhi Revision Number: 122 Name of Creating Application: Microsoft Office Word Total Editing Time: 17:01:00 Last Printed: Wed Nov 16 09:20:00 2005 Create Time/Date: Fri Nov 17 02:23:00 2006 Last Saved Time/Date: Wed Nov 29 12:59:00 2006 Number of Pages: 1 Number of Words: 8115 Number of Characters: 46261 Security: 0"
    "2007#U5e74#U5e74#U62a5#U5bf9#U7167#U8868.xls" has type "Composite Document File V2 Document Little Endian Os: Windows Version 5.1 Code page: 936 Author: gt Last Saved By: caozhi Name of Creating Application: Microsoft Excel Last Printed: Sat Nov 10 17:12:47 2007 Create Time/Date: Tue Sep 25 06:04:07 2007 Last Saved Time/Date: Thu Nov 15 20:34:09 2007 Security: 0"
    "FOXGB.EXE" has type "DOS executable (COM)"
    "Py.com" has type "COM executable for DOS"
    "NB2007-XP.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Has command line arguments Icon number=114 Archive ctime=Tue Aug 17 04:00:00 2004 mtime=Wed Dec 19 16:00:00 2007 atime=Tue Aug 17 04:00:00 2004 length=470528 window=hide"
    "CIZU.EXE" has type "MS-DOS executable MZ for MS-DOS"
    "LIMD.COM" has type "data"
    "PY.COM" has type "MS-DOS executable MZ for MS-DOS diet compressed"
  - source: Binary File
  - relevance: 3/10
- Touches files in the Windows directory
  - details:
    "<Input Sample>.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    "<Input Sample>.exe" touched file "C:\Windows\System32\en-US\user32.dll.mui"
    "<Input Sample>.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
    "<Input Sample>.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
    "<Input Sample>.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
    "<Input Sample>.exe" touched file "C:\Windows\System32\rsaenh.dll"
    "<Input Sample>.exe" touched file "C:\Windows\System32\oleaccrc.dll"
    "<Input Sample>.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
    "<Input Sample>.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
    "<Input Sample>.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
    "<Input Sample>.exe" touched file "C:\Windows\Fonts\arial.ttf"
    "<Input Sample>.exe" touched file "C:\WINDOWS\desktop\NB2007-98.pif"
    "<Input Sample>.exe" touched file "C:\Windows\desktop"
    "<Input Sample>.exe" touched file "C:\Windows\desktop\NB2007-98.pif"
    "<Input Sample>.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
    "<Input Sample>.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files"
    "<Input Sample>.exe" touched file "%APPDATA%\Microsoft\Windows\Cookies"
    "<Input Sample>.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\History"
  - source: API Call
  - relevance: 7/10

Network Related
- Found potential URL in binary/memory
  - details:
    Heuristic match: "nb2007\CS.COM"
    Heuristic match: "nb2007\PY.COM"
    Heuristic match: "nb2007\wb.com"
    Heuristic match: "U!\-T5.OM"
    Heuristic match: "CCDOS\README.COM"
    Heuristic match: "CCDOS\LIMD.COM"
    Heuristic match: "CCDOS\CS.COM"
    Heuristic match: "CCDOS\Py.com"
    Pattern match: "17.ly/eQSONXTQ,gUSMOlQvOiD0"
    Pattern match: "18.vQN/eQd/eN/eQ0ly/eQNYvW/eQ0"
  - source: File/Memory
  - relevance: 10/10

System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details: "<Input Sample>.exe" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1215

Unusual Characteristics
- Found Delphi 4 - Delphi 2006 artifact
  - details: "DBFEditor.exe" has a PE timestamp using the buggy magic timestamp 0x2A425E19. The real compilation date is probably Wed Jun 30 18:57:31 1999
  - source: Static Parser
  - relevance: 10/10
- Matched Compiler/Packer signature
  - details:
    "5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.bin" was detected as "RAR SFX"
    "GB5W.EXE" was detected as "Microsoft visual C++ 5.0"
    "DBFEditor.exe" was detected as "Borland Delphi"
    "pbdy.exe" was detected as "Microsoft visual C++ v7.0"
  - source: Static Parser
  - relevance: 10/10
  - ATT&CK ID: T1002

