File name: | Gemini.zip |
Full analysis: | https://app.any.run/tasks/67f20c5a-40bd-46e0-96fd-04f70d965fa3 |
Verdict: | Malicious activity |
Analysis date: | January 14, 2022, 21:22:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | CBFE5673D23E90CC29F1B3B4CA54FB4D |
SHA1: | E6B38188153691D1F0D6F5F656728D8C30982FED |
SHA256: | 64A2713DAE65C9B69DDC8595BF5D16E1D9A60AF83F9654EA1CA931348F29778A |
SSDEEP: | 98304:pXyoj/EHL/nB8oGfIMWX8pYWLp+ItQwNZDsISlO9eP9XEk4DS33QhDt8yIp:pXyKkL/nB8oSIDXCfAItQk9sDw90Gjm3 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2098:01:01 01:00:00 |
ZipCRC: | 0x4439a3d8 |
ZipCompressedSize: | 391473 |
ZipUncompressedSize: | 1324032 |
ZipFileName: | BrotliSharpLib.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2280 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Gemini.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
1228 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) Modules
| |||||||||||||||
1656 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3488 | "C:\Users\admin\Desktop\virus\Project_Gemini_3.4.exe" | C:\Users\admin\Desktop\virus\Project_Gemini_3.4.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
3380 | "C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4MrS8XYPae42vHBCmVGz5LuTrpOtikH8tggmmTYMabgILKk6ilwPmb43Ls83Nr/LHqiuZPbcUSt/o9uSOJIHReT7fF/YFDDj6zFV1jZBd/Kj/kBi8wyZPZMXDeiHjFPGc= | C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe | Project_Gemini_3.4.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: RtkBtManServ Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
420 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\compile.vbs" | C:\Windows\System32\WScript.exe | — | RtkBtManServ.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft � Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2880 | "C:\Windows\System32\cmd.exe" /c compile.bat | C:\Windows\System32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
2072 | C:\Users\admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\admin\AppData\Local\Temp\capture.png" | C:\Users\admin\AppData\Local\Temp\bfsvc.exe | — | cmd.exe | |||||||||||
User: admin Company: NirSoft Integrity Level: MEDIUM Description: WebCamImageSave Exit code: 3221225547 Version: 1.11 Modules
| |||||||||||||||
2252 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\compile.vbs" | C:\Windows\System32\WScript.exe | — | RtkBtManServ.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft � Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2236 | "C:\Windows\System32\cmd.exe" /c compile.bat | C:\Windows\System32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
|
(PID) Process: | (2280) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2280) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2280) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2280) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2280) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2280) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Gemini.zip | |||
(PID) Process: | (2280) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2280) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2280) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2280) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\TwoCaptcha.dll | executable | |
MD5:0BA56E43509DF3D799C2D4BE6CF2F236 | SHA256:DFC587F85A86A4DDDB2E7603E3D205E4B2F33D9CF9A943DA8A2213C5807EC9DE | |||
2280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\MetroSuite 2.0.dll | executable | |
MD5:7988C35882E1F099ACC9F8C2819F8121 | SHA256:2FAAF6AFE6C42E60CEED13C2BDD3F9DF62D21ED85589D77112D84C6B79CA000A | |||
1656 | Explorer.EXE | C:\Users\admin\Desktop\virus\MetroSuite 2.0.dll | executable | |
MD5:7988C35882E1F099ACC9F8C2819F8121 | SHA256:2FAAF6AFE6C42E60CEED13C2BDD3F9DF62D21ED85589D77112D84C6B79CA000A | |||
2280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\websocket-sharp-customheaders.dll | executable | |
MD5:5F0E090A911EAA61DAA3C95818B76380 | SHA256:9A77112F10C96B4C5F099208ECA409ABECC07E2395CD72ED1FDFE9839CC1262B | |||
2280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\BrotliSharpLib.dll | executable | |
MD5:7BA33B5FBFD4662D72B50BB09BDE7ED7 | SHA256:EC1E6529A83DB97684474C1CB4E0A989EB7BCFEA98591AFC2C026B08F48600A0 | |||
1656 | Explorer.EXE | C:\Users\admin\Desktop\virus\BrotliSharpLib.dll | executable | |
MD5:7BA33B5FBFD4662D72B50BB09BDE7ED7 | SHA256:EC1E6529A83DB97684474C1CB4E0A989EB7BCFEA98591AFC2C026B08F48600A0 | |||
2280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\Bunifu.UI.WinForms.1.5.3.dll | executable | |
MD5:B4280D2898D92AB5C3911F0305D7672F | SHA256:E2248459DCC95183D0F0C5F3ABD3B0A2B93CD26CF8E130A1F43C8B32C58F4C8F | |||
1656 | Explorer.EXE | C:\Users\admin\Desktop\virus\Guna.UI.dll | executable | |
MD5:6D6A1F28978D42AD2F0A8F278EAAC966 | SHA256:FB23FA4FCA8F28BEBE7B7E39593A211CD3C3405DE5F948EC520E859B1BCAF91E | |||
2280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\Bunifu.UI.WinForms.BunifuSlider.dll | executable | |
MD5:DC256AF8A6709E8D02DBCA9955A73B32 | SHA256:DC3BE56629858FF7327BFBB3A5986D87AF3A2D48E4D40806320AF5C1F8432005 | |||
2280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\Bunifu.Licensing.dll | executable | |
MD5:8836EDB783CE89CA6481C297772325BC | SHA256:CFA1993C3E7272B3AEE610634592C26BEAF8E573AC9D3C59695E35A5D2372B17 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2460 | RtkBtManServ.exe | 162.159.138.232:443 | discord.com | Cloudflare Inc | — | malicious |
2460 | RtkBtManServ.exe | 162.159.137.232:443 | discord.com | Cloudflare Inc | — | malicious |
2460 | RtkBtManServ.exe | 162.159.135.232:443 | discord.com | Cloudflare Inc | — | malicious |
3380 | RtkBtManServ.exe | 162.159.128.233:443 | discord.com | Cloudflare Inc | — | malicious |
2460 | RtkBtManServ.exe | 162.159.136.232:443 | discord.com | Cloudflare Inc | — | shared |
2460 | RtkBtManServ.exe | 162.159.128.233:443 | discord.com | Cloudflare Inc | — | malicious |
Domain | IP | Reputation |
---|---|---|
itroublvehacker.gq |
| whitelisted |
discord.com |
| whitelisted |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain |