Analysis Report: PoP8Setup.exe (Windows)
Overview
General Information
Detection score: | 24 (range 0-100) |
Whitelisted: | false |
Confidence: | 60% |
Compliance score: | 50 (range 0-100) |
Analysis Advice
- Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
- Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
How to read this report: the verdict is suspicious (SUS), not malicious. The scanners listed for the initial sample both report 0%, the Authenticode signature on PoP8Setup.exe validates against a Sectigo EV code-signing CA, and the run ended on a timeout with incomplete process coverage. The 24/100 therefore comes from behaviour heuristics that legitimate installers share with droppers: writing executables that never ran during the analysis, creating directories and registry values, and the run-key and DLL side-loading matches in the ATT&CK mapping. What deserves follow-up is narrower: the two advice items above, and the one dropped file the report itself flags as malicious (29696 bytes, MD5 DFD3D98A85AF042144B999FB21AE3234, entropy 7.28). Two dropped files also carry low Virustotal hits (3% and 4%), but this copy of the report does not preserve which ones.
Process tree
- System is w10x64_ra
- PoP8Setup.exe (PID: 7028, cmdline: "C:\Users\user\Desktop\PoP8Setup.exe", MD5: 31BBC34F3CE51AB1C28A63202DB9860D)
- pop8win.exe (PID: 7128, cmdline: "C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe", MD5: 13F9E2E97A2A22721124E3567F550344)
- cleanup
The MD5 of pop8win.exe matches the 4,117,528-byte dropped file listed later in the report: the installer wrote the application into Program Files and then launched it, so it is the one dropped PE that was started during the run.
Signatures
The per-event details (paths, registry keys, module names) did not survive extraction; what remains is the event category of each signature hit. Counts are per run of identical rows, in the original order.

System Summary
Evidence | Events
---|---
Sigma rule match (rule authors: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)) | 1
Registry value created | 1

Compliance and the signature groups that follow it (group headings not preserved)
Evidence | Events
---|---
Static PE information | 1
Directory created | 8
Registry value created | 1
File created | 3
Static PE information | 4
Classification label | 1
File created | 2
Mutant created | 1
File created | 1
Static PE information | 1
File read | 1
Key opened | 1
File read | 1
Process created | 2
Section loaded | 72
Key value queried | 1
File opened | 1
Key opened | 1
Directory created | 8
Registry value created | 1
Static PE information | 1
Static file information | 1
Static PE information | 5
File created (dropped file) | 15
File created | 4
Process information set | 4
Dropped PE file which has not been started | 8
File Volume queried | 4
Queries volume information | 1
Registry value created | 1

Of the 15 dropped files, 8 are PE files that were never executed during the run; together with pop8win.exe, which was started, that makes 9 dropped PE files, consistent with the nine dropped-file rows in the scanner table.
MITRE ATT&CK mapping. A leading number is the count of behaviour signatures mapped to that technique; cells without a number are the matrix's default technique rows and had no match. Matched techniques: Scripting (1), Windows Service (1, under both Persistence and Privilege Escalation), Process Injection (1), DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Masquerading (13), Modify Registry (1), Software Packing (1), File and Directory Discovery (1), System Information Discovery (13).
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 13 Masquerading | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Scripting | 1 Process Injection | 1 Modify Registry | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Software Packing | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Antivirus detection, initial sample (PoP8Setup.exe)
Scanner | Detection |
---|---|
ReversingLabs | 0% |
Virustotal | 0% |

Antivirus detection, dropped files (file names were not preserved; rows are in report order)
Dropped file | ReversingLabs | Virustotal |
---|---|---|
1 | 0% | 0% |
2 | 0% | 0% |
3 | 0% | 4% |
4 | 0% | 0% |
5 | 0% | 0% |
6 | 0% | 0% |
7 | 0% | 0% |
8 | 0% | 0% |
9 | 0% | 3% |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1431805 |
Start date and time: | 2024-04-25 20:00:04 +02:00 |
Joe Sandbox product: | CloudBasic |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Sample name: | PoP8Setup.exe |
Detection: | SUS |
Classification: | sus24.winEXE@2/15@0/0 (verdict sus, score 24, Windows EXE, 2 processes analysed and 15 dropped files, matching the process tree and the dropped-file list) |
Cookbook comments and warnings:
- Exclude process from analysis (whitelisted): dllhost.exe
- Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
- Not all processes were analyzed; the report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
The timeout and the "not all processes were analyzed" warning together mean behaviour coverage is incomplete; that is why the analysis advice asks for the dropped PE files to be resubmitted rather than treating their absence of behaviour as a clean result.
Dropped files (all written by C:\Users\user\Desktop\PoP8Setup.exe; file names and paths were not preserved in this copy of the report)

# | Category | Size (bytes) | Entropy (8bit) | Malicious | MD5 | SHA-1 | SHA-256 | SHA-512 |
---|---|---|---|---|---|---|---|---|
1 | dropped | 0 | 0.0 | false | 577F05CD683ED0577F6C970EA57129E0 | AEDF54A8976F0F8FF5588447C344595E3C468925 | 7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF | 2D1AEA243938A6A1289CF4EFCD541F28AB370A85EF05ED27B7B6D81CE43CEA671E06A0959994807923B1DFEC3B382EE95BD6F9489B74BBA59239601756082047 |
2 | dropped | 0 | 0.0 | false | 577F05CD683ED0577F6C970EA57129E0 | AEDF54A8976F0F8FF5588447C344595E3C468925 | 7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF | 2D1AEA243938A6A1289CF4EFCD541F28AB370A85EF05ED27B7B6D81CE43CEA671E06A0959994807923B1DFEC3B382EE95BD6F9489B74BBA59239601756082047 |
3 | dropped | 158648 | 6.175093839791051 | false | 577F05CD683ED0577F6C970EA57129E0 | AEDF54A8976F0F8FF5588447C344595E3C468925 | 7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF | 2D1AEA243938A6A1289CF4EFCD541F28AB370A85EF05ED27B7B6D81CE43CEA671E06A0959994807923B1DFEC3B382EE95BD6F9489B74BBA59239601756082047 |
4 | dropped | 0 | 0.0 | false | 3CAEE90CA6C672DAFE79F68693C0C445 | 4F359802178154AC6CA11A421B9A3CDC6716345C | 39F04C3BB4A47DFB1C4E1904EC2F8949146D2EE1659876B4B8066DC8C30B6DDD | 5B94DD828E88CBE5F24C8857AC0211F5EBF25268AEF08E93373AD02647452E25725D7EACD486E33393747CF2854FA51D1C175344F3A978173E57B3DB98C3B6AD |
5 | dropped | 1326104 | 6.201339073050438 | false | 3CAEE90CA6C672DAFE79F68693C0C445 | 4F359802178154AC6CA11A421B9A3CDC6716345C | 39F04C3BB4A47DFB1C4E1904EC2F8949146D2EE1659876B4B8066DC8C30B6DDD | 5B94DD828E88CBE5F24C8857AC0211F5EBF25268AEF08E93373AD02647452E25725D7EACD486E33393747CF2854FA51D1C175344F3A978173E57B3DB98C3B6AD |
6 | dropped | 0 | 0.0 | false | 13F9E2E97A2A22721124E3567F550344 | B470F1E7FC1AF8199AEE824DDF4E4C238A92F34B | FE30220ED25271075352B42B9F938E059AAD1494158BB43529617CE12973EFF4 | 99CAD6A2C76B3C98138E327E50DC02F4FFEFA9529F4BD96184056AE1EE330DB389300777DC75DFF7EC1B181ECF94B44726E115619DF3590C97FEF6437E604F0A |
7 | dropped (pop8win.exe; MD5 matches the second process in the tree) | 4117528 | 6.386725544082248 | false | 13F9E2E97A2A22721124E3567F550344 | B470F1E7FC1AF8199AEE824DDF4E4C238A92F34B | FE30220ED25271075352B42B9F938E059AAD1494158BB43529617CE12973EFF4 | 99CAD6A2C76B3C98138E327E50DC02F4FFEFA9529F4BD96184056AE1EE330DB389300777DC75DFF7EC1B181ECF94B44726E115619DF3590C97FEF6437E604F0A |
8 | dropped | 0 | 0.0 | false | 3302B5D28CB943406F12B1474A9557BA | 1646763E8529D0B1AAE06970F159C9DC5B93507F | 45644E11BE37DE79C468E2695CE1EEF26107A2C1EEECCA8ED4A962830303C72E | 0584306DCDD78A9EC0ABA8FB24E3E38CCC2DD5642312B2C1149A82B74F900CC568DAAFF107A6FF015B447D7DF78F2D189CD2901A75B32C3F42F7C391DF4D6409 |
9 | dropped | 142240 | 5.673453344725802 | false | 3302B5D28CB943406F12B1474A9557BA | 1646763E8529D0B1AAE06970F159C9DC5B93507F | 45644E11BE37DE79C468E2695CE1EEF26107A2C1EEECCA8ED4A962830303C72E | 0584306DCDD78A9EC0ABA8FB24E3E38CCC2DD5642312B2C1149A82B74F900CC568DAAFF107A6FF015B447D7DF78F2D189CD2901A75B32C3F42F7C391DF4D6409 |
10 | dropped | 1005 | 4.596269057571052 | false | 2624812EC52C28CA8E2A633E0F4FE333 | F53242D78B4C13F0A5478AFBC9874A03C2378BF8 | 9BDC08F716584BA672410529FBD807C35B66FE636644219CF78CA8B62604D34C | AEDAB18D5D4B9B299195DADAD27E29AFAECBB60F70377870D6D666532700B2C8346AD56F28D77D831705DEF79B9D3F0032E7B67F80258E318CE6623DCE3BA1D6 |
11 | dropped | 87058 | 5.090017662327696 | false | 859901059B55462FE0D47AAD3AF6A861 | 263C5A55D7CAF787F113F54993E9637837AB6081 | 1A77A4DC0B609B6FEF97C23F1EC71906FD67A612D7844AD423E34649FBB47CEB | 46D595DA447542AF73ABFABE6068D59414122F9A9DF9A3C6FC6CF76BDB9DAE9562E87B1AD3D1669B983B0C0D2937D7DDA749473A7C6AA13C16CED13977A54860 |
12 | dropped | 0 | 0.0 | false | 91101594328BE6A2804C1E00D5A7E235 | AF1542372B115D193785E09E4C20C8E9C95D4C70 | E0283E063C9BFB800DEC7EAE29B0FEB0D3D5EE89D7F7027076450E1522463FD6 | BD27969555EB1AE191E486E91B89331A82DF85DA2A8EA3A1529CCCF6A7045EA918DDB902D41375DC60005416BE6B9729841CF1BFA29BCCE8C3AE9D9505CA9C85 |
13 | dropped | 30208 | 7.256539950295231 | false | 9A0747DE09BC0FDEF4D21198E61B11BE | 39D54CFCECB911A1E03267BBC36817411C7A6E15 | FCA03CE1A4539ED221383FFA44491B066447986679D9F577BD60C8A3B0BDAF28 | C9E38E134D1F47051014F4EDDFCF19154E90C22B419C527DDD87A247AFD98C78318C1139C9CE6786F122AFE983CD160228B107BCCF46878ABB5160344ADF0BE5 |
14 | dropped | 29696 | 7.279485169544364 | true | DFD3D98A85AF042144B999FB21AE3234 | 9C575EB0F71B8C34E07E6E89E1D99D87846E3A5F | 74114E66E593460CE7189233E03FFA1DC77EC95E0D5BED50C291363D4CC2C1E9 | 1DFFB056E1AD65FEBB5FEE7BAAACBDBDCE07719AE3F7F05A3054EAD02B5A17BC1BD981E107964DF7260137DEE48C5E1B57AB6ADC08C193EB12DEFA9BB9B388C5 |
15 | dropped | 79371 | 4.925607845134666 | false | 7C4C52EA758E6755B20B1AC6D44FB765 | E55A7B463C8FDEE8D8D846D506CE7EC6B9A0947E | 746E6678666B4B50CC4EE561206D34D849840E38E4F5CCB3FA665A9A2B500C9D | 4E921C5DE1846CAD7335A202B17E8529BDBC1115A541CBC8F51E4A6C4EB15B667A9332CF97DC1C15CC6C51EE687DAF79D5D84B5DA4EDAB1096C8F67FA566FEDF |
16 | dropped | 1753 | 5.143237629684 | false | 290CD5295D502AF868BB235664645C30 | 0903EA61C093D49B6AFC61642B3D7BC4EEF3800D | F6DE9A672943D3E68610198D60EF0404CD1660EF42E01D6E9650D711E09D5BD1 | 284D9F0F3C077F8BF2EEA6BDF3BFF1982723FCD28099F3C5A9CB1C4A19BD321B6140DA800F729651AE078B16CFF0B7FCB1A9CFEFF23FEF9400A0E9E4326DF5D5 |
17 | dropped | 58944 | 5.84108445959513 | false | F4B5E1B2AC2086D77715EBA140B4D3C1 | DAB4617227A1242372B71F7B278103A3B0859434 | DFDEF70967C48DC7B8692D9C2075F8A06CE482B56E6DD901278B10F4F4B6A738 | FE04ABAD45A7C9EF86A2FD794BDB6077588BA632422D0507CC4D5764CC5468FF1C1BBD6001FED9E1F30BBEBBC8B26530D46E99FA11F243430D44A2011BD847BB |
18 | dropped | 23558 | 3.4538759440211932 | false | B90F4266176630002A965362083F5DAA | 25C4E260A1F7D9FAD00354C97DC414805BC16906 | 79DA7C4A1DBD6C0D09C30A2025AEC71BC652241F6BA06D7A90F5B47F963B991A | 2A2597684FFA78A5FDE4884A8DB1DD2915EAC734B6CF6A627E99EAF43429B41A636210A5BEBF13B5F4E10A8DD9839C28927A160498F346D0B19C09AD95D99834 |
19 | dropped | 253952 | 4.284946210439144 | false | 91101594328BE6A2804C1E00D5A7E235 | AF1542372B115D193785E09E4C20C8E9C95D4C70 | E0283E063C9BFB800DEC7EAE29B0FEB0D3D5EE89D7F7027076450E1522463FD6 | BD27969555EB1AE191E486E91B89331A82DF85DA2A8EA3A1529CCCF6A7045EA918DDB902D41375DC60005416BE6B9729841CF1BFA29BCCE8C3AE9D9505CA9C85 |
20 | dropped | 0 | 0.0 | false | 4E3E90DC698025E90D31FC714AFD0326 | BA61BECA0058E7D380CB1D9C160D3BAC02436BE5 | 0C9FA9595A70D0BF7BEDD1396B37483857B0C3127494B1F7B6FEE6350CD2A1AE | E28CAAD1D9E2C5E115794378E1A991D7A3DF3740146A6955E4A7DF1A8187DCE74814F6FCFB3DF156E45CEA7D5AC565E7028564B0F144106A1E80499220127A32 |
21 | modified | 156280 | 5.3492678812077115 | false | 4E3E90DC698025E90D31FC714AFD0326 | BA61BECA0058E7D380CB1D9C160D3BAC02436BE5 | 0C9FA9595A70D0BF7BEDD1396B37483857B0C3127494B1F7B6FEE6350CD2A1AE | E28CAAD1D9E2C5E115794378E1A991D7A3DF3740146A6955E4A7DF1A8187DCE74814F6FCFB3DF156E45CEA7D5AC565E7028564B0F144106A1E80499220127A32 |
22 | dropped | 545272 | 6.026003927739149 | false | CADDA490CB6BD2E13C4B6A2806660DA9 | 1135278A087E556C1F403437312BC9EFC16577C0 | 7EFC29CA14038A7A3D2B8DA54FE3D7AD10C258E7CCCAB6F481EDDE082D6ECEBD | 641BF84495AAA8D3C25B6766E4061128225319D0AA265068A0AEB12F43B6A28EE9A29AE1A46C1FAC12413A88F4186B71BB98ED606DA311747875B523FBDA43E8 |

Rows with size 0 and entropy 0.0 carry the hash of a non-empty row with the same content (an actually empty file hashes to MD5 d41d8cd98f00b204e9800998ecf8427e), so the size and entropy in those rows are not meaningful; the hash identifies the same file recorded a second time. Read by distinct hash, the table lists 15 files, matching the "15" in the classification string. Only row 14 is flagged malicious by the report, and it and row 13 are the two high-entropy (7.2+) files, which compress or pack their content; the remaining PE-sized files sit at entropies of 5.7 to 6.4, typical of plain native code.
Static file information: PoP8Setup.exe
File name: | PoP8Setup.exe |
File size: | 2'775'616 bytes (0x2a5a40) |
Entropy (8bit): | 7.992330851937082 |
MD5: | 31bbc34f3ce51ab1c28a63202db9860d |
SHA1: | 1ed7495f56baab6a0c7e829be2598f3b10ceadf5 |
SHA256: | 2e76e7677972cd02596456b95cb05964c30890a85a220753b68cbc64643bf7bb |
SHA512: | 1fd2c41b56490ebfdc148344e1370b7e3f3eb50ad2b14d98f02373124b4ba9e3374bcab3545a2b0c0c4ca926d818fd3d1661b9d91a832aca198882623c34878e |
SSDEEP: | 49152://Guw1I73YzKvLuZxukx+3ylqWP1ZrCNaz+ZNwt1hlvRWcTV+qQqZnzbh6:/OuwOrYzKSZUSkWP1ZrCfZujXJdTc4nE |
TLSH: | 89D533ECD89BCE94C8851C7AE0C7913F1FAE391DDAD52D72C4C52E1E0AB166A484436E |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.o.9...9...9...0...;.......:...9........#l.:....#}.8...9...8....#y.8...Rich9...................PE..L...A..e................. . |
Icon Hash: | 4d6d26369389094d |
Entrypoint: | 0x4015ad |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x65AD0841 [Sun Jan 21 12:04:17 2024 UTC] |
TLS Callbacks: | none (TLS data directory is 0x0) |
CLR (.Net) Version: | none (COM descriptor directory is 0x0; native PE32) |
OS Version: | 4.0 |
File Version: | 4.0 |
Subsystem Version: | 4.0 |
Import Hash: | 20c4b14b5064e66d073d37066475b11c |
Signature Valid: | true |
Signature Issuer: | CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Certificate Version: | 3 |
Thumbprint MD5: | 0732A8FB8E2752423978408788DD0652 |
Thumbprint SHA-1: | CB3D15998E0DADA45B7FDE7537CDF3EB0583EC44 |
Thumbprint SHA-256: | CEC82DC72D171809FEAEDDD8C4385B008CBE15982AB9468E5C3C730B1ADC8DBE |
Serial: | 1C6124EDF233584A3C9425DAFC4B02E5 |
The certificate's subject and validity period (Not Before / Not After) were not preserved in this copy, so what survives is that the sandbox's chain validation succeeded, not who the signer is. Before treating the signature as an identity, verify it on the file itself (Get-AuthenticodeSignature in PowerShell, or signtool verify /pa /v) and confirm the subject is the publisher you expect; a valid EV signature says the signer held the key, not that the payload is benign. The link timestamp (21 Jan 2024) precedes the analysis date (25 Apr 2024), which is consistent with a normal release.
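The header fields above can be reproduced by parsing the PE headers directly, which is the check to run when a report's static section and the file in hand disagree. The Python below is an added example, not code from the report or from the publisher of this installer; it parses the DOS, COFF and PE32 optional headers, the data directories and the section table, decodes the characteristic flags, and then runs the triage checks an analyst wants on any sample (writable-and-executable sections, entrypoint location, whether the Authenticode certificate table ends at EOF or data trails it, DEP/ASLR opt-in). It runs on a constructed header carrying the values this report prints (timestamp 0x65AD0841, entrypoint RVA 0x15ad, image base 0x400000, DllCharacteristics 0x8540, the seven sections and the six populated data directories); the raw-data offsets, linker version and size fields are assumed, since the report does not print them. Feed parse_pe_header() the first few kilobytes of a real file to use it for real.

```python
import struct
from datetime import datetime, timezone

# Flag names from the PE/COFF specification (only the bits that matter for triage).
FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF",
             0x8000: "TERMINAL_SERVER_AWARE"}
SEC_FLAGS = {0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA", 0x00000080: "CNT_UNINITIALIZED_DATA",
             0x02000000: "MEM_DISCARDABLE", 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
COFF = "<IHHIIIHH"                                              # "PE\0\0" + 20-byte COFF file header
OPT32 = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header, 96 standard bytes
SECTION = "<8sIIIIIIHHI"                                        # 40-byte section header


def flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data: bytes) -> dict:
    """Parse the DOS, COFF and PE32 optional headers, data directories and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig, machine, nsec, ts, _, _, opt_size, fchars = struct.unpack_from(COFF, data, e_lfanew)
    if sig != 0x00004550:
        raise ValueError("no PE signature at e_lfanew")
    opt_off = e_lfanew + struct.calcsize(COFF)
    o = struct.unpack_from(OPT32, data, opt_off)
    if o[0] != 0x10B:
        raise ValueError(f"PE32 only; optional header magic 0x{o[0]:x}")
    entry_rva, image_base, subsystem, dll_chars, ndirs = o[6], o[9], o[22], o[23], o[29]
    dir_off = opt_off + struct.calcsize(OPT32)
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, ch = struct.unpack_from(SECTION, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags(ch, SEC_FLAGS)})
    entry_sec = next((s["name"] for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    security = dirs[4] if ndirs > 4 else (0, 0)   # directory 4 holds a FILE OFFSET, not an RVA
    return {"machine": machine,
            "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "file_characteristics": flags(fchars, FILE_FLAGS),
            "entrypoint": image_base + entry_rva, "entrypoint_section": entry_sec,
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "dll_characteristics": flags(dll_chars, DLL_FLAGS),
            "signature_offset": security[0], "signature_size": security[1], "sections": sections}


def audit(info: dict, file_size: int) -> list:
    """The checks worth running on a header before trusting the rest of a report."""
    findings = []
    for s in info["sections"]:
        if "MEM_WRITE" in s["flags"] and "MEM_EXECUTE" in s["flags"]:
            findings.append(f"{s['name']}: writable and executable section")
        if s["raw_size"] == 0 and s["vsize"]:
            findings.append(f"{s['name']}: no raw data, {s['vsize']:#x} bytes zero-filled at load")
    sig_end = info["signature_offset"] + info["signature_size"]
    if info["signature_size"] == 0:
        findings.append("no security directory: file carries no Authenticode signature")
    elif sig_end == file_size:
        findings.append("authenticode certificate table ends exactly at EOF; no trailing overlay")
    elif sig_end < file_size:
        findings.append(f"{file_size - sig_end} bytes trail the certificate table")
    else:
        findings.append("security directory extends past EOF (truncated or bogus)")
    if info["entrypoint_section"] is None:
        findings.append("entrypoint lies outside every section")
    if not {"NX_COMPAT", "DYNAMIC_BASE"} <= set(info["dll_characteristics"]):
        findings.append("DEP or ASLR not opted in")
    return findings


def build_sample_header() -> bytes:
    """Constructed PE32 header carrying the values this report prints; NOT the real file's bytes.
    Raw-data offsets, linker version and size fields are assumed (the report does not print them)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40, no DOS stub
    coff = struct.pack(COFF, 0x00004550, 0x14C, 7, 0x65AD0841, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(OPT32, 0x10B, 14, 0, 0x2000, 0x298A00, 0, 0x15AD, 0x1000, 0x3000, 0x400000,
                      0x1000, 0x200, 4, 0, 4, 0, 4, 0, 0, 0x2A4000, 0x400, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    for idx, entry in {1: (0x3334, 0x3C), 2: (0x5000, 0x8108), 4: (0x2A0000, 0x5A40),
                       5: (0xE000, 0xD8), 6: (0x30B0, 0x1C), 12: (0x3000, 0xA8)}.items():
        dirs[idx] = entry
    secs = [(b".text", 0x1F24, 0x1000, 0x2000, 0x400, 0x60000020),
            (b".rdata", 0x70F, 0x3000, 0x800, 0x2400, 0x40000040),
            (b".data", 0x410, 0x4000, 0, 0, 0xC0000040),
            (b".rsrc", 0x8108, 0x5000, 0x8200, 0x2C00, 0x40000040),
            (b".reloc", 0x174, 0xE000, 0x200, 0xAE00, 0x42000040),
            (b".tsustub", 0x25EA3, 0xF000, 0x26000, 0xB000, 0x42000040),
            (b".tsuarch", 0x26F000, 0x35000, 0x26F000, 0x31000, 0x42000040)]
    return (dos + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)
            + b"".join(struct.pack(SECTION, n, vs, va, rs, rp, 0, 0, 0, 0, ch) for n, vs, va, rs, rp, ch in secs))


if __name__ == "__main__":
    info = parse_pe_header(build_sample_header())
    print({k: v for k, v in info.items() if k != "sections"})
    print(audit(info, 2775616))
```

On the constructed header the audit reports two things: .data has no raw bytes (its 0x410 bytes are zero-filled at load, which is why its MD5 in the section table is the hash of empty input), and the certificate table at 0x2a0000 + 0x5a40 ends exactly at the 2'775'616-byte file size, so there is no overlay hiding behind the signature.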
Entrypoint disassembly (0x4015ad, in .text)
Reading the prologue: after reserving a 0x740-byte frame, the stub sets the first dword of a local structure to 0x114 (276 bytes, the size of OSVERSIONINFOW) and passes it to an import, which matches the imported GetVersionExW; it then tests the dwPlatformId field at +0x10 (ebp-0x118) against 2 (VER_PLATFORM_WIN32_NT) and the major/minor version fields against 6.2, storing 0x1100 in a global when the platform is NT at version 6.2 or later and 8 otherwise. The return values of three other imports and the two dwords of a FILETIME filled by a fourth are mixed into edi with NOT and XOR, the usual tick-count/id/time seed. The call with arguments (0, buffer, 0x104 = MAX_PATH) is consistent with GetModuleFileNameW(NULL, ...), and GetLastError() == 0x78 (ERROR_CALL_NOT_IMPLEMENTED) is treated as fatal by storing 0xFD. The branch targets are the sandbox's rebased addresses, not addresses in the file.
Instruction |
---|
push ebp |
mov ebp, esp |
sub esp, 00000740h |
push ebx |
push esi |
xor ebx, ebx |
push edi |
mov word ptr [ebp-00000538h], bx |
mov dword ptr [ebp-0Ch], ebx |
mov dword ptr [ebp-04h], ebx |
call dword ptr [00403070h] |
mov esi, eax |
lea eax, dword ptr [ebp-00000128h] |
push eax |
mov dword ptr [ebp-00000128h], 00000114h |
call dword ptr [0040306Ch] |
cmp dword ptr [ebp-00000118h], 02h |
jne 00007F36B04FD332h |
cmp dword ptr [ebp-00000124h], 06h |
jnbe 00007F36B04FD31Dh |
jne 00007F36B04FD327h |
cmp dword ptr [ebp-00000120h], 02h |
jc 00007F36B04FD31Eh |
mov dword ptr [0040440Ch], 00001100h |
jmp 00007F36B04FD31Ch |
mov dword ptr [0040440Ch], 00000008h |
lea eax, dword ptr [ebp-14h] |
push eax |
call dword ptr [00403068h] |
call dword ptr [00403064h] |
mov edi, eax |
not edi |
xor edi, esi |
call dword ptr [00403060h] |
xor edi, eax |
mov eax, dword ptr [ebp-10h] |
xor eax, dword ptr [ebp-14h] |
push 00000104h |
xor edi, eax |
lea eax, dword ptr [ebp-00000740h] |
push eax |
push ebx |
call dword ptr [0040305Ch] |
test eax, eax |
jne 00007F36B04FD353h |
call dword ptr [00403008h] |
cmp eax, 78h |
jne 00007F36B04FD32Ch |
push 004032FCh |
call 00007F36B04FCD20h |
pop ecx |
mov dword ptr [00404408h], 000000FDh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3334 | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5000 | 0x8108 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2a0000 | 0x5a40 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xd8 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x30b0 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3000 | 0xa8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
The security directory holds a file offset rather than an RVA: 0x2a0000 + 0x5a40 = 0x2a5a40 = 2'775'616, exactly the file size, so the Authenticode certificate table is the last thing in the file and nothing trails it. The raw section sizes below add up to 0x29fc00; with a 0x400-byte header region (assumed, as is typical for a 0x200 file alignment; the report does not print SizeOfHeaders) that is exactly 0x2a0000, so the certificate table begins immediately after .tsuarch.
.tsustub and .tsuarch hold 0x26000 + 0x26f000 = 0x295000 = 2,707,456 of the file's 2,775,616 bytes (97.5%); .tsustub has entropy 7.998 and compresses to 99.8% of its size, so the whole-file entropy of 7.99 is that payload, not the 8 KB of code in .text (entropy 6.41). Neither name is a standard linker section; by their names they are an embedded stub and archive, consistent with the 15 files the installer drops. .data has raw size 0 and the MD5 of empty input (d41d8cd98f00b204e9800998ecf8427e): its 0x410 virtual bytes are zero-filled at load.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1f24 | 0x2000 | 238be0c23ac787227d3ec82cd803d77b | False | 0.611083984375 | data | 6.407650508595175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x3000 | 0x70f | 0x800 | 774123c0e0989df6de4758c1c8736fcd | False | 0.48388671875 | data | 4.7219381205576685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x4000 | 0x410 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x5000 | 0x8108 | 0x8200 | 554c55809a36daef0867517dfd01a840 | False | 0.28272235576923077 | data | 4.037171789061473 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0xe000 | 0x174 | 0x200 | 0e109f2ae39d20fdea549b1a04660bf8 | False | 0.453125 | data | 3.339167376222123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.tsustub | 0xf000 | 0x25ea3 | 0x26000 | ac7d653cf9eb9f6121bac96b1812d76b | False | 0.9983809621710527 | data | 7.997541211940017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.tsuarch | 0x35000 | 0x26f000 | 0x26f000 | 1c089f3e3df955108e570608f95c37f1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
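The Entropy and ZLIB Complexity columns are what separate the 8 KB of code in .text from the 2.5 MB payload in .tsustub and .tsuarch. The Python below is an added example, not the sandbox's code, that computes both measures and applies the thresholds an analyst uses when reading them: 8-bit Shannon entropy, and the compressed-size ratio, which is assumed here to be the definition behind the ZLIB Complexity column. It runs on constructed, deterministic stand-in data (an empty section, text, code-like bytes over 128 symbols, and uniformly random bytes), not on the real sections; point triage_section() at real section bytes to use it on a file.

```python
import math
import random
import zlib


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed-size ratio len(zlib(data)) / len(data), assumed to be what the report's
    'ZLIB Complexity' column measures. Near 1.0 means the bytes do not compress at all."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def triage_section(name: str, data: bytes) -> dict:
    """Classify a section the way an analyst reads the entropy and zlib columns together."""
    ent, cx = shannon_entropy(data), zlib_complexity(data)
    if not data:
        verdict = "empty: no raw data in the file"
    elif ent > 7.9 and cx > 0.95:
        verdict = "incompressible: compressed, encrypted or packed payload"
    elif ent > 6.0:
        verdict = "machine code or mixed binary"
    else:
        verdict = "low entropy: strings, tables, sparse data"
    return {"name": name, "size": len(data), "entropy": round(ent, 3), "zlib": round(cx, 3), "verdict": verdict}


# Constructed stand-ins for the report's sections (seeded, so the run is reproducible; not the real bytes).
_rng = random.Random(1431805)
SAMPLES = {
    ".data": b"",                                                       # raw size 0, like the report's .data
    ".rdata": b"This program cannot be run in DOS mode.\r\n" * 40,       # text: few distinct symbols
    ".text": bytes(_rng.randrange(0, 256, 2) for _ in range(4096)),      # 128 symbols: about 7 bits/byte
    ".tsuarch": bytes(_rng.getrandbits(8) for _ in range(8192)),         # uniform: about 8 bits/byte
}


def triage_all(samples=None) -> dict:
    samples = SAMPLES if samples is None else samples
    return {name: triage_section(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for row in triage_all().values():
        print(f"{row['name']:<9} size={row['size']:>6} entropy={row['entropy']:.3f} "
              f"zlib={row['zlib']:.3f}  {row['verdict']}")
```

The two measures are read together on purpose: high entropy with a zlib ratio near 1.0 is data that is already compressed or encrypted (the .tsustub row), while code sits around 6 to 6.5 bits per byte and still compresses noticeably (the .text row at 0.61).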
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x5310 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | 0.4637096774193548 | ||
RT_ICON | 0x55f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | 0.5777027027027027 | ||
RT_ICON | 0x5720 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | 0.26545842217484006 | ||
RT_ICON | 0x65c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | 0.3575268817204301 | ||
RT_ICON | 0x68b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | 0.4831081081081081 | ||
RT_ICON | 0x69d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2688 | 0.3699360341151386 | ||
RT_ICON | 0x7880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | 0.46796028880866425 | ||
RT_ICON | 0x8128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | 0.5874277456647399 | ||
RT_ICON | 0x8690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | 0.19865145228215766 | ||
RT_ICON | 0xac38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | 0.2539868667917448 | ||
RT_ICON | 0xbce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | 0.42819148936170215 | ||
RT_GROUP_ICON | 0xc148 | 0x76 | data | 0.6864406779661016 | ||
RT_VERSION | 0xc1c0 | 0x920 | data | 0.2902397260273973 | ||
RT_MANIFEST | 0xcae0 | 0x625 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.45581691036236494 |
DLL | Import |
---|---|
KERNEL32.dll | OutputDebugStringA, FreeLibrary, GetLastError, lstrcpynW, GetProcAddress, LoadLibraryExW, GetSystemDirectoryW, UnmapViewOfFile, MultiByteToWideChar, MapViewOfFile, CloseHandle, CreateFileMappingW, GetFileSize, CreateFileW, lstrlenW, GetCommandLineW, ExitProcess, Sleep, DeleteFileW, SetFileAttributesW, GetFileAttributesW, GetTempPathW, GetModuleHandleW, GetModuleFileNameW, GetTickCount, GetCurrentThreadId, GetSystemTimeAsFileTime, GetVersionExW, GetCurrentProcessId, HeapAlloc, GetProcessHeap, HeapFree, ReadFile, WriteFile, SetFileTime, SetFilePointer |
USER32.dll | wvsprintfA, wsprintfW, PostMessageW, MessageBoxA |
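The Import Hash in the static section is the imphash: an MD5 over the lower-cased module.function import list in import-directory order, which is why it fingerprints a linker or installer-stub family rather than a single build. The Python below is an added example, not the sandbox's implementation; it reproduces the basic algorithm (as pefile computes it, minus pefile's ordinal-to-name tables for oleaut32, ws2_32 and wsock32, which this sample does not import) over the import table as printed above. If the printed table preserves the on-disk order, report_imphash() equals the report's 20c4b14b5064e66d073d37066475b11c; a mismatch means the printed order or set differs from the PE's import directory, not that the algorithm is wrong.

```python
import hashlib
import re

# Import table as printed in the report: (DLL, imported symbols in table order).
REPORT_IMPORTS = [
    ("KERNEL32.dll", [
        "OutputDebugStringA", "FreeLibrary", "GetLastError", "lstrcpynW", "GetProcAddress",
        "LoadLibraryExW", "GetSystemDirectoryW", "UnmapViewOfFile", "MultiByteToWideChar",
        "MapViewOfFile", "CloseHandle", "CreateFileMappingW", "GetFileSize", "CreateFileW",
        "lstrlenW", "GetCommandLineW", "ExitProcess", "Sleep", "DeleteFileW",
        "SetFileAttributesW", "GetFileAttributesW", "GetTempPathW", "GetModuleHandleW",
        "GetModuleFileNameW", "GetTickCount", "GetCurrentThreadId", "GetSystemTimeAsFileTime",
        "GetVersionExW", "GetCurrentProcessId", "HeapAlloc", "GetProcessHeap", "HeapFree",
        "ReadFile", "WriteFile", "SetFileTime", "SetFilePointer"]),
    ("USER32.dll", ["wvsprintfA", "wsprintfW", "PostMessageW", "MessageBoxA"]),
]

_MODULE_SUFFIX = re.compile(r"\.(dll|ocx|sys)$")


def normalize_import(dll: str, symbol) -> str:
    """One imphash token: lower-case 'module.symbol', with the .dll/.ocx/.sys suffix dropped
    from the module and an ordinal-only import (an int) rendered as 'ordN'."""
    module = _MODULE_SUFFIX.sub("", dll.lower())
    name = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
    return f"{module}.{name}"


def imphash(imports) -> str:
    """MD5 over the comma-joined tokens in import-directory order; reordering changes the hash."""
    tokens = [normalize_import(dll, sym) for dll, symbols in imports for sym in symbols]
    return hashlib.md5(",".join(tokens).encode("ascii")).hexdigest()


def report_imphash() -> str:
    return imphash(REPORT_IMPORTS)


if __name__ == "__main__":
    print("computed:", report_imphash())
    print("report  : 20c4b14b5064e66d073d37066475b11c")
```

Because the hash depends on order, two builds of the same stub with the same source produce the same value even when every byte of code changes; that is what makes it useful for clustering installer stubs and droppers, and also why it says nothing about the payload carried in .tsuarch.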