File name: | 1.rar |
Full analysis: | https://app.any.run/tasks/3e354ae1-b424-48c0-b9b2-3226131fd5e4 |
Verdict: | Malicious activity |
Analysis date: | April 23, 2019, 08:43:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | CBB5BA28A8E99F01CC9587A11822157F |
SHA1: | 8F49847FB98E46E009B1944002B53FCFA8CCE48C |
SHA256: | 8153ABFA38D3AB2DDA7BF3776E9B7EF8AC8313D7ACE2DB654ABC7C8E7513CD7F |
SSDEEP: | 6144:PCXR/yosaaq00uwyd6IeduRQJv2MYB+NyDB6xDONafrEf5qbu75fRP9zeHJT8L/h:PMRsaaq03wyEWk93NocONArLbl18L/rF |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2580 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3888 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
2504 | "C:\Users\admin\Desktop\NordVPN Spaceman\Nord VPN.exe" | C:\Users\admin\Desktop\NordVPN Spaceman\Nord VPN.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: Nord VPN Exit code: 3221225477 Version: 1.0.0.0 | ||||
3648 | C:\Windows\system32\WerFault.exe -u -p 2504 -s 760 | C:\Windows\system32\WerFault.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3116 | "C:\Users\admin\Desktop\NordVPN Spaceman\Nord VPN.exe" | C:\Users\admin\Desktop\NordVPN Spaceman\Nord VPN.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Nord VPN Exit code: 0 Version: 1.0.0.0 | ||||
3096 | "C:\Users\admin\Desktop\NordVPN Spaceman\Nord VPN.exe" | C:\Users\admin\Desktop\NordVPN Spaceman\Nord VPN.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Nord VPN Version: 1.0.0.0 |
(PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\1.rar | |||
(PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2580) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3888) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3888) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | @C:\Windows\System32\msxml3r.dll,-1 |
Value: XML Document |
PID | Process | Filename | Type | |
---|---|---|---|---|
3648 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\Nord VPN.exe.2504.dmp | — | |
MD5:— | SHA256:— | |||
2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2580.3651\NordVPN Spaceman\Nord VPN.xml | xml | |
MD5:0AB22309C317B4464CC9926C20DD5DF0 | SHA256:75ADF3DB1231BA8D1E891DEADBCB41C733F9401A4D1B276BFE19B2B09550215C | |||
2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2580.3334\NordVPN Spaceman\Nord VPN.xml | xml | |
MD5:0AB22309C317B4464CC9926C20DD5DF0 | SHA256:75ADF3DB1231BA8D1E891DEADBCB41C733F9401A4D1B276BFE19B2B09550215C | |||
2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2580.3334\NordVPN Spaceman\nord.ico | image | |
MD5:FC5FB10168F43C796A428D8D7E589819 | SHA256:35C4D7C5DBB2569AA33692CA0FAFD4FEDD5B8421389C8E426BC3F80CBD9AE8D4 | |||
2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2580.3334\NordVPN Spaceman\Nord VPN.pdb | pdb | |
MD5:E90E9BE439B7297D575483331958FE2B | SHA256:9CFE02BB053223E576505EC4E477951CCAA6822C2039D05806E9CBEA53F3976B | |||
2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2580.3334\NordVPN Spaceman\Nord VPN.exe | executable | |
MD5:93ABCB2C37FAAD68B03356A127B55390 | SHA256:1975DE6FFE745E38FD7EC470B81FFBE98A840839BA179B2D42D81D91D3C0836D | |||
2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2580.3651\NordVPN Spaceman\nord.ico | image | |
MD5:FC5FB10168F43C796A428D8D7E589819 | SHA256:35C4D7C5DBB2569AA33692CA0FAFD4FEDD5B8421389C8E426BC3F80CBD9AE8D4 | |||
2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2580.3651\NordVPN Spaceman\Nord VPN.pdb | pdb | |
MD5:E90E9BE439B7297D575483331958FE2B | SHA256:9CFE02BB053223E576505EC4E477951CCAA6822C2039D05806E9CBEA53F3976B | |||
2580 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2580.3651\NordVPN Spaceman\Nord VPN.exe | executable | |
MD5:93ABCB2C37FAAD68B03356A127B55390 | SHA256:1975DE6FFE745E38FD7EC470B81FFBE98A840839BA179B2D42D81D91D3C0836D | |||
3648 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_Nord VPN.exe_d9e8eb9b6f4cebd4a65d170f6978b8c9e7e1081_0e50e64b\Report.wer | binary | |
MD5:7409FDA6E9CB0959DC4BB2A6D230A24B | SHA256:BE589B61E4583EE10622A9531D2D231B71AA4AA8C6A6859C0B536B4E43FF12E7 |