General Info

File name

Sample1.zip

Full analysis
https://app.any.run/tasks/c7fa93e0-cfdd-4b32-809e-d586c3f5e0c6
Verdict
Malicious activity
Analysis date
7/11/2019, 23:21:08
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

a0bf7fdf56cc2a84a2f555a7b6832b79

SHA1

8f089ee6e280ed185c2b8b5f17da5fadb6625cc0

SHA256

95ca5dec3e1c00ef77a58dc279897cb784936f6080ed4a1f204ce37afbb713ff

SSDEEP

12288:B5uFwmTUPkuzxEHHwRGIbRFnzU1JJjnzdbTLWH9Dvaqr0lPvr7PLRU:aFjMtEiJbvU1JlnzdqHtvQlPvPFU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • ayy.exe (PID: 2780)
  • ayy.exe (PID: 3656)
Creates files in the user directory
  • ayy.exe (PID: 3656)
Application launched itself
  • ayy.exe (PID: 2780)
Manual execution by user
  • opera.exe (PID: 2888)
  • ayy.exe (PID: 2780)
Creates files in the user directory
  • opera.exe (PID: 2888)

Static information

TRiD
.zip | ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
788
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2019:07:11 21:15:11
ZipCRC:
0x4a6f473c
ZipCompressedSize:
706275
ZipUncompressedSize:
1188352
ZipFileName:
09ba56c84942f13a91f00f7879a82715534d630a8f9c81fdf9fadfc919f7de17.bin

Processes

Total processes
40
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

start: winrar.exe (no specs), opera.exe, ayy.exe (no specs) → ayy.exe
Process information

PID
3100
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sample1.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2888
CMD
"C:\Program Files\Opera\opera.exe"
Path
C:\Program Files\Opera\opera.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Opera Software
Description
Opera Internet Browser
Version
1748
Modules
Image
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\opera\opera.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\devenum.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\quartz.dll
c:\program files\adobe\acrobat reader dc\reader\browser\nppdf32.dll
c:\windows\system32\macromed\flash\npswf32_26_0_0_131.dll
c:\program files\java\jre1.8.0_92\bin\dtplugin\npdeployjava1.dll
c:\program files\java\jre1.8.0_92\bin\plugin2\npjp2.dll
c:\progra~1\micros~1\office14\npauthz.dll
c:\progra~1\micros~1\office14\npspwrap.dll
c:\program files\google\update\1.3.34.11\npgoogleupdate3.dll
c:\program files\videolan\vlc\npvlc.dll
c:\program files\adobe\acrobat reader dc\reader\air\nppdf32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\userenv.dll

PID
2780
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll

PID
3656
CMD
"C:\Users\admin\Desktop\ayy.exe"
Path
C:\Users\admin\Desktop\ayy.exe
Indicators
Parent process
ayy.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\ayy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crtdll.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gpapi.dll

Registry activity

Total events
742
Read events
582
Write events
160
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3100
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Sample1.zip
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C00000000000000010000000083FFFF0083FFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000A40102000000000039000000B40200000000000001000000
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C800000000000000000000000000A801020000000000160000002A0000000000000002000000
3100
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C800000000000000000000000000AC0103000000000016000000640000000000000003000000
2888
opera.exe
write
HKEY_CURRENT_USER\Software\Opera Software
Last CommandLine v2
C:\Program Files\Opera\opera.exe
2888
opera.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASAPI32
EnableFileTracing
0
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASAPI32
EnableConsoleTracing
0
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASAPI32
FileTracingMask
4294901760
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASAPI32
ConsoleTracingMask
4294901760
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASAPI32
MaxFileSize
1048576
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASAPI32
FileDirectory
%windir%\tracing
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASMANCS
EnableFileTracing
0
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASMANCS
EnableConsoleTracing
0
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASMANCS
FileTracingMask
4294901760
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASMANCS
ConsoleTracingMask
4294901760
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASMANCS
MaxFileSize
1048576
3656
ayy.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ayy_RASMANCS
FileDirectory
%windir%\tracing
3656
ayy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3656
ayy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3656
ayy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3656
ayy.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3656
ayy.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US

Files activity

Executable files
0
Suspicious files
36
Text files
23
Unknown types
7

Dropped files

PID
Process
Filename
Type
3100
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRb3100.18934\09ba56c84942f13a91f00f7879a82715534d630a8f9c81fdf9fadfc919f7de17.bin
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: f433f8fe5fd947bbe336669b3e32395c
SHA256: 1a5efcb3709ca66084cf2a863de6def02b7588390b26798f12d8dc1a61716796
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat
binary
MD5: cf5c36ebbffbc152cf3cedf2054884c6
SHA256: 4c65936b49566c2bdf4acd1b1d05c7d46cd9e2f0912e47b15bf023932cf2a00c
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat
binary
MD5: b87be9654a34bf2ebe393bc1fb5f2311
SHA256: ba3a021c34c1c5acf4f83edc3917ed96c4f756c43aeaccc83ece039e791dc84f
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\g_0000\opr00002.tmp
binary
MD5: 7d41791279a4f6adf341b481c249a04e
SHA256: 65fb55d1599712b289a9b64444c8f040eec6e91ee965d151d99608e420e03ca0
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\dcache4.url
binary
MD5: 43da597c8fdd0d3d9ac2993369c38ef0
SHA256: cc59066f5fbdf84d4d52ed52a67da789ff1592eb905363df85544c895f9bb490
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\opcache\dcache4.url
binary
MD5: fdf7c35d22700ee4c724230c452175f1
SHA256: 20be7e1c79bd15cd3dcc0f3a09760c712c31ab392b2a285b98e7ba2d173e9ba5
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat
binary
MD5: f8f1abb5a51912ef13a3f4e944f5ee01
SHA256: 6275ead00a733e30583c20dc9233553407fa8a0fb9b42a9a11008a5dfffa405c
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\application_cache\mcache\dcache4.url
binary
MD5: 269abfcdb8eb1886306172aad82c919b
SHA256: 6e5005153bf4250978bd0f260f94b47abfa8b8676b36d7e8b8b1703c36c47f59
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\revocation\dcache4.url
binary
MD5: a6ec6cbe0c8f1e0488c1ca4ea745346c
SHA256: 127900218bf15da750b5d8584e97c4b848bc013c31476fec14e6fcfdc9190669
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\revocation\vlink4.dat
binary
MD5: 9b7e1769f56deedd364f9c444e75f7d8
SHA256: 90c916114e174bfceeb6bd5066b6d0810b53c55870284d290599e127c4c907a1
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\application_cache\mcache\vlink4.dat
binary
MD5: 9b7e1769f56deedd364f9c444e75f7d8
SHA256: 90c916114e174bfceeb6bd5066b6d0810b53c55870284d290599e127c4c907a1
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\application_cache\mcache\opr5474.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\revocation\opr5473.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opr5472.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opr5462.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\mail\omailbase.dat
abr
MD5: f52d18b1988d60b85f3df3b422e67906
SHA256: e8c7c39ae1a30e455ceea25c20267ef6d3035cc2dbbaa80c62650ae6610710f8
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml
xml
MD5: 8f9bc25082526679d20832e134280689
SHA256: 0fede19a884e68af700217770d350b22bfe9cee4cf87ba9438d50f2341a85b2c
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat
binary
MD5: 9b7e1769f56deedd364f9c444e75f7d8
SHA256: 90c916114e174bfceeb6bd5066b6d0810b53c55870284d290599e127c4c907a1
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\vps\0000\md.dat
abr
MD5: 4ccacb766afadcd2ae4c65e5eceaaec6
SHA256: b1c5eb9953002e3716807485e54ff249f2b7f4884083447eff8f38de1694f9a5
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: 04045a22d2fbddaf884c38bcd207b41e
SHA256: 93a6247a70c7e4fc7a00262835f993b7a95d7bfacaddeb7925e30e30b2e7d36b
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\vps\0000\adoc.bx
abr
MD5: ad973d69060c288cf7c70e9ada4b4b81
SHA256: 998c3980d784c306a7b833e7fb914c731d3935d4b94894ba809bd90b11d7f496
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\vps\0000\url.axx
abr
MD5: 04a1fb3bc2cdb697eec281ee1042d2aa
SHA256: dd9efd68d8bdb8cdabdee048202e38644ef8a9f7028d3e15643a3eca56f10b2b
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\vps\0000\wb.vx
abr
MD5: 92e9c1cacdf89ee367f1defbe237750c
SHA256: de74d00b0be06c30ca17e1ff973617de8bf1571a24045b02fd505f614b6f3bee
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\application_cache\cache_groups.xml
xml
MD5: 0c3d13ca7a1b93960f71a49613f4aa5c
SHA256: eb9eaf372a1df1d4d3f389bb09f05b0cd8a1dbd838ae1247f34b36fa7566bb5a
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat
text
MD5: 7b73f30d9a844c9f578c11dfbca8ebfe
SHA256: 050aedaa5128450892ebec39fb8fdf4ee30dcac21ad289ee6c9d858d1648a6f4
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\vps\0000\w.axx
abr
MD5: 04a1fb3bc2cdb697eec281ee1042d2aa
SHA256: dd9efd68d8bdb8cdabdee048202e38644ef8a9f7028d3e15643a3eca56f10b2b
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini
text
MD5: 378946a66814bed3e90d8b14e9d94180
SHA256: e3fabf8e0007a8a229c143f8ea11af31a52ee9a51297a692d8c3cb5217f76d85
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini
text
MD5: 065880b823ef0331eccea7c8da32f9d7
SHA256: 73b5df7dd2790d620c1eb5f5d01b7bfb40ae93ea736af55360c5c2afb44ead2a
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opr5451.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opr5450.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak
text
MD5: f433f8fe5fd947bbe336669b3e32395c
