File name: | WVr6LB0QaAUHwfBigemg.rar |
Full analysis: | https://app.any.run/tasks/240bb030-4ad3-4a7a-a604-34308d5b42e2 |
Verdict: | Malicious activity |
Analysis date: | August 25, 2019, 19:54:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 4F31449BC51E655675009195BDD5696B |
SHA1: | 96CE50B1147994C17AF6CF2AAB5A3E088A8EBE28 |
SHA256: | 307CCEB9F2FCFFAED9C1085C4CE7F5F3C870B287F4A652358FDE5DF3B15EE481 |
SSDEEP: | 49152:y8YVSD4rnDOH7sZhukWI4U+R7TCoi6YSn6CE1XCSxC:BswH7KHW0+lCx6xn6CEBCh |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3724 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\WVr6LB0QaAUHwfBigemg.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3820 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | explorer.exe | |
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Exit code: 0 Version: 1748 | ||||
2412 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 3221225547 Version: 75.0.3770.100 | ||||
3004 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fe6a9d0,0x6fe6a9e0,0x6fe6a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
880 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2428 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
564 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,6187303025903886722,10844240645833322152,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=8955830751524010001 --mojo-platform-channel-handle=1048 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
3308 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,6187303025903886722,10844240645833322152,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=4386045596608271529 --mojo-platform-channel-handle=1648 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
2552 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,6187303025903886722,10844240645833322152,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1684038512302416652 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
3208 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,6187303025903886722,10844240645833322152,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5536235333818731709 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2420 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
3700 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,6187303025903886722,10844240645833322152,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8779327208808446785 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 |
(PID) Process: | (3724) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3724) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3724) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3724) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\WVr6LB0QaAUHwfBigemg.rar | |||
(PID) Process: | (3724) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3724) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3724) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3724) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3724) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
(PID) Process: | (3724) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\General |
Operation: | write | Name: | LastFolder |
Value: C:\Users\admin\AppData\Local\Temp |
PID | Process | Filename | Type | |
---|---|---|---|---|
3820 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprD2F4.tmp | — | |
MD5:— | SHA256:— | |||
3820 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprD382.tmp | — | |
MD5:— | SHA256:— | |||
3820 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp | — | |
MD5:— | SHA256:— | |||
3820 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H6WHNY7KU9NYY4B9QBIJ.temp | — | |
MD5:— | SHA256:— | |||
3820 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\oprE46B.tmp | — | |
MD5:— | SHA256:— | |||
3820 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprF66E.tmp | — | |
MD5:— | SHA256:— | |||
3820 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | |
MD5:276306CDAE75922DC4946D60152183C8 | SHA256:6B8FD952098D771141574456CB9A85D740AC27E822ABCF73E4E63C3371FAE28F | |||
3820 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | |
MD5:C18CF2211D7EE78F40A11BD68D81E8CE | SHA256:6CB60D02FAFF026577D5FF3F7EAA51DD5C020DE6B4A4DB2831C83A47D04729B8 | |||
3724 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3724.41924\WVr6LB0QaAUHwfBigemg.exe | executable | |
MD5:4F0BC2E8BECC78BD6E0AF2E511AC1583 | SHA256:0D395D6A6E028CD575F190A5753FA94CDD920009ED52DAEF0AAB0B1D6462C695 | |||
3820 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat | binary | |
MD5:1AA8644C9261DC10F7247F6A145C1DD2 | SHA256:58A8933F65361633C6AB194000D312DC9D566F717B1A16814A0DBEE24A60EBE3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3820 | opera.exe | GET | — | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertGlobalRootG2.crl | US | — | — | whitelisted |
3820 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertGlobalRootG2.crl | US | der | 517 b | whitelisted |
3820 | opera.exe | GET | 200 | 13.35.254.124:80 | http://crl.rootg2.amazontrust.com/rootg2.crl | US | der | 608 b | whitelisted |
3820 | opera.exe | GET | 200 | 93.184.220.29:80 | http://status.geotrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR3enuod9bxDxzpICGW%2B2sabjf17QQUkFj%2FsJx1qFFUd7Ht8qNDFjiebMUCEAMaIhsM3XufEZcybSH3JrI%3D | US | der | 471 b | whitelisted |
3820 | opera.exe | GET | 301 | 99.86.1.130:80 | http://www.amazon.co.uk/?tag=opspeeddial-21 | US | html | 183 b | whitelisted |
3820 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/sha2-ha-server-g6.crl | US | binary | 322 Kb | whitelisted |
3820 | opera.exe | GET | 200 | 13.224.197.65:80 | http://s.ss2.us/r.crl | US | der | 434 b | whitelisted |
3820 | opera.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEASnjI9aXa5Un%2BQBbbRyiuM%3D | US | der | 471 b | whitelisted |
3820 | opera.exe | GET | 302 | 185.26.182.110:80 | http://redir.opera.com/speeddials/amazon/ | unknown | html | 293 b | whitelisted |
3820 | opera.exe | GET | 302 | 185.26.182.110:80 | http://redir.opera.com/speeddials/amazon/ | unknown | html | 293 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3820 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3820 | opera.exe | 99.86.1.130:80 | www.amazon.co.uk | AT&T Services, Inc. | US | unknown |
3820 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | — | whitelisted |
3820 | opera.exe | 13.35.250.160:443 | images-eu.ssl-images-amazon.com | — | US | unknown |
3820 | opera.exe | 185.26.182.110:80 | redir.opera.com | Opera Software AS | — | unknown |
3820 | opera.exe | 99.86.1.130:443 | www.amazon.co.uk | AT&T Services, Inc. | US | unknown |
3820 | opera.exe | 185.26.182.93:80 | certs.opera.com | Opera Software AS | — | whitelisted |
3820 | opera.exe | 52.210.57.173:443 | fls-eu.amazon.co.uk | Amazon.com, Inc. | IE | unknown |
3820 | opera.exe | 13.35.254.155:80 | crl.rootca1.amazontrust.com | — | US | whitelisted |
3820 | opera.exe | 13.224.197.65:80 | s.ss2.us | — | US | unknown |
Domain | IP | Reputation |
---|---|---|
certs.opera.com |
| whitelisted |
crl4.digicert.com |
| whitelisted |
redir.opera.com |
| whitelisted |
sitecheck2.opera.com |
| whitelisted |
www.amazon.co.uk |
| whitelisted |
s.symcb.com |
| whitelisted |
images-eu.ssl-images-amazon.com |
| whitelisted |
m.media-amazon.com |
| whitelisted |
fls-eu.amazon.co.uk |
| whitelisted |
images-na.ssl-images-amazon.com |
| shared |