Field | Value |
---|---|
File name | _Cracked_Streambot_2.rar |
Full analysis | https://app.any.run/tasks/547416d6-3361-4a73-818d-e3c339f8a221 |
Verdict | Malicious activity |
Analysis date | December 18, 2018, 15:15:18 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-rar |
File info | RAR archive data, v5 |
MD5 | C98AAE43EC84FADC9EAC5EBC0CD7A1B2 |
SHA1 | FCD63318B9146484A521D9AFC0AFC0AE17F13D18 |
SHA256 | 141FB3AB10523E8624E5736218F9A6B7A8CD1FFB3862444F491D5792FA6D3142 |
SSDEEP | 196608:R9itwJNPwD7qM2KFJUycFd+o+zOwAd+jDoWRJO4Zvj57UIG+uMNZkyzf29F0Hl:uiJNYy4C/Fd+ond47nOc9UIG+DZ/29Fg |
Extension | Identified type (score) |
---|---|
.rar | RAR compressed archive (v5.0) (61.5) |
.rar | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3308 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\_Cracked_Streambot_2.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
1328 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1040 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Version: 7.00.7600.16385 (win7_rtm.090713-1255) |
3836 | "C:\Users\admin\Desktop\[Cracked]Streambot 2\V\Streambot 2.exe" | C:\Users\admin\Desktop\[Cracked]Streambot 2\V\Streambot 2.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3328 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | Streambot 2.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Event Viewer Snapin Launcher; Exit code: 3221226540; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3976 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | | Streambot 2.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Event Viewer Snapin Launcher; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3272 | "C:\Users\admin\Desktop\[Cracked]Streambot 2\V\Streambot 2.exe" | C:\Users\admin\Desktop\[Cracked]Streambot 2\V\Streambot 2.exe | | eventvwr.exe | User: admin; Integrity Level: HIGH |
2912 | "C:\Users\admin\AppData\Local\Temp\streambot2.exe" | C:\Users\admin\AppData\Local\Temp\streambot2.exe | — | Streambot 2.exe | User: admin; Company: Shadiku Izayoi, Emma Skye <neosyndicate.net>; Integrity Level: HIGH; Description: streambot²; Exit code: 3221225781; Version: 2.5.0.0 |
3652 | "C:\Users\admin\AppData\Local\Temp\Protectedcy.exe" | C:\Users\admin\AppData\Local\Temp\Protectedcy.exe | — | Streambot 2.exe | User: admin; Integrity Level: HIGH |
2192 | "C:\Users\admin\AppData\Local\Temp\Protectedin.exe" | C:\Users\admin\AppData\Local\Temp\Protectedin.exe | — | Streambot 2.exe | User: admin; Integrity Level: HIGH |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3308.16372\[Cracked]Streambot 2\V\includes\dat01\ap24.dat | image | 28389196BE905D4D4660C46FB663A3CC | 95365C85C587D51BE1B69AC572FE6E87C1A093DA0E7B98E67BD309AB09483B54 |
3308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3308.16372\[Cracked]Streambot 2\V\includes\dat01\ap22.dat | compressed | 45DDEF3B2DFA5D79DDE211620FCF538C | 1159A44808FAA6C897BDA6D66AE0620B898593A13EAF56318CDDBE66A8298583 |
3308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3308.16372\[Cracked]Streambot 2\V\curl.exe | executable | B22281F1DD04E1D09643E437AAEEE065 | 83D1FDB808BD681100DD946A7CFB2D7AB39ED1553D71261DFEA30B727D786F00 |
3308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3308.16372\[Cracked]Streambot 2\V\includes\dat01\ap16.dat | compressed | 05285A412184D9B14B68514E5BC7178C | 6F3863BFAA7A17CC371579D02DD5C2CE3000C940DFC2C67B8205AA02B231BBA5 |
3308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3308.16372\[Cracked]Streambot 2\V\includes\dat01\ap20.dat | image | 694B28725867A2C893A2535CA310ACB8 | 475FE9452812C91BCD7208687DE014419FDC0C77FE29747FD18DDA3EADACAEA8 |
3308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3308.16372\[Cracked]Streambot 2\V\includes\dat01\ap10.dat | image | 15FEC6C33A20A6ECB295FA55514781E7 | E238521A1915A0C488D87FA0068D03135BA2D806268F58E973B858195975B20D |
3308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3308.16372\[Cracked]Streambot 2\V\includes\dat01\ap18.dat | image | 9073D4D6CB37AB39CAA44CFF241182EE | 19105802E9202F5070919D1326732BE8E8B0D0EF0B9E7DD11AA6BF7DD43042D3 |
3308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3308.16372\[Cracked]Streambot 2\V\includes\dat01\ap1.dat | text | 38DE427224A5082A04FE82E2BD4EA9EC | 12F99F53144294750FE8713D580EDA286F4BD95CD9C840DB8AB957DEF8040028 |
3308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3308.16372\[Cracked]Streambot 2\V\includes\dat01\ap14.dat | image | 58724CE63DFB037C86EE19358FC20157 | D4D9BE6BFBAAF7B4215D149907182B8D92137628E0369986D07E8E27006817E8 |
3308 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3308.16372\[Cracked]Streambot 2\V\includes\dat01\ap12.dat | image | D8D7A1347773A2F1BF652174075C6BC3 | 4D19EEFAA357F7EAC71FA28EB55AAD26627716B6ABE6F0361C4948E69E7ECB62 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2864 | SDVGJHKHC.exe | 192.154.110.50:2222 | pooleu.xmrminingpool.net | GorillaServers, Inc. | US | suspicious |
3008 | ZVKQHTPNL.exe | 192.154.110.50:2222 | pooleu.xmrminingpool.net | GorillaServers, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
pooleu.xmrminingpool.net | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3008 | ZVKQHTPNL.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
3008 | ZVKQHTPNL.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login |
2864 | SDVGJHKHC.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
2864 | SDVGJHKHC.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login |
3008 | ZVKQHTPNL.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
3008 | ZVKQHTPNL.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c |
2864 | SDVGJHKHC.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
2864 | SDVGJHKHC.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c |