download: | Launcher_x64.zip |
Full analysis: | https://app.any.run/tasks/b8651c6f-afa5-485d-a1ab-f8672fcb03f0 |
Verdict: | Malicious activity |
Analysis date: | January 17, 2020, 18:25:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | C63DB239AC50A871475EC8F77F5CEC6E |
SHA1: | 0602A9459A41172AC18EC08F37E9EF5F9E536B91 |
SHA256: | 0813F9C1C8E128E4DF002A8DECD23EE65A37ED6AAA4A8AA98F2743587F5430A4 |
SSDEEP: | 98304:vq72XgABrSzxYkvEFKOV/vgvpsQrEEY8mrYZLuaPwzN9WFSfwXaCx87IW:vJXAzxFvrORmsCG8WyLuaPwzLf9L7IW |
.xpi | | | Mozilla Firefox browser extension (66.6) |
---|---|---|
.zip | | | ZIP compressed archive (33.3) |
ZipRequiredVersion: | 10 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2019:11:09 21:47:21 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | - |
ZipUncompressedSize: | - |
ZipFileName: | en-US/ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3980 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\Launcher_x64.zip.xpi | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2580 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Launcher_x64.zip" C:\Users\admin\Desktop\Launcher_x64\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3352 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
1012 | "C:\Users\admin\Desktop\Launcher_x64\Install.exe" | C:\Users\admin\Desktop\Launcher_x64\Install.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3156 | "C:\Users\admin\Desktop\Launcher_x64\Install.exe" | C:\Users\admin\Desktop\Launcher_x64\Install.exe | Install.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3156 | Install.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@mywps[1].txt | text | |
MD5:7C3CA7E42331B6EFFFBA06D7C7E425EC | SHA256:678BC639314C03956FB832AB3C774DDADC853FF863A1C470764B63F4DCE18869 | |||
2580 | WinRAR.exe | C:\Users\admin\Desktop\Launcher_x64\en-US\lan-eng.lg | executable | |
MD5:A0013AD05AC0ECB1C2245C9766208DB7 | SHA256:8EDC34711B37FFCE64E8591C1696AFB175E091D241523E0CF5187B4B1FC3CB0D | |||
2580 | WinRAR.exe | C:\Users\admin\Desktop\Launcher_x64\xperm.dll | executable | |
MD5:1B8F236C551EF8ED2CDE51ADAB838A87 | SHA256:A0BA71E322FBCE81FE792B4ABE09CB6D46A26CB38757018184B0346942AA9C54 | |||
2580 | WinRAR.exe | C:\Users\admin\Desktop\Launcher_x64\Install.exe | executable | |
MD5:C31AF634CBB863567F1E57EA55778944 | SHA256:2C35DFBB09631EE37FF89AF9A4E47062C13EAA2E017000E6B750CBE1D47566E8 | |||
2580 | WinRAR.exe | C:\Users\admin\Desktop\Launcher_x64\inc\bin.dll | executable | |
MD5:E567AEE9682F4DBE9251C68EFB5E00E1 | SHA256:05AB975ECD6F278AEDEC586485152334C6AB967F0497D2ECB65EB5226AAA57C5 | |||
3156 | Install.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-localization-l1-2-0.dll | executable | |
MD5:EFF11130BFE0D9C90C0026BF2FB219AE | SHA256:03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97 | |||
3156 | Install.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-handle-l1-1-0.dll | executable | |
MD5:6DB54065B33861967B491DD1C8FD8595 | SHA256:945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5 | |||
3156 | Install.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-namedpipe-l1-1-0.dll | executable | |
MD5:6F6796D1278670CCE6E2D85199623E27 | SHA256:C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507 | |||
3156 | Install.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-datetime-l1-1-0.dll | executable | |
MD5:CB978304B79EF53962408C611DFB20F5 | SHA256:90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3 | |||
3156 | Install.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-interlocked-l1-1-0.dll | executable | |
MD5:D97A1CB141C6806F0101A5ED2673A63D | SHA256:DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3156 | Install.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | text | 264 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3156 | Install.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
3156 | Install.exe | 104.18.56.40:443 | fiasyfssa.mywps.me | Cloudflare Inc | US | suspicious |
Domain | IP | Reputation |
---|---|---|
fiasyfssa.mywps.me |
| suspicious |
ip-api.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3156 | Install.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3156 | Install.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |