URL:

https://livelikerach.org/wp-content/uploads/2020/03/direct/86391/86391.zip

Full analysis: https://app.any.run/tasks/a39f36ae-4d5d-4984-b2b1-c48f95ae0048
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 07:39:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
Indicators:
MD5:

A7692867B076A18A3F71F1B59E700966

SHA1:

CC4EAAAB49C55BF4D284D85139542311BE582789

SHA256:

597F8219508FCFBD7C2C57DE15C1FC866A5120EE42A69B9F3087C47C09AD2CE9

SSDEEP:

3:N8MTRfNfsGEAQyXRtNKdTwLcn:2MgAZHNK64

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3004)
      • WScript.exe (PID: 1708)
      • WScript.exe (PID: 3332)

    • Loads the Task Scheduler COM API

      • WScript.exe (PID: 1708)
      • WScript.exe (PID: 3004)
      • WScript.exe (PID: 3332)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3004)
      • WScript.exe (PID: 1708)
      • WScript.exe (PID: 3332)

    • Executes scripts

      • WinRAR.exe (PID: 3152)

    • Creates files in the user directory

      • notepad++.exe (PID: 1516)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2808)
      • iexplore.exe (PID: 2644)

    • Changes internet zones settings

      • iexplore.exe (PID: 2644)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2644)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2808)

    • Creates files in the user directory

      • iexplore.exe (PID: 2644)

    • Manual execution by user

      • WScript.exe (PID: 3332)
      • notepad++.exe (PID: 1516)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2808)
      • iexplore.exe (PID: 2644)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2644)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
8
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe no specs wscript.exe wscript.exe wscript.exe notepad++.exe gup.exe

Process information

PID
CMD
Path
Indicators
Parent process
956"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
4294967295
Version:
4.1
Modules
Images
c:\program files\notepad++\updater\gup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\notepad++\updater\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\advapi32.dll
1516"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\MSG_364994.vbs"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1708"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3152.30935\MSG_364994.vbs" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2644"C:\Program Files\Internet Explorer\iexplore.exe" "https://livelikerach.org/wp-content/uploads/2020/03/direct/86391/86391.zip"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2808"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2644 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3004"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3152.30066\MSG_364994.vbs" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3152"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\86391.zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3332"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\MSG_364994.vbs" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
10 060
Read events
2 223
Write events
5 240
Delete events
2 597

Modification events

(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
2882104336
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30803759
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000A1000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2644) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
3
Suspicious files
26
Text files
8
Unknown types
9

Dropped files

PID
Process
Filename
Type
2808iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab6431.tmp
MD5:
SHA256:
2808iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar6432.tmp
MD5:
SHA256:
2644iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2644iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA7C0968FA120BAF4.TMP
MD5:
SHA256:
2644iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EPOTCY9QMUF5VB0DMZ3N.temp
MD5:
SHA256:
2808iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\86391.zip.qcw5v5x.partial
MD5:
SHA256:
2644iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA15413553695C099.TMP
MD5:
SHA256:
2644iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\86391.zip.qcw5v5x.partial:Zone.Identifier
MD5:
SHA256:
3152WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3152.30066\MSG_364994.vbs
MD5:
SHA256:
3152WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3152.30935\MSG_364994.vbs
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
25
DNS requests
16
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
956
gup.exe
GET
31.220.49.230:80
http://download.notepad-plus-plus.org/repository/7.x/7.8.5/npp.7.8.5.Installer.exe
US
suspicious
2808
iexplore.exe
GET
200
2.21.242.197:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
2808
iexplore.exe
GET
200
2.21.242.197:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
2808
iexplore.exe
GET
200
2.21.242.245:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgSEWDpyMzAGdFeXJ%2BOn%2BBBhCQ%3D%3D
NL
der
527 b
whitelisted
2644
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2644
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3004
WScript.exe
GET
200
66.198.240.35:80
http://stickit.ae/direct/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA
US
executable
1.84 Mb
malicious
2644
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2644
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2808
iexplore.exe
174.126.12.250:443
livelikerach.org
Cable One, Inc.
US
unknown
2808
iexplore.exe
2.21.242.197:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
NL
whitelisted
2644
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2808
iexplore.exe
2.21.242.245:80
ocsp.int-x3.letsencrypt.org
Akamai International B.V.
NL
whitelisted
2644
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2808
iexplore.exe
2.21.242.204:80
ocsp.int-x3.letsencrypt.org
Akamai International B.V.
NL
whitelisted
2644
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
956
gup.exe
31.220.49.230:80
download.notepad-plus-plus.org
Hostinger International Limited
US
suspicious
1052
svchost.exe
23.55.110.211:80
crl.microsoft.com
NTT America, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
livelikerach.org
  • 174.126.12.250
unknown
isrg.trustid.ocsp.identrust.com
  • 2.21.242.197
  • 2.21.242.187
whitelisted
ocsp.int-x3.letsencrypt.org
  • 2.21.242.245
  • 2.21.242.204
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
stickit.ae
  • 66.198.240.35
malicious

Threats

PID
Process
Class
Message
3004
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3004
WScript.exe
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
3004
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3004
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
1708
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1708
WScript.exe
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
1708
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1708
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3332
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3332
WScript.exe
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
3 ETPRO signatures available at the full report
Process
Message
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://livelikerach.org/wp-content/uploads/2020/03/direct/86391/86391.zip