July 13, 2021

I ran a .exe that was later detected as Malware by Malwarebytes. After running, it showed as accessing a number of system32 directories. I uploaded the .exe to Virustotal and got this report. What should I do please?

[https://www.virustotal.com/gui/file/f6501a5b7612d10d3fd6594e730c07e0f9384e182e2682b4f752cfb6ddb6a56e/details](https://www.virustotal.com/gui/file/f6501a5b7612d10d3fd6594e730c07e0f9384e182e2682b4f752cfb6ddb6a56e/details)

text version –

27 security vendors flagged this file as malicious

- SHA-256: f6501a5b7612d10d3fd6594e730c07e0f9384e182e2682b4f752cfb6ddb6a56e
- File name: installproject.exe
- Size: 140.50 KB
- Last analysis: 2021-07-12 03:54:15 UTC (23 hours ago)
- Tags: assembly, detect-debug-environment, direct-cpu-clock-access, long-sleeps, peexe, runtime-modules, via-tor

Basic Properties

- MD5: 378e021cdd0ce052595061b0d32370ab
- SHA-1: b696abf9b0258d450887e1c79dfeb9e69c1788eb
- SHA-256: f6501a5b7612d10d3fd6594e730c07e0f9384e182e2682b4f752cfb6ddb6a56e
- Vhash: 2150367515170a1701010
- Authentihash: e90d38ddb99429e28173d32b33adb6304c14308a4097ae17e8593404ae090cce
- Imphash: f34d5f2d4577ed6d9ceec516c1f5a744
- SSDEEP: 3072:B5LsidjrajpLEg/h+81+5F6SizKnXg9edMw3J03PJB:kA+9LEg/t7UKE72R
- TLSH: T195E3014076EDD971E62632F84889E6B11221BC580652CA5638F5BF9F3DB8303CE1362F
- File type: Win32 EXE
- Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
- TrID: Generic CIL Executable (.NET, Mono, etc.) (72.5%); Win64 Executable (generic) (10.4%); Win32 Dynamic Link Library (generic) (6.5%); Win32 Executable (generic) (4.4%); OS/2 Executable (generic) (2%)
- File size: 140.50 KB (143872 bytes)
- PEiD packer: .NET executable

History

- Creation Time: 2017-04-17 10:15:14
- First Seen In The Wild: 2017-04-17 10:15:14
- First Submission: 2017-04-27 19:47:16
- Last Submission: 2021-06-12 09:31:19
- Last Analysis: 2021-07-12 03:54:15

Names

- installproject.exe
- SiMPLEX.exe
- SIMPLEX.EXE
- 694044r04.dll
- xdpvpzpzg.dll
- con4cvxwn.dll
- s5b68a3hj.dll
- simplex.exe

Signature Info

- Signature Verification: File is not signed

File Version Information

- Copyright: SiMPLEX © 2017
- Product: SiMPLEX Installer
- Description: SiMPLEX Installer
- Original Name: installproject.exe
- Internal Name: installproject.exe
- File Version: 1.0.0.0
- Comments: SiMPLEX Installer Project

Portable Executable Info

.NET Details

- Module Version Id: 7f542124-4771-4a71-ad5f-0502996bcb94
- TypeLib Id: 0a764476-f12a-4607-a789-22c8798192e5

Header

- Target Machine: Intel 386 or later processors and compatible processors
- Compilation Timestamp: 2017-04-17 10:15:14
- Entry Point: 143038
- Contained Sections: 3

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5 | Chi2 |
|---|---|---|---|---|---|---|
| .text | 8192 | 134852 | 135168 | 7.95 | 8c37535469b81d8cf9237d1242b1e9e2 | 17888.41 |
| .rsrc | 147456 | 7320 | 7680 | 2.94 | e4abcf2aed773f40a6506d9b319df971 | 613941.56 |
| .reloc | 155648 | 12 | 512 | 0.1 | 4a840c5dcfd1a58694e218de454e2a86 | 128015 |

Imports

- mscoree.dll

Contained Resources By Type

- RT_ICON: 2
- RT_MANIFEST: 1
- RT_VERSION: 1
- RT_GROUP_ICON: 1

Contained Resources By Language

- NEUTRAL: 5

Contained Resources

| SHA-256 | File Type | Type | Language | Entropy | Chi2 |
|---|---|---|---|---|---|
| b3957e4490b08e39dc07ac357a8b646562e0e29d392c4a3962653b69848b4e02 | Data | RT_ICON | NEUTRAL | 2.3 | 112055.71 |
| b356b9ab6dd0a76b1e7c07d30fcfe8ca41f88485fd33a702ba79c74c6b69d33c | Data | RT_ICON | NEUTRAL | 1.99 | 402453.31 |
| b1a9ff73f6a9d486c67f409a629924792ca40aa8966d45e48239863f63629fd0 | Data | RT_GROUP_ICON | NEUTRAL | 2.21 | 2766.94 |
| 07dd461d09cb7783d8289439e08e1e8cdb1016c781c79ed3379c46c936a3bdcd | Data | RT_VERSION | NEUTRAL | 3.34 | 74666.26 |
| 5914dcc99c9c72cf6377f520bc222576094c8b4fe1e671647a1b2c42d2266a41 | Data | RT_MANIFEST | NEUTRAL | 4.95 | 5853.54 |

Dot Net Assembly

- Common Language Runtime metadata version: 1.1
- CLR version: v4.0.30319
- Assembly name: installproject.exe
- Metadata header Relative Virtual Address: 137280
- Assembly flags: COMIMAGE_FLAGS_ILONLY, COMIMAGE_FLAGS_32BITREQUIRED
- Entry point token: 100663298
- RVA entry point: 0
- Resources va: 0
- Strong name va: 0

Streams

| Stream | Size | Entropy | Chi2 | MD5 |
|---|---|---|---|---|
| GUID | 16 | 3.875 | 272 | 338eb8d8eeb2aa3da7b3a8acd5064f27 |
| Blob | 940 | 5.473816394805908 | 8008.021484375 | 95bef77847b41cd9c1bece46763ebead |
| US | 12 | 1.5849623680114746 | 1438.6668701171875 | 83efde51cfedcc684b7f215e6974a340 |
| ~ | 2176 | 4.604434967041016 | 93318.3125 | 53b9041025629722282bc15a510f4639 |
| Strings | 2420 | 4.82831335067749 | 29032.87890625 | 3958c661b061a1a16cf495f964ddfbaa |

Manifest Resource

- installproject.Properties.Resources.resources
- installproject.installResources.resources
- installproject.installerForm.resources

External Assemblies

- mscorlib v4.0.0.0

Type Definitions

- System.Reflection.Assembly
- System.Reflection.AssemblyTrademarkAttribute
- System.Reflection.AssemblyCopyrightAttribute
- System.Reflection.AssemblyProductAttribute
- System.Reflection.AssemblyFileVersionAttribute
- System.Reflection.AssemblyTitleAttribute
- System.Reflection.AssemblyCompanyAttribute
- System.Reflection.AssemblyConfigurationAttribute
- System.Reflection.AssemblyDescriptionAttribute
- System.Reflection.Module

External Files

- koi

Exported Types

- installproject.BASSMOD_BassMusic
- installproject.BASSMOD_BASSInit
- installproject.installerForm
- installproject.installResources
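The two figures in the report above that a responder checks first are the file hashes (does the copy on disk really match the sample VirusTotal judged?) and the per-section entropy (the .text section at 7.95 bits per byte is close to the maximum of 8, which is what compressed or encrypted content looks like, while .rsrc and .reloc sit much lower). The script below is an added example, not part of the original post and not VirusTotal's code: it parses the PE section table with only the Python standard library and computes the same hash and entropy figures, so the local file can be compared with a report before any clean-up decision is made. The `build_sample_pe` function produces a constructed, non-loadable image purely so the example runs offline; the SHA-256 passed to `triage` is whatever the report says and is a hypothetical argument here.

```python
"""Offline PE triage: file hashes plus per-section Shannon entropy, the same
figures VirusTotal lists under Basic Properties and Sections.  Standard
library only (no pefile dependency).  Added example, not VirusTotal's code."""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 .. 8.0).  Values near 8 mean every byte
    value occurs about equally often, typical of packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 of the whole file, as shown in the report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_sections(data: bytes) -> list:
    """Walk the PE section table and return, per section, the fields the
    report shows: name, virtual address, virtual size, raw size, entropy
    and MD5 of the raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table follows optional header
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4) ... 40 bytes total
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections


def triage(data: bytes, expected_sha256: str = None) -> dict:
    """What a responder wants first: does the local file match the report's
    hash, and which sections look packed (entropy >= 7.0 is a common cut-off)."""
    hashes = file_hashes(data)
    sections = pe_sections(data)
    return {
        "hashes": hashes,
        "matches_report": expected_sha256 is None or hashes["sha256"] == expected_sha256.lower(),
        "sections": sections,
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] >= 7.0],
    }


def build_sample_pe() -> bytes:
    """Constructed sample for the example: a minimal PE (no optional header,
    not loadable) with a maximally noisy .text and a zero-filled .data."""
    text = bytes(range(256)) * 4          # every byte value equally often -> entropy 8.0
    zeros = b"\x00" * 512                 # one byte value only -> entropy 0.0
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, opt hdr size 0

    def section(name, size, vaddr, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, rptr, 0, 0, 0, 0, flags)

    table = section(b".text", len(text), 0x1000, 512, 0x60000020)
    table += section(b".data", len(zeros), 0x2000, 512 + len(text), 0xC0000040)
    header = bytes(dos) + b"PE\0\0" + coff + table
    return header.ljust(512, b"\0") + text + zeros


if __name__ == "__main__":
    sample = build_sample_pe()
    # In real use: data = open(path, "rb").read(); expected = "<sha256 from the report>"
    result = triage(sample, file_hashes(sample)["sha256"])
    print("sha256:", result["hashes"]["sha256"], "matches report:", result["matches_report"])
    for s in result["sections"]:
        print(f"{s['name']:8} va={s['virtual_address']:#x} raw={s['raw_size']} entropy={s['entropy']}")
    print("high-entropy sections:", result["high_entropy_sections"])
```

Run it against a real file by replacing the constructed sample with the bytes read from disk and passing the SHA-256 from the report; a mismatch means the report describes a different file than the one that was executed, and a high-entropy .text in a small .NET installer is the kind of figure that deserves the cautious handling the comments below recommend.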

Comments

BucketTea

Delete it immediately, and run a FULL system scan.

Dump-ster-Fire

Are you the administrator of the computer? Or a normal user?

If you are the administrator, format C: and reinstall Windows.

If you are a normal user, log in as administrator, delete the user profile, and run full scans with your AV. If you'd like to accept less risk of an elevation-of-privilege attack, format C: and reinstall Windows.

You fucked up. You can no longer trust your user profile (if you are not admin), or you can no longer trust Windows (if you are admin). The only 100% known good way to get back to good is to format and reinstall from KNOWN GOOD MEDIA.

Realize this is the most conservative approach. Ignore it. Accept your risk.
