| Field | Value |
|---|---|
| File name | KMSX2.zip |
| Full analysis | https://app.any.run/tasks/9b879911-8f21-40aa-bb64-96a6e0edb736 |
| Verdict | Malicious activity |
| Analysis date | July 18, 2019, 06:44:34 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | ACD20E9E26C18B888A09A703220CAF72 |
| SHA1 | EFB3895CD3B9BB8D91FBABA5954DE5E9A92E50B2 |
| SHA256 | B366F923B9ACC9D80DE8B075F21EA4AB60333DDAE3EB22F9115A4BC7342A8166 |
| SSDEEP | 393216:6J6XfBqGh2okF4tkRa9MTCMQyfpGeoEnTw8Ye1C2MIbHTISa:w4f9co04tkVCMEhETwS11M4zO |
| Extension | Detected type |
|---|---|
| .zip | ZIP compressed archive (100) |

| Field | Value |
|---|---|
| ZipFileName | ??OFFICE???kms-bf??2018-4?汾??.exe |
| ZipUncompressedSize | 8067700 |
| ZipCompressedSize | 8054581 |
| ZipCRC | 0x0a0dabc0 |
| ZipModifyDate | 2018:04:13 17:16:14 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0001 |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3224 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\KMSX2.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
| 452 | "C:\Users\admin\Desktop\¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe" | C:\Users\admin\Desktop\¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 |
| 2232 | "C:\Users\admin\Desktop\¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe" | C:\Users\admin\Desktop\¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | — | explorer.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 3516 | "C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns4BAE.tmp" "C:\Users\admin\AppData\Local\Temp\7z.exe" rn -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play32.dat" "UfdsvtIopuy.sys" "OTAwNT.sys" | C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns4BAE.tmp | — | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 4004 | "C:\Users\admin\AppData\Local\Temp\7z.exe" rn -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play32.dat" "UfdsvtIopuy.sys" "OTAwNT.sys" | C:\Users\admin\AppData\Local\Temp\7z.exe | — | ns4BAE.tmp | User: admin; Company: Igor Pavlov; Integrity Level: HIGH; Description: 7-Zip Console; Exit code: 0; Version: 16.02 |
| 2648 | "C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns4D07.tmp" "C:\Users\admin\AppData\Local\Temp\7z.exe" x -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play32.dat" -o"C:\Windows\system32\" | C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns4D07.tmp | — | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 3204 | "C:\Users\admin\AppData\Local\Temp\7z.exe" x -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play32.dat" -o"C:\Windows\system32\" | C:\Users\admin\AppData\Local\Temp\7z.exe | — | ns4D07.tmp | User: admin; Company: Igor Pavlov; Integrity Level: HIGH; Description: 7-Zip Console; Exit code: 0; Version: 16.02 |
| 2828 | "C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns56EB.tmp" "C:\Users\admin\AppData\Local\Temp\7z.exe" x -aoa -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play14.dat" -o"C:\Users\admin\AppData\Local\Temp" | C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns56EB.tmp | — | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 3360 | "C:\Users\admin\AppData\Local\Temp\7z.exe" x -aoa -paabbccdd "C:\Users\admin\AppData\Local\Temp\Play14.dat" -o"C:\Users\admin\AppData\Local\Temp" | C:\Users\admin\AppData\Local\Temp\7z.exe | — | ns56EB.tmp | User: admin; Company: Igor Pavlov; Integrity Level: HIGH; Description: 7-Zip Console; Exit code: 0; Version: 16.02 |
| 792 | C:\Users\admin\AppData\Local\Temp\KMSpico1.exe | C:\Users\admin\AppData\Local\Temp\KMSpico1.exe | — | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | User: admin; Integrity Level: HIGH; Description: 暴风一键激活工具; Exit code: 0; Version: 16.0.0.0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4004 | 7z.exe | C:\Users\admin\AppData\Local\Temp\Play32.dat.tmp | — | — | — |
| 2232 | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns4D07.tmp | — | — | — |
| 2232 | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | C:\Users\admin\AppData\Local\Temp\Play32.dat | compressed | 7EE1D179B22FC2D5149ABCECAA1C915D | 3C8BC0565F3D00B96B4F2FC79224CAC81D2A8226F48E729045C86768E235E985 |
| 3224 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3224.30988\ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe | executable | EA605CFF1C07FA04BD018439162D3A6F | 503677756C55D538C034B0B9AC27C403F52F16600C3FF9AA09C5B91FF21DE99D |
| 3224 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3224.30988\¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | executable | 511385F38C34B117375EB51F0B0606D1 | 1F1E885FFECC0CCDD584EE2F5346BBFF0ECD29EC839A8D552F8DF7B211C0EA56 |
| 2232 | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns4BAE.tmp | executable | FB24456C282F9C505192014CA00DA0D5 | 79969A3511D17FAE9B1537B5C0EE0E0C06EE55D9F5F0CFD2D7B9B0A8DC7CABCA |
| 4004 | 7z.exe | C:\Users\admin\AppData\Local\Temp\Play32.dat | compressed | 7EE1D179B22FC2D5149ABCECAA1C915D | 3C8BC0565F3D00B96B4F2FC79224CAC81D2A8226F48E729045C86768E235E985 |
| 2232 | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | C:\Users\admin\AppData\Local\Temp\nsd4B20.tmp\ns56EB.tmp | — | — | — |
| 3204 | 7z.exe | C:\Windows\system32\OTAwNT.sys | executable | 401DC161B1707A3373F656DCCC3F2164 | 1AA8A8BC530A5F3F9851125C5E77BEE7EE47D45495BBB9ACCF1A2105D8CCCB5A |
| 2232 | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | C:\Users\admin\AppData\Local\Temp\Play1.dat | compressed | A8205CBF599D5703B6E10220645598B3 | FDEC594C0445A37BD06EA6C5D9321DC6B059095E1E9A415F7AC9593A886E8BA0 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2836 | ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe | GET | — | 42.51.38.18:80 | http://win3.zhfcxd.com/bs4-300-4.mp3 | CN | — | — | suspicious |
2392 | ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe | GET | — | 42.51.38.18:80 | http://win3.zhfcxd.com/bs4-300-4.mp3 | CN | — | — | suspicious |
2232 | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | GET | — | 42.51.38.18:80 | http://win3.zhfcxd.com/bs4-200-4.mp3 | CN | — | — | suspicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2392 | ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe | 42.51.38.18:80 | win3.zhfcxd.com | Henan Telcom Union Technology Co., LTD | CN | suspicious |
2836 | ú¿OFFICE+ñ+eú¬kms-bfú¿2018-4¦µ¦+ú¬.exe | 42.51.38.18:80 | win3.zhfcxd.com | Henan Telcom Union Technology Co., LTD | CN | suspicious |
2232 | ¦¬+t+ñ+eV17.0-2019-6-22¦µ¦+.exe | 42.51.38.18:80 | win3.zhfcxd.com | Henan Telcom Union Technology Co., LTD | CN | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| win3.zhfcxd.com | 42.51.38.18 | suspicious |