File name: | C:\Users\admin\AppData\Local\Temp\Rar$DRa3784.35658\private_cheat_v51.zip |
Full analysis: | https://app.any.run/tasks/e3bd127f-15ca-45b4-ac4c-ff174361fd12 |
Verdict: | Malicious activity |
Analysis date: | April 15, 2019, 14:59:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | C5B0B1D2AA3FED968E146783EA5F1E9D |
SHA1: | B424DEE363AD21BB4FE56624AE59D3756FD29BDD |
SHA256: | 49AC8D1C6949D3BDA8623A8DC4318BDE34A00D18915528F1250B34A1D829E29C |
SSDEEP: | 49152:TZFKWiNuCeQRnzQOzPW3Ub2ARfXTXlFewADllcOgtgG36uzzGDLEz9TzEDH4Q:tak6nzQO7WEltXTfTOQtgG36QzGDLCC7 |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | private_cheat_v51.exe |
---|---|
ZipUncompressedSize: | 2639872 |
ZipCompressedSize: | 2639872 |
ZipCRC: | 0x8df0470d |
ZipModifyDate: | 2019:04:15 14:50:14 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 10 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2660 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\private_cheat_v51.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2476 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2660.38642\private_cheat_v51.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2660.38642\private_cheat_v51.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
404 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2660.38642\private_cheat_v51.exe" "C:\Users\admin\AppData\Local\Temp\Rar$EXa2660.38642\private_cheat_v51.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2660.38642\private_cheat_v51.exe | private_cheat_v51.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2448 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | explorer.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 65.0.2 | ||||
3324 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.0.309358677\1943550283" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 1120 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 65.0.2 | ||||
2436 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.6.1945090839\754012043" -childID 1 -isForBrowser -prefsHandle 832 -prefMapHandle 1652 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 1572 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
3156 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.13.171721139\2019000760" -childID 2 -isForBrowser -prefsHandle 2564 -prefMapHandle 2568 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 2580 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
2708 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.20.1316374529\606843198" -childID 3 -isForBrowser -prefsHandle 3408 -prefMapHandle 3420 -prefsLen 5882 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 3432 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 |
(PID) Process: | (2660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2660) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\private_cheat_v51.zip | |||
(PID) Process: | (2660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2660 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2660.39388\private_cheat_v51.exe | — | |
MD5:— | SHA256:— | |||
2448 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
2448 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— | |||
2448 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
2448 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
2660 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2660.38642\private_cheat_v51.exe | executable | |
MD5:99F3596FD70ABBA48DA03FA1D864C0D4 | SHA256:A26FFFA2F488EB83F70E93BDF8101377CBD4EC3D9928C81259942B281A78E95B | |||
2448 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin | binary | |
MD5:82F61C08D68502377826CA7EA054CEA7 | SHA256:85801BCE5D7CE3A2ABC14E3208151AC9D324A6EA82FB2ADA1D10BAA8EF58E7DF | |||
2448 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | |
MD5:C52C31E2D546FC217645CD7F542CF3E0 | SHA256:73974F60357B038693803F51CA750E9ED609A3376548C88C117FA1FCBB328236 | |||
2448 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\DE5401831A1AAA432169EE71F66DF325C098EB4E | der | |
MD5:DDFEC0A424A371D549D95DAC84CA925D | SHA256:AE29082D485E14860637C2DB8C0906612F8C3DE86F3CA44D3FA3D1D8AE59A540 | |||
2448 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | |
MD5:79262A046A800BC3C3125FF94893CC51 | SHA256:EA78CB0E02CA9BD0DC9AE055B82486E63ED4643A53717970A20D5FED7D18A51E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2448 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2448 | firefox.exe | POST | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
404 | private_cheat_v51.exe | GET | — | 54.88.21.193:80 | http://two.wastescrew.pw/offer.php?affId=7512&trackingId=410616853&instId=7584&ho_trackingid=HO410616853&cc=RU&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.6.01055&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=557&kid=hqmrb21b5ddalhll5vo | US | — | — | malicious |
2448 | firefox.exe | POST | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2448 | firefox.exe | GET | 302 | 216.239.36.21:80 | http://virustotal.com/ | US | — | — | whitelisted |
2448 | firefox.exe | POST | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2448 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2448 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://status.rapidssl.com/ | US | der | 471 b | shared |
2448 | firefox.exe | POST | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2448 | firefox.exe | POST | 200 | 216.58.207.35:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
404 | private_cheat_v51.exe | 13.32.222.100:80 | one.mountaincanvas.pw | Amazon.com, Inc. | US | whitelisted |
2448 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2448 | firefox.exe | 35.166.112.39:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2448 | firefox.exe | 104.107.216.187:80 | a1089.dscd.akamai.net | Akamai International B.V. | NL | whitelisted |
2448 | firefox.exe | 13.32.159.2:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
2448 | firefox.exe | 52.10.122.55:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2448 | firefox.exe | 172.217.21.234:443 | detectportal.firefox.com | Google Inc. | US | whitelisted |
2448 | firefox.exe | 216.239.36.21:80 | virustotal.com | Google Inc. | US | whitelisted |
2448 | firefox.exe | 52.32.141.83:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2448 | firefox.exe | 216.239.36.21:443 | virustotal.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
one.mountaincanvas.pw |
| whitelisted |
detectportal.firefox.com |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
tiles.services.mozilla.com |
| whitelisted |
tiles.r53-2.services.mozilla.com |
| whitelisted |
snippets.cdn.mozilla.net |
| whitelisted |
drcwo519tnci7.cloudfront.net |
| shared |
ocsp.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
2448 | firefox.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
404 | private_cheat_v51.exe | A Network Trojan was detected | ET MALWARE Suspicious User-Agent (1 space) |
404 | private_cheat_v51.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.pw domain |
404 | private_cheat_v51.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |