File name: GjkeqZjxdJVq2K.rar
Full analysis: https://app.any.run/tasks/2a4a7a5f-d2ab-48b7-ba4b-30257c3e279d
Verdict: Malicious activity
Analysis date: May 30, 2020, 09:09:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: —
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 5B639E895D8FD75E5CB3F2BD25811A41
SHA1: 774E54BCA857A3D5284910649F5901B7509FF955
SHA256: 18A14C770DC8D0679D2C22D35853F53C5B40EC7B10F098FEA57A38989929B525
SSDEEP: 49152:d7JF/7akKMurXK+4uVreB0cQyXusC2haQ7BhcwAhjIZJf+qiNpT4V9lpNrqTwwH:d7JN7ajXNBC0GC1QNhcDGf+qifkTlppO
File type identification:

Extension | Description | Match (%)
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
Processes:

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2452 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GjkeqZjxdJVq2K.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2728 | "C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe" | C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2836 | "C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe" -el -s2 "-dC:\Windows\System32\drivers" "-sp" | C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe | — | Vq2K$GjkeqZjxdJ.exe | User: admin; Integrity Level: HIGH; Exit code: 0
2004 | "C:\Windows\System32\drivers\ztYw2y8tYw2N9yeRPFMT.exe" | C:\Windows\System32\drivers\ztYw2y8tYw2N9yeRPFMT.exe | — | Vq2K$GjkeqZjxdJ.exe | User: admin; Integrity Level: HIGH; Exit code: 1
2732 | "C:\Windows\System32\drivers\NzmQfYnDsd.exe" | C:\Windows\System32\drivers\NzmQfYnDsd.exe | — | Vq2K$GjkeqZjxdJ.exe | User: admin; Integrity Level: HIGH; Description: FluxLoader; Version: 1.0.0.0
Files:

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2452 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2452.11447\Vq2K$GjkeqZjxdJ.exe | — | — | —
2732 | NzmQfYnDsd.exe | C:\Users\admin\AppData\Local\FluxLoader\DefaultDomain_Path_otxh1g3d2uhtlcxxtxzivz3e0bknhhgq\1.0.0.0\weg3olz3.newcfg | — | — | —
2732 | NzmQfYnDsd.exe | C:\Users\admin\AppData\Local\FluxLoader\DefaultDomain_Path_otxh1g3d2uhtlcxxtxzivz3e0bknhhgq\1.0.0.0\wmd0suv0.newcfg | xml | 1788F2062F6A7E22E4927886A11D3382 | 34084F133FCB718A7B6AF21D002BD4C58CFC9E9D26DEC560CAE2D24061B7DE0C
2836 | Vq2K$GjkeqZjxdJ.exe | C:\Windows\System32\drivers\NzmQfYnDsd.exe | executable | 5AFE1B8FA3B129BAF77CC93FB9E8ABCE | ABFA7D4DFCB563C9513B74632CB409077398EF322D9D1E0103AFFC6E8CCF1499
2732 | NzmQfYnDsd.exe | C:\Users\admin\AppData\Local\FluxLoader\DefaultDomain_Path_otxh1g3d2uhtlcxxtxzivz3e0bknhhgq\1.0.0.0\user.config | xml | EC9C54B3B844A101D9CF34D1DFEF0B36 | 6CF63C9684DE5FBDC16CF52170C9777FEF2CB6D6F73DFB2ACFA78735276EB22D
2732 | NzmQfYnDsd.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\check[1].htm | html | 9D4FBA3544D638604A90669C319B94AF | BEC6F1EF1206BE834319F90DCAB5A683D12790EADFAA248E2785B81A9C75261E
2836 | Vq2K$GjkeqZjxdJ.exe | C:\Windows\System32\drivers\ztYw2y8tYw2N9yeRPFMT.exe | executable | FF5D13943A0ED41A293B0262A6D3BF36 | C4CB80458AE8DD744CB5CD0672AF7B0D0B0E2B324EA00290F97508D3E37D5175
2732 | NzmQfYnDsd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\ECKJYRJ0.txt | text | B06CE482EA337F9FEADF149D30508F0F | A542834BD1175D85DFA71B8773C7FAFF8AF3D0D1498457AB7348D77CB42C4717
2732 | NzmQfYnDsd.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\aes[1].js | text | 78A66859739B0C9E18BC5B4538C03BF9 | D2701C86A2A31A641520E72121749DBBABEED4B1A59AECE20BBF14F9C9DE82BC
HTTP requests:

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---|
2732 | NzmQfYnDsd.exe | GET | 200 | 185.27.134.125:80 | http://fluxware.epizy.com/forums/check/check.php?username=dick&password=awdadawdawdawdwuaiawidaawdaw | GB | — | — | suspicious |
2732 | NzmQfYnDsd.exe | GET | 200 | 185.27.134.125:80 | http://fluxware.epizy.com/forums/check/check.php?username=dwadwad&password=awdadawdawdaw | GB | html | 593 b | suspicious |
2732 | NzmQfYnDsd.exe | GET | 200 | 185.27.134.125:80 | http://fluxware.epizy.com/forums/check/check.php?username=dwadwad&password=awdadawdawdaw&i=1 | GB | text | 30.4 Kb | suspicious |
2732 | NzmQfYnDsd.exe | GET | 200 | 185.27.134.125:80 | http://fluxware.epizy.com/aes.js | GB | text | 30.4 Kb | suspicious |
Connections:

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---|
2732 | NzmQfYnDsd.exe | 185.27.134.125:80 | fluxware.epizy.com | Wildcard UK Limited | GB | suspicious |
DNS requests:

Domain | IP | Reputation
---|---|---
fluxware.epizy.com | — | suspicious
Threats:

PID | Process | Class | Message
---|---|---|---|
2732 | NzmQfYnDsd.exe | Misc activity | SUSPICIOUS [PTsecurity] Encryptor aes.js script (seen PedCont ransomware) |
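The process, file and HTTP tables above contain three patterns worth turning into checks: the same self-extractor image appearing twice, the second instance parented by the first, running at HIGH instead of MEDIUM integrity and carrying SFX switches with a destination of C:\Windows\System32\drivers; two executables dropped into that directory by a binary launched from the user's Desktop; and a loader sending `username` and `password` as plain-HTTP query parameters. The Python script below is an added example, not part of the ANY.RUN report or of the analysed sample. Its records are transcribed from the tables above; the rule logic, the parameter-name list (broader than the two names on this page), the set of "protected" directories, and the reading of `-el` and `-d<dest>` as the self-extractor's elevation and destination switches are the editor's assumptions.

```python
"""Triage checks over the ANY.RUN rows above.

Added example, not part of the report: the records are transcribed from the
report's process, file and HTTP tables; the rule logic and the reading of
-el / -d<dest> as self-extractor elevation/destination switches are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# (pid, image path, command line, integrity level, parent process)
PROCESSES = [
    (2452, r"C:\Program Files\WinRAR\WinRAR.exe",
     r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GjkeqZjxdJVq2K.rar"',
     "MEDIUM", "explorer.exe"),
    (2728, r"C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe",
     r'"C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe"', "MEDIUM", "explorer.exe"),
    (2836, r"C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe",
     r'"C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe" -el -s2 "-dC:\Windows\System32\drivers" "-sp"',
     "HIGH", "Vq2K$GjkeqZjxdJ.exe"),
    (2004, r"C:\Windows\System32\drivers\ztYw2y8tYw2N9yeRPFMT.exe",
     r'"C:\Windows\System32\drivers\ztYw2y8tYw2N9yeRPFMT.exe"', "HIGH", "Vq2K$GjkeqZjxdJ.exe"),
    (2732, r"C:\Windows\System32\drivers\NzmQfYnDsd.exe",
     r'"C:\Windows\System32\drivers\NzmQfYnDsd.exe"', "HIGH", "Vq2K$GjkeqZjxdJ.exe"),
]

LOCAL = r"C:\Users\admin\AppData\Local"
FLUX = LOCAL + r"\FluxLoader\DefaultDomain_Path_otxh1g3d2uhtlcxxtxzivz3e0bknhhgq\1.0.0.0"
IE5 = LOCAL + r"\Microsoft\Windows\Temporary Internet Files\Content.IE5"
DRIVERS = r"C:\Windows\System32\drivers"

# (pid, process name, file written, type) in the order the report lists them
FILE_WRITES = [
    (2452, "WinRAR.exe", LOCAL + r"\Temp\Rar$DRa2452.11447\Vq2K$GjkeqZjxdJ.exe", "-"),
    (2732, "NzmQfYnDsd.exe", FLUX + r"\weg3olz3.newcfg", "-"),
    (2732, "NzmQfYnDsd.exe", FLUX + r"\wmd0suv0.newcfg", "xml"),
    (2836, "Vq2K$GjkeqZjxdJ.exe", DRIVERS + r"\NzmQfYnDsd.exe", "executable"),
    (2732, "NzmQfYnDsd.exe", FLUX + r"\user.config", "xml"),
    (2732, "NzmQfYnDsd.exe", IE5 + r"\78RFYB7Z\check[1].htm", "html"),
    (2836, "Vq2K$GjkeqZjxdJ.exe", DRIVERS + r"\ztYw2y8tYw2N9yeRPFMT.exe", "executable"),
    (2732, "NzmQfYnDsd.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\ECKJYRJ0.txt", "text"),
    (2732, "NzmQfYnDsd.exe", IE5 + r"\B6QGX7LP\aes[1].js", "text"),
]

# (pid, process name, method, URL)
HTTP = [
    (2732, "NzmQfYnDsd.exe", "GET", "http://fluxware.epizy.com/forums/check/check.php?username=dick&password=awdadawdawdawdwuaiawidaawdaw"),
    (2732, "NzmQfYnDsd.exe", "GET", "http://fluxware.epizy.com/forums/check/check.php?username=dwadwad&password=awdadawdawdaw"),
    (2732, "NzmQfYnDsd.exe", "GET", "http://fluxware.epizy.com/forums/check/check.php?username=dwadwad&password=awdadawdawdaw&i=1"),
    (2732, "NzmQfYnDsd.exe", "GET", "http://fluxware.epizy.com/aes.js"),
]

RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
PROTECTED_DIRS = ("c:\\windows\\system32\\drivers\\",)   # assumption: directories a user process should never write
USER_DIRS = ("c:\\users\\",)                              # assumption: user-writable image locations
CRED_PARAMS = {"username", "user", "login", "password", "pass", "pwd"}  # assumption: credential-looking names
SFX_DEST = re.compile(r'"-d([^"]+)"|(?<!\S)-d(\S+)')      # -d<dest>, quoted or bare


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def elevated_relaunches(processes):
    """Same image run twice, the second instance parented by the first, at a
    higher integrity level and carrying the -el switch: the shape of a
    self-extractor re-launching itself through UAC to reach a protected dir.
    Returns (pid, destination directory from -d, or None)."""
    hits = []
    for pid, image, cmd, integ, parent in processes:
        if "-el" not in cmd.split() or parent.lower() != _basename(image):
            continue
        lower_twin = any(q[1].lower() == image.lower() and q[0] != pid
                         and RANK[q[3]] < RANK[integ] for q in processes)
        if not lower_twin:
            continue
        m = SFX_DEST.search(cmd)
        hits.append((pid, (m.group(1) or m.group(2)) if m else None))
    return hits


def protected_dir_drops(processes, file_writes):
    """Executables written under a protected directory by a process whose own
    image lives in a user-writable location."""
    image_of = {p[0]: p[1].lower() for p in processes}
    return [(pid, path) for pid, _, path, ftype in file_writes
            if ftype == "executable"
            and path.lower().startswith(PROTECTED_DIRS)
            and image_of.get(pid, "").startswith(USER_DIRS)]


def cleartext_credentials(http):
    """Plain-HTTP requests carrying credential-looking query parameters, which
    every proxy, server log and on-path observer gets to read."""
    hits = []
    for pid, _, method, url in http:
        parts = urlsplit(url)
        names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        found = sorted(names & CRED_PARAMS)
        if parts.scheme == "http" and found:
            hits.append((pid, method, parts.hostname, found))
    return hits


def triage():
    """Run all three checks over the transcribed rows."""
    return {
        "sfx_elevation": elevated_relaunches(PROCESSES),
        "protected_dir_drops": protected_dir_drops(PROCESSES, FILE_WRITES),
        "cleartext_credentials": cleartext_credentials(HTTP),
    }


if __name__ == "__main__":
    for rule, findings in triage().items():
        print(rule)
        for finding in findings:
            print("   ", finding)
```

The first check keys on the integrity jump plus the parent relationship rather than on the switch names alone, so a self-extractor that is simply run twice at the same level is not reported; the third check ignores the parameter values on purpose, since the names and the scheme are what make the request worth flagging regardless of whether the values are real credentials or test strings.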