SHA256: 1a5efcb3709ca66084cf2a863de6def02b7588390b26798f12d8dc1a61716796
2888
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF115437.TMP
binary
MD5: 8d2af1b32332cbc3eb43e52363bc928d
SHA256: a8a64be8eab84cf198494b0773676df0fb6cab57e8dc1329ebcfdcd849ebdfe0
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00005.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R8H0YVLZCXDMTW374Z8L.temp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr543F.tmp
––
MD5:  ––
SHA256:  ––
3656
ayy.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr5085.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: 74b2c4e27e7687d88e3c6aefd9884cbc
SHA256: c28732b9c31aa13f14630a56c7e2c699e1ed33961105d2f62377b387257c117c
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr44AD.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00004.tmp
html
MD5: 7c2f028854f7f05361f65be2b04ce0a2
SHA256: 9f53d27c650c056cc69fd26dea2c814eadc05168c1fc6a30103d4bd718e89532
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml
xml
MD5: ca6d090fda94c6c0837f5abc493c81ae
SHA256: 50559d961658cf7792517248b3536637a98fc8fa7330dfef3a22f4a715f5ccbf
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat
text
MD5: c35d8e51d5d2e6c2073e9a671408762b
SHA256: dbe77f393d871d06ef17f36184dae8abc63f261087bdf8a3296f04186a03341d
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: af1b9c5894035b3cddc4257e804db433
SHA256: a809955e977702c39377ff46b2ea361893004e7d9ff4960fa0c0b49dac0fd152
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr2879.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: bfc887600e071c0b860ed99fdec030cc
SHA256: 0010908b25f8f2de51cd64fc8c5921cea8c33caf52a4103991e95efc3a3c6d7b
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr1CA1.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml
xml
MD5: 68b2e0fa0f8602a68292b20532b4b3ef
SHA256: 63cd0a752cadb0b818d43fbf8b5636dbe818e8a08305383e272ddf52ae03ce42
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat
text
MD5: cda6bc5e7421f96cd5533a2210a013f2
SHA256: 60b36f180caf39523324a429a519d47e544d980b6d0a716e4a7e409caa1cc8c6
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak
text
MD5: 30ee670c006312db95d9758233cd7bb9
SHA256: 7756c998b8d8f7f2b82dfbcd713d9f793f6d3c675aa4995312e4befdb6f3fbe4
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: 1ff2e95095a24890fdaa78e1d0fb3714
SHA256: 6f8f67b182d6ea33a29715c550a883697641e19f9e1594309466f9483912ef6a
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprD3CF.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml
xml
MD5: edb0be685dbde6be7e52dbab90811ab9
SHA256: b7f93a0d57b1765c6c0fbe4157c690295141c38e429e166dc29b9c8b342fb7c9
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00003.tmp
html
MD5: ac9a4f73cae62442d98c33900d9388b6
SHA256: 6539a9841f7fa4d60b4fdca3fea551590abfbe8190056f958d4ec40bae080c8c
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
text
MD5: 30ee670c006312db95d9758233cd7bb9
SHA256: 7756c998b8d8f7f2b82dfbcd713d9f793f6d3c675aa4995312e4befdb6f3fbe4
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprC7A9.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF1045e4.TMP
binary
MD5: 8d2af1b32332cbc3eb43e52363bc928d
SHA256: a8a64be8eab84cf198494b0773676df0fb6cab57e8dc1329ebcfdcd849ebdfe0
2888
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms
binary
MD5: 8d2af1b32332cbc3eb43e52363bc928d
SHA256: a8a64be8eab84cf198494b0773676df0fb6cab57e8dc1329ebcfdcd849ebdfe0
2888
opera.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TAMJ2TLEW1WT5CP0RBT7.temp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: 346d4d301724f4a03e24bbe0000bbd51
SHA256: 4c9a733cbacfb27717999d223bc0349e4d7172ea57c296c3e77febab93237566
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: 7f5dcbf9f067f258078d5071195d5c51
SHA256: fec0be3946fe4780375cee50eb647bea4fb130af228e473fe442b39ff19d0492
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat
binary
MD5: 82f1a2b1176a5ecc457d32301e2ad833
SHA256: a783052804dd4c232be2ed3dc00c430cb67a20370890e235562ed2b27b5a602e
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
binary
MD5: 911dcc0e90442586d7b9972b25265bd4
SHA256: 68a0977d7a613ede9df626167b4c4289f8c9ee44c90bf1b72d7ec03849614506
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: 59761e989f564f76a3a4b778db7abcf1
SHA256: af879942d234d85c0ce75921dbdda50e2f6d135bd961f259106131751359052b
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat
binary
MD5: 1aa8644c9261dc10f7247f6a145c1dd2
SHA256: 58a8933f65361633c6ab194000d312dc9d566f717b1a16814a0dbee24a60ebe3
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml
xml
MD5: 19b290f0ebcdec898f730cfc403a5476
SHA256: eeb0925810c6baf745f18b5838d8950623261dfcaccadc0c3a60e6647600a8cc
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opr3A7B.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini
text
MD5: 5c9eb850a6e72401449c0cf0df6ccfbe
SHA256: fb0092c145ae951e02a7896738533785d18405a70b340d8850e0e482e1db6f1a
2888
opera.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opr3A3C.tmp
––
MD5:  ––
SHA256:  ––
2888
opera.exe
C:\Users\admin\AppData\Local\Opera\Opera\cache\CACHEDIR.TAG
text
MD5: e717f92fa29ae97dbe4f6f5c04b7a3d9
SHA256: 5bbd5dcbf87fd8cd7544c522badf22a2951cf010ad9f25c40f9726f09ea2b552

Network activity

HTTP(S) requests
2
TCP/UDP connections
24
DNS requests
6
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2888 opera.exe GET 200 93.184.220.29:80 http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl US der –– whitelisted
2888 opera.exe GET 200 185.26.182.109:80 http://redir.opera.com/favicons/google/favicon.ico unknown image –– whitelisted

Connections

PID Process IP ASN CN Reputation
2888 opera.exe 185.26.182.94:443 Opera Software AS –– malicious
2888 opera.exe 93.184.220.29:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
2888 opera.exe 52.237.22.139:443 Microsoft Corporation CA unknown
2888 opera.exe 185.26.182.112:443 Opera Software AS –– suspicious
–– –– 52.237.22.139:443 Microsoft Corporation CA unknown
2888 opera.exe 185.26.182.109:80 Opera Software AS –– unknown
3656 ayy.exe 194.5.179.42:443 FR unknown

DNS requests

Domain IP Reputation
certs.opera.com 185.26.182.94, 185.26.182.93 whitelisted
crl4.digicert.com 93.184.220.29 whitelisted
ec2-3-83-64-249.azurewebsites.net 52.237.22.139 unknown
sitecheck2.opera.com 185.26.182.112, 185.26.182.93, 185.26.182.94, 185.26.182.111 whitelisted
redir.opera.com 185.26.182.109, 185.26.182.110 whitelisted
k.icf-fx.kz 194.5.179.42 unknown

Threats

No threats detected.

Debug output strings

No debug info.