File name: | what is long stop date in a contract(50123).zip |
Full analysis: | https://app.any.run/tasks/198502ef-f4b4-4f3b-8fba-b7cb477865d6 |
Verdict: | Malicious activity |
Analysis date: | May 21, 2022, 03:46:57 |
OS: | Windows 10 Professional (build: 16299, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 631F5FD55CACB7D31FE915D35A9FD657 |
SHA1: | 9E6DE102E3D63BBC42EAF2B414601A9C5A981EF4 |
SHA256: | AB9A1B589EF81C2855D16F3B63DDDDD90D05D2DFD8CF2EEE79BD11B3330CEBE9 |
SSDEEP: | 1536:bZnxS4G8k2PL9646ivJzvQ1fvf/gO/T+iyqcpqhUocwdC0SNSu9dT+D0Ln0:bRxS4M2PhJtvCfvf/gk+qiswSuDT+m0 |
Extension | Description |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipFileName | what_is_long_stop_date_in_a_contract 91856.js |
ZipUncompressedSize | 293211 |
ZipCompressedSize | 87634 |
ZipCRC | 0x80ff9c5c |
ZipModifyDate | 2022:05:20 20:47:00 |
ZipCompression | Deflated |
ZipBitFlag | 0x0002 |
ZipRequiredVersion | 20 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3968 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\what is long stop date in a contract(50123).zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
304 | "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\SDXHelper.exe" -Embedding | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\SDXHelper.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Office SDX Helper; Exit code: 0; Version: 16.0.11929.20300 |
960 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\what_is_long_stop_date_in_a_contract 91856.js" | C:\Windows\System32\WScript.exe | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.812.10240.16384 |
3776 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\WINDOWS\System32\rundll32.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 10.0.16299.15 (WinBuild.160101.0800) |
1604 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\c6dda813-2a3c-46e2-9c8d-690353cd516f.ps1" | C:\Program Files\Notepad++\notepad++.exe | | Explorer.EXE | User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: Notepad++ : a free (GNU) source code editor; Exit code: 0; Version: 7.51 |
1360 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | | notepad++.exe | User: admin; Company: Don HO [email protected]; Integrity Level: MEDIUM; Description: GUP : a free (LGPL) Generic Updater; Exit code: 0; Version: 4.1 |
2884 | "C:\WINDOWS\system32\taskmgr.exe" /4 | C:\WINDOWS\system32\taskmgr.exe | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Task Manager; Exit code: 3221226540; Version: 10.0.16299.15 (WinBuild.160101.0800) |
260 | "C:\WINDOWS\system32\taskmgr.exe" /4 | C:\WINDOWS\system32\taskmgr.exe | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Task Manager; Exit code: 0; Version: 10.0.16299.15 (WinBuild.160101.0800) |
972 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\c6dda813-2a3c-46e2-9c8d-690353cd516f.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
304 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\admin\AppData\Local\Temp\Rar$DIa972.46921\c6dda813-2a3c-46e2-9c8d-690353cd516f.ps1'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.16299.15 (WinBuild.160101.0800) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
304 | SDXHelper.exe | C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\3cdc9d5f248d6d7506214ff391c8c3\Package.appx | compressed | 318E7DDAE132EF0EED81FA934ED76D7A | 96B27DDAFCF88A7F6F929FB48321C6CD9D3843591B7245927BD71359BDB8AC49 |
304 | SDXHelper.exe | C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\9b0eba726102ef75983c6ce565f95c22\Package.appx | compressed | 123ED3786AD7F96824CB946F5469D58E | E50B163C79E1F67FB38ABCDB5135C69E5C7547E81308BC00618DA8049408F9E4 |
304 | SDXHelper.exe | C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\45cfa0ff7e2dbd7b6089b3990c58a2ad\Package.appx | compressed | DFC97B74237F7D2BAA44543D36CFFC71 | AEA53FADB383FCD22F321E5B9297267CD5089A20E8BD47FD9D5D2BEE96417BFA |
304 | SDXHelper.exe | C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\297d816682165b8eee0b3371d74a59d8\Package.appx | compressed | D8BFA7A44A5D848745AB40985F41A83E | 1ECE78D0E5DCFAB60C9DDB9233853B2D92078A13EE0CEEB8DDE2A252A6AC482E |
304 | SDXHelper.exe | C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\a20c7ca10684ad15f9df10646379679c\Package.appx | compressed | 378E4DB2989AD5C633AB7CBB40AE43EA | 7EB24CAB9687CA6B652C5A17062BB9DC35FF8AE571A784BBB4A02933D69BA067 |
304 | SDXHelper.exe | C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\d226ad8293cd11d5fb2ac743a0d861a4\Package.appx | compressed | 5435D6C595BA7750DD573AD9D0F06AE6 | E2BCE5B0ABDB77D04CA64AC3C5AE50E2CC5EC383106956151ED81FC0DFF9AE42 |
304 | SDXHelper.exe | C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\819fb485a17719be1a6514b0586bad55\Package.appx | compressed | A510CF15CB6AB0A6C452EE2D0DF6794D | 3B71840F3278DDC205C79F0A0E38416F8EFD5F4EBDD8C2B3D4E6BF13C59C1AA2 |
304 | SDXHelper.exe | C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\590b7ea04daf428bf1a2a504bd30e016\Package.appx | compressed | BD2EBD75F83634C7C573D46E6F95A6E1 | 0F56E88AFB6D2176DA1728BBCC95FF109468CF3FD78B1BD011D1A0CA3FA447C4 |
304 | SDXHelper.exe | C:\Users\admin\AppData\Local\Microsoft\Office\SolutionPackages\e6ec30329225bb49c9a13ed193ce8f50\Package.appx | compressed | 7829E26912654FC92D7FE138FA6F7B29 | B5FCF0AEE1028675BC9A53839E4338B80D05A67362C666E802739C9789FB5CDD |
3968 | WinRAR.exe | C:\Users\admin\Desktop\what_is_long_stop_date_in_a_contract 91856.js | text | 5DB63C2212BBC183776A05A9034BE0D8 | D210C860E33449C17500D6E023ADB209E15F41F81C5B1C31290C805AAF10BC9A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1244 | lsass.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
1436 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1436 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
304 | SDXHelper.exe | 13.107.42.16:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
3816 | sdxhelper.exe | 52.109.12.18:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted |
3816 | sdxhelper.exe | 13.107.42.16:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
304 | SDXHelper.exe | 52.109.12.18:443 | nexusrules.officeapps.live.com | Microsoft Corporation | US | whitelisted |
1456 | svchost.exe | 52.152.110.14:443 | sls.update.microsoft.com | Microsoft Corporation | US | whitelisted |
304 | SDXHelper.exe | 20.126.153.54:443 | mrodevicemgr.officeapps.live.com | — | US | suspicious |
1436 | svchost.exe | 40.126.32.136:443 | — | Microsoft Corporation | US | suspicious |
304 | SDXHelper.exe | 52.109.32.63:443 | officeclient.microsoft.com | Microsoft Corporation | GB | whitelisted |
3816 | sdxhelper.exe | 52.109.32.63:443 | officeclient.microsoft.com | Microsoft Corporation | GB | whitelisted |
Domain | IP | Reputation |
---|---|---|
officeclient.microsoft.com | | whitelisted |
nexusrules.officeapps.live.com | | whitelisted |
config.edge.skype.com | | whitelisted |
sls.update.microsoft.com | | whitelisted |
self.events.data.microsoft.com | | whitelisted |
ocsp.digicert.com | | whitelisted |
mrodevicemgr.officeapps.live.com | | whitelisted |
officecdn.microsoft.com | | whitelisted |
www.lintelconsulting.co.uk | | unknown |
www.labbunnies.eu | | unknown |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093 |
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll |
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093 |