File name: | Order PCT1086586 - Project Commercial Conditions.zip |
Full analysis: | https://app.any.run/tasks/a214c84d-e99f-4a70-98ef-3fefd82993d5 |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | July 18, 2019, 07:42:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | D08C78C2052432CA6ECA13C79EF6DF1A |
SHA1: | A6EF2828EA27BAA756B243B16C815F03C9D19B8F |
SHA256: | 1AA27D6164A04A5F1713ED89353B4F6DBA19617C94B88E91813F3E7F29C1613C |
SSDEEP: | 6144:rcK1z/TDjOpEYQ7uQycOAAcekZ5qCGkN2XR8VS9cS84zaMgwSDNkQZ:gCT/JYdjxA9LXGklVS9cSPOMi5hZ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Order PCT1086586 - Project Commercial Conditions.exe |
---|---|
ZipUncompressedSize: | 544768 |
ZipCompressedSize: | 290356 |
ZipCRC: | 0xe99659d7 |
ZipModifyDate: | 2005:01:27 01:09:26 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3012 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Order PCT1086586 - Project Commercial Conditions.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3872 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37035\Order PCT1086586 - Project Commercial Conditions.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37035\Order PCT1086586 - Project Commercial Conditions.exe | — | WinRAR.exe |
User: admin Company: Reva Integrity Level: MEDIUM Description: CYNODONT10 Exit code: 0 Version: 1.07.0009 | ||||
4020 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37040\Order PCT1086586 - Project Commercial Conditions.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37040\Order PCT1086586 - Project Commercial Conditions.exe | — | WinRAR.exe |
User: admin Company: Reva Integrity Level: MEDIUM Description: CYNODONT10 Exit code: 0 Version: 1.07.0009 | ||||
2904 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37071\Order PCT1086586 - Project Commercial Conditions.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37071\Order PCT1086586 - Project Commercial Conditions.exe | — | WinRAR.exe |
User: admin Company: Reva Integrity Level: MEDIUM Description: CYNODONT10 Exit code: 0 Version: 1.07.0009 | ||||
3048 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37079\Order PCT1086586 - Project Commercial Conditions.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37079\Order PCT1086586 - Project Commercial Conditions.exe | — | WinRAR.exe |
User: admin Company: Reva Integrity Level: MEDIUM Description: CYNODONT10 Exit code: 0 Version: 1.07.0009 | ||||
1528 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37040\Order PCT1086586 - Project Commercial Conditions.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37040\Order PCT1086586 - Project Commercial Conditions.exe | — | Order PCT1086586 - Project Commercial Conditions.exe |
User: admin Company: Reva Integrity Level: MEDIUM Description: CYNODONT10 Exit code: 1 Version: 1.07.0009 | ||||
3892 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37079\Order PCT1086586 - Project Commercial Conditions.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37079\Order PCT1086586 - Project Commercial Conditions.exe | Order PCT1086586 - Project Commercial Conditions.exe | |
User: admin Company: Reva Integrity Level: MEDIUM Description: CYNODONT10 Exit code: 0 Version: 1.07.0009 | ||||
3896 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37035\Order PCT1086586 - Project Commercial Conditions.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37035\Order PCT1086586 - Project Commercial Conditions.exe | — | Order PCT1086586 - Project Commercial Conditions.exe |
User: admin Company: Reva Integrity Level: MEDIUM Description: CYNODONT10 Exit code: 1 Version: 1.07.0009 | ||||
3948 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37071\Order PCT1086586 - Project Commercial Conditions.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37071\Order PCT1086586 - Project Commercial Conditions.exe | — | Order PCT1086586 - Project Commercial Conditions.exe |
User: admin Company: Reva Integrity Level: MEDIUM Description: CYNODONT10 Exit code: 1 Version: 1.07.0009 | ||||
1420 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" | C:\Windows\System32\WScript.exe | — | Order PCT1086586 - Project Commercial Conditions.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 |
(PID) Process: | (3012) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3012) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3012) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3012) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Order PCT1086586 - Project Commercial Conditions.zip | |||
(PID) Process: | (3012) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3012) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3012) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3012) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3012) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3012) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37035\Order PCT1086586 - Project Commercial Conditions.exe | executable | |
MD5:F2ECAAD95EB5C1EC560456807507554E | SHA256:6B67C78359A721A5D973706792105EB2E108F2C24B1E195C85E517AB32AA0FA5 | |||
4040 | hpsupport.exe | C:\Users\admin\AppData\Roaming\hpsupport\logs.dat | text | |
MD5:741D3F59B03144F17912A6A42F863889 | SHA256:113D8074A692B9C30AEF8D424F7BE10F2E1B326F50959B05F970B8ED455213C2 | |||
3892 | Order PCT1086586 - Project Commercial Conditions.exe | C:\Users\admin\AppData\Roaming\hpsupport\hpsupport.exe | executable | |
MD5:F2ECAAD95EB5C1EC560456807507554E | SHA256:6B67C78359A721A5D973706792105EB2E108F2C24B1E195C85E517AB32AA0FA5 | |||
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37079\Order PCT1086586 - Project Commercial Conditions.exe | executable | |
MD5:F2ECAAD95EB5C1EC560456807507554E | SHA256:6B67C78359A721A5D973706792105EB2E108F2C24B1E195C85E517AB32AA0FA5 | |||
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37040\Order PCT1086586 - Project Commercial Conditions.exe | executable | |
MD5:F2ECAAD95EB5C1EC560456807507554E | SHA256:6B67C78359A721A5D973706792105EB2E108F2C24B1E195C85E517AB32AA0FA5 | |||
3012 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3012.37071\Order PCT1086586 - Project Commercial Conditions.exe | executable | |
MD5:F2ECAAD95EB5C1EC560456807507554E | SHA256:6B67C78359A721A5D973706792105EB2E108F2C24B1E195C85E517AB32AA0FA5 | |||
3892 | Order PCT1086586 - Project Commercial Conditions.exe | C:\Users\admin\AppData\Local\Temp\install.vbs | binary | |
MD5:B4DD0E6DED24F260B85FEAFCBF394F64 | SHA256:41DCAD305F95F49F5B3528711D01C80B86C5DAD0DD247751620033F746AE56AB |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4040 | hpsupport.exe | 185.247.228.250:5001 | dubaidhllee.ddns.net | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
dubaidhllee.ddns.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
4040 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
4040 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
4040 | hpsupport.exe | A Network Trojan was detected | ET TROJAN Remcos RAT Checkin 23 |
4040 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
4040 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
4040 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT connection |
4040 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
4040 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
4040 | hpsupport.exe | A Network Trojan was detected | ET TROJAN Remcos RAT Checkin 23 |
4040 | hpsupport.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |