download: | ob.zip |
Full analysis: | https://app.any.run/tasks/375e1e89-1bb7-4dc0-97ad-ee9037edfdf9 |
Verdict: | Malicious activity |
Analysis date: | April 14, 2019, 22:11:10 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 38650C7F9FF66672F22EEDF991D65FA6 |
SHA1: | 0C43ADCA7C5C56DFE4970F00F23BC5E387B92320 |
SHA256: | 071299FD52EE06AD2467997D37D4091026B7C6C1AE40F9C8A495B305D01FB72C |
SSDEEP: | 196608:G4/RcA7fyxXud7BLlVQ7ZWXRd6KOBZOxmOsjDzP8BW:G4/9LcXuzLQ7ZWXRzOB4szZ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | bin/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2019:04:13 11:42:05 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1512 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ob.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2740 | "C:\Users\admin\AppData\Local\Temp\ob\OpenBullet.exe" | C:\Users\admin\AppData\Local\Temp\ob\OpenBullet.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: OpenBullet Exit code: 0 Version: 1.2.1.0 |
(PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\ob.zip | |||
(PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | @C:\Windows\System32\msxml3r.dll,-1 |
Value: XML Document | |||
(PID) Process: | (1512) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Extraction\Profile |
Operation: | write | Name: | Overwrite |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ob\bin\Extreme.Net.dll | executable | |
MD5:F647E9A36E0CD58F3F245C34A6953092 | SHA256:53719C10AA023927BE99DB87B200239A8093C9250655076C54A655738011B5F9 | |||
1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ob\bin\BBCX.dll | executable | |
MD5:1EB2C80A082CFE4B869F2516CFE9818E | SHA256:2A178FDAB323844119C2D6A4CFDA2E7DE05A61F85E262CC2FB4D31529DB395DA | |||
1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ob\bin\RuriLib.dll | executable | |
MD5:BE397F1D33F614FCF279062AFD973E1E | SHA256:953F67F35797AD664000A75EF44B530F1E062C9C72FD534AE26A33D3D02A4E16 | |||
1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ob\bin\Leaf.xNet.dll | executable | |
MD5:3F303B19BFF2A4AD3AEFA94C1A897F34 | SHA256:B762310FBDE4B23D9D353998AC8B11292F715659247674352B9411FAC412D246 | |||
1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ob\bin\RuriLibBB.dll | executable | |
MD5:6BEA737F2F9F75EC2532275F22AB6B1E | SHA256:12EEB7C0AF2A1E0BFDA5BD111DBF94A0E24A2F3BED35F4D08B4F5555329CDDAC | |||
1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ob\bin\ICSharpCode.AvalonEdit.dll | executable | |
MD5:B4D5D46E50006E87B30E7D514E95173C | SHA256:058F38F33F3F99F904AB9588447A234346C859718404B4E8A523673ED19CDBE7 | |||
1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ob\bin\IronPython.Modules.dll | executable | |
MD5:621192DB357916F2261989A49FA2C6BD | SHA256:87525121D7826DCFC76963AB8BD7996B9644BF4F148D1296757EB702A43DA51F | |||
1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ob\bin\IronPython.SQLite.dll | executable | |
MD5:B7EFBF654402C78226B8D69AD0011BBB | SHA256:5A6E2EDA86E863E155F67CEBEF095355B7EA7B1DCD97D87E4058F0A5AC60D798 | |||
1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ob\bin\Microsoft.Scripting.dll | executable | |
MD5:0B75B3835BF11D3163EB0798F7C1A89D | SHA256:D8B3CAB5C0F0E9C308C962FA894BC300C75F93537DAEF0E790069CA8CB1C7170 | |||
1512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ob\bin\IronPython.dll | executable | |
MD5:9A39A51E6DCB22B80DB481FBFBCD7826 | SHA256:61B809B97DC878F42E85EE2C5D8471853527754E4F53B17C0507334C57E19E04 |