File name: | Downloads.zip |
Full analysis: | https://app.any.run/tasks/59dfe9c6-8539-4b10-8fd0-1536ffcaf599 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | March 30, 2020, 18:57:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | FC7F30E3EFF5D2E39CD4C2EDA7E61B2E |
SHA1: | 9C4D9E3C5EAF387539942E3854E5BAC419BB33A3 |
SHA256: | A972729CCD8771C09D53ED32262A60534D8EE02753CA8A50B822A140184EF950 |
SSDEEP: | 196608:iC91QGauTpuHXCWgLMZp174LU0/njeoXTodCo0T5QeYhdiPIUWd/i:iCLlaikHXAlL1/njjqCoYTtBW5i |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:03:30 13:36:22 |
ZipCRC: | 0x76126107 |
ZipCompressedSize: | 5988256 |
ZipUncompressedSize: | 6048152 |
ZipFileName: | Firefox_Setup_2.0.0.20.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3540 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Downloads.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3516 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe | WinRAR.exe | |
User: admin Company: Glorylogic Integrity Level: MEDIUM Description: ISO Workshop Installation Version: 9.1.0.0 | ||||
1500 | "C:\Users\admin\AppData\Local\Temp\is-1CKKM.tmp\isoworkshop_9.1.tmp" /SL5="$10023E,3213412,121344,C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe" | C:\Users\admin\AppData\Local\Temp\is-1CKKM.tmp\isoworkshop_9.1.tmp | — | isoworkshop_9.1.exe |
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Version: 51.1052.0.0 | ||||
3264 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe" /SPAWNWND=$60246 /NOTIFYWND=$10023E | C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe | isoworkshop_9.1.tmp | |
User: admin Company: Glorylogic Integrity Level: HIGH Description: ISO Workshop Installation Version: 9.1.0.0 | ||||
1524 | "C:\Users\admin\AppData\Local\Temp\is-QE5J0.tmp\isoworkshop_9.1.tmp" /SL5="$601CC,3213412,121344,C:\Users\admin\AppData\Local\Temp\Rar$EXa3540.611\isoworkshop_9.1.exe" /SPAWNWND=$60246 /NOTIFYWND=$10023E | C:\Users\admin\AppData\Local\Temp\is-QE5J0.tmp\isoworkshop_9.1.tmp | isoworkshop_9.1.exe | |
User: admin Integrity Level: HIGH Description: Setup/Uninstall Version: 51.1052.0.0 | ||||
2228 | "C:\Users\admin\AppData\Local\Temp\is-UNF3Q.tmp\BA003.exe" | C:\Users\admin\AppData\Local\Temp\is-UNF3Q.tmp\BA003.exe | isoworkshop_9.1.tmp | |
User: admin Company: Glorylogic Integrity Level: HIGH Description: Glorylogic Installation Exit code: 0 Version: 10.3.0.0 | ||||
3084 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zS4B86DBF6\installer.exe | BA003.exe | |
User: admin Company: adaware Integrity Level: HIGH Description: Glorylogic Installation Exit code: 0 Version: 2.5.0.1009 | ||||
3212 | C:\Users\admin\AppData\Local\Temp\7zS4B86DBF6\GenericSetup.exe husertype=Admin | C:\Users\admin\AppData\Local\Temp\7zS4B86DBF6\GenericSetup.exe | installer.exe | |
User: admin Company: adaware Integrity Level: HIGH Description: Glorylogic Installation Exit code: 0 Version: 2.5.0.1009 | ||||
2908 | "C:\Program Files\Glorylogic\ISO Workshop\ISOWorkshop.exe" | C:\Program Files\Glorylogic\ISO Workshop\ISOWorkshop.exe | explorer.exe | |
User: admin Company: Glorylogic Integrity Level: MEDIUM Description: ISO Workshop Version: 9.1.0.0 | ||||
924 | "C:\Program Files\Glorylogic\ISO Workshop\ISOTools.exe" 2 | C:\Program Files\Glorylogic\ISO Workshop\ISOTools.exe | — | ISOWorkshop.exe |
User: admin Company: Glorylogic Integrity Level: MEDIUM Description: ISO Tools Version: 9.1.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1524 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\Local\Temp\CabD317.tmp | — | |
MD5:— | SHA256:— | |||
1524 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\Local\Temp\TarD318.tmp | — | |
MD5:— | SHA256:— | |||
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-DFEC1.tmp | — | |
MD5:— | SHA256:— | |||
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-J8Q1D.tmp | — | |
MD5:— | SHA256:— | |||
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-S399F.tmp | — | |
MD5:— | SHA256:— | |||
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-9N643.tmp | — | |
MD5:— | SHA256:— | |||
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-S2H4D.tmp | — | |
MD5:— | SHA256:— | |||
1524 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-95ME7.tmp | — | |
MD5:— | SHA256:— | |||
1524 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA | binary | |
MD5:BAC5B43110872976174E85B8D8BCA57E | SHA256:92E84622936AA035FB94950FD3312F0E5FDB5A46ED3DE7557871D77FCDFB7120 | |||
1524 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 | binary | |
MD5:6DA387CF1B59554799046868FC147087 | SHA256:7CD73E636F86A0A05EF98CA63007B75A2B30431D1BDB63425A85239858571EAA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2356 | OfferInstaller.exe | GET | 200 | 104.16.236.79:80 | http://sdl.adaware.com/cdn/saBSI.exe | US | executable | 1.06 Mb | whitelisted |
1524 | isoworkshop_9.1.tmp | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | US | der | 471 b | whitelisted |
1524 | isoworkshop_9.1.tmp | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY | US | der | 728 b | whitelisted |
3212 | GenericSetup.exe | POST | 200 | 104.16.236.79:80 | http://sos.adaware.com/v1/bundle/list/?bundleId=BA003 | US | text | 9.13 Kb | whitelisted |
3580 | instup.exe | GET | 200 | 92.123.101.193:80 | http://b1477563.iavs9x.u.avast.com/iavs9x/servers.def.vpx | unknown | binary | 3.25 Kb | whitelisted |
2152 | xmyllw4g.wji.exe | POST | 204 | 5.62.44.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | US | — | — | whitelisted |
3580 | instup.exe | GET | 200 | 92.123.101.193:80 | http://h1745978.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx | unknown | binary | 602 b | whitelisted |
3580 | instup.exe | GET | 200 | 92.123.101.193:80 | http://h1745978.iavs9x.u.avast.com/iavs9x/avdump_x86_ais-95d.vpx | unknown | binary | 331 Kb | whitelisted |
4000 | instup.exe | GET | 200 | 2.19.194.243:80 | http://r7110576.vps18tiny.u.avcdn.net/vps18tiny/prod-vps.vpx | unknown | binary | 336 b | whitelisted |
3580 | instup.exe | GET | 200 | 92.123.101.193:80 | http://h1745978.iavs9x.u.avast.com/iavs9x/sbr_x86_ais-95d.vpx | unknown | binary | 7.27 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1524 | isoworkshop_9.1.tmp | 208.100.25.83:443 | www.glorylogic.com | Steadfast | US | suspicious |
2908 | ISOWorkshop.exe | 208.100.25.83:80 | www.glorylogic.com | Steadfast | US | suspicious |
1524 | isoworkshop_9.1.tmp | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious |
3212 | GenericSetup.exe | 104.16.236.79:443 | sos.adaware.com | Cloudflare Inc | US | shared |
3212 | GenericSetup.exe | 104.16.236.79:80 | sos.adaware.com | Cloudflare Inc | US | shared |
3212 | GenericSetup.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared |
2356 | OfferInstaller.exe | 104.16.236.79:80 | sos.adaware.com | Cloudflare Inc | US | shared |
2908 | ISOWorkshop.exe | 208.100.25.83:443 | www.glorylogic.com | Steadfast | US | suspicious |
3084 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
2356 | OfferInstaller.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
www.glorylogic.com |
| suspicious |
ocsp.usertrust.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
www.google.com |
| whitelisted |
sos.adaware.com |
| whitelisted |
flow.lavasoft.com |
| whitelisted |
dns.msftncsi.com |
| shared |
sdl.adaware.com |
| whitelisted |
cu1pehnswad01.servicebus.windows.net |
| whitelisted |
sadownload.mcafee.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3084 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
3084 | installer.exe | Misc activity | ADWARE [PTsecurity] lavasoft StubBundleStart PUP Install |
3084 | installer.exe | Misc activity | ADWARE [PTsecurity] lavasoft StubBundleStart PUP Install |
2356 | OfferInstaller.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2356 | OfferInstaller.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2356 | OfferInstaller.exe | Misc activity | ET INFO Packed Executable Download |
2152 | xmyllw4g.wji.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3060 | AvEmUpdate.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup (avast .com) |
3060 | AvEmUpdate.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2140 | AvEmUpdate.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup (avast .com) |
Process | Message |
---|---|
u1ggojr1.k2g.exe | NotComDllGetInterface: DLL not found in install location, looking in current directory |
u1ggojr1.k2g.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\u1ggojr1.k2g.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
|
u1ggojr1.k2g.exe | NotComDllGetInterface: DLL not found in install location, looking in current directory |
u1ggojr1.k2g.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\u1ggojr1.k2g.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
|
u1ggojr1.k2g.exe | NotComDllGetInterface: DLL not found in install location, looking in current directory |
u1ggojr1.k2g.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\u1ggojr1.k2g.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
|
AvastSvc.exe | [2020-03-30 19:01:32.779] [error ] [av_pp_prov ] [ 3668: 1508] Exception: get_file_content 'C:\Program Files\AVAST Software\Avast\gui_resources\default\updatefile.json'
Code: 0x00000003 (3)
|
AvastSvc.exe | [2020-03-30 19:01:33.857] [error ] [av_pp_prov ] [ 3668: 2892] Exception: Request 'app.browserExtensions.GetDetails' was not processed. Routing parameters:
|
AvastSvc.exe | [2020-03-30 19:01:33.857] [error ] [av_pp_prov ] [ 3668: 2892] Exception: Request 'app.browserExtensions.GetDetails' was not processed. Routing parameters:
|
AvastSvc.exe | [2020-03-30 19:01:33.857] [error ] [av_pp_prov ] [ 3668: 2892] Exception: Request 'app.browserExtensions.GetDetails' was not processed. Routing parameters:
|