Field | Value
---|---
File name | aaa.rar
Full analysis | https://app.any.run/tasks/cc3dbf6a-bede-4939-8c07-18e0a90021b5
Verdict | Malicious activity
Analysis date | December 18, 2018, 09:14:14
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | CD0912519EA2E24747F43B8E7717841D
SHA1 | E724327E0F58DACC32A2634FEC03DC2CE5D15242
SHA256 | 81B85A34DC68F1B3BAB2BC3CB94663360C156462BC9E1C1E92596D46F43E2E01
SSDEEP | 1536:sE2k41bEYJssomjBmsFOWvzhz8xTT2+N1OP283ZuAIi:sZEwo8jt4RE3UAIi
Extension | Type | Match score
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2900 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\aaa.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2460 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\aaa.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2972 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\DS948545324554.js" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
3332 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\DS948545324554.js" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
3160 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\DS948545324554.js" | C:\Program Files\Notepad++\notepad++.exe | — | explorer.exe | User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Version: 7.51
1928 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | — | notepad++.exe | User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: GUP : a free (LGPL) Generic Updater; Exit code: 0; Version: 4.1
2808 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | — | explorer.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Version: 68.0.3440.106
3652 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6f3800b0,0x6f3800c0,0x6f3800cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Version: 68.0.3440.106
3192 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3076 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Version: 68.0.3440.106
3872 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=188,12456098340009108953,13280544581916401540,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=756D358E72380BEE705703F406BA060A --mojo-platform-channel-handle=1016 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: LOW; Description: Google Chrome; Version: 68.0.3440.106
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2460.1780\DS948545324554\DS948545324554.js | — | — | —
2808 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\cd6196c0-fcb2-496e-82e7-db3bfbefaa74.tmp | — | — | —
2808 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp | — | — | —
2808 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp | — | — | —
2972 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
2808 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old | text | 1AA66EFDB743FB0A8DCC1CD79B0B6542 | 28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD
2808 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | 92BE6B127E72365885AD4C3FB6534EE2 | 54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51
2808 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF1bee06.TMP | text | 197882774A7ECEC9046BC48F63189B66 | 27377B0D5F989997C2C3F74ACF163EED44B60631DDAA768F6655D7BE555742B2
2808 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1bed98.TMP | text | 92BE6B127E72365885AD4C3FB6534EE2 | 54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51
2808 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\b18fb050-e4f2-420f-9945-eff56cae8004.tmp | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2972 | WScript.exe | GET | 302 | 185.60.216.35:80 | http://www.facebook.com/jrordekdd.php | IE | — | — | whitelisted |
3332 | WScript.exe | GET | 200 | 64.71.34.24:80 | http://www.grossblatt.com/license/039405903394.php | US | — | — | malicious |
3332 | WScript.exe | GET | 200 | 94.127.190.195:80 | http://www.gtmas.net/random/microupdate.php | ES | — | — | suspicious |
3332 | WScript.exe | GET | 200 | 107.6.20.201:80 | http://www.c7tech.com/email_images/mi30djISo.php | CA | — | — | unknown |
2972 | WScript.exe | GET | 200 | 94.127.190.195:80 | http://www.gtmas.net/random/microupdate.php | ES | — | — | suspicious |
3332 | WScript.exe | GET | 302 | 185.60.216.35:80 | http://www.facebook.com/up/fepwoeepe.php | IE | — | — | whitelisted |
2972 | WScript.exe | GET | 200 | 107.6.20.201:80 | http://www.c7tech.com/email_images/mi30djISo.php | CA | — | — | unknown |
3332 | WScript.exe | GET | 302 | 185.60.216.35:80 | http://www.facebook.com/jrordekdd.php | IE | — | — | whitelisted |
2972 | WScript.exe | GET | 302 | 185.60.216.35:80 | http://www.facebook.com/up/fepwoeepe.php | IE | — | — | whitelisted |
2972 | WScript.exe | GET | 200 | 64.71.34.24:80 | http://www.grossblatt.com/license/039405903394.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2972 | WScript.exe | 185.60.216.35:80 | www.facebook.com | Facebook, Inc. | IE | whitelisted |
3332 | WScript.exe | 185.60.216.35:80 | www.facebook.com | Facebook, Inc. | IE | whitelisted |
2972 | WScript.exe | 172.217.20.100:80 | www.google.com | Google Inc. | US | whitelisted |
3332 | WScript.exe | 94.127.190.195:80 | www.gtmas.net | Infortelecom Hosting S.L. | ES | suspicious |
2972 | WScript.exe | 64.71.34.24:80 | www.grossblatt.com | Hostway Corporation | US | malicious |
2972 | WScript.exe | 94.127.190.195:80 | www.gtmas.net | Infortelecom Hosting S.L. | ES | suspicious |
3332 | WScript.exe | 172.217.20.100:80 | www.google.com | Google Inc. | US | whitelisted |
2972 | WScript.exe | 107.6.20.201:80 | www.c7tech.com | Peer 1 Network (USA) Inc. | CA | unknown |
3332 | WScript.exe | 107.6.20.201:80 | www.c7tech.com | Peer 1 Network (USA) Inc. | CA | unknown |
3332 | WScript.exe | 64.71.34.24:80 | www.grossblatt.com | Hostway Corporation | US | malicious |
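The process, file and HTTP tables above together describe the chain a detection engineer would want to alert on: an archiver extracts a script, a Windows script host launched from explorer.exe runs a script of that name from a user-writable path, and that script host then makes HTTP requests to hosts the report does not whitelist. The following is an added example, not part of the ANY.RUN report and not ANY.RUN code: the records are transcribed from the report's tables, the whitelist mirrors the report's "whitelisted" reputation rows, and the rule names, the lists of script hosts and archivers, and the helper functions are this example's own assumptions.

```python
"""Correlate sandbox-style process, file-write and HTTP records into findings.

Added example for the report above. The three record lists are transcribed
from the report's tables; SCRIPT_HOSTS, ARCHIVERS, WHITELIST and the rule
names are assumptions made for this example, not report data.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # assumption
ARCHIVERS = {"winrar.exe", "7z.exe", "7zfm.exe"}              # assumption
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)$", re.I)
WHITELIST = {"www.facebook.com", "www.google.com"}            # the report's whitelisted rows

# Transcribed from the process table: (pid, image, command line, parent image)
PROCESSES = [
    (2900, "WinRAR.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\aaa.rar"', "explorer.exe"),
    (2460, "WinRAR.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\aaa.rar"', "explorer.exe"),
    (2972, "WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\DS948545324554.js"', "explorer.exe"),
    (3332, "WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\DS948545324554.js"', "explorer.exe"),
    (3160, "notepad++.exe", r'"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\DS948545324554.js"', "explorer.exe"),
]
# Transcribed from the files table: (pid, image, path written)
FILE_WRITES = [
    (2460, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRb2460.1780\DS948545324554\DS948545324554.js"),
]
# Transcribed from the HTTP table: (pid, image, method, status, url)
HTTP = [
    (2972, "WScript.exe", "GET", 302, "http://www.facebook.com/jrordekdd.php"),
    (3332, "WScript.exe", "GET", 200, "http://www.grossblatt.com/license/039405903394.php"),
    (3332, "WScript.exe", "GET", 200, "http://www.gtmas.net/random/microupdate.php"),
    (3332, "WScript.exe", "GET", 200, "http://www.c7tech.com/email_images/mi30djISo.php"),
    (2972, "WScript.exe", "GET", 200, "http://www.gtmas.net/random/microupdate.php"),
    (2972, "WScript.exe", "GET", 200, "http://www.c7tech.com/email_images/mi30djISo.php"),
]


def basename(path):
    """Case-folded final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_arg(cmdline):
    """First quoted argument after the image path that carries a script extension, else None."""
    for arg in re.findall(r'"([^"]+)"', cmdline)[1:]:
        if SCRIPT_EXT.search(arg):
            return arg
    return None


def detect(processes, file_writes, http):
    """Return (rule, pid, detail) tuples for script hosts tied to an archive drop or to non-whitelisted HTTP."""
    # Script files written by an archiver, keyed by file name, so the later
    # execution from Desktop can be tied back to the extraction even though
    # the paths differ (WinRAR extracts to a Rar$DR temp folder first).
    dropped = {basename(p): pid for pid, img, p in file_writes
               if img.lower() in ARCHIVERS and SCRIPT_EXT.search(p)}
    urls_by_pid = defaultdict(list)
    for pid, _img, _method, _status, url in http:
        urls_by_pid[pid].append(url)

    findings = []
    for pid, img, cmd, _parent in processes:
        if img.lower() not in SCRIPT_HOSTS:
            continue
        script = script_arg(cmd)
        if script is None:
            continue
        name = basename(script)
        if name in dropped:
            findings.append(("script_from_archive", pid, f"{name} extracted by PID {dropped[name]}"))
        hosts = sorted({urlsplit(u).hostname for u in urls_by_pid[pid]} - WHITELIST)
        if hosts:
            findings.append(("script_host_http", pid, ",".join(hosts)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCESSES, FILE_WRITES, HTTP):
        print(f"{rule:22} pid={pid} {detail}")
```

On this report the two WScript.exe instances (2972 and 3332) each produce one `script_from_archive` finding, tied to the .js WinRAR wrote under PID 2460, and one `script_host_http` finding listing grossblatt.com, gtmas.net and c7tech.com as appropriate. The facebook.com requests are dropped by the whitelist, which is exactly the kind of allow-list a real rule should not lean on too hard: a script host requesting PHP paths on a whitelisted domain and receiving 302s is still unusual for wscript.exe, so in production the whitelist should suppress the domain from the detail string, not the alert.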
Domain | IP | Reputation
---|---|---
www.google.com | | whitelisted
www.facebook.com | | whitelisted
www.gtmas.net | | unknown
pza6e.m8h4-pklah4pv.m8h4-pklah4pva.m8h4-pklah4pv.6e | | unknown
iq-.ibxsxsx-oaklsx-sx-wiqzhiqzhbxsxsx-oaklsx-sx-wq-.ibxsxsx-oaklsx-sx-wiqzhipq-hsx5.psx5.pp | | unknown
bxsxsx-oaklsx-sx-wbxsxsx-oaklsx-sx-wiqzhiqzhbxsxsx-oaklsx-sx-w.-bxsxsx-oaklsx-sx-wbxsxsx-oaklsx-sx-wiqzhiqzhbxsxsx-oaklsx-sx-w.5.vbxsxsx-oaklsx-sx-w.q-.-i.-tp | | unknown
pzsx--bxsxsx-oaklsx-sx-wbxsxsx-oaklsx-sx-wsx-bxsxsx-oaklsx-sx-w.- | | unknown
bxsxsx-oaklsx-sx-wbxsxsx-oaklsx-sx-wiqzhiqzhbxsxsx-oaklsx-sx-w.-bxsxsx-oaklsx-sx-wbxsxsx-oaklsx-sx-wiqzhiqzhbxsxsx-sx-w.5.sx-5msxsx-oaklsx-sx-wsx-.sx-sx-iqzq.5 | | unknown
bx88--pkl8-8-wbx88--pkl8-8-wibx88--pkl8-8-wbx88--pkl8-8-wh.5bx88--pkl8-8-wbx88--pkl8-8-wbx88--pkl8-8-wbx88--pkl8-8-w | | unknown
bxsxsx-oaklsx-sx-w.5.ptiz5.tbxsxsx-oaklsx-sx-wbxsxsx-oaklsx-sx-wsx-bxsxsx-oaklsx-sx-wt.tizbxsxsx-oaklsx-sx-w- | | unknown
Process | Message
---|---
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093