File name: | 0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.gz |
Full analysis: | https://app.any.run/tasks/4dd944b7-4bdd-48a1-87a5-d9e64fe2b13b |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 10:16:24 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/gzip |
File info: | gzip compressed data, max compression, from Unix |
MD5: | 3FD16958B7429D615110D9DEEA1009A3 |
SHA1: | 98914C78EF87AD22DB143D9341A720C00A508B59 |
SHA256: | BBBC86AD3FB81286AD9D0C90713252923B854BE70CAF79DEAAA9A3D53534B757 |
SSDEEP: | 24576:YLVQ+YTDOs+JIsKIfwf/jLGw76HtawDWRrzpf:YLEG39fwfrK00swDWRrd |
File type: | GZipped data (100) (.z/gz/gzip) |
Compression: | Deflated |
Flags: | (none) |
ModifyDate: | 0000:00:00 00:00:00 |
ExtraFlags: | Maximum Compression |
OperatingSystem: | Unix |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2952 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.gz.z" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2828 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | | explorer.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe Acrobat Reader DC; Exit code: 1; Version: 15.23.20070.215641
2372 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\Desktop\0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe Acrobat Reader DC; Exit code: 1; Version: 15.23.20070.215641
2208 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe RdrCEF; Exit code: 3221225547; Version: 15.23.20053.211670
3304 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2208.0.1037186797\2114401837" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: LOW; Description: Adobe RdrCEF; Exit code: 0; Version: 15.23.20053.211670
3432 | "C:\Users\admin\Desktop\0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.exe" | C:\Users\admin\Desktop\0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2184 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | 0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Event Viewer Snapin Launcher; Exit code: 3221226540; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2768 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | | 0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Event Viewer Snapin Launcher; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2672 | "C:\Users\admin\Desktop\0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.exe" | C:\Users\admin\Desktop\0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.exe | | eventvwr.exe | User: admin; Integrity Level: HIGH; Exit code: 3221225477
2496 | "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\admin\Desktop\0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.exe" | C:\Windows\System32\cmd.exe | — | 0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | 
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | 
2952 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | write | LanguageList | en-US
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.gz.z
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2952 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
2372 | AcroRd32.exe | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection | write | bLastExitNormal | 0
2372 | AcroRd32.exe | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\SDI | write | bMaximizeNextDocument | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.12335\0bedaae8637bb133a16e87b90a81539a74e92693961a7ef53b7b0a631f9bf192.bin.gz | — | — | —
2372 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | — | —
2372 | AcroRd32.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.2372 | — | — | —
2372 | AcroRd32.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.2372 | — | — | —
2372 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1s0gvyx_bou2z3_1tw.tmp | — | — | —
2372 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1tdxe49_bou2z2_1tw.tmp | — | — | —
2372 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rpqrzeh_bou2z1_1tw.tmp | — | — | —
2372 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R127v6pv_bou2z0_1tw.tmp | — | — | —
2828 | AcroRd32.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst | ps | 0D5624ABBF1C79AEC38CBE52B56038B4 | AB5A46BA09F515E56892C0270D67EED215E56E43557B83A2CE295F2ED87D09D6
2372 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages | sqlite | 30E552B137B24E3C302BFFD4C00339F6 | 1CAB6E4D5865F071574D7ADBA8E615010FC0C653A7F0C7D5BD3276BCBC920FF5
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2828 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | — | — | whitelisted |
2828 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | — | — | whitelisted |
2828 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
2828 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/279_15_23_20070.zip | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2828 | AcroRd32.exe | 2.16.186.32:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
2828 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation
---|---|---
acroipm2.adobe.com | | whitelisted
armmf.adobe.com | | whitelisted