Field | Value |
---|---|
URL | https://www.mediafire.com/file/eqx7276mg3sed15/James+Skype+Tool+v5.3+Clean+Copy.zip |
Full analysis | https://app.any.run/tasks/5d3f0258-72f0-4aa8-9862-7dad6a6a8218 |
Verdict | Malicious activity |
Analysis date | June 16, 2019, 12:03:05 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | — |
MD5 | 8980FC7F81558BE7E0FD36EC536A170B |
SHA1 | 5E256922D00689E6DC1921E0395B236A256543C7 |
SHA256 | 69E0CCDBACA9B64B17AD5106FE9C9C4053860AE77E3C44C20F99B1078DCAAB3D |
SSDEEP | 3:N8DSLw3eGUoxdSCE8kGEIAAVAVe+dEV6kV:2OLw3eG6dnGWwAVXKV6kV |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3316 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
2532 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3316 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3568 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0; Version: 26,0,0,131 |
3672 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VH2RFAUI\James_Skype_Tool_v5.3_Clean_Copy[1].zip" | C:\Program Files\WinRAR\WinRAR.exe | — | iexplore.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
296 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Version: 7.00.7600.16385 (win7_rtm.090713-1255) |
1492 | "C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.exe" | C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.exe | — | explorer.exe | User: admin; Company: James Creations; Integrity Level: MEDIUM; Description: James Reborns Skype Tool v 5.3; Exit code: 3762504530; Version: 5.3.0.0 |
2536 | "C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.vshost.exe" | C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.vshost.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: vshost32.exe; Exit code: 3762504530; Version: 14.0.23107.0 |
932 | "C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.exe" | C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.exe | — | explorer.exe | User: admin; Company: James Creations; Integrity Level: MEDIUM; Description: James Reborns Skype Tool v 5.3; Exit code: 3762504530; Version: 5.3.0.0 |
2360 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.exe" | C:\Program Files\Notepad++\notepad++.exe | — | explorer.exe | User: admin; Company: Don HO; Integrity Level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Exit code: 0; Version: 7.51 |
1728 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | — | notepad++.exe | User: admin; Company: Don HO; Integrity Level: MEDIUM; Description: GUP : a free (LGPL) Generic Updater; Exit code: 0; Version: 4.1 |

Exit code 3762504530 is 0xE0434352, the status a .NET process returns when it terminates on an unhandled managed exception; both launches of the sample (PIDs 1492 and 932) and the accompanying vshost.exe (PID 2536) ended this way.
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3316 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | — | — |
3316 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
2532 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@mediafire[2].txt | — | — | — |
2532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3L0F9Y3Y\James+Skype+Tool+v5.3+Clean+Copy[1].zip | — | — | — |
2532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | D103D27D15A89BD37D8324C25723C3BE | 8109EEC0CEACC91354528DD927DCB75F442C68AE3501B120D97A1DD54DA13ABA |
2532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VH2RFAUI\gtm[1].js | text | CFB47D101E25019DADA5AD62D61246DA | B79598628680AB7F04DFB08DDF37CCFACF56CA90CF626817AB1E285537C0BCA3 |
2532 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | 4D5ADD51989CA76602F5512702D52A84 | 4036FB72DE43F1B18BD458B1A9F78E3C8AF5A46288D7938CD76084E2E0244CBA |
2532 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@mediafire[1].txt | text | 8F06D600776DCB6B0630B9B3016C33D4 | D7955EE96EB3225092B28C95C821DF407B523BA018BFE92C5E4B2D7C0154496D |
2532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3L0F9Y3Y\js[1] | text | 6ECDDEEB7E126E0DA630B44B06CD9E12 | 810BE48AE13D5B0B352C9228873074DE63D46A016E2C53481C13D41B18535BF7 |
2532 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3L0F9Y3Y\James+Skype+Tool+v5.3+Clean+Copy[1].htm | html | 0780DB9716C5F89239DD4553E6148E53 | A34ED0220D69E4D4357DE67BC86CA3056A0C8B57BB392140EBD2A99D6E6A775C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.20.189.204:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
3316 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2532 | iexplore.exe | 172.217.23.142:443 | translate.google.com | Google Inc. | US | whitelisted |
3316 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2532 | iexplore.exe | 172.217.18.14:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
2532 | iexplore.exe | 172.217.22.106:443 | translate.googleapis.com | Google Inc. | US | whitelisted |
2532 | iexplore.exe | 216.58.207.72:443 | www.googletagmanager.com | Google Inc. | US | whitelisted |
2532 | iexplore.exe | 104.19.194.29:443 | www.mediafire.com | Cloudflare Inc | US | shared |
2532 | iexplore.exe | 35.190.74.157:443 | desiredirt.com | Google Inc. | US | unknown |
2532 | iexplore.exe | 104.19.195.29:443 | www.mediafire.com | Cloudflare Inc | US | shared |
2532 | iexplore.exe | 172.217.22.34:443 | www.googletagservices.com | Google Inc. | US | whitelisted |
2532 | iexplore.exe | 104.19.215.37:443 | cdn.otnolatrnup.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
www.bing.com | — | whitelisted |
www.mediafire.com | — | shared |
www.googletagmanager.com | — | whitelisted |
www.googletagservices.com | — | whitelisted |
www.google-analytics.com | — | whitelisted |
desiredirt.com | — | unknown |
static.mediafire.com | — | shared |
translate.google.com | — | whitelisted |
cdn.otnolatrnup.com | — | whitelisted |
translate.googleapis.com | — | whitelisted |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093 |