Field | Value
---|---
File name | _.zip
Full analysis | https://app.any.run/tasks/13ddd915-956c-473c-8485-1786bac13a5b
Verdict | Malicious activity
Analysis date | September 30, 2020, 07:41:41
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators |
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 5DBF41454F3F9AA46B310010ACB83A69
SHA1 | F7A9210F64F297F6602950AD868585DB53823D68
SHA256 | D3160823838521D5E2AFD1F10AE47BA38CFAF0F63E3E27C943073890A1A1238D
SSDEEP | 196608:NHw3N4MyGZpkrURxw8IqXMkM8FukVTiu3hUYel+ACtnpTknzyt5s2iL973wXFFq:NHun+URxwlPitliu3O3CpTkzOd45w1Fq
Extension | Description
---|---
.kmz | Google Earth saved working session (60)
.zip | ZIP compressed archive (40)
Field | Value
---|---
ZipFileName | _/
ZipUncompressedSize | -
ZipCompressedSize | -
ZipCRC | 0x00000000
ZipModifyDate | 2020:09:28 14:44:22
ZipCompression | None
ZipBitFlag | -
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2596 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\_.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
1704 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\!.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe
1240 | "C:\Users\admin\Desktop\FileZilla_3.50.0_win64_sponsored-setup.exe" | C:\Users\admin\Desktop\FileZilla_3.50.0_win64_sponsored-setup.exe | — | explorer.exe
1728 | "C:\Users\admin\Desktop\FileZilla_3.50.0_win64_sponsored-setup.exe" /UAC:60152 /NCRC | C:\Users\admin\Desktop\FileZilla_3.50.0_win64_sponsored-setup.exe | — | FileZilla_3.50.0_win64_sponsored-setup.exe
2336 | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\FileZilla FTP Client\fzshellext_64.dll" | C:\Windows\system32\regsvr32.exe | — | FileZilla_3.50.0_win64_sponsored-setup.exe
1884 | "C:\Program Files\FileZilla FTP Client\filezilla.exe" | C:\Program Files\FileZilla FTP Client\filezilla.exe | — | FileZilla_3.50.0_win64_sponsored-setup.exe
2624 | "C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -- . C:\Users\admin\Desktop\old C:\Users\admin\Desktop\new | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
2596 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0
1704 | admin | Microsoft Corporation | MEDIUM | Notepad | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
1240 | admin | Tim Kosse | MEDIUM | FileZilla FTP Client | 0 | 3.50.0
1728 | admin | Tim Kosse | HIGH | FileZilla FTP Client | 0 | 3.50.0
2336 | admin | Microsoft Corporation | HIGH | Microsoft(C) Register Server | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
1884 | admin | FileZilla Project | MEDIUM | FileZilla FTP Client | 0 | 3, 50, 0, 0
2624 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
2596 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write | LanguageList | en-US
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\_.zip
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
2596 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write | @C:\Windows\system32\notepad.exe,-469 | Text Document
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\0018E327.log | — | — | —
2596 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2596.6582\_\FileZilla_3.50.0_win64_sponsored-setup.exe | executable | 90F560CE71CC77FC2E121761EEEF265C | D04BBCD2855D3BBA4627CBB1DA3A0E5FA79FE0B27B371024605FF1382EA94C58
2596 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2596.6582\_\!.txt | text | 50411758798F11294A9C27DE6C37B4E9 | 510FE6A59D8BBD8A7508C56A997D56A07632DF77FD934CB556D883C9CB8C3193
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsh852B.tmp\nsdE04D.tmp | executable | B7B1A495F08CF92743B57890CDDCBAB3 | 6F86F098CEEE30D723AC2505B3C1A3C2C75246CFF14E3CBC10D92F2730F8DD95
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsh852B.tmp\modern-wizard.bmp | image | CBE40FD2B1EC96DAEDC65DA172D90022 | 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
1240 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsf7F9D.tmp\UAC.dll | executable | ADB29E6B186DAA765DC750128649B63D | 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsd16310159593\css\main.css | text | 9B27E2A266FE15A3AABFE635C29E8923 | 166AA42BC5216C5791388847AE114EC0671A0D97B9952D14F29419B8BE3FB23F
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsh852B.tmp\nsDialogs.dll | executable | 466179E1C8EE8A1FF5E4427DBB6C4A01 | 1E40211AF65923C2F4FD02CE021458A7745D28E2F383835E3015E96575632172
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsh852B.tmp\System.dll | executable | 0D7AD4F45DC6F5AA87F606D0331C6901 | 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
1240 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsf7F9D.tmp\System.dll | executable | 0D7AD4F45DC6F5AA87F606D0331C6901 | 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
532 | svchost.exe | GET | 200 | 49.12.121.47:443 | https://offers.filezilla-project.org/offerinfo.php | IN | — | — | whitelisted |
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | GET | 200 | 143.204.94.91:80 | http://cloud.nitehe-nutete.com/ | US | — | — | whitelisted |
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | POST | 200 | 143.204.94.91:443 | https://cloud.nitehe-nutete.com/ | US | — | — | whitelisted |
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | POST | 200 | 143.204.94.91:443 | https://cloud.nitehe-nutete.com/ | US | — | — | whitelisted |
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | POST | 200 | 13.225.73.25:443 | https://remote.nitehe-nutete.com/ | US | binary | 654 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | 13.225.73.25:443 | remote.nitehe-nutete.com | — | US | suspicious |
1884 | filezilla.exe | 192.185.155.49:49890 | — | CyrusOne LLC | US | malicious |
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | 49.12.121.47:443 | offers.filezilla-project.org | — | IN | suspicious |
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | 143.204.94.91:80 | cloud.nitehe-nutete.com | — | US | unknown |
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | 143.204.94.91:443 | cloud.nitehe-nutete.com | — | US | unknown |
1884 | filezilla.exe | 49.12.121.47:443 | offers.filezilla-project.org | — | IN | suspicious |
1884 | filezilla.exe | 192.185.155.49:47566 | — | CyrusOne LLC | US | malicious |
1884 | filezilla.exe | 192.185.155.49:21 | — | CyrusOne LLC | US | malicious |
1884 | filezilla.exe | 192.185.155.49:48452 | — | CyrusOne LLC | US | malicious |
1884 | filezilla.exe | 192.185.155.49:38758 | — | CyrusOne LLC | US | malicious |
Domain | IP | Reputation
---|---|---
offers.filezilla-project.org | | whitelisted
cloud.nitehe-nutete.com | | whitelisted
remote.nitehe-nutete.com | | shared
update.filezilla-project.org | | whitelisted