File name: | GCLauncher.bin(2).zip |
Full analysis: | https://app.any.run/tasks/09a2e32b-a2e3-4250-8230-c37a4fd5ddd9 |
Verdict: | Malicious activity |
Analysis date: | May 30, 2020, 20:15:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | FAEF3E871F9406E435C556ED2C62EF96 |
SHA1: | 5A986403131E7EB0B6133DF6C70B8E08877839C1 |
SHA256: | 9B0A954969819CC879450AEBD8D482233EC6CECA1421FE751E8EE754127D4DA3 |
SSDEEP: | 196608:ZiLPDOdYL15HXMdh8gPaj746Re0e0bvrmkgvjWRGtjiyoXx+bKkl9Z4gB5WyLlkh:IrOdYL1ujete0mRvj0h1u4aWyLlkOCKe |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 788 |
---|---|
ZipBitFlag: | 0x0001 |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:05:30 22:08:17 |
ZipCRC: | 0x939d3000 |
ZipCompressedSize: | 13638161 |
ZipUncompressedSize: | 13817488 |
ZipFileName: | GCLauncher.bin |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1492 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GCLauncher.bin(2).zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2284 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIb1492.11287\GCLauncher.bin | C:\Windows\system32\rundll32.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2392 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | explorer.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | ||||
1360 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Skype.exe | |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Version: 8.29.0.50 | ||||
536 | C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Skype for Desktop" /t REG_SZ /d "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" /f | C:\Windows\system32\reg.exe | Skype.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3764 | "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=B5BF4BF0630777B1C7C11E0337178F99 --lang=en-US --app-user-model-id=Microsoft.Skype.SkypeDesktop --app-path="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar" --node-integration=false --webview-tag=true --no-sandbox --preload="C:\Program Files\Microsoft\Skype for Desktop\resources\app.asar\Preload.js" --context-id=2 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=B5BF4BF0630777B1C7C11E0337178F99 --renderer-client-id=3 --mojo-platform-channel-handle=1580 /prefetch:1 | C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | — | Skype.exe |
User: admin Company: Skype Technologies S.A. Integrity Level: MEDIUM Description: Skype Exit code: 0 Version: 8.29.0.50 | ||||
2648 | C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Skype /v RestartForUpdate | C:\Windows\system32\reg.exe | — | Skype.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2424 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb1492.11287\GCLauncher.bin" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | rundll32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
2488 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | explorer.exe | |
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Version: 1748 | ||||
4028 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\Rar$DIb1492.11287\GCLauncher.bin" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2392 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5OE3C9QU55NVGVZWS7YI.temp | — | |
MD5:— | SHA256:— | |||
2488 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr1A77.tmp | — | |
MD5:— | SHA256:— | |||
2488 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr1AC7.tmp | — | |
MD5:— | SHA256:— | |||
4028 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | |
MD5:— | SHA256:— | |||
2488 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | |
MD5:2A27A644C2EA3D37E2A02727A0D7EBA8 | SHA256:63E8A3F6D39234C228F3B841295DC25E82E54362B173A76A1197C194E904D7E0 | |||
2488 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | |
MD5:EF4B80E835CB769E6341F6F58C74F76A | SHA256:3C888D86B55E0E88C8585920EBA2B5D384448568F9B6ECF319A484ED3E89E822 | |||
1492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb1492.11287\GCLauncher.bin | executable | |
MD5:683554E22EB45069E76168652996FA3E | SHA256:319CD1D360F683479FF19744BFBD3DC00D72A1628D6EEDF2DE52AD2858E4467D | |||
2816 | Skype.exe | C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\operation_log.txt | text | |
MD5:73C1FC4670B43A6EF2B270DF3BA0D361 | SHA256:BF13AD76D8DCBAC759EA784AFEDBE925CB77C57B65B6C90433C854A16AC863BF | |||
2488 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | |
MD5:3413DFA1E08028A4DED2B1F3D3745799 | SHA256:7DA04AFE0E968670F1EC56A7CFCF256C50671D7ECE663E2F3595FCEDB6FE541A | |||
2392 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json | text | |
MD5:13D5A8AA06324A630BF2D13FAC8317A3 | SHA256:48F30685BF7C69D81659D234A428E65D323F6B7EC6CF397F95857BCDC764651E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2488 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 564 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2488 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
2392 | Skype.exe | 172.217.21.202:443 | www.googleapis.com | Google Inc. | US | whitelisted |
2392 | Skype.exe | 23.210.249.5:443 | download.skype.com | Akamai International B.V. | NL | whitelisted |
2488 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2392 | Skype.exe | 52.174.193.75:443 | get.skype.com | Microsoft Corporation | NL | whitelisted |
2392 | Skype.exe | 13.107.42.23:443 | a.config.skype.com | Microsoft Corporation | US | suspicious |
2392 | Skype.exe | 52.233.180.130:443 | avatar.skype.com | Microsoft Corporation | NL | unknown |
2392 | Skype.exe | 152.199.19.160:443 | bot-framework.azureedge.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 13.107.42.23:443 | a.config.skype.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
get.skype.com |
| whitelisted |
a.config.skype.com |
| whitelisted |
download.skype.com |
| whitelisted |
certs.opera.com |
| whitelisted |
crl4.digicert.com |
| whitelisted |
www.googleapis.com |
| whitelisted |
avatar.skype.com |
| whitelisted |
bot-framework.azureedge.net |
| whitelisted |
config.edge.skype.com |
| whitelisted |
Process | Message |
---|---|
Skype.exe | [2816:2696:0530/211654.155:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|
Skype.exe | [2816:2696:0530/211654.155:VERBOSE1:crash_service.cc(145)] window handle is 0002019A
|
Skype.exe | [2816:2696:0530/211654.155:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service
dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
|
Skype.exe | [2816:2696:0530/211654.155:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt
server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload
maximum 128 reports/day
reporter is electron-crash-service
|
Skype.exe | [2816:2696:0530/211654.155:ERROR:crash_service.cc(311)] could not start dumper
|
Skype.exe | [3744:3992:0530/211702.587:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
|
Skype.exe | [3744:3992:0530/211702.588:VERBOSE1:crash_service.cc(145)] window handle is 0003019C
|
Skype.exe | [3744:3992:0530/211702.588:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service
dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
|
Skype.exe | [3744:3992:0530/211702.589:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt
server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload
maximum 128 reports/day
reporter is electron-crash-service
|
Skype.exe | [3744:3992:0530/211702.589:ERROR:crash_service.cc(311)] could not start dumper
|