File name: | BLTools_Final.zip |
Full analysis: | https://app.any.run/tasks/c9d9dea3-01c0-4e24-9f79-ac4d6390c15a |
Verdict: | Malicious activity |
Analysis date: | May 21, 2022, 03:28:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | F3FDCBC17B20F58CE3AF721D55F2B267 |
SHA1: | BDEB2736E9944106E161BFBEBFE65E6B0A43F93B |
SHA256: | 60336BD27CE659C18ABE50E95CE9F5BF825E88380D71F587E8FF8DE9EB148FCC |
SSDEEP: | 49152:bv+3k/tQRfTNI+EdvjttQLz71bTJ9O30r0XJgWiGnMDAllpqanER8uLwe1lVI9wn:rQksu5dvjttoRb7O3e0XLnbsanL2bS9m |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | BLTools_Final/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2022:05:20 21:24:25 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2840 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BLTools_Final.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
3448 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) Modules
| |||||||||||||||
916 | "C:\Users\admin\Desktop\BLTools_Final\BLTools_Final\BLTools_Final.exe" | C:\Users\admin\Desktop\BLTools_Final\BLTools_Final\BLTools_Final.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
148 | C:\Users\admin\AppData\Roaming\ctools.exe | C:\Users\admin\AppData\Roaming\ctools.exe | BLTools_Final.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
1988 | C:\Users\admin\Desktop\BLTools_Final\BLTools_Final\CTools_Cracked.exe | C:\Users\admin\Desktop\BLTools_Final\BLTools_Final\CTools_Cracked.exe | BLTools_Final.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: BLTools Exit code: 3762504530 Version: 1.7.0.0 Modules
| |||||||||||||||
2928 | "C:\Windows\System32\WScript.exe" "C:\reviewsessionhost\D6Xan8JJYBjDKbexO8eqOdSVNaW.vbe" | C:\Windows\System32\WScript.exe | — | ctools.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
1224 | C:\Windows\system32\cmd.exe /c ""C:\reviewsessionhost\2bFb8.bat" " | C:\Windows\system32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3300 | "C:\reviewsessionhost\reviewsessionhostrefcommon.exe" | C:\reviewsessionhost\reviewsessionhostrefcommon.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 3.06 Modules
| |||||||||||||||
2616 | schtasks.exe /create /tn "csrss" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1068 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (2840) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2840) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2840) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2840) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2840) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2840) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\BLTools_Final.zip | |||
(PID) Process: | (2840) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2840) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2840) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2840) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2840 | WinRAR.exe | C:\Users\admin\Desktop\BLTools_Final\BLTools_Final\Settings.ini | text | |
MD5:9BB6D12BBD9A71286AF2868C6B7582D0 | SHA256:73A54064BF568F6DE2C1534CE3E7F204037DAAF5AC6C6DD305D477EF8186E8D1 | |||
916 | BLTools_Final.exe | C:\Users\admin\Desktop\BLTools_Final\BLTools_Final\CTools_Cracked.exe | executable | |
MD5:36EEFF46768711B999C33E4231CEE85A | SHA256:068259BCCA090AF57215639F22230FC1DEE37693CF44F3A1ED6FF50C916B805D | |||
148 | ctools.exe | C:\reviewsessionhost\2bFb8.bat | text | |
MD5:4476298D66CDDB0C9BD5684FEFC26148 | SHA256:5D2FC877BE0911F30C9DEB024F6A7537210DA47CD9F121206B3DC12C34DB1CF6 | |||
1080 | Explorer.EXE | C:\Users\admin\Desktop\CTools_Cracked.exe | executable | |
MD5:36EEFF46768711B999C33E4231CEE85A | SHA256:068259BCCA090AF57215639F22230FC1DEE37693CF44F3A1ED6FF50C916B805D | |||
3300 | reviewsessionhostrefcommon.exe | C:\Windows\Tasks\886983d96e3d3e | text | |
MD5:65B902B836764747D41F6BE37AE66A92 | SHA256:96965A3614AAE6EEDF21E23B5076929304850CACF9E69B61F7CBEABA5617A4DE | |||
148 | ctools.exe | C:\reviewsessionhost\reviewsessionhostrefcommon.exe | executable | |
MD5:51D2168D64ACDB418C4579AA1782349C | SHA256:CAEFF4A54FDAE31D92B07A8657D85FE987337D154540F8FEFB3F246DF1C9CF70 | |||
3300 | reviewsessionhostrefcommon.exe | C:\Windows\Tasks\csrss.exe | executable | |
MD5:51D2168D64ACDB418C4579AA1782349C | SHA256:CAEFF4A54FDAE31D92B07A8657D85FE987337D154540F8FEFB3F246DF1C9CF70 | |||
1544 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WEREAA2.tmp.hdmp | — | |
MD5:— | SHA256:— | |||
1544 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERBF6.tmp.mdmp | — | |
MD5:— | SHA256:— | |||
3300 | reviewsessionhostrefcommon.exe | C:\reviewsessionhost\6cb0b6c459d5d3 | text | |
MD5:BF45D446AE80440EFFD0419C4E5AD658 | SHA256:8932A7E4B4C7EB6CE70AD6FF338642FB7D37018C740F9E89702D5CA79D762401 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1024 | dwm.exe | GET | — | 31.44.184.55:80 | http://racoons1k.cyberhost.cf/httpGeneratortestUploads.php?R97D5K23MtglQIYC6=fWvi3jhZ&330b2136a6d0326a5b3565ce531f5b86=73baa74b47daff2f1a8b8f10ffbb8207&1e8f6e8ac9bc02ab983ff9c0e68bc6be=gZlBTOiVTOzAzY2IWM5ATY2MjM2MWM4YmMilzYwYWNjJmYkZzM2QTM&R97D5K23MtglQIYC6=fWvi3jhZ | RU | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 193.109.246.157:443 | bltools.moy.su | Filanco, ltd. | RU | suspicious |
1544 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
2432 | CTools_Cracked.exe | 193.109.246.157:443 | bltools.moy.su | Filanco, ltd. | RU | suspicious |
1024 | dwm.exe | 31.44.184.55:80 | racoons1k.cyberhost.cf | Petersburg Internet Network ltd. | RU | malicious |
Domain | IP | Reputation |
---|---|---|
bltools.moy.su |
| suspicious |
watson.microsoft.com |
| whitelisted |
racoons1k.cyberhost.cf |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain |