Field | Value
---|---
File name | Your-File-is-Ready-f_789458824.zip
Full analysis | https://app.any.run/tasks/158cd675-5e53-463f-868e-9e5a607a549a
Verdict | Malicious activity
Analysis date | August 19, 2021, 01:54:24
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 59C7B5B14798A740BD7947A93852D5A9
SHA1 | F15118D679EA36C2CF841D50B5FCE2DDE1D3852E
SHA256 | 36C2700AF2687239545E01E26D71F7664594F73D314E89C5860787715F62EB52
SSDEEP | 196608:k7iha/qgW4JmrqVgHUWUu1zmhASQPgj8GBLIE0YFiRnp0CaPvALGk3C:yqeWkRgHZX1zmhVQPgwG9inpMPP
ZIP metadata | Value
---|---
File type | .zip: ZIP compressed archive (100)
ZipRequiredVersion | 20
ZipBitFlag | -
ZipCompression | Deflated
ZipModifyDate | 2019:12:17 19:30:18
ZipCRC | 0xd7503770
ZipCompressedSize | 4864419
ZipUncompressedSize | 4973240
ZipFileName | _rlqtpelh.r1r.exe
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3176 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Your-File-is-Ready-f_789458824.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0
3908 | "C:\Users\admin\Desktop\_rlqtpelh.r1r.exe" | C:\Users\admin\Desktop\_rlqtpelh.r1r.exe | — | Explorer.EXE | User: admin; Company: Comfort Software Group; Integrity Level: MEDIUM; Description: Comfort Clipboard Pro 9.1.1.0 Setup; Exit code: 0; Version: 9.1.1.0
3876 | "C:\Users\admin\AppData\Local\Temp\is-URCPD.tmp\_rlqtpelh.r1r.tmp" /SL5="$C0192,4409556,180736,C:\Users\admin\Desktop\_rlqtpelh.r1r.exe" | C:\Users\admin\AppData\Local\Temp\is-URCPD.tmp\_rlqtpelh.r1r.tmp | — | _rlqtpelh.r1r.exe | User: admin; Integrity Level: MEDIUM; Description: Setup/Uninstall; Exit code: 0; Version: 51.1052.0.0
3348 | "C:\Users\admin\Desktop\_rlqtpelh.r1r.exe" /SPAWNWND=$120144 /NOTIFYWND=$C0192 | C:\Users\admin\Desktop\_rlqtpelh.r1r.exe | — | _rlqtpelh.r1r.tmp | User: admin; Company: Comfort Software Group; Integrity Level: HIGH; Description: Comfort Clipboard Pro 9.1.1.0 Setup; Exit code: 0; Version: 9.1.1.0
1552 | "C:\Users\admin\AppData\Local\Temp\is-QIGJ0.tmp\_rlqtpelh.r1r.tmp" /SL5="$110176,4409556,180736,C:\Users\admin\Desktop\_rlqtpelh.r1r.exe" /SPAWNWND=$120144 /NOTIFYWND=$C0192 | C:\Users\admin\AppData\Local\Temp\is-QIGJ0.tmp\_rlqtpelh.r1r.tmp | — | _rlqtpelh.r1r.exe | User: admin; Integrity Level: HIGH; Description: Setup/Uninstall; Exit code: 0; Version: 51.1052.0.0
1956 | "C:\Users\admin\Desktop\Your-File-is-Ready-f_789458824.exe" | C:\Users\admin\Desktop\Your-File-is-Ready-f_789458824.exe | — | Explorer.EXE | User: admin; Company: —; Integrity Level: MEDIUM; Description: Dolores Setup; Version: —
1284 | "C:\Users\admin\AppData\Local\Temp\is-UGFMP.tmp\Your-File-is-Ready-f_789458824.tmp" /SL5="$D01A0,4418666,780800,C:\Users\admin\Desktop\Your-File-is-Ready-f_789458824.exe" | C:\Users\admin\AppData\Local\Temp\is-UGFMP.tmp\Your-File-is-Ready-f_789458824.tmp | — | Your-File-is-Ready-f_789458824.exe | User: admin; Company: —; Integrity Level: MEDIUM; Description: Setup/Uninstall; Version: 51.1052.0.0
3340 | "C:\Users\admin\Desktop\Your-File-is-Ready-f_789458824.exe" /SPAWNWND=$100180 /NOTIFYWND=$D01A0 | C:\Users\admin\Desktop\Your-File-is-Ready-f_789458824.exe | — | Your-File-is-Ready-f_789458824.tmp | User: admin; Company: —; Integrity Level: HIGH; Description: Dolores Setup; Version: —
3112 | "C:\Users\admin\AppData\Local\Temp\is-I84NV.tmp\Your-File-is-Ready-f_789458824.tmp" /SL5="$140182,4418666,780800,C:\Users\admin\Desktop\Your-File-is-Ready-f_789458824.exe" /SPAWNWND=$100180 /NOTIFYWND=$D01A0 | C:\Users\admin\AppData\Local\Temp\is-I84NV.tmp\Your-File-is-Ready-f_789458824.tmp | — | Your-File-is-Ready-f_789458824.exe | User: admin; Company: —; Integrity Level: HIGH; Description: Setup/Uninstall; Version: 51.1052.0.0
460 | "C:\Users\admin\AppData\Local\Temp\is-MUA6F.tmp\Eius.exe" 6cb7add20650a0a6289d2deb5605b187 | C:\Users\admin\AppData\Local\Temp\is-MUA6F.tmp\Eius.exe | — | Your-File-is-Ready-f_789458824.tmp | User: admin; Integrity Level: HIGH
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1552 | _rlqtpelh.r1r.tmp | C:\Program Files\ComfortClipboard\Lang\ar.txt | text | 8B3AFAF9D2CD7C1278D974F40DEC4BD8 | E3DD5F495724A2DDE20EED88AB2737B57D316C9EC325A8B98DA322E442ED0360
1552 | _rlqtpelh.r1r.tmp | C:\Program Files\ComfortClipboard\Lang\be.txt | text | 57ED9F355E65EF5FDC9D7C60A4361D61 | 77FEECFEFFDB1D5618E954CB4E007CC07A774F365ECB35C70EB76BDDD6D3E94F
1552 | _rlqtpelh.r1r.tmp | C:\Program Files\ComfortClipboard\Lang\bg.txt | text | D4FBFE141E014679DA2B4C0107D297A3 | 8F33C2B49DE3EC662D4CEBB8C342432691B749A7AB941DD3CFB24943DC68BE01
1552 | _rlqtpelh.r1r.tmp | C:\Program Files\ComfortClipboard\unins000.exe | executable | D29050098035688999EB8EB4F086EF25 | 942F16143197A229892470086930839A5A63BF5CE9CD2F5D55670F0908E8B125
3176 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3176.26465\_rlqtpelh.r1r.exe | executable | 1F48B2B2B55E0CAEC93705AC57EEEDC6 | 6B64CAF1083EB17E9878A5B05013D191E5D72852C1E49AA1BCE006955D941255
3340 | Your-File-is-Ready-f_789458824.exe | C:\Users\admin\AppData\Local\Temp\is-I84NV.tmp\Your-File-is-Ready-f_789458824.tmp | executable | 352FB97C10B28D24579ED9E2EB6338C8 | 81622D0D3B02297EE07F48594E894E17A4A205B77DC4B5AEE29900714D419C62
1724 | Explorer.EXE | C:\Users\admin\Desktop\_rlqtpelh.r1r.exe | executable | 1F48B2B2B55E0CAEC93705AC57EEEDC6 | 6B64CAF1083EB17E9878A5B05013D191E5D72852C1E49AA1BCE006955D941255
3908 | _rlqtpelh.r1r.exe | C:\Users\admin\AppData\Local\Temp\is-URCPD.tmp\_rlqtpelh.r1r.tmp | executable | D29050098035688999EB8EB4F086EF25 | 942F16143197A229892470086930839A5A63BF5CE9CD2F5D55670F0908E8B125
1956 | Your-File-is-Ready-f_789458824.exe | C:\Users\admin\AppData\Local\Temp\is-UGFMP.tmp\Your-File-is-Ready-f_789458824.tmp | executable | 352FB97C10B28D24579ED9E2EB6338C8 | 81622D0D3B02297EE07F48594E894E17A4A205B77DC4B5AEE29900714D419C62
3348 | _rlqtpelh.r1r.exe | C:\Users\admin\AppData\Local\Temp\is-QIGJ0.tmp\_rlqtpelh.r1r.tmp | executable | D29050098035688999EB8EB4F086EF25 | 942F16143197A229892470086930839A5A63BF5CE9CD2F5D55670F0908E8B125
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1672 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0968e9df1e2aec06 | US | — | — | whitelisted |
1672 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?65aa4131f7afa66c | US | — | — | whitelisted |
3300 | CClipboard.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
460 | Eius.exe | POST | — | 172.67.177.45:80 | http://jorjifornk.live/v3/api | US | — | — | malicious |
460 | Eius.exe | POST | — | 172.67.177.45:80 | http://jorjifornk.live/v3/api | US | — | — | malicious |
3300 | CClipboard.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?83c7148e1baea2e5 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3300 | CClipboard.exe | 104.21.24.80:443 | www.comfort-software.com | Cloudflare Inc | US | malicious |
— | — | 172.67.177.45:80 | jorjifornk.live | — | US | malicious |
3300 | CClipboard.exe | 104.21.57.22:443 | www.comfortsoftware.com | Cloudflare Inc | US | unknown |
460 | Eius.exe | 172.67.177.45:80 | jorjifornk.live | — | US | malicious |
3300 | CClipboard.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3300 | CClipboard.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1672 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation
---|---|---
jorjifornk.live | — | unknown
www.comfort-software.com | — | malicious
ctldl.windowsupdate.com | — | whitelisted
ocsp.digicert.com | — | whitelisted
www.comfortsoftware.com | — | malicious