| Field | Value |
|---|---|
| File name | pubg_lite_multihack_version_230_634e3.zip |
| Full analysis | https://app.any.run/tasks/587e57bf-efb9-4e4a-b4f1-a98c0c1e2db7 |
| Verdict | Malicious activity |
| Analysis date | August 18, 2019, 08:25:40 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v1.0 to extract |
| MD5 | 24D736098DCE73F12CED460CDB4B588F |
| SHA1 | 69F454F9E7A24D5DC34AA11A1CBF5A1761E7C8CE |
| SHA256 | 2B9FF521FEE69B407FBA9ED127F6C4A3EC2E75274C71547DD507822B083A8F0A |
| SSDEEP | 49152:0F5wzorqHfMhxamZthMJSz3Ne52z6Olr/V1ZA4Yz7D1F6kwHUfD:M5V+/Mzam357gIh91ZAt7pw07 |
Static information (TrID match and ZIP header fields of the single entry):

| Field | Value |
|---|---|
| TrID | .zip: ZIP compressed archive (100) |
| ZipRequiredVersion | 10 |
| ZipBitFlag | 0x0009 |
| ZipCompression | None |
| ZipModifyDate | 2019:08:18 08:21:28 |
| ZipCRC | 0x68650f4b |
| ZipCompressedSize | 2712588 |
| ZipUncompressedSize | 2712588 |
| ZipFileName | pubg_lite_multihack_version_230.exe |

The executable is stored, not deflated (compression None, compressed size equal to uncompressed size). In the general-purpose bit flag 0x0009, bit 0 marks the entry as encrypted and bit 3 says the CRC and sizes are repeated in a trailing data descriptor; the executable is therefore password-protected inside the archive, which is why the container hashes alone tell a scanner little about the payload.
Processes (PID 3060 is WinRAR opening the archive; the remaining PIDs are the extracted executable):

| PID | CMD | Path | Indicators | Parent process | Integrity level | Exit code |
|---|---|---|---|---|---|---|
| 3060 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\pubg_lite_multihack_version_230_634e3.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | MEDIUM | 0 |
| 3268 | "C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe" | C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe | — | explorer.exe | MEDIUM | 0 |
| 2772 | "C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe" "C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe" | C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe | | pubg_lite_multihack_version_230.exe | HIGH | 0 |
| 2256 | "C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe" | C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe | | explorer.exe | HIGH | 0 |
| 4076 | "C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe" | C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe | — | explorer.exe | MEDIUM | 0 |
| 2820 | "C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe" "C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe" | C:\Users\admin\Desktop\pubg_lite_multihack_version_230.exe | | pubg_lite_multihack_version_230.exe | HIGH | 0 |

All processes run as user admin. PID 3060: Company Alexander Roshal, Description WinRAR archiver, Version 5.60.0. No company or description fields are reported for the sample itself.

The binary is started from explorer.exe at MEDIUM integrity twice (3268, 4076) and also runs three times at HIGH integrity: twice as a child of itself with its own path passed as the argument (2772, 2820) and once with explorer.exe recorded as parent (2256). All of the network activity below comes from the HIGH-integrity instances, so the sample relaunches itself elevated before it does its work.
Registry writes (all by PID 3060, WinRAR.exe; these are WinRAR's own UI and history state, not behaviour of the sample):

| Key | Name | Operation | Value |
|---|---|---|---|
| HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write | |
| HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write | |
| HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | write | en-US |
| HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\AppData\Local\Temp\pubg_lite_multihack_version_230_634e3.zip |
| HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120 |
| HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80 |
| HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | write | 120 |
| HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | write | 100 |
| HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | write | 0 |
| HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | write | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |

The ArcHistory entry records the path of the archive that was opened; the other values are column widths, theme and window placement.
Files dropped:

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3060 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3060.26709\pubg_lite_multihack_version_230.exe | executable | A907D0D20A6A2E2E9ADAE5F1EF8E7129 | 294C6F77606E801AC6DFB56F9B7DF6823858D8EAA13902206A007D6B4C79531A |

The hashes above belong to the extracted executable; the MD5/SHA1/SHA256 at the top of the report belong to the ZIP container. Hunt on both.
HTTP requests:

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2256 | pubg_lite_multihack_version_230.exe | GET | 200 | 54.230.93.128:80 | http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=7512&trackingId=422357691&instId=7584&ho_trackingid=HO422357691&cc=DE&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=681&kid=hqmrb21bevmlgik8hf7 | US | — | — | shared |
| 2772 | pubg_lite_multihack_version_230.exe | GET | 200 | 54.230.93.128:80 | http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=7512&trackingId=422357691&instId=7584&ho_trackingid=HO422357691&cc=DE&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=681&kid=hqmrb21bevmlgik8hf7 | US | — | — | shared |
| 2820 | pubg_lite_multihack_version_230.exe | GET | 200 | 54.230.93.41:80 | http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=7512&trackingId=422357691&instId=7584&ho_trackingid=HO422357691&cc=DE&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=681&kid=hqmrb21bevmlgik8hf7 | US | — | — | shared |

Each elevated instance sends the same plain-HTTP GET to offer.php on a CloudFront distribution. The query string carries the affiliate and install identifiers and a fingerprint of the victim host: country (cc=DE), architecture (sb=x86), Windows version (wv=7sp1), default browser, UAC state, .NET version, Internet Explorer version (ie=8.0.7601.17514 after percent-decoding) and screen resolution.
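The three requests above are a pay-per-install bundler reporting an installation and the host it landed on. The script below is an added example written for this page; it is not code from the ANY.RUN report or from the sample. It parses those request lines (copied from the table), pulls out the affiliate/installer identifiers and the host fingerprint, and correlates them across the three processes. The names given to the query parameters (affId as affiliate id, instId as installer build, cid as per-machine id, and so on) and the rule that affId, trackingId and instId together mark a beacon are the editor's assumptions; the page does not document the protocol.

```python
"""Triage helper for the offer.php beacons in the HTTP table.

Added example, not part of the ANY.RUN report and not code from the sample.
The request lines are copied from the report; the parameter meanings and the
BEACON_KEYS rule are assumptions about how pay-per-install bundlers such as
Prepscram report an install.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed from the report's HTTP table: "<pid> <method> <status> <dst> <url>".
HTTP_LOG = """
2256 GET 200 54.230.93.128:80 http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=7512&trackingId=422357691&instId=7584&ho_trackingid=HO422357691&cc=DE&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=681&kid=hqmrb21bevmlgik8hf7
2772 GET 200 54.230.93.128:80 http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=7512&trackingId=422357691&instId=7584&ho_trackingid=HO422357691&cc=DE&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=681&kid=hqmrb21bevmlgik8hf7
2820 GET 200 54.230.93.41:80 http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=7512&trackingId=422357691&instId=7584&ho_trackingid=HO422357691&cc=DE&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.7.03062&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=681&kid=hqmrb21bevmlgik8hf7
""".strip().splitlines()

# Query keys that together mark an affiliate install beacon (assumption).
BEACON_KEYS = {"affId", "trackingId", "instId"}

# Query key -> readable fingerprint field (assumed meanings).
FINGERPRINT = {
    "cc": "country",
    "sb": "arch",
    "wv": "windows",
    "db": "default_browser",
    "uac": "uac",
    "net": "dotnet",
    "ie": "ie",
    "res": "screen",
}


def parse_beacon(url):
    """Return a dict describing the beacon, or None if the URL is not one."""
    parts = urlsplit(url)
    # parse_qs percent-decodes values: ie=8%2e0%2e7601%2e17514 -> 8.0.7601.17514
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if not (parts.path.endswith("/offer.php") and BEACON_KEYS.issubset(query)):
        return None
    return {
        "host": parts.hostname,
        "affiliate_id": query["affId"],
        "tracking_id": query["trackingId"],
        "installer_id": query["instId"],
        "machine_id": query.get("cid"),
        "fingerprint": {name: query[k] for k, name in FINGERPRINT.items() if k in query},
    }


def triage(log_lines):
    """Parse every beacon in the log and correlate identifiers across processes."""
    beacons = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # not a "<pid> <method> <status> <dst> <url>" record
        pid, _method, _status, dst, url = fields
        beacon = parse_beacon(url)
        if beacon:
            beacon.update(pid=int(pid), dst=dst)
            beacons.append(beacon)
    return {
        "beacons": beacons,
        "pids": sorted({b["pid"] for b in beacons}),
        "hosts": {b["host"] for b in beacons},
        "dsts": {b["dst"] for b in beacons},
        "affiliate_ids": {b["affiliate_id"] for b in beacons},
        "machine_ids": {b["machine_id"] for b in beacons},
    }


if __name__ == "__main__":
    summary = triage(HTTP_LOG)
    print(f"{len(summary['beacons'])} beacons from PIDs {summary['pids']}")
    print("affiliate ids :", summary["affiliate_ids"])
    print("machine ids   :", summary["machine_ids"])
    print("CDN edges seen:", summary["dsts"], "-> pivot on", summary["hosts"])
    print("host fingerprint:", summary["beacons"][0]["fingerprint"])
```

The point of correlating on machine_id and affiliate_id rather than on the destination address is visible in the report itself: the two CloudFront edges are shared infrastructure and receive opposite reputation verdicts in the connections table, while the hostname, the affiliate id and the per-machine cid stay constant across all three processes.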
Connections:

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2772 | pubg_lite_multihack_version_230.exe | 54.230.93.128:80 | d1hq9wbcfo7dcl.cloudfront.net | Amazon.com, Inc. | US | whitelisted |
| 2820 | pubg_lite_multihack_version_230.exe | 54.230.93.41:80 | d1hq9wbcfo7dcl.cloudfront.net | Amazon.com, Inc. | US | malicious |
| 2256 | pubg_lite_multihack_version_230.exe | 54.230.93.128:80 | d1hq9wbcfo7dcl.cloudfront.net | Amazon.com, Inc. | US | whitelisted |

Both addresses are Amazon CloudFront edges serving the same distribution, so the per-IP reputations (whitelisted versus malicious) reflect what else those edges have served, not this sample. Block or hunt on the distribution hostname d1hq9wbcfo7dcl.cloudfront.net and the offer.php URL pattern rather than on the IPs.
DNS requests:

| Domain | IP | Reputation |
|---|---|---|
| d1hq9wbcfo7dcl.cloudfront.net | 54.230.93.128, 54.230.93.41 | shared |
Threats (IDS alerts on the sandbox network capture):

| PID | Process | Class | Message |
|---|---|---|---|
| 2772 | pubg_lite_multihack_version_230.exe | Unknown Traffic | ET INFO Suspicious User-Agent (1 space) |
| 2772 | pubg_lite_multihack_version_230.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |
| 2256 | pubg_lite_multihack_version_230.exe | Unknown Traffic | ET INFO Suspicious User-Agent (1 space) |
| 2256 | pubg_lite_multihack_version_230.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |
| 2820 | pubg_lite_multihack_version_230.exe | Unknown Traffic | ET INFO Suspicious User-Agent (1 space) |
| 2820 | pubg_lite_multihack_version_230.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |

The same two signatures fire once per elevated instance: the Emerging Threats informational rule for an HTTP User-Agent header consisting of a single space, and the PT Security rule that classifies the offer.php beacon as the Prepscram software bundler. Together with the process tree and the static data, this is a game-cheat lure delivering a pay-per-install bundler rather than a working "multihack".