| Field | Value |
|---|---|
| File name | Q9om3ev2DO1d6cA6F9KbTA(1).zip |
| Full analysis | https://app.any.run/tasks/8cce8c77-0276-4357-88d7-414c7d0e47a8 |
| Verdict | Malicious activity |
| Analysis date | November 15, 2018, 02:46:42 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | — |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 9059962192E58A0F89A3B05C871A5F89 |
| SHA1 | C2B8A2FD5F2D1543D2E5A331800B0A5E3D65BA87 |
| SHA256 | CA4467AA603DB93689AD3969149D588CF7C7F6F170F437A8BFE026003DEE67A0 |
| SSDEEP | 393216:uhcSwW4rtvUtKwzeF/+HhoeMKaGUP3jkK:uB2UwwzeF/+BzMKaGUPgK |
| Field | Value |
|---|---|
| File type | .zip, ZIP compressed archive (100) |
| ZipFileName | PhotoViewer_v1.4.0.9_sem2_001.exe_ |
| ZipUncompressedSize | 16168352 |
| ZipCompressedSize | 15102957 |
| ZipCRC | 0x80219d79 |
| ZipModifyDate | 2018:11:15 02:39:05 |
| ZipCompression | Deflated |
| ZipBitFlag | 0x0009 |
| ZipRequiredVersion | 20 |

The single member is a renamed executable (`.exe_`). Its general-purpose bit flag 0x0009 sets bit 0 (entry is encrypted, i.e. the archive is password-protected) and bit 3 (CRC and sizes are stored in a trailing data descriptor, so the values above come from the central directory rather than the local file header).
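The ZIP fields above are the central-directory fields of the archive. As an added example (not part of the report or of ANY.RUN's tooling), the Python below parses those same fields by hand from the raw bytes, decodes the general-purpose bit flag, and recomputes the CRC of an unencrypted member. The archive it builds is constructed for the demonstration; its member is not encrypted, so the report's flag value 0x0009 is decoded separately at the end.

```python
"""Read ZIP central-directory fields (version needed, bit flag, method,
DOS timestamp, CRC, sizes, name) straight from the bytes and re-check the CRC."""
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
LOCAL_SIG = b"PK\x03\x04"
METHODS = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES"}  # APPNOTE 4.4.5 subset


def decode_bit_flag(flag):
    """General-purpose bit flag (APPNOTE 4.4.4). Bit 0: entry is encrypted.
    Bit 3: CRC/sizes live in a trailing data descriptor, so the local header's
    copies are zero and only the central directory is reliable. Bit 11: UTF-8 names."""
    return {"encrypted": bool(flag & 0x0001),
            "data_descriptor": bool(flag & 0x0008),
            "utf8_names": bool(flag & 0x0800)}


def dos_datetime(date, time):
    """MS-DOS packed date/time -> 'YYYY:MM:DD HH:MM:SS' (exiftool style, 2-second resolution)."""
    return (f"{((date >> 9) & 0x7F) + 1980:04d}:{(date >> 5) & 0x0F:02d}:{date & 0x1F:02d} "
            f"{(time >> 11) & 0x1F:02d}:{(time >> 5) & 0x3F:02d}:{(time & 0x1F) * 2:02d}")


def parse_central_directory(data):
    """One dict per entry, read from the central directory; raises on malformed input."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, entries_here, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, total, _cd_size, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    entries, pos = [], cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        (_, _made, needed, flag, method, mtime, mdate, crc, csize, usize,
         name_len, extra_len, comment_len, _disk, _iattr, _eattr,
         local_off) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        flags = decode_bit_flag(flag)
        raw_name = data[pos + 46:pos + 46 + name_len]
        entries.append({
            "name": raw_name.decode("utf-8" if flags["utf8_names"] else "cp437"),
            "version_needed": needed, "flags": flags, "method": method,
            "method_name": METHODS.get(method, f"unknown({method})"),
            "modified": dos_datetime(mdate, mtime), "crc32": crc,
            "compressed_size": csize, "uncompressed_size": usize,
            "local_header_offset": local_off,
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def verify_crc(data, entry):
    """Recompute CRC-32 of the member's plaintext and compare with the central directory.
    Returns None for encrypted members (the stream is ciphertext) or unsupported methods."""
    if entry["flags"]["encrypted"]:
        return None
    off = entry["local_header_offset"]
    if data[off:off + 4] != LOCAL_SIG:
        raise ValueError("bad local file header signature")
    name_len, extra_len = struct.unpack_from("<HH", data, off + 26)  # local header's own lengths
    start = off + 30 + name_len + extra_len
    raw = data[start:start + entry["compressed_size"]]
    if entry["method"] == 8:
        plain = zlib.decompressobj(-15).decompress(raw)  # raw deflate, no zlib header
    elif entry["method"] == 0:
        plain = raw
    else:
        return None
    return (zlib.crc32(plain) & 0xFFFFFFFF) == entry["crc32"]


def build_sample():
    """Constructed sample archive (not the report's file): one deflated member
    named like the report's inner file, with a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("PhotoViewer_v1.4.0.9_sem2_001.exe_", date_time=(2018, 11, 15, 2, 39, 4))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, b"MZ" + b"\x00" * 4094)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for e in parse_central_directory(sample):
        print(e["name"], e["method_name"], e["modified"], hex(e["crc32"]), e["flags"],
              "crc ok:", verify_crc(sample, e))
    print("report's ZipBitFlag 0x0009 ->", decode_bit_flag(0x0009))
```

`verify_crc` deliberately reads the name and extra lengths from the local header rather than reusing the central-directory values: the two are allowed to differ, and a mismatch between them is itself a classic way to confuse one ZIP parser relative to another.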
All ten processes ran as user `admin`; the Indicators column was empty ("—") for every one of them. Exit codes are decoded in parentheses.

| PID | Image path | Command line | Parent process | Integrity | Exit code | Image description (company, version) |
|---|---|---|---|---|---|---|
| 3564 | C:\Program Files\WinRAR\WinRAR.exe | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Q9om3ev2DO1d6cA6F9KbTA(1).zip" | explorer.exe | MEDIUM | 0 | WinRAR archiver (Alexander Roshal, 5.60.0) |
| 588 | C:\Users\admin\Desktop\PhotoViewer_v1.4.0.9_sem2_001.exe | "C:\Users\admin\Desktop\PhotoViewer_v1.4.0.9_sem2_001.exe" | explorer.exe | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | ABC Kantu image viewer installer (ABC看图安装包) (上海展盟网络科技有限公司, Shanghai Zhanmeng Network Technology Co., Ltd., 1.4.0.9) |
| 2452 | C:\Users\admin\Desktop\PhotoViewer_v1.4.0.9_sem2_001.exe | "C:\Users\admin\Desktop\PhotoViewer_v1.4.0.9_sem2_001.exe" | explorer.exe | HIGH | 0 | ABC Kantu image viewer installer (ABC看图安装包) (上海展盟网络科技有限公司, Shanghai Zhanmeng Network Technology Co., Ltd., 1.4.0.9) |
| 3520 | C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /f /im PhotoViewer.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | HIGH | 128 (process not found) | Terminates Processes (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 3656 | C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /f /im Photomanager.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | HIGH | 128 (process not found) | Terminates Processes (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 3876 | C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /f /im PdfReader.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | HIGH | 128 (process not found) | Terminates Processes (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 4080 | C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /f /im Update.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | HIGH | 128 (process not found) | Terminates Processes (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 2484 | C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /f /im Report.exe | PhotoViewer_v1.4.0.9_sem2_001.exe | HIGH | 128 (process not found) | Terminates Processes (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 3096 | C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s /u C:\Users\admin\AppData\Roaming\PhotoViewer\ShellExt.dll | PhotoViewer_v1.4.0.9_sem2_001.exe | HIGH | 3 (LoadLibrary failed) | Microsoft(C) Register Server (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 1996 | C:\Windows\system32\regsvr32.exe | "C:\Windows\system32\regsvr32.exe" /s /u C:\Users\admin\AppData\Roaming\PhotoViewer\Checker.dll | PhotoViewer_v1.4.0.9_sem2_001.exe | HIGH | 3 (LoadLibrary failed) | Microsoft(C) Register Server (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |

The first launch of the installer (PID 588) ended with STATUS_ELEVATION_REQUIRED and the same binary was then started again at HIGH integrity (PID 2452): the installer demands administrator rights and obtained them. Running elevated, it force-killed five image names by name, none of which was running (taskkill exit 128), and ran `regsvr32 /s /u` against two DLLs under %AppData%\Roaming\PhotoViewer that regsvr32 could not load (exit 3).
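The process table above records the whole behaviour chain in raw form. As an added example (not part of the report or of ANY.RUN's tooling), the Python below runs a few triage checks over constructed process-creation events modelled on those rows: it decodes the NTSTATUS exit code of PID 588, detects the re-launch of the same binary at HIGH integrity, and flags the `taskkill /f /im` sweep and the `regsvr32 /s /u` calls against DLLs under the user's AppData. The event field names, the thresholds and the exit-code lookup tables are assumptions of the example, not something the report defines.

```python
"""Triage checks over a sandbox process tree: decode exit codes, spot an
elevation re-launch, flag taskkill sweeps and regsvr32 /u on user-profile DLLs."""
import re
from collections import defaultdict


def ev(pid, parent, image, args, integrity, exit_code):
    """One constructed process-creation event with the fields the report shows."""
    return {"pid": pid, "parent": parent, "image": image,
            "cmdline": f'"{image}" {args}'.strip(),
            "integrity": integrity, "exit_code": exit_code}


INSTALLER = r"C:\Users\admin\Desktop\PhotoViewer_v1.4.0.9_sem2_001.exe"
INSTALLER_NAME = "PhotoViewer_v1.4.0.9_sem2_001.exe"
TASKKILL = r"C:\Windows\System32\taskkill.exe"
REGSVR32 = r"C:\Windows\system32\regsvr32.exe"
APPDATA = r"C:\Users\admin\AppData\Roaming\PhotoViewer"

# Constructed events modelled on the report's process table.
EVENTS = [
    ev(3564, "explorer.exe", r"C:\Program Files\WinRAR\WinRAR.exe",
       r'"C:\Users\admin\AppData\Local\Temp\Q9om3ev2DO1d6cA6F9KbTA(1).zip"', "MEDIUM", 0),
    ev(588, "explorer.exe", INSTALLER, "", "MEDIUM", 3221226540),
    ev(2452, "explorer.exe", INSTALLER, "", "HIGH", 0),
    ev(3520, INSTALLER_NAME, TASKKILL, "/f /im PhotoViewer.exe", "HIGH", 128),
    ev(3656, INSTALLER_NAME, TASKKILL, "/f /im Photomanager.exe", "HIGH", 128),
    ev(3876, INSTALLER_NAME, TASKKILL, "/f /im PdfReader.exe", "HIGH", 128),
    ev(4080, INSTALLER_NAME, TASKKILL, "/f /im Update.exe", "HIGH", 128),
    ev(2484, INSTALLER_NAME, TASKKILL, "/f /im Report.exe", "HIGH", 128),
    ev(3096, INSTALLER_NAME, REGSVR32, rf"/s /u {APPDATA}\ShellExt.dll", "HIGH", 3),
    ev(1996, INSTALLER_NAME, REGSVR32, rf"/s /u {APPDATA}\Checker.dll", "HIGH", 3),
]

STATUS_ELEVATION_REQUIRED = 0xC000042C
# Lookup tables (subset): NTSTATUS values from ntstatus.h; tool codes as documented
# for taskkill.exe and regsvr32.exe.
NTSTATUS = {STATUS_ELEVATION_REQUIRED: "STATUS_ELEVATION_REQUIRED",
            0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC000013A: "STATUS_CONTROL_C_EXIT"}
TASKKILL_EXIT = {0: "terminated", 128: "process not found"}
REGSVR32_EXIT = {0: "ok", 1: "invalid argument", 2: "OleInitialize failed",
                 3: "LoadLibrary failed", 4: "entry point not found",
                 5: "DllRegisterServer/DllUnregisterServer failed"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def describe_exit(event):
    code = event["exit_code"]
    if code >= 0xC0000000:  # an NTSTATUS error, not a tool's own return code
        return f"0x{code:08X} {NTSTATUS.get(code, 'unknown NTSTATUS')}"
    table = {"taskkill.exe": TASKKILL_EXIT, "regsvr32.exe": REGSVR32_EXIT}.get(basename(event["image"]), {})
    return table.get(code, str(code))


def find_taskkill_sweep(events, min_targets=3):
    """Parents that force-kill several images by name (taskkill /f /im ...). Installers
    do this to stop an older version; so does malware clearing out rivals."""
    targets = defaultdict(list)
    for e in events:
        if basename(e["image"]) != "taskkill.exe":
            continue
        toks = tokenize(e["cmdline"])
        lower = [t.lower() for t in toks]
        if "/f" in lower and "/im" in lower and lower.index("/im") + 1 < len(toks):
            targets[e["parent"]].append(toks[lower.index("/im") + 1])
    return {p: sorted(t) for p, t in targets.items() if len(t) >= min_targets}


def find_regsvr32_unregister(events, roots=("\\appdata\\",)):
    """regsvr32 /u pointed at a DLL under the user profile: a COM object or shell
    extension registered from %AppData% is being unregistered."""
    hits = []
    for e in events:
        if basename(e["image"]) != "regsvr32.exe":
            continue
        toks = tokenize(e["cmdline"])[1:]
        switches = {t.lower() for t in toks if t.startswith("/")}
        paths = [t for t in toks if not t.startswith("/")]
        if "/u" in switches and paths and any(r in paths[-1].lower() for r in roots):
            hits.append((e["parent"], paths[-1], describe_exit(e)))
    return hits


def find_elevation_relaunch(events):
    """Same image started twice by the same parent: a MEDIUM run that died with
    STATUS_ELEVATION_REQUIRED, then a HIGH run. The binary demanded admin rights."""
    runs = defaultdict(list)
    for e in events:
        runs[(e["parent"], e["image"].lower())].append(e)
    hits = []
    for (_parent, image), group in runs.items():
        denied = [e for e in group if e["exit_code"] == STATUS_ELEVATION_REQUIRED and e["integrity"] == "MEDIUM"]
        elevated = [e for e in group if e["integrity"] == "HIGH" and e["exit_code"] != STATUS_ELEVATION_REQUIRED]
        if denied and elevated:
            hits.append((image, denied[0]["pid"], elevated[0]["pid"]))
    return hits


def triage(events):
    return {"elevation_relaunch": find_elevation_relaunch(events),
            "taskkill_sweep": find_taskkill_sweep(events),
            "regsvr32_unregister": find_regsvr32_unregister(events)}


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

The three checks are written against the parent's image name rather than its PID so the same logic works on Sysmon event 1 or EDR telemetry, where PIDs are reused; the `min_targets` threshold keeps a single legitimate `taskkill` from firing the sweep rule.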
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Local\Temp\ABCPhotoView.7z | — | — | — |
| 832 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | 9A24B65FCBC1386B75BEF6D800F00467 | CA84D551051C7FEEEB2E618C1ED21EF3A5511C3F4937EB969629F58AEADF58E6 |
| 2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Local\Temp\CheckABCPhotoView.7z.md5 | text | D3A69274F5AFD78BAF3962EB67A11E7D | 084DC4A0AED2CA57137B62A88A1FBB0F98B61485A640BD870405D564B784C213 |
| 2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\UpdateCheck.exe | executable | B337F848EAE3E82EF226237DC967CD5D | 662035F10460F746F54DAB734DD74519D23985708020A3055E79B186C0F2F61F |
| 2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\render-gdi.dll | executable | 8D7FA3E6D279BF7E18ED1978B3A3DF0C | 920A6EF0B8D0180483F493C517475FD02260EE45FB92588B5E20B35695B59639 |
| 2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\Uninst.exe | executable | 0AF56280F0E3622309C4C16ABD51994A | BA6CF403C10A6CEEE80531F0BE8D9BB6A21448FC9079D4B618CF3D54B170DCAD |
| 3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.3830\PhotoViewer_v1.4.0.9_sem2_001.exe_ | executable | 63C8853AB225B5764FBA1ABC5D2C897B | B9C1693F726F0AF9378FB5AC979986A60430D2262B47E0B34E6C29EC264D0DA0 |
| 2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\CaptureScreen.exe | executable | 3E4C0737DA7CFB1777AC4B780F111BAC | 098237F348DBD21280CC2D1B685BA0B08792E95D0C27EF72B6CCD9724A41EC31 |
| 2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\PhotoManager.exe | executable | 6EB403F6D631E7A383C4235B04905C06 | 962A275F2318366B470018BEC4E76BB7FBB1C02585DDC11ADAEE77BA1347CAFF |
| 2452 | PhotoViewer_v1.4.0.9_sem2_001.exe | C:\Users\admin\AppData\Roaming\PhotoViewer\imgdecoder-gdip.dll | executable | 397E4E197ED636452CC708136DE66DBA | 9C788ADF50510B2C52B088C1DFD551B397FE9BBE795FFB9A60C20F0136CC85EB |

The WinRAR row is the inner installer as extracted from the archive (still named `.exe_`), so its MD5/SHA256 are the hashes of the executable itself rather than of the ZIP wrapper. The installer unpacks its payload from a 7z archive in %Temp% (with an accompanying `.md5` check file, neither of which was hashed) and drops its components under %AppData%\Roaming\PhotoViewer.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/css/reset.css | CN | text | 915 b | malicious |
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/css/reset.css | CN | text | 915 b | malicious |
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/ | CN | html | 625 b | malicious |
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/imgs/img_ktnews.png | CN | image | 151 Kb | malicious |
2592 | Report.exe | GET | 200 | 117.50.8.146:80 | http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfVa3GLYOp7vJfg4eJzBqmNAKk4D5s4iWrN493HliZr6wPa/CkXSxSZeMkN3tRtfydHIcsV42Yzqrr7+GtJJBI5QFK8z8U2RX8GLddccSGIoJg7vNdjWpw+ZrQgGaLfjlF0vKjuYXrZ9Mt7VXiZHYoT/CQsAIbplnJQkJ/X7SB+cm3zLQ/v+QM4SihKRgD0GmsjWNgFLv20Z9bFnvcskH | CN | image | 43 b | malicious |
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/css/index.css | CN | text | 449 b | malicious |
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/imgs/news_logo.png | CN | image | 824 b | malicious |
4088 | Report.exe | GET | 200 | 117.50.8.146:80 | http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfVa3GLYOp7vJfg4eJzBqmNAKk4D5s4iWrN493HliZr6wPa/CkXSxSZeMkN3tRtfydHIcsV42Yzqrr7+GtJJBI5QFK8z8U2RX8GLddccSGIoJg7vNdjWpw+ZrQgGaLfjlF0vKjuYXrZ9Mt7VXiZHYoT/CQsAIbplnJQkJ/X7SB+cm3zLQ/v+QM4SihKRgD0GmsjWNgFLv2kp7bFnvcskGlB4xiguZm09g7d6kxrOn41QeX6lX5bD7QYXD9rTXWnL4KKKIV1ok1PKIe1y9OYBoVb5pYCgcsOMREN2LDtYl | CN | image | 43 b | malicious |
3500 | PhotoViewer.exe | GET | 200 | 221.204.58.110:80 | http://ktnews.7654.com/js/data.js | CN | text | 643 b | malicious |
4088 | Report.exe | GET | 200 | 117.50.8.146:80 | http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfVa3GLYOp7vJfg4eJzBqmNAKk4D5s4iWrN493HliZr6wPa/CkXSxSZeMkN3tRtfydHIcsV42Yzqrr7+GtJJBI5QFK8z8U2RX8GLddccSGIoJg7vNdjWpw+ZrQgGaLfjlF0vKjuYXrZ9Mt7VXiZHYoT/CQsAIbplnJQkJ/X7SB+cm3zLQ/v+QM4SihKR1HwiqtjGZ3ga9jhJ2GlDjcpta3BY/wR6V0w4xuJjzkOvzsg9dXbUY8r+uV4nf6O6IUmjnPLnIA1YmgqTYM0yk | CN | image | 43 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3500 | PhotoViewer.exe | 221.204.58.110:80 | ktnews.7654.com | CHINA UNICOM China169 Backbone | CN | suspicious |
2592 | Report.exe | 117.50.8.146:80 | kantu.shzhanmeng.com | China Unicom Beijing Province Network | CN | malicious |
3500 | PhotoViewer.exe | 43.224.184.222:80 | down2.abckantu.com | Computer Network Information Center | CN | suspicious |
2592 | Report.exe | 43.224.184.222:80 | down2.abckantu.com | Computer Network Information Center | CN | suspicious |
2592 | Report.exe | 43.224.184.221:80 | down2.abckantu.com | Computer Network Information Center | CN | unknown |
3500 | PhotoViewer.exe | 43.224.184.221:80 | down2.abckantu.com | Computer Network Information Center | CN | unknown |
3500 | PhotoViewer.exe | 221.204.166.22:80 | ktnews.7654.com | CHINA UNICOM China169 Backbone | CN | malicious |
2592 | Report.exe | 43.224.184.217:80 | down2.abckantu.com | Computer Network Information Center | CN | unknown |
2592 | Report.exe | 43.224.184.219:80 | down2.abckantu.com | Computer Network Information Center | CN | unknown |
2592 | Report.exe | 43.224.184.235:80 | down2.abckantu.com | Computer Network Information Center | CN | unknown |
| Domain | IP | Reputation |
|---|---|---|
| kantu.shzhanmeng.com | — | malicious |
| ktnews.7654.com | — | malicious |
| down2.abckantu.com | — | unknown |
| cdn3.guangsuss.com | — | malicious |
| dns.msftncsi.com | — | shared |
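In the HTTP table above, PhotoViewer.exe loads an ordinary page from ktnews.7654.com, while Report.exe repeatedly fetches `2.gif` (43 bytes, the size of the canonical 1x1 transparent GIF) with a long `food=` value. As an added example (not part of the report or of ANY.RUN's tooling), the Python below walks constructed rows copied from that table, lists the hosts each process contacted, and flags tracking-pixel style beacons: tiny image responses whose query string carries a long base64-alphabet value, which is a GET request doing the work of a POST. It also measures how much of the blob is identical across the three beacons. The size thresholds, the 1024-byte reading of the report's "Kb", and the row field order are assumptions of the example.

```python
"""Pull network IOCs out of sandbox HTTP rows and flag tracking-pixel beacons."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed rows copied from the report's HTTP table (one duplicate dropped):
# (pid, process, http_status, "ip:port", url, content_type, size_as_printed)
HTTP_ROWS = [
    (3500, "PhotoViewer.exe", 200, "221.204.58.110:80", "http://ktnews.7654.com/css/reset.css", "text", "915 b"),
    (3500, "PhotoViewer.exe", 200, "221.204.58.110:80", "http://ktnews.7654.com/", "html", "625 b"),
    (3500, "PhotoViewer.exe", 200, "221.204.58.110:80", "http://ktnews.7654.com/imgs/img_ktnews.png", "image", "151 Kb"),
    (2592, "Report.exe", 200, "117.50.8.146:80", "http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfVa3GLYOp7vJfg4eJzBqmNAKk4D5s4iWrN493HliZr6wPa/CkXSxSZeMkN3tRtfydHIcsV42Yzqrr7+GtJJBI5QFK8z8U2RX8GLddccSGIoJg7vNdjWpw+ZrQgGaLfjlF0vKjuYXrZ9Mt7VXiZHYoT/CQsAIbplnJQkJ/X7SB+cm3zLQ/v+QM4SihKRgD0GmsjWNgFLv20Z9bFnvcskH", "image", "43 b"),
    (3500, "PhotoViewer.exe", 200, "221.204.58.110:80", "http://ktnews.7654.com/css/index.css", "text", "449 b"),
    (3500, "PhotoViewer.exe", 200, "221.204.58.110:80", "http://ktnews.7654.com/imgs/news_logo.png", "image", "824 b"),
    (4088, "Report.exe", 200, "117.50.8.146:80", "http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfVa3GLYOp7vJfg4eJzBqmNAKk4D5s4iWrN493HliZr6wPa/CkXSxSZeMkN3tRtfydHIcsV42Yzqrr7+GtJJBI5QFK8z8U2RX8GLddccSGIoJg7vNdjWpw+ZrQgGaLfjlF0vKjuYXrZ9Mt7VXiZHYoT/CQsAIbplnJQkJ/X7SB+cm3zLQ/v+QM4SihKRgD0GmsjWNgFLv2kp7bFnvcskGlB4xiguZm09g7d6kxrOn41QeX6lX5bD7QYXD9rTXWnL4KKKIV1ok1PKIe1y9OYBoVb5pYCgcsOMREN2LDtYl", "image", "43 b"),
    (3500, "PhotoViewer.exe", 200, "221.204.58.110:80", "http://ktnews.7654.com/js/data.js", "text", "643 b"),
    (4088, "Report.exe", 200, "117.50.8.146:80", "http://kantu.shzhanmeng.com/2.gif?proj=kantu&food=D5CmfVa3GLYOp7vJfg4eJzBqmNAKk4D5s4iWrN493HliZr6wPa/CkXSxSZeMkN3tRtfydHIcsV42Yzqrr7+GtJJBI5QFK8z8U2RX8GLddccSGIoJg7vNdjWpw+ZrQgGaLfjlF0vKjuYXrZ9Mt7VXiZHYoT/CQsAIbplnJQkJ/X7SB+cm3zLQ/v+QM4SihKR1HwiqtjGZ3ga9jhJ2GlDjcpta3BY/wR6V0w4xuJjzkOvzsg9dXbUY8r+uV4nf6O6IUmjnPLnIA1YmgqTYM0yk", "image", "43 b"),
]

# Assumption: the report's "b" and "Kb" are bytes and 1024-byte kilobytes.
SIZE_UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_size(text):
    """'43 b' -> 43, '151 Kb' -> 154624."""
    value, unit = text.split()
    return int(float(value) * SIZE_UNITS[unit.lower()])


def split_query(query):
    """Split a query string without percent-decoding: a literal '+' here belongs to
    the base64 alphabet, and urllib's parse_qsl would turn it into a space."""
    pairs = []
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            pairs.append((key, value))
    return pairs


def looks_base64(value, min_len=64):
    return len(value) >= min_len and BASE64_RE.match(value) is not None


def find_pixel_beacons(rows, max_bytes=64, min_len=64):
    """Image responses no larger than a 1x1 GIF whose query string carries a long
    base64-alphabet value: the request, not the response, is the payload."""
    hits = []
    for pid, proc, _status, ip_port, url, ctype, size in rows:
        if ctype != "image" or parse_size(size) > max_bytes:
            continue
        parts = urlsplit(url)
        for key, value in split_query(parts.query):
            if looks_base64(value, min_len):
                hits.append({"pid": pid, "process": proc, "host": parts.hostname,
                             "ip": ip_port.split(":")[0], "path": parts.path,
                             "param": key, "payload": value})
    return hits


def static_prefix_len(payloads):
    """Length of the leading run shared by every payload. A long shared prefix means
    the leading fields are constant between beacons (or the encoding is deterministic)."""
    if not payloads:
        return 0
    shortest = min(payloads, key=len)
    for i, ch in enumerate(shortest):
        if any(p[i] != ch for p in payloads):
            return i
    return len(shortest)


def hosts_by_process(rows):
    """Which (hostname, ip) pairs each process talked to."""
    seen = defaultdict(set)
    for _, proc, _, ip_port, url, _, _ in rows:
        seen[proc].add((urlsplit(url).hostname, ip_port.split(":")[0]))
    return {proc: sorted(pairs) for proc, pairs in seen.items()}


if __name__ == "__main__":
    beacons = find_pixel_beacons(HTTP_ROWS)
    for b in beacons:
        print(f"pid {b['pid']} {b['process']} -> {b['host']}{b['path']} ?{b['param']}= ({len(b['payload'])} chars)")
    print("shared prefix across beacons:", static_prefix_len([b["payload"] for b in beacons]))
    print(hosts_by_process(HTTP_ROWS))
```

The shared-prefix measurement is the first thing worth knowing about an opaque beacon blob: if most of it never changes between requests, the variable tail is where the per-event data lives, and a single request/response pair can be diffed against the next one to find it.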
| Process | Message |
|---|---|
| PhotoViewer.exe | ~ImageProxy() (logged 8 times) |