File Details
5E8ADB405F274A829938A0A9AA11468310E4E21D2E305B38E9BF463C9D8C25EC
- Filename: 5E8ADB405F274A829938A0A9AA11468310E4E21D2E305B38E9BF463C9D8C25EC
- Size: 4.4MiB (4589177 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
- Architecture: WINDOWS
- SHA256: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec
- MD5: 6677d8f44ba91564cedcb1b18f336862
- SHA1: 39c1c213761e0e506dec2693e73e6e89381e3c1e
- ssdeep: 98304:zM6Q//e1ey5OOs+bwKDdTu1z138Wmyas2j3yFPk6XKC4e:r6/4eUBs+5o1z1fmHs2sTl4e
- imphash: bc5ce990cf54f8d435a68eb97512f73e
- authentihash: 480870733bdc27d1c63df570b0836e6343a7003c5e447cac98d6fafc8775bf6f
- Compiler/Packer: RAR SFX

Classification (TrID)
- 94.0% (.EXE) WinRAR Self Extracting archive
- 2.3% (.SCR) Windows screen saver
- 1.1% (.DLL) Win32 Dynamic Link Library (generic)
- 0.8% (.EXE) Win32 Executable (generic)
- 0.4% (.EXE) Win32 Executable Watcom C++ (generic)
Hybrid Analysis
Analysed 1 process in total.
- Input Sample (PID: 1076) 3/72
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 56 extracted file(s). The remaining 79 file(s) are available in the full version and XML/JSON reports.

Clean (15)

CCDOS.EXE
- Size: 70KiB (71908 bytes)
- Type: neexe executable
- Description: MS-DOS executable, LE executable for MS Windows (VxD)
- AV Scan Result: 0/63
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: f5a7cead134b8ca86e5ef8953d0b4fc6
- SHA1: f0ea474dd3b4ea2292ff23f50d784f8d62882da5
- SHA256: 44ea1935dc640e20523d3ee75d905dc44817f437c0296d51f128bc5efe05aebd

CIZU.EXE
- Size: 15KiB (15688 bytes)
- Type: neexe executable
- Description: MS-DOS executable, MZ for MS-DOS
- AV Scan Result: 0/58
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 79343549bf212a271df9bb43b509156a
- SHA1: 71f71321daf173490f672a6344ee6036176a7543
- SHA256: 8be79f3c54b8e800b44e933d20669f389b8c575ca8ba8a9a20d6c3d8b0e5f776

CS.COM
- Size: 98B (98 bytes)
- Type: data
- AV Scan Result: 0/47
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: b62f747f8c4420c2f57719995ec61648
- SHA1: 8add1e2ad0ca775c07d8e9b9218852745cc7cecc
- SHA256: cafbbad78f093dcd2937197f84b29f4b67d72ae42ad218701a77d4b6653bc62d

Ed.exe
- Size: 80KiB (81964 bytes)
- Type: neexe executable
- Description: MS-DOS executable, MZ for MS-DOS Self-extracting PKZIP archive
- AV Scan Result: 0/54
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 324a52efaa2c32da077c81c6708f6f99
- SHA1: f8677f5e66a20fff1654bc1894348871b71535cf
- SHA256: d547e0fc4bc08eb50d6982b20fc392bb011a426b8d3a7a34fc28d27260de68af

GB5.EXE
- Size: 16KiB (15882 bytes)
- Type: neexe executable
- Description: MS-DOS executable, MZ for MS-DOS
- AV Scan Result: 0/63
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: befefd518aa89531371ee604e35a4a85
- SHA1: a0434771a1c1fefabfcc28cfa185ae20257d4797
- SHA256: d229954573afa49937d31673d1c3504dcab94e0430ec8f0b929c14ab46066b43

GB5W.EXE
- Size: 53KiB (54019 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/70
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: ba02596a05dddf69861a321de529d5b3
- SHA1: 997fa13cd25250747fb67ff71754e2287c73443a
- SHA256: 290c9f446e464b89b5527e23b49565db65ddf60ea04cf083e075813c9f49bad7

IMDMNG.EXE
- Size: 14KiB (14663 bytes)
- Type: neexe executable
- Description: MS-DOS executable, MZ for MS-DOS Self-extracting PKZIP archive
- AV Scan Result: 0/46
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 06e031b9281f2551b01fd384dd92f0ce
- SHA1: ffac6bd3c7cbe3eabc5c4a25d74b7f7c8d537f46
- SHA256: 022428657c888820291302b25b4c6c82397de7a4ab2fad16563ac77bd562df72

LIMD.COM
- Size: 4.8KiB (4905 bytes)
- Type: data
- AV Scan Result: 0/45
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: abc4ffbf7c0c470673e4fc3a5fda20fc
- SHA1: a4bc4398bff57521d7f0e73b050b3b9c85d96cc2
- SHA256: 6e0bb54eedfa1f6b5d2c9b7a74582c1951697757d975ad08220e7d397fd2c531

SETUP.EXE
- Size: 8.1KiB (8332 bytes)
- Type: neexe executable
- Description: MS-DOS executable, MZ for MS-DOS
- AV Scan Result: 0/41
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 39ad8d961359565cad2b7c98102a5482
- SHA1: 50d9d1419b01116caee693658a9c78021b91142a
- SHA256: 837f4133f097e952e05698adfaa1249d243b78a3c03183ccbb2a8a4de61f7ec0

STRIP.EXE
- Size: 11KiB (11594 bytes)
- Type: neexe executable
- Description: MS-DOS executable, MZ for MS-DOS
- AV Scan Result: 0/40
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 6eddc90a4f9ce3ee3568df558bdc18aa
- SHA1: 4d95ea1da148714187eed42e151fa0c4ca08b38d
- SHA256: 6a4e5f5af534159f1e90764ecb847dcba099d5784812b5c9a62effbadb4febde

FOXGB.EXE
- Size: 5.1KiB (5233 bytes)
- Type: com executable
- Description: DOS executable (COM)
- AV Scan Result: 0/41
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 1274e96e0d369af07a9a7987235ce168
- SHA1: c0b40ec00b4ef6e011388aaf1909353f06765b23
- SHA256: 824f449e6d5b4811f7c1ccc62e3850d79c1bcb5983839d2b7bf773e8f0e0436c

PY.COM
- Size: 54KiB (55238 bytes)
- Type: neexe executable
- Description: MS-DOS executable, MZ for MS-DOS, diet compressed
- AV Scan Result: 0/41
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 254e799bac70eb91c4176dc39d0cac16
- SHA1: 8e751e0735d649f5fcf6bf999ad281b50e7918d8
- SHA256: 2e013f28e6bd89863ab0a6773c6a9054343f98566bcf03771b2a7779d9ec8794

TW.EXE
- Size: 229KiB (234404 bytes)
- Type: neexe executable
- Description: MS-DOS executable, MZ for MS-DOS Self-extracting PKZIP archive
- AV Scan Result: 0/61
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: cbe9c2826814e77cbbc3cebd26dc1717
- SHA1: 1b5b18cae80dd4d200b6c27fd15a7610a3df693a
- SHA256: f8b4cb9e1222bf33258ce61f135e8c913c17463ec55a44c8f41158bd2cac4515

pbdy.exe
- Size: 38KiB (39273 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/72
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 67204fb2591091a88660222766430aa6
- SHA1: 6b25f530c54314f9c9a2df0e2f4e074bd79e0e17
- SHA256: afc0318a74e15be6679df3ab4fa6cc521cae9a152b9c90367487b1f20f7c1fbc

wb.com
- Size: 43KiB (43637 bytes)
- Type: neexe executable
- Description: MS-DOS executable, MZ for MS-DOS, diet compressed
- AV Scan Result: 0/61
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: ed5404f29638a6e00528e4f551f7080d
- SHA1: 0e1538666c48dd62efb647072b9aa4b82c4e22ec
- SHA256: 2d2e05cc1cd182eb8db4f1e2a094c1ef10da271de0efe70673aad65221cbcd0c

Informative Selection (1)

2007#U5e74#U52b3#U52a8#U4eba#U4e8b#U7edf#U8ba1#U5e74#U62a5_#U8868#U6837_.xls
- Size: 2.8MiB (2982400 bytes)
- Type: xls office
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Author: gt, Last Saved By: lenovo, Name of Creating Application: Microsoft Excel, Last Printed: Mon Oct 29 09:12:11 2007, Create Time/Date: Thu Sep 13 04:13:32 2007, Last Saved Time/Date: Mon Nov 19 01:26:35 2007, Security: 0
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 5ab693ec59607dfa4bd70b655e445d88
- SHA1: a61d83530cfee6918bbe8144b67f6aa208d64515
- SHA256: f6f9a3f4cdd6576c9cb8c702e90de9d0d857e1759532ce4d741d548ad86ce5da

Informative (40)

NB2007-XP.lnk
- Size: 2.1KiB (2159 bytes)
- Type: lnk
- Description: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Aug 17 04:00:00 2004, mtime=Sun Oct 14 16:00:00 2007, atime=Tue Aug 17 04:00:00 2004, length=470528, window=hide
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 42aacf50eae99d2032274e50c1096204
- SHA1: b26a18cf0355a5b136a563b74d2002b5014c6086
- SHA256: 91f530261fb68f48977eb456f61241d5700167122bfe7afe5e973449af584900

NB2007-98.pif
- Size: 2.8KiB (2857 bytes)
- Type: unknown
- Description: Windows Program Information File for C:\WINDOWS\COMMAND.COM, directory=C:\NB2007, TrueTypeFont=Courier New, Windows NT-style
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: cc5fedf361fc65c351784e0120a31ae6
- SHA1: 469200162a6da8caa5dcc57962c336ec027dc5cf
- SHA256: 596085094231606031820dccfd5de4e06cd6a3af3fc8e05657bd1a293fd6a363

CCDOS.INF
- Size: 1.7KiB (1772 bytes)
- Type: text
- Description: Windows setup INFormation, ISO-8859 text, with CRLF line terminators
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: ab280bb46ab06366e7b61fd5051efc05
- SHA1: bf7779aa25de6939f340eaadb1cfcc50b1c3feb8
- SHA256: c0a86f58438ff56eee0098eaf12b6ce19a99af712d28cb2ba8285186620565d2

CCDOS.INI
- Size: 3.5KiB (3548 bytes)
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 30512f1fba311c77c7d71be97d2fa07f
- SHA1: 1e2c3d50c5a98f897862c4d9a3beb0a4dac02279
- SHA256: f153525a1f8ef11de72b40c4156d10895f7e337f562e6281627686fe87c7e721

CCDOS.PIF
- Size: 967B (967 bytes)
- Type: unknown
- Description: Windows Program Information File for C:\!SUNV\HH\DFKC\ccdos\ccdos.exe, TrueTypeFont=Courier New
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5: 2f08839862c43853a61c0be55308c3b6
- SHA1: c33e29a59ac8988a1f89a8d446e7967777488302
- SHA256: 66621dc780a144584411d2f15689730db78ed32fbb76d3b968e3b6e6699cee04

CCDOS.PKV
- Size: 215KiB (220032 bytes)
- Runtime Process: 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 3d5b7d845b5346221bdab39821e168bd
- SHA1
- b727ee36716ad7cee1ece6358511467e41fda93a
- SHA256
- 0a0e5c84e2ebe6657462f148ff460848602ea094f0b7c9a580256e08a5fd4f5c
-
CCDOS.TXT
- Size
- 822B (822 bytes)
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 3276c609b4dc3f647f273f02bb50fcf7
- SHA1
- f0f349b7547723340a06f990848b516e2d5b13a2
- SHA256
- 73f1c173a5e28c1080a8c3ff660bf2f634c7048f5fab223d2557f074f90dfcc5
-
CCDOS97.BAT
- Size
- 55B (55 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 2dc72050357e79fe9185e556ba6d58d1
- SHA1
- 4cdfd18e40ad47da790592c7d80ba099a413a5d9
- SHA256
- 61b8a523724f478c4d6d7ab93ae9ca15fdc61e4b278ef04300c0275fc381f85a
-
CCDOS97.BAT.bak
- Size
- 104B (104 bytes)
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 1c02d95041c7fba56e8b47d59d68ee82
- SHA1
- 75aa0a3cf5e49b7d28b588a37e7c73bf0e649e26
- SHA256
- e91193045ec3fb9aeaa0302ec29c12371656597613145a33dad7b7afb23d4f10
-
CCUSR.CWD
- Size
- 63KiB (64802 bytes)
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 8a82ca7060865b786ffcaa279ca83479
- SHA1
- 9479f9c8e4434f9a6532c307226cad187e01e48d
- SHA256
- 200aa07d1b8346ecfb145ac8494630bf14b16999b7d0e68f1fe9d3e3d93351e8
-
CCDOS.CWD
- Size
- 217KiB (222630 bytes)
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- db84090d209ad8d0a54d105a15424467
- SHA1
- cd5d19a421fccdea501765b3ba0793dad319d70c
- SHA256
- eafd5afb1d68538b13d36f70364d0ba4228a4a07b824c707ce0bb0e6ed12537f
-
CCDOS.DAT
- Size
- 138KiB (140817 bytes)
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- f03ef43d59474d07f7a60d02362f325f
- SHA1
- 715458b123ae557a234e9ae874941e7d8c381217
- SHA256
- 8786262c1a41bc5a21539ec79cba3cfec3239cec9ae54f1dd1611f48c67a51a7
-
CCDOS.MB
- Size
- 122KiB (124960 bytes)
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- b291a1a451a0295a1516e0145e5282b2
- SHA1
- 3d1f2621ca962a1dba91d16b62a275f9319610cf
- SHA256
- abb315349c8a34645f038d9f220e6bc8cea3f9b275d5f2d5fb7330b33578bf23
-
CCDOS.TAB
- Size
- 45KiB (45840 bytes)
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 36343d7d01750c02586b15eb8a91ce6f
- SHA1
- c519843b326aa179dfc3fbdf5b6ec713b7050043
- SHA256
- 690bda1fa5186059ef211757b771c68b9f5f39f38517e06b322f55c17011a3e7
-
FUHAO.MB
- Size
- 1.3KiB (1300 bytes)
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 80febdba9e5bd317efeb5be543c764cd
- SHA1
- ce543603d44ed4ea440453678c50b4d042897940
- SHA256
- ea3efbe3bce609302f46819938b0735983d8854ae7d1b9917ba738dfcfb76b27
-
BX95.IMD
- Size
- 316KiB (323874 bytes)
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- f580905a142891f556501f05991aee8d
- SHA1
- b5d58f2360c05be5d663d9fb92020e4aee87680d
- SHA256
- 91e307f097fe66cd632cd46023b10bd9e1e8826dac469a9c1f1145ca9266e513
-
Py.ovr
- Size
- 106KiB (108890 bytes)
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 481336e6f3f4e09054448254c2229fc5
- SHA1
- b037ef32b940c5f94dba0251750bde2987fa3767
- SHA256
- 7a2d4d425db38955e2d9f802f71b1c9039354ae9cf8c190d86737a7a1bbf89a3
-
Py.com
- Size
- 11KiB (10912 bytes)
- Type
- unknown
- Description
- COM executable for DOS
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 1c08f82b65034ef3ccbdf3ffe41f7c2d
- SHA1
- ea7307502b112ad0983949ecc060f49aa1eba80d
- SHA256
- d72160368169cf921ecdd19a6001675fdd61aaddbbd189cfd65aef271112dcbe
-
QUIT.EXE
- Size
- 4.6KiB (4674 bytes)
- Type
- neexe executable
- Description
- MS-DOS executable, MZ for MS-DOS
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 80b02cdba15a8ae3dbd751bbf4e57aa0
