| Field | Value |
|---|---|
| File name | 带毒暴风激活.zip |
| Full analysis | https://app.any.run/tasks/b4e0e65b-82de-4a8b-8f7d-9e1ec65c5c41 |
| Verdict | Malicious activity |
| Analysis date | July 18, 2019, 07:00:41 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 348A01DC8257D9CBBFADAAE5F7E6ACF0 |
| SHA1 | A05EB641E25CAEAC7B6C17C9115FCBCA311C290B |
| SHA256 | D5B2028332CFA7C6ABD45DCC02310443C9ADA7FF61FB8C9BEDE910892E55DFD6 |
| SSDEEP | 98304:ZQ0zOWINi5Ua0ozEW5KujzMwChFgcbr0SOFtBPjAaEPx8VX:K7/owW5KujQ1F74TFXPcnPuR |
| Extension | Description |
|---|---|
| .zip | ZIP compressed archive (100) |

| ZIP field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0001 |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:04:18 18:47:12 |
| ZipCRC | 0x40c57347 |
| ZipCompressedSize | 54767 |
| ZipUncompressedSize | 56320 |
| ZipFileName | ???????缤??/DesktopLayer.exe |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3008 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\带毒暴风激活.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
| 2892 | "C:\Users\admin\Desktop\¦°¦+¦¬+t+ñ+e\¦¬+t+ñ+e¦ñ+¯V17.0.exe" | C:\Users\admin\Desktop\¦°¦+¦¬+t+ñ+e\¦¬+t+ñ+e¦ñ+¯V17.0.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) |
| 3084 | "C:\Users\admin\Desktop\¦°¦+¦¬+t+ñ+e\¦¬+t+ñ+e¦ñ+¯V17.0.exe" | C:\Users\admin\Desktop\¦°¦+¦¬+t+ñ+e\¦¬+t+ñ+e¦ñ+¯V17.0.exe | | explorer.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 752 | "C:\Users\admin\AppData\Local\Temp\uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe" | C:\Users\admin\AppData\Local\Temp\uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe | | ¦¬+t+ñ+e¦ñ+¯V17.0.exe | User: admin; Integrity Level: HIGH; Description: 暴风一键激活工具 (Baofeng one-click activation tool); Version: 16.0.0.0 |
| 2680 | "C:\Users\admin\AppData\Local\Temp\lmnopqrstuvwxyz1.exe" | C:\Users\admin\AppData\Local\Temp\lmnopqrstuvwxyz1.exe | | ¦¬+t+ñ+e¦ñ+¯V17.0.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 2792 | C:\Users\admin\AppData\Local\Temp\uvwxyz±©·ç¼¤»î¹¤¾ßV17.0Srv.exe | C:\Users\admin\AppData\Local\Temp\uvwxyz±©·ç¼¤»î¹¤¾ßV17.0Srv.exe | | uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe | User: admin; Company: SOFTWIN S.R.L.; Integrity Level: HIGH; Description: BitDefender Management Console; Exit code: 0; Version: 106.42.73.61 |
| 3392 | "C:\Users\admin\AppData\Local\Temp\ghijklmnopqrstuvwxyz1227Favrite.exe" | C:\Users\admin\AppData\Local\Temp\ghijklmnopqrstuvwxyz1227Favrite.exe | | ¦¬+t+ñ+e¦ñ+¯V17.0.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 3976 | "C:\Program Files\Microsoft\DesktopLayer.exe" | C:\Program Files\Microsoft\DesktopLayer.exe | — | uvwxyz±©·ç¼¤»î¹¤¾ßV17.0Srv.exe | User: admin; Company: SOFTWIN S.R.L.; Integrity Level: HIGH; Description: BitDefender Management Console; Exit code: 0; Version: 106.42.73.61 |
| 1376 | "C:\Users\admin\AppData\Local\Temp\klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe" | C:\Users\admin\AppData\Local\Temp\klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe | | ¦¬+t+ñ+e¦ñ+¯V17.0.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
| 4064 | "C:\Program Files\Internet Explorer\iexplore.exe" | C:\Program Files\Internet Explorer\iexplore.exe | | DesktopLayer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\¦°¦+¦¬+t+ñ+e\¦¬+t+ñ+e¦ñ+¯V17.0.exe | — | — | — |
| 3008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\¦°¦+¦¬+t+ñ+e\¦+¦ª.exe | — | — | — |
| 3008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\¦°¦+¦¬+t+ñ+e\¦+¦+.exe | — | — | — |
| 4064 | iexplore.exe | C:\Program Files\Internet Explorer\dmlconf.dat | binary | 326A6A047A53851BD9173FC64FAD73FA | 02E2E1CF9C39C685FBFD362472138F82D7F72B82E4796094CD3A4246E775FA58 |
| 3424 | FavriteAdd.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks | text | 34566C46376D079D27B12EEA85CEEBAA | 250642DC7E73AD9672BC101A36070DA0146D95C3F7C77339CBF0743DCB5519FB |
| 3084 | ¦¬+t+ñ+e¦ñ+¯V17.0.exe | C:\Users\admin\AppData\Local\Temp\ghijklmnopqrstuvwxyz1227Favrite.exe | executable | 7056FE9E72CA2C0BDA7A9CD3D31F957A | 8107FD89F68F296ED7B6E1C9EAF0DE8CB7FD30C26C326AF3ABA9181A13E84564 |
| 3084 | ¦¬+t+ñ+e¦ñ+¯V17.0.exe | C:\Users\admin\AppData\Local\Temp\lmnopqrstuvwxyz1.exe | executable | CEBBB6981127ADFE289B7F1590EB3A86 | 95814D21A4E481E90EF386095CA88684CE69EF6B844D8D4C47E1F90F2D3903D4 |
| 3008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\¦°¦+¦¬+t+ñ+e\QGrX1Y9Ksx.sys | executable | 92E55907BB25B02522FBAFD21B683D98 | D87A67CF824DC6C073AF4928563944308722470D663A283DF4E73901CFF21760 |
| 3084 | ¦¬+t+ñ+e¦ñ+¯V17.0.exe | C:\Users\admin\AppData\Local\Temp\vwxyz73351a00c84c94d3.exe | executable | DAFCF4141772AA93371798BEC1C60A28 | AC8C2D9FBE06DA7D399B6A04B45A00692ADB08D5044C4D776F8C5237F3085FED |
| 3008 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\¦°¦+¦¬+t+ñ+e\InstallDeleteFile.exe | executable | 705D68F498D5F31C921B1133ACD0ECAF | F360CE7A7952092789EB40B416EA07F63D224A98834743AB04BCB57BB35D7819 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2680 | lmnopqrstuvwxyz1.exe | GET | — | 42.180.125.194:80 | http://down.win11xz.cn/hp0409.exe | CN | — | — | suspicious |
| 2504 | ¼¤»î¹¤¾ß2.exe | POST | — | 119.23.216.188:80 | http://report.win10999.com/reportStatistics/ | CN | — | — | malicious |
| 2504 | ¼¤»î¹¤¾ß2.exe | GET | 200 | 103.235.46.39:80 | http://www.baidu.com/s?ie=utf-8&wd=ip | HK | html | 416 KB | whitelisted |
| 3968 | vwxyz73351a00c84c94d3.exe | POST | — | 61.135.186.213:80 | http://dr.toolbar.baidu.com/ | CN | — | — | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2504 | ¼¤»î¹¤¾ß2.exe | 119.23.216.188:80 | report.win10999.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
| 2680 | lmnopqrstuvwxyz1.exe | 42.180.125.194:80 | down.win11xz.cn | CHINA UNICOM China169 Backbone | CN | suspicious |
| 2504 | ¼¤»î¹¤¾ß2.exe | 103.235.46.39:80 | www.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | unknown |
| 3968 | vwxyz73351a00c84c94d3.exe | 61.135.186.213:80 | dr.toolbar.baidu.com | China Unicom Beijing Province Network | CN | unknown |
| Domain | IP | Reputation |
|---|---|---|
| down.win11xz.cn | | suspicious |
| dr.toolbar.baidu.com | | unknown |
| www.baidu.com | | whitelisted |
| dr.addressbar.baidu.com | | unknown |
| dns.msftncsi.com | | shared |
| report.win10999.com | | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 2680 | lmnopqrstuvwxyz1.exe | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 |
| 2680 | lmnopqrstuvwxyz1.exe | A Network Trojan was detected | ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL |