File name: | loas-crystal-h-208912983.zip |
Full analysis: | https://app.any.run/tasks/2b84b6fb-0448-43db-b023-35c232d801f2 |
Verdict: | Malicious activity |
Analysis date: | November 30, 2020, 06:10:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 400DAAEB60473307ACA47D65A7515D91 |
SHA1: | B566AE9062D659C1A29A656D04C857F0E04123EB |
SHA256: | 57B0E949DA44E7A74753E66A1A65A51C9FA061BE919C4CDFA9499A8A8EEA4A3B |
SSDEEP: | 393216:ZSREC0bltFJP7pLNmkNu+5ujrg1pWRaUWEJYrSJq6ict:Yv0xtFxzu+5K29UtOqq6X |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:10:21 21:24:14 |
ZipCRC: | 0x09f882c6 |
ZipCompressedSize: | 2916667 |
ZipUncompressedSize: | 3000008 |
ZipFileName: | CaretVisible.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2696 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\loas-crystal-h-208912983.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2980 | "C:\Users\admin\Desktop\loas-crystal-h-208912983.exe" | C:\Users\admin\Desktop\loas-crystal-h-208912983.exe | explorer.exe | |
User: admin Company: pasoft Integrity Level: MEDIUM Description: http://www.yburn.com Exit code: 0 Version: 1.1.0.0 | ||||
780 | "C:\Users\admin\AppData\Local\Temp\is-23TSU.tmp\loas-crystal-h-208912983.tmp" /SL5="$2015A,11846826,50688,C:\Users\admin\Desktop\loas-crystal-h-208912983.exe" | C:\Users\admin\AppData\Local\Temp\is-23TSU.tmp\loas-crystal-h-208912983.tmp | — | loas-crystal-h-208912983.exe |
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 | ||||
2704 | "C:\Users\admin\Desktop\loas-crystal-h-208912983.exe" /SPAWNWND=$30156 /NOTIFYWND=$2015A | C:\Users\admin\Desktop\loas-crystal-h-208912983.exe | loas-crystal-h-208912983.tmp | |
User: admin Company: pasoft Integrity Level: HIGH Description: http://www.yburn.com Exit code: 0 Version: 1.1.0.0 | ||||
3024 | "C:\Users\admin\AppData\Local\Temp\is-CH7NN.tmp\loas-crystal-h-208912983.tmp" /SL5="$40128,11846826,50688,C:\Users\admin\Desktop\loas-crystal-h-208912983.exe" /SPAWNWND=$30156 /NOTIFYWND=$2015A | C:\Users\admin\AppData\Local\Temp\is-CH7NN.tmp\loas-crystal-h-208912983.tmp | loas-crystal-h-208912983.exe | |
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 | ||||
184 | "C:\Program Files\IrtualDVW\wmfdist.exe" /Q:A /R:N | C:\Program Files\IrtualDVW\wmfdist.exe | — | loas-crystal-h-208912983.tmp |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Media Component Setup Application Exit code: 0 Version: 9.00.00.2926 | ||||
2892 | "C:\Program Files\IrtualDVW\VirtualDVW.exe" loas-crystal-h-208912983.exe | C:\Program Files\IrtualDVW\VirtualDVW.exe | loas-crystal-h-208912983.tmp | |
User: admin Company: Ower Software Ltd Integrity Level: HIGH Description: AnyBurn Exit code: 3221225477 Version: 8, 1, 0, 3 | ||||
4012 | "C:\Users\admin\Desktop\CaretVisible.exe" | C:\Users\admin\Desktop\CaretVisible.exe | explorer.exe | |
User: admin Company: VSO-Software SARL Integrity Level: MEDIUM Description: VSO Inspector Setup Exit code: 0 Version: | ||||
1848 | "C:\Users\admin\AppData\Local\Temp\is-LUBC9.tmp\CaretVisible.tmp" /SL5="$70138,2571070,140800,C:\Users\admin\Desktop\CaretVisible.exe" | C:\Users\admin\AppData\Local\Temp\is-LUBC9.tmp\CaretVisible.tmp | — | CaretVisible.exe |
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
2736 | "C:\Users\admin\Desktop\CaretVisible.exe" /SPAWNWND=$1018E /NOTIFYWND=$70138 | C:\Users\admin\Desktop\CaretVisible.exe | CaretVisible.tmp | |
User: admin Company: VSO-Software SARL Integrity Level: HIGH Description: VSO Inspector Setup Exit code: 0 Version: |
PID | Process | Filename | Type | |
---|---|---|---|---|
3024 | loas-crystal-h-208912983.tmp | C:\Program Files\IrtualDVW\is-K8QOU.tmp | — | |
MD5:— | SHA256:— | |||
3024 | loas-crystal-h-208912983.tmp | C:\Program Files\IrtualDVW\is-TL0I2.tmp | — | |
MD5:— | SHA256:— | |||
3024 | loas-crystal-h-208912983.tmp | C:\Program Files\IrtualDVW\is-MQSE2.tmp | — | |
MD5:— | SHA256:— | |||
3024 | loas-crystal-h-208912983.tmp | C:\Program Files\IrtualDVW\is-9BAH7.tmp | — | |
MD5:— | SHA256:— | |||
3024 | loas-crystal-h-208912983.tmp | C:\Program Files\IrtualDVW\is-QS6LA.tmp | — | |
MD5:— | SHA256:— | |||
3024 | loas-crystal-h-208912983.tmp | C:\Program Files\IrtualDVW\is-967F1.tmp | — | |
MD5:— | SHA256:— | |||
3024 | loas-crystal-h-208912983.tmp | C:\Program Files\IrtualDVW\is-FHO9Q.tmp | — | |
MD5:— | SHA256:— | |||
3024 | loas-crystal-h-208912983.tmp | C:\Program Files\IrtualDVW\is-KCKIU.tmp | — | |
MD5:— | SHA256:— | |||
3024 | loas-crystal-h-208912983.tmp | C:\Program Files\IrtualDVW\is-54IGR.tmp | — | |
MD5:— | SHA256:— | |||
3024 | loas-crystal-h-208912983.tmp | C:\Program Files\IrtualDVW\LibSSL\is-OC2NM.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3536 | VirtualDVW.exe | POST | — | 104.27.183.150:80 | http://opengolad.com/v2/events | US | — | — | malicious |
2892 | VirtualDVW.exe | POST | — | 104.27.183.150:80 | http://opengolad.com/v2/events | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2892 | VirtualDVW.exe | 104.27.183.150:80 | opengolad.com | Cloudflare Inc | US | malicious |
3536 | VirtualDVW.exe | 104.27.183.150:80 | opengolad.com | Cloudflare Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
opengolad.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2892 | VirtualDVW.exe | A Network Trojan was detected | ET MALWARE DownloadAssistant Activity |
2892 | VirtualDVW.exe | Misc activity | ADWARE [PTsecurity] Possible DownloadAssistant |
2892 | VirtualDVW.exe | Misc activity | ADWARE [PTsecurity] DownloadAssistant |
3536 | VirtualDVW.exe | A Network Trojan was detected | ET MALWARE DownloadAssistant Activity |
3536 | VirtualDVW.exe | Misc activity | ADWARE [PTsecurity] Possible DownloadAssistant |
3536 | VirtualDVW.exe | Misc activity | ADWARE [PTsecurity] DownloadAssistant |