Property | Value
---|---
File name | Downloads.7z
Full analysis | https://app.any.run/tasks/9e67257f-1197-43d1-9d0f-9162b2146baa
Verdict | Malicious activity
Analysis date | July 18, 2019, 11:14:52
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/x-7z-compressed
File info | 7-zip archive data, version 0.4
MD5 | AA2C76C0546EE537FE23ED26704BC8EB
SHA1 | CA94CB2E23A066E85AB96ADFB59320BE2C6E44DB
SHA256 | A43C4A9331086ACF6933CEEB8B7F0ED9B55DA24718F88C44332CDDDEFC8EEB69
SSDEEP | 98304:kHmtdgdu51Vo/fv3JkYivxVM43/4AY/4oy/PudoHsm90j5ZzSn7zCc:Dtdgd61Vo/KYivxVV4D/4o/dQLQ5ZzS1
Extension | File type (match score)
---|---
.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
Property | Value
---|---
MPEGAudioVersion | 2
AudioLayer | 3
AudioBitrate | 80 kbps
SampleRate | 16000
ChannelMode | Stereo
MSStereo | On
IntensityStereo | Off
CopyrightFlag | 
OriginalMedia | 
Emphasis | None
Duration | 0:08:33 (approx)
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3836 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Downloads.7z" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
3932 | "C:\Users\admin\Desktop\kms.exe" | C:\Users\admin\Desktop\kms.exe | | explorer.exe | User: admin; Integrity Level: HIGH; Description: KmsGUI; Exit code: 1; Version: 1, 0, 0, 1
3160 | cmd.exe /c wmic os get caption /value | C:\Windows\system32\cmd.exe | — | kms.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3640 | wmic os get caption /value | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: WMI Commandline Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3480 | cmd.exe /c ping 1.2.3.4 -n 1 1>nul 2>nul && echo yes | C:\Windows\system32\cmd.exe | — | kms.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3108 | ping 1.2.3.4 -n 1 | C:\Windows\system32\PING.EXE | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: TCP/IP Ping Command; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3712 | cmd.exe /c taskkill /fi "services eq vkms" /f && sc delete vkms | C:\Windows\system32\cmd.exe | | kms.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows Command Processor; Exit code: 1060; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2060 | taskkill /fi "services eq vkms" /f | C:\Windows\system32\taskkill.exe | — | cmd.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Terminates Processes; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3524 | sc delete vkms | C:\Windows\system32\sc.exe | — | cmd.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: A tool to aid in developing services for WindowsNT; Exit code: 1060; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3732 | cmd.exe /c taskkill /fi "services eq ukms" /f && sc delete ukms | C:\Windows\system32\cmd.exe | | kms.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows Command Processor; Exit code: 1060; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2468 | ikms.exe | C:\Users\admin\AppData\Local\Temp\nsz25C5.tmp\SelfDel.dll | — | — | —
2468 | ikms.exe | C:\Users\admin\AppData\Local\Temp\nsz25B4.tmp | — | — | —
2364 | mkms.exe | C:\Program Files\Common Files\system\msadc\mkms.dat | — | — | —
2364 | mkms.exe | C:\Users\admin\AppData\Local\Temp\nsuA526.tmp\SelfDel.dll | — | — | —
2364 | mkms.exe | C:\Users\admin\AppData\Local\Temp\nsuA525.tmp | — | — | —
2948 | svchost.exe | C:\Program Files\Common Files\System\ado\SSL\VeriSign Root CA.cer | der | 0BE220D4427A8355641DA13F568ACF87 | 2F479BADEF10E207FB507E92345C5A78DFD5E57B07ABCF3A4F2A9AC67D02FEC3
3836 | WinRAR.exe | C:\Users\admin\Desktop\kms.exe | executable | 3318A8B7BC3F30DCF3E867D4393B9F44 | 8D7A9F55572DDA35278C8EC23E4C76F1FE900E99BFBB82B2FD7166238CCB92A1
3932 | kms.exe | C:\Program Files\Common Files\System\ikms.exe | executable | 275F76AFE331C0519B6000E376CD7F06 | 5AC38E840FEFFC9062D006911C40617189254E685E636002E0012BA68AA6D885
3836 | WinRAR.exe | C:\Users\admin\Desktop\win7oem.exe | executable | 0F647BC72C1958D7B0383C9F17DEE6DB | 1420BCF83F0AEEE6BD9E1DB5AF7FADC21B26C123AFC219DA32B52F1A6F756FB3
2948 | svchost.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat | binary | D865EC3AA2C9E47D4EAC74BC0B2B5C22 | F31BA795670516F3D48B7CFA12D4A7A040E0E0567D8FD5616FC4FC04AE1A96BC
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
936 | svchost.exe | 45.32.71.123:443 | m.360scloud.com | Choopa, LLC | US | unknown |
3580 | svchost.exe | 45.32.71.123:443 | m.360scloud.com | Choopa, LLC | US | unknown |
2120 | svchost.exe | 45.32.71.123:443 | m.360scloud.com | Choopa, LLC | US | unknown |
3268 | svchost.exe | 45.32.71.123:443 | m.360scloud.com | Choopa, LLC | US | unknown |
Domain | IP | Reputation
---|---|---
i.wabudian.com | | unknown
m.360scloud.com | | unknown
Process | Message |
---|---|
kms.exe | SMessageLoop::Run - exiting,code = 1 |