
Windows Analysis Report
ac-11_30b-portable.exe

Overview

General Information

Sample name:ac-11_30b-portable.exe
Analysis ID:1453802
MD5:c7798bfeafb401fe181a74cfe97491ef
SHA1:3b176bb5c405745ce1dabe19c28cb0d9f9ed747d
SHA256:67fc023df9d0acf6d5fe51e0ff29a5eba13e9b97f204719f4e60c11819d6e700
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • ac-11_30b-portable.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\ac-11_30b-portable.exe" MD5: C7798BFEAFB401FE181A74CFE97491EF)
    • ac-11_30b-portable.tmp (PID: 1264 cmdline: "C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp" /SL5="$1048C,4527329,800256,C:\Users\user\Desktop\ac-11_30b-portable.exe" MD5: CB3426626292D82DC9B56785E63EB135)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: ac-11_30b-portable.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Window detected: License Agreement
  Please read the following important information before continuing.
  Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.
  End-User license agreement for Attribute Changer
  1. Software installation and use
  You may install use access run or otherwise interact with ("Run") one copy of the SOFTWARE on a single or multiple computers. The SOFTWARE may be installed accessed displayed run shared or used concurrently on or from different computers. These rights are applicable for personal and commercial use of the SOFTWARE.
  2. No consequential or other damages
  To the maximum extent permitted by applicable law the author shall not be liable for any other damages whatsoever (including without limitation damages for loss of business profits business interruption loss of business information or other pecuniary loss) arising out of the use of or inability to use the SOFTWARE) even if the author has been advised of the possibility of such damages. To the extent that you could have avoided damages by taking reasonable care including by backing up your software and other files the author and its suppliers will not be liable for such damages.
  3. No reverse engineering decompilation and disassembly
  You may not reverse engineer decompile or disassemble the SOFTWARE.
  4. Copyright
  All title and intellectual property rights in and to the SOFTWARE are owned by the author.
  5. No separation of components
  The SOFTWARE is licensed as a single product and its component parts may not be separated.
  I &accept the agreement | I &do not accept the agreement | &Next | Cancel
Source: ac-11_30b-portable.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: ac-11_30b-portable.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: ac-11_30b-portable.exe, 00000000.00000003.2028242247.0000000002720000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.exe, 00000000.00000003.2029021236.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000000.2030812920.0000000000401000.00000020.00000001.01000000.00000004.sdmp, ac-11_30b-portable.tmp.0.dr | String found in binary or memory: https://www.innosetup.com/
Source: ac-11_30b-portable.tmp, 00000002.00000002.2309315884.000000000018C000.00000004.00000010.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2304795476.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-11EAM.tmp.2.dr | String found in binary or memory: https://www.petges.lu/)
Source: ac-11_30b-portable.exe, 00000000.00000003.2027036880.00000000025E0000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.exe, 00000000.00000003.2310797994.0000000002321000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2307160299.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2307703455.0000000002431000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2304795476.0000000005040000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2032340088.0000000003480000.00000004.00001000.00020000.00000000.sdmp, is-K86LN.tmp.2.dr | String found in binary or memory: https://www.petges.lu/donate
Source: ac-11_30b-portable.tmp, 00000002.00000002.2309315884.000000000018C000.00000004.00000010.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2304795476.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-11EAM.tmp.2.dr | String found in binary or memory: https://www.petges.lu/donate)
Source: ac-11_30b-portable.tmp, 00000002.00000003.2304795476.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-K86LN.tmp.2.dr | String found in binary or memory: https://www.petges.lu/donateopen
Source: ac-11_30b-portable.exe, 00000000.00000003.2028242247.0000000002720000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.exe, 00000000.00000003.2029021236.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000000.2030812920.0000000000401000.00000020.00000001.01000000.00000004.sdmp, ac-11_30b-portable.tmp.0.dr | String found in binary or memory: https://www.remobjects.com/ps
Source: ac-11_30b-portable.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: ac-11_30b-portable.exe, 00000000.00000000.2026675158.00000000004C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs ac-11_30b-portable.exe
Source: ac-11_30b-portable.exe, 00000000.00000003.2029021236.000000007FE36000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs ac-11_30b-portable.exe
Source: ac-11_30b-portable.exe, 00000000.00000003.2028242247.0000000002A0A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs ac-11_30b-portable.exe
Source: ac-11_30b-portable.exe, 00000000.00000003.2310797994.0000000002348000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs ac-11_30b-portable.exe
Source: ac-11_30b-portable.exe | Binary or memory string: OriginalFileName vs ac-11_30b-portable.exe
Source: ac-11_30b-portable.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: clean1.winEXE@3/9@0/0
Source: is-11EAM.tmp.2.dr | Initial sample: https://www.petges.lu/
Source: is-11EAM.tmp.2.dr | Initial sample: https://www.petges.lu/donate
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | File created: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: ac-11_30b-portable.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | File read: C:\Users\user\Desktop\ac-11_30b-portable.exe
Source: unknown | Process created: C:\Users\user\Desktop\ac-11_30b-portable.exe "C:\Users\user\Desktop\ac-11_30b-portable.exe"
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | Process created: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp "C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp" /SL5="$1048C,4527329,800256,C:\Users\user\Desktop\ac-11_30b-portable.exe"
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Window detected: License Agreement
  Please read the following important information before continuing.
  Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.
  End-User license agreement for Attribute Changer
  1. Software installation and use
  You may install use access run or otherwise interact with ("Run") one copy of the SOFTWARE on a single or multiple computers. The SOFTWARE may be installed accessed displayed run shared or used concurrently on or from different computers. These rights are applicable for personal and commercial use of the SOFTWARE.
  2. No consequential or other damages
  To the maximum extent permitted by applicable law the author shall not be liable for any other damages whatsoever (including without limitation damages for loss of business profits business interruption loss of business information or other pecuniary loss) arising out of the use of or inability to use the SOFTWARE) even if the author has been advised of the possibility of such damages. To the extent that you could have avoided damages by taking reasonable care including by backing up your software and other files the author and its suppliers will not be liable for such damages.
  3. No reverse engineering decompilation and disassembly
  You may not reverse engineer decompile or disassemble the SOFTWARE.
  4. Copyright
  All title and intellectual property rights in and to the SOFTWARE are owned by the author.
  5. No separation of components
  The SOFTWARE is licensed as a single product and its component parts may not be separated.
  I &accept the agreement | I &do not accept the agreement | &Next | Cancel
Source: ac-11_30b-portable.exe | Static file information: File size 5404248 > 1048576
Source: ac-11_30b-portable.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: ac-11_30b-portable.exe | Static PE information: section name: .didata
Source: ac-11_30b-portable.tmp.0.dr | Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | File created: C:\Users\user\AppData\Local\Temp\is-N269D.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | File created: C:\Users\user\Desktop\Attribute Changer Portable\is-K86LN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | File created: C:\Users\user\Desktop\Attribute Changer Portable\acmain.exe (copy)
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | File created: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp
Source: C:\Users\user\Desktop\ac-11_30b-portable.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N269D.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Dropped PE file which has not been started: C:\Users\user\Desktop\Attribute Changer Portable\is-K86LN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | Dropped PE file which has not been started: C:\Users\user\Desktop\Attribute Changer Portable\acmain.exe (copy)
Source: ac-11_30b-portable.tmp, 00000002.00000003.2304795476.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-K86LN.tmp.2.dr | Binary or memory string: Shell_TrayWnd
Source: ac-11_30b-portable.tmp, 00000002.00000003.2304795476.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-K86LN.tmp.2.dr | Binary or memory string: DateTimeShell_TrayWnd
ATT&CK matrix (techniques listed per tactic, in the order shown in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: 1 Spearphishing Link; Default Accounts; Domain Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 2 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 1 Masquerading; 2 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 Process Discovery; 2 System Owner/User Discovery; 1 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1453802
Sample: ac-11_30b-portable.exe
Startdate: 07/06/2024
Architecture: WINDOWS
Score: 1
  • ac-11_30b-portable.exe (started)
    • dropped: C:\Users\user\...\ac-11_30b-portable.tmp, PE32
    • ac-11_30b-portable.tmp (started)
      • dropped: C:\Users\user\Desktop\...\is-K86LN.tmp, PE32+
      • dropped: C:\Users\user\Desktop\...\acmain.exe (copy), PE32+
      • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+

Source | Detection | Scanner | Label | Link
ac-11_30b-portable.exe | 5% | ReversingLabs

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\is-N269D.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp | 0% | ReversingLabs
C:\Users\user\Desktop\Attribute Changer Portable\acmain.exe (copy) | 0% | ReversingLabs
C:\Users\user\Desktop\Attribute Changer Portable\is-K86LN.tmp | 0% | ReversingLabs

No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.petges.lu/) | 0% | Avira URL Cloud | safe
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | 0% | Avira URL Cloud | safe
https://www.petges.lu/donate) | 0% | Avira URL Cloud | safe
https://www.innosetup.com/ | 0% | Avira URL Cloud | safe
https://www.petges.lu/donate | 0% | Avira URL Cloud | safe
https://www.petges.lu/donateopen | 0% | Avira URL Cloud | safe
https://www.remobjects.com/ps | 0% | Avira URL Cloud | safe

No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | ac-11_30b-portable.exe | false | Avira URL Cloud: safe | unknown
https://www.petges.lu/) | ac-11_30b-portable.tmp, 00000002.00000002.2309315884.000000000018C000.00000004.00000010.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2304795476.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-11EAM.tmp.2.dr | false | Avira URL Cloud: safe | unknown
https://www.petges.lu/donate | ac-11_30b-portable.exe, 00000000.00000003.2027036880.00000000025E0000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.exe, 00000000.00000003.2310797994.0000000002321000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2307160299.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2307703455.0000000002431000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2304795476.0000000005040000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2032340088.0000000003480000.00000004.00001000.00020000.00000000.sdmp, is-K86LN.tmp.2.dr | false | Avira URL Cloud: safe | unknown
https://www.remobjects.com/ps | ac-11_30b-portable.exe, 00000000.00000003.2028242247.0000000002720000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.exe, 00000000.00000003.2029021236.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000000.2030812920.0000000000401000.00000020.00000001.01000000.00000004.sdmp, ac-11_30b-portable.tmp.0.dr | false | Avira URL Cloud: safe | unknown
https://www.innosetup.com/ | ac-11_30b-portable.exe, 00000000.00000003.2028242247.0000000002720000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.exe, 00000000.00000003.2029021236.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000000.2030812920.0000000000401000.00000020.00000001.01000000.00000004.sdmp, ac-11_30b-portable.tmp.0.dr | false | Avira URL Cloud: safe | unknown
https://www.petges.lu/donate) | ac-11_30b-portable.tmp, 00000002.00000002.2309315884.000000000018C000.00000004.00000010.00020000.00000000.sdmp, ac-11_30b-portable.tmp, 00000002.00000003.2304795476.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-11EAM.tmp.2.dr | false | Avira URL Cloud: safe | unknown
https://www.petges.lu/donateopen | ac-11_30b-portable.tmp, 00000002.00000003.2304795476.0000000005040000.00000004.00001000.00020000.00000000.sdmp, is-K86LN.tmp.2.dr | false | Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1453802
Start date and time:2024-06-07 18:01:25 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 51s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:ac-11_30b-portable.exe
Detection:CLEAN
Classification:clean1.winEXE@3/9@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • VT rate limit hit for: ac-11_30b-portable.exe
No simulations
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\is-N269D.tmp\_isetup\_setup64.tmp | AnyDesk_new_Soft.exe | Get hash | malicious | Unknown | Browse |
 | AnyDesk_new_Soft.exe | Get hash | malicious | EICAR | Browse |
 | InstallRootCert.exe | Get hash | malicious | Unknown | Browse |
 | file.exe | Get hash | malicious | Unknown | Browse |
 | f_0041dc | Get hash | malicious | Unknown | Browse |
 | SecuriteInfo.com.Win32.Malware-gen.15356.26888.exe | Get hash | malicious | Unknown | Browse |
 | SecuriteInfo.com.Win32.Malware-gen.15356.26888.exe | Get hash | malicious | Unknown | Browse |
 | Shift - Recipes_spn7g.exe | Get hash | malicious | Unknown | Browse |
 | SecuriteInfo.com.Program.Unwanted.4903.10559.20508.exe | Get hash | malicious | Unknown | Browse |
 | SecuriteInfo.com.Program.Unwanted.4903.10559.20508.exe | Get hash | malicious | Unknown | Browse |
                      Process:C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp
                      File Type:PE32+ executable (console) x86-64, for MS Windows
                      Category:dropped
                      Size (bytes):6144
                      Entropy (8bit):4.720366600008286
                      Encrypted:false
                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Joe Sandbox View:
                      • Filename: AnyDesk_new_Soft.exe, Detection: malicious, Browse
                      • Filename: AnyDesk_new_Soft.exe, Detection: malicious, Browse
                      • Filename: InstallRootCert.exe, Detection: malicious, Browse
                      • Filename: file.exe, Detection: malicious, Browse
                      • Filename: f_0041dc, Detection: malicious, Browse
                      • Filename: SecuriteInfo.com.Win32.Malware-gen.15356.26888.exe, Detection: malicious, Browse
                      • Filename: SecuriteInfo.com.Win32.Malware-gen.15356.26888.exe, Detection: malicious, Browse
                      • Filename: Shift - Recipes_spn7g.exe, Detection: malicious, Browse
                      • Filename: SecuriteInfo.com.Program.Unwanted.4903.10559.20508.exe, Detection: malicious, Browse
                      • Filename: SecuriteInfo.com.Program.Unwanted.4903.10559.20508.exe, Detection: malicious, Browse
                      Reputation:high, very likely benign file
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp
                      File Type:PC bitmap, Windows 3.x format, 112 x 26 x 24, resolution 3780 x 3780 px/m, cbSize 8790, bits offset 54
                      Category:dropped
                      Size (bytes):8790
                      Entropy (8bit):3.310217840721585
                      Encrypted:false
                      SSDEEP:48:gml2rppavosdIdMVFkxsbPkNB2sPkp2CIqFJljEiPvS3p7g06M9TrcYEh:gmapav7nVga0tPkLFJljEiPvS3d6x
                      MD5:80E5F46DC234B65DE72748B0345759C2
                      SHA1:B33DFEB6E86DD39862064E92FA824B13DEB243A5
                      SHA-256:BA217938924ACCAEA4FA3E840DB108B3C35EAC41DC8EDD821B62647F5DAC73E3
                      SHA-512:FF1C81A5EB55ACF47CA2BDCCD5135E950E87E724A7C315642B08B8F443D267D0233766C74D8F71CB0C7A5B40FF0235379227DFA100C4DBCAD6FF0B96E696A2C8
                      Malicious:false
                      Reputation:low
                      Preview:BMV"......6...(...p.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\Desktop\ac-11_30b-portable.exe
                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):3136512
                      Entropy (8bit):6.369490023362895
                      Encrypted:false
                      SSDEEP:49152:tWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbW333ig:3tLutqgwh4NYxtJpkxhGB333l
                      MD5:CB3426626292D82DC9B56785E63EB135
                      SHA1:1A2FEF223EA9256AEC8C09237C36E5B13ABC8757
                      SHA-256:BAA170DD2BBBF07771EC9EFBC561C6D01CC634049C2A9570BEB79CA5EA3197F9
                      SHA-512:2758AEF1C624701555E893E30957067A4308C44DFC353F7258D60E534C4E9400BCD3A16AD454E7C5514444CC591D778B008D1B8922AFAEBDD50770A3B48C4820
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................0...........@......@....................-.......-..9......H............................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc...H.............-.............@..@..............1.......0.............@..@........................................................
                      Process:C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp
                      File Type:PDF document, version 1.7, 19 pages
                      Category:dropped
                      Size (bytes):224114
                      Entropy (8bit):7.030951692792095
                      Encrypted:false
                      SSDEEP:3072:eLAv8CmDeTwFrk7iA+y7YtFyUoXV+kEEmKtXH23g:ekv8dDegg7u7ylXV+kEEsg
                      MD5:686E1B53CC7AA9B9542B0556CFCDDB8E
                      SHA1:4C24BB2BC85B6005813BFA25191AD184BB75E244
                      SHA-256:A2E31B3F3925CA43F4B94ECF577F529D3B7FF27B17E7336697F76C58806F8C71
                      SHA-512:DC99CAA08AAB8A5848E6EB80CBAB3D32EAD26612A7472891E131C4377B59A3BEDE5596AE35B1DF2F604117F2B4EEC7E79B2C45566F7D56BBF5A1EB0B6C16C188
                      Malicious:false
                      Reputation:low
                      Preview:%PDF-1.7.%.....2 0 obj.<</Length 3 0 R/Filter/FlateDecode>>.stream.x...AK.0.....s...7i..B..vA..X. ..WE..e...$.+.T...t.}....Zt.....~G..z'&6,-5.......}.n....j1=.^.b\\.............5.....6.X.j...62....kv.O..-...%.<& ..t7]T.T].p1...F.I0.~p#..Y......m.^.._..o..vs..,...G..... .c.T....B.Nl...,.-............\........,../[.xs.....*!Dpry.>y....I3.U.....=.j...jU.*t@..q.]..o...)s...v.c.^..Vg...>6......%...6....... .($....4~5.c...Q.9,.]..<%t...w.[.Q.sKW.._..M.endstream.endobj..3 0 obj.405.endobj..33 0 obj.<</Length 34 0 R/Filter/FlateDecode>>.stream.x..[k.F....).}+..37../2m.B.5...!.fCZp......Hr.{fb.P9Ya8.eY3D..........w.............@e.+-..T(J...............v..W..\]~..^.......[......z....ea..FV..Sq...M...S..YS..4*(.B...u.F.+W.`.R.......f.f.....7....1=:.a.nt*...0.9...D.....V....k'U.4hG..5......v0....~.h......X.NOv..f......Up.Q p....I&ME..!......W.+....d.D.._.lV.a,I...c.0A...4.*.fL.-.*..N.i..G...s.+..A...@....#.|.n.k...O..B..)z..Ot....p%$a.3...iqx.6...
                      Process:C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp
                      File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                      Category:dropped
                      Size (bytes):4306944
                      Entropy (8bit):5.928051041143653
                      Encrypted:false
                      SSDEEP:49152:QPowtVv82A4bGk2DUTzx1qxUDkW7RolIBVkFiUn6WuDgRPmP160S2j8Z5:MowtVJzxA9YHVo3aS24v
                      MD5:F52810F8ED5E52039C6E2E52F2C31960
                      SHA1:C7049F62A6B47A277C22D2598F5130A84FCE258C
                      SHA-256:6BEA3860AC2D0D30DF62791DE2E10BE949A1BB4D816C82267018ABF90E7CD46E
                      SHA-512:84EEA4A745F425956C8AD2862BABA12E3A8546BF61B2BB5B093B21BDB1FEE968122DE3F5307064E2FC8A490968556ED7521397CCE8BA42DC4A4F1BA340EFC1BA
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./.....P.#.....Hp............................................B..............................................................`=.......=......`:.0g..........................................p.#.(...................Dp=.h............................text...P.#.......#................. ..`.data.........#.......#.............@....rdata..(.....*.......*.............@..@.pdata..0g...`:..h...<:.............@..@.bss....Hp....<..........................CRT.........P=.......<.............@....idata...@...`=..B....<.............@....rsrc.........=.......<.............@...................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp
                      File Type:PDF document, version 1.7, 19 pages
                      Category:dropped
                      Size (bytes):224114
                      Entropy (8bit):7.030951692792095
                      Encrypted:false
                      SSDEEP:3072:eLAv8CmDeTwFrk7iA+y7YtFyUoXV+kEEmKtXH23g:ekv8dDegg7u7ylXV+kEEsg
                      MD5:686E1B53CC7AA9B9542B0556CFCDDB8E
                      SHA1:4C24BB2BC85B6005813BFA25191AD184BB75E244
                      SHA-256:A2E31B3F3925CA43F4B94ECF577F529D3B7FF27B17E7336697F76C58806F8C71
                      SHA-512:DC99CAA08AAB8A5848E6EB80CBAB3D32EAD26612A7472891E131C4377B59A3BEDE5596AE35B1DF2F604117F2B4EEC7E79B2C45566F7D56BBF5A1EB0B6C16C188
                      Malicious:false
                      Reputation:low
                      Preview:%PDF-1.7.%.....2 0 obj.<</Length 3 0 R/Filter/FlateDecode>>.stream.x...AK.0.....s...7i..B..vA..X. ..WE..e...$.+.T...t.}....Zt.....~G..z'&6,-5.......}.n....j1=.^.b\\.............5.....6.X.j...62....kv.O..-...%.<& ..t7]T.T].p1...F.I0.~p#..Y......m.^.._..o..vs..,...G..... .c.T....B.Nl...,.-............\........,../[.xs.....*!Dpry.>y....I3.U.....=.j...jU.*t@..q.]..o...)s...v.c.^..Vg...>6......%...6....... .($....4~5.c...Q.9,.]..<%t...w.[.Q.sKW.._..M.endstream.endobj..3 0 obj.405.endobj..33 0 obj.<</Length 34 0 R/Filter/FlateDecode>>.stream.x..[k.F....).}+..37../2m.B.5...!.fCZp......Hr.{fb.P9Ya8.eY3D..........w.............@e.+-..T(J...............v..W..\]~..^.......[......z....ea..FV..Sq...M...S..YS..4*(.B...u.F.+W.`.R.......f.f.....7....1=:.a.nt*...0.9...D.....V....k'U.4hG..5......v0....~.h......X.NOv..f......Up.Q p....I&ME..!......W.+....d.D.._.lV.a,I...c.0A...4.*.fL.-.*..N.i..G...s.+..A...@....#.|.n.k...O..B..)z..Ot....p%$a.3...iqx.6...