- SHA1
- c165cb9a0601787f9a36d2d374405784885e022d
- SHA256
- e8e1c5380e2f0d3b682c25944192c2aae0265073b75a3cff43c9c2d2a6b1cc94
-
README.COM
- Size
- 4.1KiB (4217 bytes)
- Type
- unknown
- Description
- COM executable for DOS
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- a679312c47aedea4e4319d22c3c49086
- SHA1
- c152829d31d14ab5abac53716d647de202001d59
- SHA256
- 0424eab73745ebe628da2cfae80936c3585042d1170f761234c7f6e9bf1d4bfe
-
CC.BAT
- Size
- 217B (217 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 3af2bd9999ba9ef673510bbc97ab8e22
- SHA1
- 04a6cd6bb1e5f608cd20ecd1df30eb2b8542ad0b
- SHA256
- b7c10578418ce0eeea9003001b36be6323f90be1ad31c467416bf0169653a370
-
UCCDOS97.EXE
- Size
- 641B (641 bytes)
- Type
- neexe executable
- Description
- MS-DOS executable, MZ for MS-DOS, WWPACK compressed
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 87be052b80690abf05cce32b1427e037
- SHA1
- 82cd75e99592e6c873e6af870c66b7c42a7ad268
- SHA256
- 8ae96abb88c44d294af1cacbcec3b5b852372881dfb5100c91ac6484ddc933be
-
UNINST.BAT
- Size
- 282B (282 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- db5d253ea9a5ddb91ca0323b50c65121
- SHA1
- 1cd6fca7a64d051279e02fac42f9d2ef723e89a2
- SHA256
- 9e9ae62320377234bf4b5bb5de7a0b3d8a9633e02aa7ef4a0355819859d9f0eb
-
CCEDCC.EXE
- Size
- 1.8KiB (1831 bytes)
- Type
- neexe executable
- Description
- MS-DOS executable, MZ for MS-DOS, WWPACK compressed
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- c81e3a29913643c8adae8a59814a4d4c
- SHA1
- f296fb4f7a05732ab177ba31ec7a414cd41f2b19
- SHA256
- d55c6ce2a7225a2aafb3e1fbb5d9c7625789b15b3fc75c43ede97c1d749dfdfe
-
DBFEditor.exe
- Size
- 593KiB (606720 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 01ad8e944d3c442f58706c260a241de2
- SHA1
- b7b690e71186248a02fdde06f8895fd600df29af
- SHA256
- 3c90cb5f45b49bf3d92964bb09988ca14cfccc9ee3dbf55ec076dd4493c95814
-
GBALL!.EXE
- Size
- 11KiB (11392 bytes)
- Type
- neexe executable
- Description
- MS-DOS executable, MZ for MS-DOS
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- d6cc5622ab9e7d8292d5a290ac3455d7
- SHA1
- 19d32432a1439493ac00036b89b9dd2bc1800883
- SHA256
- 48a915b459db12b6740f1a767439e115b864b867ed498d469ad78dcdb80310f5
-
GBALL.BAT
- Size
- 265B (265 bytes)
- Type
- text
- Description
- DOS batch file, ISO-8859 text, with CRLF line terminators
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 17b25c19613dbc6812116c771b2b6e47
- SHA1
- d91869a3bfb9f99ee19ae67a0c1d6e3c237afa8a
- SHA256
- 5805de6eecaa6ea23e7c1c196b9afa54cabea6591407612b7e76d173631ab73a
-
NB.BAT
- Size
- 213B (213 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- fa0681b2464dfb77070dd54e98342297
- SHA1
- 0a281197073240acb5478f8975410dd33d587e95
- SHA256
- 0b771a92652aed6dc35ca048b0c9fe00626b508eac2b750c8b32c07bb0ed2c7d
-
NB2007.EXE
- Size
- 226KiB (231766 bytes)
- Type
- neexe executable
- Description
- MS-DOS executable, MZ for MS-DOS
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- c463eed894c873192ecdbc00f4ff2314
- SHA1
- b91a6b5e2af128f8bc352874477b996c13f91d9a
- SHA256
- d104527ced6a86f98906ab3c4529d5d42e361cf1f415804266dbb1064843502a
-
2007#U5e74#U52b3#U52a8#U4eba#U4e8b#U7edf#U8ba1#U5e74#U62a5_#U8868#U6837_.xls
- Size
- 2.8MiB (2982400 bytes)
- Type
- xls office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Author: gt, Last Saved By: lenovo, Name of Creating Application: Microsoft Excel, Last Printed: Mon Oct 29 09:12:11 2007, Create Time/Date: Thu Sep 13 04:13:32 2007, Last Saved Time/Date: Mon Nov 19 01:26:35 2007, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 5ab693ec59607dfa4bd70b655e445d88
