File name: | photoscore-notateme-ultimate-v882-crack-inc_CRACK.zip.zs |
Full analysis: | https://app.any.run/tasks/68871b3f-fc91-4986-aa9a-28a38bf8c7ff |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 04:42:48 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | B96E2D3D4380884E7EE1D37EF3823ECA |
SHA1: | 66E5418A1604823DFB21DE2316ED90E40A81A497 |
SHA256: | 0D819E43149FB98756D801FB11A08CEBEEB1930100C3E9652F6EF7C9FB81001A |
SSDEEP: | 49152:m3qBGehIlg6fuSbEWyR4vklrJyst7/L1TDLc70mpgZu9wY5NriXVbLeABbUrkvmZ:m3qBnheTGy4RXJxRT870AgZc59iXdeAA |
Extension | Description |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipRequiredVersion: | 20 |
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2019:10:11 12:55:01 |
ZipCRC: | 0x229e0162 |
ZipCompressedSize: | 2887143 |
ZipUncompressedSize: | 2932736 |
ZipFileName: | setup.exe |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
1792 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\photoscore-notateme-ultimate-v882-crack-inc_CRACK.zip.zs.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
1908 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
944 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exe" "C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exe | | setup.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
1252 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3152 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exe" "C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exe | | setup.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
3568 | "C:\Program Files\WinRAR\WinRAR.exe" -elevate1792 | C:\Program Files\WinRAR\WinRAR.exe | | WinRAR.exe | User: admin; Company: Alexander Roshal; Integrity Level: HIGH; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
4088 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1516 | C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | C:\Windows\system32\DllHost.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
996 | "C:\Users\setup (2).exe" | C:\Users\setup (2).exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
324 | "C:\Users\setup (2).exe" "C:\Users\setup (2).exe" | C:\Users\setup (2).exe | | setup (2).exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
1792 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
1792 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
1792 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | write | LanguageList | en-US |
1792 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\photoscore-notateme-ultimate-v882-crack-inc_CRACK.zip.zs.zip |
1792 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
1792 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
1792 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
1792 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
1792 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
1792 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1792 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1792.22662\setup.exe | — | — | — |
1516 | DllHost.exe | C:\Users\setup (2).exe | executable | 70C663A2D0ED6179FC1F1D38C3F04835 | 1E2161B4E2F78A59192E13629C0128A725913B7E763770478BDABF751F98BF05 |
1792 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exe | executable | 70C663A2D0ED6179FC1F1D38C3F04835 | 1E2161B4E2F78A59192E13629C0128A725913B7E763770478BDABF751F98BF05 |
3568 | WinRAR.exe | C:\Users\setup.exe | executable | 70C663A2D0ED6179FC1F1D38C3F04835 | 1E2161B4E2F78A59192E13629C0128A725913B7E763770478BDABF751F98BF05 |
1792 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1792.28936\setup.exe | executable | 70C663A2D0ED6179FC1F1D38C3F04835 | 1E2161B4E2F78A59192E13629C0128A725913B7E763770478BDABF751F98BF05 |
1792 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exe | executable | 70C663A2D0ED6179FC1F1D38C3F04835 | 1E2161B4E2F78A59192E13629C0128A725913B7E763770478BDABF751F98BF05 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3152 | setup.exe | GET | 200 | 13.32.222.41:80 | http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=8946&trackingId=428101551&instId=8185&ho_trackingid=HO428101551&cc=US&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=738&kid=hqmrb21bj4f2veet5hh | US | — | — | shared |
324 | setup (2).exe | GET | 200 | 52.222.149.159:80 | http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=8946&trackingId=428101551&instId=8185&ho_trackingid=HO428101551&cc=US&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=738&kid=hqmrb21bj4f2veet5hh | US | — | — | shared |
944 | setup.exe | GET | 200 | 13.32.222.41:80 | http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=8946&trackingId=428101551&instId=8185&ho_trackingid=HO428101551&cc=US&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=738&kid=hqmrb21bj4f2veet5hh | US | — | — | shared |
1324 | setup.exe | GET | 200 | 52.222.149.159:80 | http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=8946&trackingId=428101551&instId=8185&ho_trackingid=HO428101551&cc=US&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=738&kid=hqmrb21bj4f2veet5hh | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
944 | setup.exe | 13.32.222.41:80 | d1hq9wbcfo7dcl.cloudfront.net | Amazon.com, Inc. | US | whitelisted |
3152 | setup.exe | 13.32.222.41:80 | d1hq9wbcfo7dcl.cloudfront.net | Amazon.com, Inc. | US | whitelisted |
324 | setup (2).exe | 52.222.149.159:80 | d1hq9wbcfo7dcl.cloudfront.net | Amazon.com, Inc. | US | whitelisted |
1324 | setup.exe | 52.222.149.159:80 | d1hq9wbcfo7dcl.cloudfront.net | Amazon.com, Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
d1hq9wbcfo7dcl.cloudfront.net | | shared |
PID | Process | Class | Message |
---|---|---|---|
944 | setup.exe | Unknown Traffic | ET INFO Suspicious User-Agent (1 space) |
944 | setup.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |
3152 | setup.exe | Unknown Traffic | ET INFO Suspicious User-Agent (1 space) |
3152 | setup.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |
324 | setup (2).exe | Unknown Traffic | ET INFO Suspicious User-Agent (1 space) |
324 | setup (2).exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |
1324 | setup.exe | Unknown Traffic | ET INFO Suspicious User-Agent (1 space) |
1324 | setup.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |