Field | Value
---|---
File name | ItroublveTSC.v6.Fix.7.2_1.rar
Full analysis | https://app.any.run/tasks/8b34d5a8-896e-4138-babd-0a616e94790c
Verdict | Malicious activity
Analysis date | April 01, 2023, 19:10:27
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators |  
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | 8F43A4C325FD8E9A74FD95B981E47EB0
SHA1 | 9B81F726258EDB058A976021FEF6BF80EA3B0D49
SHA256 | ACA29BB525C3551E04C4EB159A5E7531F4AEB84C51386DCD828793FC3A97079B
SSDEEP | 98304:h/Oeozvy8dptnsI9/JG4GRtqKCmp5Yj28AYwsrN7ZzHhlvnO6AQQMnTy:xT4vyetsI9/JMibrzZzHzKvp

Extension | Description | Score
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1900 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\ItroublveTSC.v6.Fix.7.2_1.rar" | C:\Program Files\WinRAR\WinRAR.exe |  | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0
1920 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
1848 | "C:\Users\admin\Desktop\ItroublveTSC.v6.Fix.7.2 (1)\ItroublveTSC.exe" | C:\Users\admin\Desktop\ItroublveTSC.v6.Fix.7.2 (1)\ItroublveTSC.exe |  | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: ItroublveTSC; Version: 6.0.0.0
3912 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\bin_copy\compile.vbs" | C:\Windows\System32\wscript.exe | — | ItroublveTSC.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2392 | "C:\Windows\System32\cmd.exe" /c compile.bat | C:\Windows\System32\cmd.exe |  | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2500 | C:/Windows/Microsoft.NET/Framework/v4.0.30319/msbuild.exe TSC.sln | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |  | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: MSBuild.exe; Exit code: 0; Version: 4.0.30319.34209 built by: FX452RTMGDR
2448 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\admin\AppData\Local\Temp\tmp1142bbb637204390b66516b367beed90.rsp" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |  | MSBuild.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 4.0.30319.34209 built by: FX452RTMGDR
3068 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES944C.tmp" "c:\Users\admin\AppData\Local\Temp\bin_copy\obj\Debug\CSCDD92D1B0EEDF427CB7332FE8BF17298.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | — | csc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft® Resource File To COFF Object Conversion Utility; Exit code: 0; Version: 12.00.51209.34209 built by: FX452RTMGDR
1824 | "C:\Users\admin\Desktop\ItroublveTSC.v6.Fix.7.2 (1)\fsdf.exe" | C:\Users\admin\Desktop\ItroublveTSC.v6.Fix.7.2 (1)\fsdf.exe |  | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: (empty); Exit code: 0; Version: 1.0.0.0
2472 | "C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe" Eb+2YsaQwteu3TZx6uflbg== | C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe |  | fsdf.exe | User: admin; Integrity Level: MEDIUM; Description: RtkBtManServ; Version: 1.0.0.0

PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
1900 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US
1900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
1900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
1900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\phacker.zip
1900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
1900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
1900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
1900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
1920 | SearchProtocolHost.exe | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US
1900 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\Binaries\RtkBtManServ.exe | executable | 88AB0BB59B0B20816A833BA91C1606D3 | F4FB42C8312A6002A8783E2A1AB4571EB89E92CD192B1A21E8C4582205C37312
1900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\App.config | xml | 13FF21470B63470978E08E4933EB8E56 | 16286566D54D81C3721F7ECF7F426D965DE364E9BE2F9E628D7363B684B6FE6A
1900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\o.crproj | text | 3551F612ED34F86EC42F1DE69F758101 | 70E55A0723846040D90B664E300B58BBD7D6061EAABC79EAEB943DC5598CC373
1900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\Binaries\config | binary | 1BA367D0F9AAC0F650E65AB7401776C0 | 68C4EC552C98F3B5A4744E4EEFADD6364DC8075C2E718B7BCBFC76625AA60D03
1900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\obf\Confuser.Core.dll | executable | 6F3E120BAA644B4DC085A3DD3E183BCF | 4742104D8E47541ED998D22321717D288CD62682B56F56F4A69DC9BD99C9A6FB
1900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\packages\System.IO.Compression.ZipFile.4.3.0\.signature.p7s | der | 1CAF0E5AE358804C975D33C8381E7506 | 517116CA9BB57682DA5460CE0BC3AE6BB35D6B0B2A6B70E6E18AABB409B05992
1900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\Digitallity.cs | text | E96DB35E82B4088E0258E593A9DACE7F | F880F91E5F46E3FB6589841556A97CBE79773385A1CBDE8676E3F071952662C8
1900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\obf\Confuser.DynCipher.dll | executable | 6EBC90E77623826E71DED623A296660B | CDAD0A76F0D3F3E73FCDC6E5E6D98B0E88ADCC2353C54344375B80197A86FCF6
1900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\obf\CLI.exe | executable | A6F83DA2BFE041D92FF79B9C238ED72E | 0B997165E348B17658BEF1E869881C37C79C2A9BB26E132AC4141EEFD5912652
1900 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1900.22275\ItroublveTSC.v6.Fix.7.2 (1)\bin\obf\dnlib.dll | executable | E61BAD0331819ED63CA3B0D537F7E1A1 | D8FC78217493FEBE82670C5A93FEB85AB86FC6A0387ABCB6E9165E0C0BB97000

Domain | IP | Reputation
---|---|---
itroublvehacker.gq |  | whitelisted

PID | Process | Class | Message
---|---|---|---
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain