analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

photoscore-notateme-ultimate-v882-crack-inc_CRACK.zip.zs

Full analysis: https://app.any.run/tasks/68871b3f-fc91-4986-aa9a-28a38bf8c7ff
Verdict: Malicious activity
Analysis date: October 14, 2019, 04:42:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
prepscram
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B96E2D3D4380884E7EE1D37EF3823ECA

SHA1:

66E5418A1604823DFB21DE2316ED90E40A81A497

SHA256:

0D819E43149FB98756D801FB11A08CEBEEB1930100C3E9652F6EF7C9FB81001A

SSDEEP:

49152:m3qBGehIlg6fuSbEWyR4vklrJyst7/L1TDLc70mpgZu9wY5NriXVbLeABbUrkvmZ:m3qBnheTGy4RXJxRT870AgZc59iXdeAA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • setup.exe (PID: 944)
      • setup.exe (PID: 1908)
      • setup.exe (PID: 3152)
      • setup.exe (PID: 1252)
      • setup (2).exe (PID: 996)
      • setup (2).exe (PID: 324)
      • setup.exe (PID: 1324)
      • setup.exe (PID: 2168)

    • PREPSCRAM was detected

      • setup.exe (PID: 944)
      • setup.exe (PID: 3152)
      • setup (2).exe (PID: 324)
      • setup.exe (PID: 1324)

    • Connects to CnC server

      • setup.exe (PID: 944)
      • setup.exe (PID: 3152)
      • setup (2).exe (PID: 324)
      • setup.exe (PID: 1324)

  • SUSPICIOUS

    • Application launched itself

      • setup.exe (PID: 1908)
      • setup.exe (PID: 1252)
      • WinRAR.exe (PID: 1792)
      • setup (2).exe (PID: 996)
      • setup.exe (PID: 2168)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1792)
      • WinRAR.exe (PID: 3568)
      • DllHost.exe (PID: 1516)

    • Executed via COM

      • DllHost.exe (PID: 1516)

  • INFO

    • Manual execution by user

      • explorer.exe (PID: 4088)
      • setup (2).exe (PID: 996)
      • setup.exe (PID: 2168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:10:11 12:55:01
ZipCRC: 0x229e0162
ZipCompressedSize: 2887143
ZipUncompressedSize: 2932736
ZipFileName: setup.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
64
Monitored processes
12
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start winrar.exe setup.exe no specs #PREPSCRAM setup.exe setup.exe no specs #PREPSCRAM setup.exe winrar.exe explorer.exe no specs Copy/Move/Rename/Delete/Link Object setup (2).exe no specs #PREPSCRAM setup (2).exe setup.exe no specs #PREPSCRAM setup.exe

Process information

PID
CMD
Path
Indicators
Parent process
1792"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\photoscore-notateme-ultimate-v882-crack-inc_CRACK.zip.zs.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1908"C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
944"C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exe" "C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exe
setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
1252"C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3152"C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exe" "C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exe
setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3568"C:\Program Files\WinRAR\WinRAR.exe" -elevate1792C:\Program Files\WinRAR\WinRAR.exe
WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
HIGH
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
4088"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1516C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
996"C:\Users\setup (2).exe" C:\Users\setup (2).exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
324"C:\Users\setup (2).exe" "C:\Users\setup (2).exe" C:\Users\setup (2).exe
setup (2).exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
1 392
Read events
1 348
Write events
44
Delete events
0

Modification events

(PID) Process:(1792) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1792) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1792) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1792) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\photoscore-notateme-ultimate-v882-crack-inc_CRACK.zip.zs.zip
(PID) Process:(1792) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1792) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1792) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1792) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1792) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1792) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
5
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1792WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1792.22662\setup.exe
MD5:
SHA256:
1516DllHost.exeC:\Users\setup (2).exeexecutable
MD5:70C663A2D0ED6179FC1F1D38C3F04835
SHA256:1E2161B4E2F78A59192E13629C0128A725913B7E763770478BDABF751F98BF05
1792WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1792.20137\setup.exeexecutable
MD5:70C663A2D0ED6179FC1F1D38C3F04835
SHA256:1E2161B4E2F78A59192E13629C0128A725913B7E763770478BDABF751F98BF05
3568WinRAR.exeC:\Users\setup.exeexecutable
MD5:70C663A2D0ED6179FC1F1D38C3F04835
SHA256:1E2161B4E2F78A59192E13629C0128A725913B7E763770478BDABF751F98BF05
1792WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1792.28936\setup.exeexecutable
MD5:70C663A2D0ED6179FC1F1D38C3F04835
SHA256:1E2161B4E2F78A59192E13629C0128A725913B7E763770478BDABF751F98BF05
1792WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1792.21578\setup.exeexecutable
MD5:70C663A2D0ED6179FC1F1D38C3F04835
SHA256:1E2161B4E2F78A59192E13629C0128A725913B7E763770478BDABF751F98BF05
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3152
setup.exe
GET
200
13.32.222.41:80
http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=8946&trackingId=428101551&instId=8185&ho_trackingid=HO428101551&cc=US&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=738&kid=hqmrb21bj4f2veet5hh
US
shared
324
setup (2).exe
GET
200
52.222.149.159:80
http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=8946&trackingId=428101551&instId=8185&ho_trackingid=HO428101551&cc=US&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=738&kid=hqmrb21bj4f2veet5hh
US
shared
944
setup.exe
GET
200
13.32.222.41:80
http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=8946&trackingId=428101551&instId=8185&ho_trackingid=HO428101551&cc=US&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=738&kid=hqmrb21bj4f2veet5hh
US
shared
1324
setup.exe
GET
200
52.222.149.159:80
http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=8946&trackingId=428101551&instId=8185&ho_trackingid=HO428101551&cc=US&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=738&kid=hqmrb21bj4f2veet5hh
US
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
944
setup.exe
13.32.222.41:80
d1hq9wbcfo7dcl.cloudfront.net
Amazon.com, Inc.
US
whitelisted
3152
setup.exe
13.32.222.41:80
d1hq9wbcfo7dcl.cloudfront.net
Amazon.com, Inc.
US
whitelisted
324
setup (2).exe
52.222.149.159:80
d1hq9wbcfo7dcl.cloudfront.net
Amazon.com, Inc.
US
whitelisted
1324
setup.exe
52.222.149.159:80
d1hq9wbcfo7dcl.cloudfront.net
Amazon.com, Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
d1hq9wbcfo7dcl.cloudfront.net
  • 13.32.222.41
  • 13.32.222.223
  • 13.32.222.228
  • 13.32.222.11
  • 52.222.149.159
  • 52.222.149.178
  • 52.222.149.210
  • 52.222.149.32
shared

Threats

PID
Process
Class
Message
944
setup.exe
Unknown Traffic
ET INFO Suspicious User-Agent (1 space)
944
setup.exe
Misc activity
ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram
3152
setup.exe
Unknown Traffic
ET INFO Suspicious User-Agent (1 space)
3152
setup.exe
Misc activity
ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram
324
setup (2).exe
Unknown Traffic
ET INFO Suspicious User-Agent (1 space)
324
setup (2).exe
Misc activity
ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram
1324
setup.exe
Unknown Traffic
ET INFO Suspicious User-Agent (1 space)
1324
setup.exe
Misc activity
ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram
12 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
photoscore-notateme-ultimate-v882-crack-inc_CRACK.zip.zs