» net1.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (2)

net1.exe

Wipe, Secret Disk, Prevent Restore, Safe Startup

Yury Saprykin

It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘Prevent Restore Maintance’. The file has been seen being downloaded from files.downloadnow.com and multiple other hosts.

File name:

net1.exe

Publisher:

www.privacyroot.com (signed by Yury Saprykin)

Product:

Wipe, Secret Disk, Prevent Restore, Safe Startup

Description:

Application Installer

Version:

2.04.0.0

MD5:

13e1311c0a2400002ea0add362addb93

SHA-1:

402cecb8e2678447f7bfe52a562c8f1cc78373b6

SHA-256:

b7d14f2f49986e618b56ac911e9834cd611e293e9a1089cd67b68c9669c95cf6

Scanner detections:

0 / 68

Status:

Clean (as of last analysis)

Analysis date:

4/26/2024 3:49:15 AM UTC (today)

File size:

531.1 KB (543,896 bytes)

Product version:

2.04.0.0

privacyroot.com 2002 - 2014

Original file name:

NET2.exe

File type:

Executable application (Win32 EXE)

Language:

Language Neutral

Common path:

C:\Program Files\prevent restore\net1.exe

Digital Signature

Signed by:

Yury Saprykin

Authority:

COMODO CA Limited

Valid from:

3/12/2014 8:00:00 PM

Valid to:

3/12/2017 7:59:59 PM

Subject:

CN=Yury Saprykin, O=Yury Saprykin, STREET=Prospekt Revolucii 25, L=Voronezh, S=VO, PostalCode=394000, C=RU

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00C71956DD75CB37084C7A30D3E4519F3E

File PE Metadata

Compilation timestamp:

10/29/2014 3:21:34 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

.NET CLR dependent:

Yes

CTPH (ssdeep):

6144:8NS+pq8/bi1hiiBGQn+DAfh+jM0fYoW/Lfp/ylRyrj4WJeSG3Tgb9ncYp8V:Q7Av1hiw+DAp+jbAoW/LBKlAlJM3Tgbm

Entry address:

0x7A0FE

Entry point:

FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Entropy:

6.7088

Developed / compiled with:

Microsoft Visual C# / Basic .NET

Code size:

480.5 KB (492,032 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

Prevent Restore Maintance

Command:

"C:\Program Files\prevent restore\net1.exe" windowsstartup

The file net1.exe has been seen being distributed by the following 2 URLs.

http://files.downloadnow.com/s/software/14/24/49/.../setup_prevent_restore.exe

https://privacyroot.com/software/.../setup_prevent_restore.exe

Scan net1.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.