- SHA1
- a61d83530cfee6918bbe8144b67f6aa208d64515
- SHA256
- f6f9a3f4cdd6576c9cb8c702e90de9d0d857e1759532ce4d741d548ad86ce5da
-
2007#U5e74#U52b3#U52a8#U4eba#U4e8b#U7edf#U8ba1#U5e74#U62a5#U8868#U5185#U8868#U95f4#U5173#U7cfb_#U57fa#U672c#U5b9a#U7a3f_.doc
- Size
- 233KiB (238080 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Title: , Author: gt, Template: Normal.dot, Last Saved By: caozhi, Revision Number: 103, Name of Creating Application: Microsoft Office Word, Total Editing Time: 21:00:00, Create Time/Date: Tue Oct 23 15:43:00 2007, Last Saved Time/Date: Sat Dec 15 03:03:00 2007, Number of Pages: 1, Number of Words: 4916, Number of Characters: 28024, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- fd83935229ca701a43e6cc6ae1ce4b36
- SHA1
- 528dc9d5d09c1a10f036bc2b4140627684aaef57
- SHA256
- 417f3a5ddd3d5dbcd08db28819c980b4c3b5724d3fc62ad3f25081fe6cb94229
-
#U6253#U5e73#U516c#U5f0f#U95ee#U9898.doc
- Size
- 35KiB (35840 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Title: , Author: lenovo, Template: Normal.dot, Last Saved By: lenovo, Revision Number: 17, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:11:00, Create Time/Date: Thu Nov 22 05:30:00 2007, Last Saved Time/Date: Thu Nov 29 09:24:00 2007, Number of Pages: 1, Number of Words: 202, Number of Characters: 1157, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- c39892cd2ca7493384955512ed18c8a3
- SHA1
- 0dded00a2ba25efc9976c6e2449f2c6d7036ece6
- SHA256
- 2b1ab7cffd8515725194cbec1a4ec0a36fced28a2c5af85c113b697c0ea32a8e
-
NB2007 #U64cd#U4f5c#U6307#U5357.doc
- Size
- 43KiB (44032 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Title: NB2007 , Author: caozhi, Template: Normal.dot, Last Saved By: caozhi, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 29:00, Create Time/Date: Thu Nov 15 21:12:00 2007, Last Saved Time/Date: Tue Nov 20 17:36:00 2007, Number of Pages: 1, Number of Words: 799, Number of Characters: 4557, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- c825170efd61be9cbd8da66d3677164c
- SHA1
- 39c741cf744e2631f9c8e8a5d9d44741ba55df5e
- SHA256
- 122e15b3fdd0c9c50c484118d84ef55ea2f4d2c761f4788580ded661bb238284
-
2006#U6307#U6807#U8bf4#U660e.doc
- Size
- 450KiB (460800 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Title: , Author: YinWei, Template: Normal, Last Saved By: caozhi, Revision Number: 122, Name of Creating Application: Microsoft Office Word, Total Editing Time: 17:01:00, Last Printed: Wed Nov 16 09:20:00 2005, Create Time/Date: Fri Nov 17 02:23:00 2006, Last Saved Time/Date: Wed Nov 29 12:59:00 2006, Number of Pages: 1, Number of Words: 8115, Number of Characters: 46261, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- ed4b23fe7328a9886624c1fac4ef051c
- SHA1
- b0240e6382c675720e022de61a5b8e992b7d9f1a
- SHA256
- effe34d2ed3d4c9892d3c4f711e7ca6f18bd5b001bbe4a2b815e36cca3c989c3
-
2007#U5e74#U5e74#U62a5#U5bf9#U7167#U8868.xls
- Size
- 39KiB (39936 bytes)
- Type
- xls office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Author: gt, Last Saved By: caozhi, Name of Creating Application: Microsoft Excel, Last Printed: Sat Nov 10 17:12:47 2007, Create Time/Date: Tue Sep 25 06:04:07 2007, Last Saved Time/Date: Thu Nov 15 20:34:09 2007, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 7f2162d83b42d6547dccda1820788d79
- SHA1
- fc0530bfb5675c3a802ac4438b59280a34204751
- SHA256
- 93a52d79d0e95ba6af13349e998f75b53deab55ce64a42426b4cd53ace932179
-
#U5173#U952e#U6570#U636e#U8868#U4e09.xls
- Size
- 164KiB (167936 bytes)
- Type