                      Process:C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp
                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):13497
                      Entropy (8bit):5.096516943587674
                      Encrypted:false
                      SSDEEP:192:VeMYXTSIakX4zGfQQWl5YkUqvvPGeV1LqT1EnPc:VTYXu3kB4QW0kqKWePc
                      MD5:8AC4948149DBFB4F01A31012F0B39C2C
                      SHA1:3A1CFC04C8D1B6FAD2837EA217B84647C22426A6
                      SHA-256:3732C80E2B9BCF93DC6CF5872D5061C70E7693642CB7E34B73B21A3837233AE8
                      SHA-512:DC3DD26ACE0BF43443354D16F57C8D95883759F36602CA30C73DBAC3291BD9F611D73825BD3DBD7F369F674D916C03BE9C7B4F7D625CA47FC8492CF13DC1C9F9
                      Malicious:false
                      Reputation:low
                      Preview:.[MN_Form]....// --------------------------------------------------------..// V11 - ENGLISH message file (Template for translators)..// Main window ..// --------------------------------------------------------....MN_Form.MN_TSProperties.Caption=Properties..MN_Form.MN_TSReporting.Caption=Reporting..MN_Form.MN_TSSettings.Caption=Settings..MN_Form.MN_TSAbout.Caption=About..MN_Form.MN_ButtonCancel.Caption=Cancel..MN_Form.MN_ButtonApply.Caption=Apply..MN_Form.MN_ButtonOK.Caption=OK..MN_Form.MN_Simulate.Caption=Simulation mode....// --------------------------------------------------------..// Properties tab..// --------------------------------------------------------....MN_Form.PR_ReadOnly.Caption=Read-only..MN_Form.PR_Hidden.Caption=Hidden..MN_Form.PR_Archive.Caption=Archive..MN_Form.PR_System.Caption=System..MN_Form.PR_Compress.Caption=Compress..MN_Form.PR_Index.Caption=Index..MN_Form.PR_LName.Caption=Change name..MN_Form.PR_DateTime.Caption=Modify date and time stamps..MN_Form.PR_LProce
                      Process:C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp
                      File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                      Category:dropped
                      Size (bytes):4306944
                      Entropy (8bit):5.928051041143653
                      Encrypted:false
                      SSDEEP:49152:QPowtVv82A4bGk2DUTzx1qxUDkW7RolIBVkFiUn6WuDgRPmP160S2j8Z5:MowtVJzxA9YHVo3aS24v
                      MD5:F52810F8ED5E52039C6E2E52F2C31960
                      SHA1:C7049F62A6B47A277C22D2598F5130A84FCE258C
                      SHA-256:6BEA3860AC2D0D30DF62791DE2E10BE949A1BB4D816C82267018ABF90E7CD46E
                      SHA-512:84EEA4A745F425956C8AD2862BABA12E3A8546BF61B2BB5B093B21BDB1FEE968122DE3F5307064E2FC8A490968556ED7521397CCE8BA42DC4A4F1BA340EFC1BA
                      Malicious:false
                      Antivirus:
                      • Antivirus: ReversingLabs, Detection: 0%
                      Reputation:low
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./.....P.#.....Hp............................................B..............................................................`=.......=......`:.0g..........................................p.#.(...................Dp=.h............................text...P.#.......#................. ..`.data.........#.......#.............@....rdata..(.....*.......*.............@..@.pdata..0g...`:..h...<:.............@..@.bss....Hp....<..........................CRT.........P=.......<.............@....idata...@...`=..B....<.............@....rsrc.........=.......<.............@...................................................................................................................................................................................................................................................................................................
                      Process:C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp
                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):13497
                      Entropy (8bit):5.096516943587674
                      Encrypted:false
                      SSDEEP:192:VeMYXTSIakX4zGfQQWl5YkUqvvPGeV1LqT1EnPc:VTYXu3kB4QW0kqKWePc
                      MD5:8AC4948149DBFB4F01A31012F0B39C2C
                      SHA1:3A1CFC04C8D1B6FAD2837EA217B84647C22426A6
                      SHA-256:3732C80E2B9BCF93DC6CF5872D5061C70E7693642CB7E34B73B21A3837233AE8
                      SHA-512:DC3DD26ACE0BF43443354D16F57C8D95883759F36602CA30C73DBAC3291BD9F611D73825BD3DBD7F369F674D916C03BE9C7B4F7D625CA47FC8492CF13DC1C9F9
                      Malicious:false
                      Reputation:low
                      Preview:.[MN_Form]....// --------------------------------------------------------..// V11 - ENGLISH message file (Template for translators)..// Main window ..// --------------------------------------------------------....MN_Form.MN_TSProperties.Caption=Properties..MN_Form.MN_TSReporting.Caption=Reporting..MN_Form.MN_TSSettings.Caption=Settings..MN_Form.MN_TSAbout.Caption=About..MN_Form.MN_ButtonCancel.Caption=Cancel..MN_Form.MN_ButtonApply.Caption=Apply..MN_Form.MN_ButtonOK.Caption=OK..MN_Form.MN_Simulate.Caption=Simulation mode....// --------------------------------------------------------..// Properties tab..// --------------------------------------------------------....MN_Form.PR_ReadOnly.Caption=Read-only..MN_Form.PR_Hidden.Caption=Hidden..MN_Form.PR_Archive.Caption=Archive..MN_Form.PR_System.Caption=System..MN_Form.PR_Compress.Caption=Compress..MN_Form.PR_Index.Caption=Index..MN_Form.PR_LName.Caption=Change name..MN_Form.PR_DateTime.Caption=Modify date and time stamps..MN_Form.PR_LProce
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.91856818229736
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 98.45%
                      • Inno Setup installer (109748/4) 1.08%
                      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      File name:ac-11_30b-portable.exe
                      File size:5'404'248 bytes
                      MD5:c7798bfeafb401fe181a74cfe97491ef
                      SHA1:3b176bb5c405745ce1dabe19c28cb0d9f9ed747d
                      SHA256:67fc023df9d0acf6d5fe51e0ff29a5eba13e9b97f204719f4e60c11819d6e700
                      SHA512:99106aaf9c5a0e26bdcc0c24e70ac8a12dc5d5efe9e4309724e1749bd8d74cdc721dba55bf544e0b099a8437b6c67fb51070e76cd8ad15f280cfd79607d52b44
                      SSDEEP:98304:CkLhyaal1oPfQSpB+Jhsq4VQiIVCvB/lA6DoZWwW:NglmH5W3+IVCZ/wK
                      TLSH:2946123FB268653ED57E0B3246B393A09A7B7791740ACC1E07F0494DCF2A4612E3B656
                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                      Icon Hash:22cdcc28ead23542
                      Entrypoint:0x4b5eec
                      Entrypoint Section:.itext
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:6
                      OS Version Minor:1
                      File Version Major:6
                      File Version Minor:1
                      Subsystem Version Major:6
                      Subsystem Version Minor:1
                      Import Hash:e569e6f445d32ba23766ad67d1e3787f
                      Instruction
                      push ebp
                      mov ebp, esp
                      add esp, FFFFFFA4h
                      push ebx
                      push esi
                      push edi
                      xor eax, eax
                      mov dword ptr [ebp-3Ch], eax
                      mov dword ptr [ebp-40h], eax
                      mov dword ptr [ebp-5Ch], eax
                      mov dword ptr [ebp-30h], eax
                      mov dword ptr [ebp-38h], eax
                      mov dword ptr [ebp-34h], eax
                      mov dword ptr [ebp-2Ch], eax
                      mov dword ptr [ebp-28h], eax
                      mov dword ptr [ebp-14h], eax
                      mov eax, 004B14B8h
                      call 00007F2A645EAAB5h
                      xor eax, eax
                      push ebp
                      push 004B65E2h
                      push dword ptr fs:[eax]
                      mov dword ptr fs:[eax], esp
                      xor edx, edx
                      push ebp
                      push 004B659Eh
                      push dword ptr fs:[edx]
                      mov dword ptr fs:[edx], esp
                      mov eax, dword ptr [004BE634h]
                      call 00007F2A6468D5A7h
                      call 00007F2A6468D0FAh
                      lea edx, dword ptr [ebp-14h]
                      xor eax, eax
                      call 00007F2A64600554h
                      mov edx, dword ptr [ebp-14h]
                      mov eax, 004C1D84h
                      call 00007F2A645E56A7h
                      push 00000002h
                      push 00000000h
                      push 00000001h
                      mov ecx, dword ptr [004C1D84h]
                      mov dl, 01h
                      mov eax, dword ptr [004238ECh]
                      call 00007F2A646016D7h
                      mov dword ptr [004C1D88h], eax
                      xor edx, edx
                      push ebp
                      push 004B654Ah
                      push dword ptr fs:[edx]
                      mov dword ptr fs:[edx], esp
                      call 00007F2A6468D62Fh
                      mov dword ptr [004C1D90h], eax
                      mov eax, dword ptr [004C1D90h]
                      cmp dword ptr [eax+0Ch], 01h
                      jne 00007F2A6469384Ah
                      mov eax, dword ptr [004C1D90h]
                      mov edx, 00000028h
                      call 00007F2A64601FCCh
                      mov edx, dword ptr [004C1D90h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x9150 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x9150 | 0x9200 | e2b820939fc9bf340552656743c95a01 | False | 0.3927921660958904 | data | 5.048651521847099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7528 | 0x1b9f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9315514071559893
RT_ICON | 0xc90c8 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 0 | English | United States | 0.21403385049365303
RT_ICON | 0xca6f0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.2923773987206823
RT_ICON | 0xcb598 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.17354596622889307
RT_ICON | 0xcc640 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | English | United States | 0.26453488372093026
RT_ICON | 0xcccf8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.24822695035460993
RT_STRING | 0xcd160 | 0x360 | data | | | 0.34375
RT_STRING | 0xcd4c0 | 0x260 | data | | | 0.3256578947368421
RT_STRING | 0xcd720 | 0x45c | data | | | 0.4068100358422939
RT_STRING | 0xcdb7c | 0x40c | data | | | 0.3754826254826255
RT_STRING | 0xcdf88 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xce25c | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xce314 | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xce3b0 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xce724 | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xceabc | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xcee24 | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xcf0c8 | 0x10 | data | | | 1.5
RT_RCDATA | 0xcf0d8 | 0x2c4 | data | | | 0.6384180790960452
RT_RCDATA | 0xcf39c | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0xcf3c8 | 0x5a | data | English | United States | 0.8222222222222222
RT_VERSION | 0xcf424 | 0x584 | data | English | United States | 0.30807365439093487
RT_MANIFEST | 0xcf9a8 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
                      Name                              Ordinal   Address
                      TMethodImplementationIntercept    3         0x4541a8
                      __dbk_fcall_wrapper               2         0x40d0a0
                      dbkFCallWrapperAddr               1         0x4be63c
                      Language of compilation system: English
                      Country where language is spoken: United States
                      No network behavior found

                      Target ID: 0
                      Start time: 12:02:14
                      Start date: 07/06/2024
                      Path: C:\Users\user\Desktop\ac-11_30b-portable.exe
                      Wow64 process (32bit): true
                      Commandline: "C:\Users\user\Desktop\ac-11_30b-portable.exe"
                      Imagebase: 0x400000
                      File size: 5'404'248 bytes
                      MD5 hash: C7798BFEAFB401FE181A74CFE97491EF
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: Borland Delphi
                      Reputation: low
                      Has exited: true

                      Target ID: 2
                      Start time: 12:02:14
                      Start date: 07/06/2024
                      Path: C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp
                      Wow64 process (32bit): true
                      Commandline: "C:\Users\user\AppData\Local\Temp\is-USGG0.tmp\ac-11_30b-portable.tmp" /SL5="$1048C,4527329,800256,C:\Users\user\Desktop\ac-11_30b-portable.exe"
                      Imagebase: 0x400000
                      File size: 3'136'512 bytes
                      MD5 hash: CB3426626292D82DC9B56785E63EB135
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: Borland Delphi
                      Antivirus matches:
                      • Detection: 0%, ReversingLabs
                      Reputation: low
                      Has exited: true

                      No disassembly