Windows Analysis Report
activation.reg.exe

Overview

General Information

Sample Name: activation.reg.exe (renamed file extension from exe to dll)
Analysis ID: 635341
MD5: e49b92466821b19645b618b6a09a6880
SHA1: b2bbafa02be38b07a4eb61049638ff86f0f8638b
SHA256: 90a0e059cd3f4ed0c9fac00a88ea262988b4cd6635aeb23bb7f5aab64d6aca0a

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory

Classification

AV Detection

Source: activation.reg.exe Virustotal: Detection: 8%
Source: activation.reg.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: activation.reg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\SyncAppvPublishingServer.vbs
Source: activation.reg.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal48.winEXE@10/1@0/0
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\alfredo\Desktop\activation.reg.dll,dummy
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\alfredo\Desktop\activation.reg.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\alfredo\Desktop\activation.reg.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\alfredo\Desktop\activation.reg.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\alfredo\Desktop\activation.reg.dll",dummy
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: activation.reg.exe Static file information: File size 6035976 > 1048576
Source: activation.reg.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x546400
Source: activation.reg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: activation.reg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: activation.reg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: activation.reg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: activation.reg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: activation.reg.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: activation.reg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: activation.reg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: activation.reg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: activation.reg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: activation.reg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
No contacted IP information