- xls office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Last Saved By: xiu, Last Printed: Wed Jan 17 19:43:25 2007, Last Saved Time/Date: Wed Jan 17 21:45:47 2007, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- c1caea9b1c1275aee52563389088baa6
- SHA1
- f09b230b763460da40f4ee750deb301e68b9c02c
- SHA256
- 9a29c8ae91d87b77a6835887585b36af1ce28bd8c83ffcee7c35a0b407ccf025
-
#U5173#U952e#U6570#U636e#U8868#U4e00.xls
- Size
- 165KiB (168960 bytes)
- Type
- xls office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Last Saved By: xiu, Last Printed: Wed Jan 17 07:23:49 2007, Last Saved Time/Date: Wed Jan 17 21:47:26 2007, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- f088498e55e30ae27aa0c1db43fb6a7a
- SHA1
- a3651fc9f1b750ed0e7edef688a5f26e4cea8276
- SHA256
- 3f9345724cee48ea57d31bf6eacaadfc19544e7e04a1e890d8c63e80b15d2f85
-
#U5173#U952e#U6570#U636e#U8868#U4e8c.xls
- Size
- 163KiB (166400 bytes)
- Type
- xls office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Last Saved By: xiu, Last Printed: Mon Jan 15 18:41:59 2007, Last Saved Time/Date: Wed Jan 17 19:37:11 2007, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 68da22afaed3e768c50362355d5c4261
- SHA1
- 8bd3cd50941c2a962ae40e0008ab3486c8b89500
- SHA256
- c7e451f8bc223f22a22efa039f07898b7edc6160d30a8ea8182554e03d4e4c0c
-
2007#U5e74#U62a5#U5168#U5957_1023#U5b9a#U7a3f_.xls
- Size
- 2.8MiB (2924544 bytes)
- Type
- xls office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Author: gt, Last Saved By: Lenovo User, Name of Creating Application: Microsoft Excel, Last Printed: Tue Oct 23 10:26:37 2007, Create Time/Date: Thu Sep 13 04:13:32 2007, Last Saved Time/Date: Tue Oct 23 16:32:37 2007, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 988868459d8c31cc61806cb40e6af886
- SHA1
- 47f5a4f983fb7dfd54de58f5a2431957538a1fd3
- SHA256
- 537fb8cb0af76441508d0efd0f293cab2a60f4d2d75c31d92281b18249922bf7
-
2007#U5e74#U52b3#U52a8#U4eba#U4e8b#U7edf#U8ba1#U5e74#U62a5#U8868#U5185#U8868#U95f4#U5173#U7cfb.doc
- Size
- 273KiB (279552 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Title: , Author: gt, Template: Normal.dot, Last Saved By: caozhi, Revision Number: 64, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:10:00, Create Time/Date: Tue Oct 23 15:43:00 2007, Last Saved Time/Date: Sat Dec 15 03:04:00 2007, Number of Pages: 1, Number of Words: 4945, Number of Characters: 28190, Security: 0
- Runtime Process
- 5e8adb405f274a829938a0a9aa11468310e4e21d2e305b38e9bf463c9d8c25ec.exe (PID: 1076)
- MD5
- 56ac94fb033b558b0f02720506709e0e
- SHA1
- 6299afc9f4fd56fab1ef7b55d72064a95cfb1c93
- SHA256
- be7b58d04790aa862d0980f503df27345b4f31f6053cc29c1ff6ffb4f3f29c00
-
Notifications
Runtime
- Extracted file "#U5173#U952e#U6570#U636e#U8868#U4e09.xls" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/9a29c8ae91d87b77a6835887585b36af1ce28bd8c83ffcee7c35a0b407ccf025/analysis/1559050045/")
- Extracted file "CC.BAT" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/8bdce9b8e2e1f2642f3dfec3663fe674cee0d31a31424a8280ca1b00fdaa2903/analysis/1559050044/")
- Extracted file "CC.BAT" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/b7c10578418ce0eeea9003001b36be6323f90be1ad31c467416bf0169653a370/analysis/1559050046/")
- Extracted file "NB.BAT" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/0b771a92652aed6dc35ca048b0c9fe00626b508eac2b750c8b32c07bb0ed2c7d/analysis/1559050046/")
- Network whitenoise filtering was applied
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-1" are available in the report
- Some low-level data is hidden, as this is only a slim report