File name: 带毒暴风激活.zip
Full analysis: https://app.any.run/tasks/b4e0e65b-82de-4a8b-8f7d-9e1ec65c5c41
Verdict: Malicious activity
Analysis date: July 18, 2019, 07:00:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 348A01DC8257D9CBBFADAAE5F7E6ACF0
SHA1: A05EB641E25CAEAC7B6C17C9115FCBCA311C290B
SHA256: D5B2028332CFA7C6ABD45DCC02310443C9ADA7FF61FB8C9BEDE910892E55DFD6
SSDEEP: 98304:ZQ0zOWINi5Ua0ozEW5KujzMwChFgcbr0SOFtBPjAaEPx8VX:K7/owW5KujQ1F74TFXPcnPuR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0Srv.exe (PID: 2792)
      • DesktopLayer.exe (PID: 3976)
      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe (PID: 752)
      • lmnopqrstuvwxyz1.exe (PID: 2680)
      • klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe (PID: 1376)
      • ¼¤»î¹¤¾ß2.exe (PID: 2504)
      • FavriteAdd.exe (PID: 3424)
      • ghijklmnopqrstuvwxyz1227Favrite.exe (PID: 3392)
      • vwxyz73351a00c84c94d3.exe (PID: 3968)
      • DelNsisSelf.exe (PID: 3480)
      • Del24E8.tmp (PID: 2476)
      • IELink.exe (PID: 2880)
      • ASBarBroker.exe (PID: 2632)
      • SppExtComObjPatcher.exe (PID: 3496)
      • KMSService.exe (PID: 3804)
    • Changes the login/logoff helper path in the registry

      • iexplore.exe (PID: 4064)
    • Loads dropped or rewritten executable

      • vwxyz73351a00c84c94d3.exe (PID: 3968)
      • OSPPSVC.EXE (PID: 4020)
    • Loads the Task Scheduler COM API

      • OSPPSVC.EXE (PID: 4020)
    • Changes Image File Execution Options

      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe (PID: 752)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3008)
      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe (PID: 752)
      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0Srv.exe (PID: 2792)
      • ¦¬+t+ñ+e¦ñ+¯V17.0.exe (PID: 3084)
      • ghijklmnopqrstuvwxyz1227Favrite.exe (PID: 3392)
      • klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe (PID: 1376)
      • vwxyz73351a00c84c94d3.exe (PID: 3968)
      • DelNsisSelf.exe (PID: 3480)
    • Creates files in the program directory

      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0Srv.exe (PID: 2792)
      • iexplore.exe (PID: 4064)
      • vwxyz73351a00c84c94d3.exe (PID: 3968)
    • Starts itself from another location

      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0Srv.exe (PID: 2792)
      • DelNsisSelf.exe (PID: 3480)
    • Creates files in the user directory

      • lmnopqrstuvwxyz1.exe (PID: 2680)
      • FavriteAdd.exe (PID: 3424)
    • Starts Internet Explorer

      • DesktopLayer.exe (PID: 3976)
    • Low-level read access rights to disk partition

      • vwxyz73351a00c84c94d3.exe (PID: 3968)
      • ¼¤»î¹¤¾ß2.exe (PID: 2504)
    • Executed as Windows Service

      • ¼¤»î¹¤¾ß2.exe (PID: 2504)
      • KMSService.exe (PID: 3804)
      • SppExtComObjPatcher.exe (PID: 3496)
    • Uses WMIC.EXE to obtain system information

      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe (PID: 752)
      • ¼¤»î¹¤¾ß2.exe (PID: 2504)
    • Starts CMD.EXE for command execution

      • klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe (PID: 1376)
      • FavriteAdd.exe (PID: 3424)
      • Del24E8.tmp (PID: 2476)
    • Starts CMD.EXE for self-deleting

      • klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe (PID: 1376)
    • Starts application with an unusual extension

      • DelNsisSelf.exe (PID: 3480)
    • Uses NETSH.EXE for network configuration

      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe (PID: 752)
    • Creates a software uninstall entry

      • vwxyz73351a00c84c94d3.exe (PID: 3968)
    • Creates COM task schedule object

      • vwxyz73351a00c84c94d3.exe (PID: 3968)
    • Uses TASKKILL.EXE to kill process

      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe (PID: 752)
    • Creates files in the Windows directory

      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe (PID: 752)
      • ¼¤»î¹¤¾ß2.exe (PID: 2504)
    • Executes scripts

      • uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe (PID: 752)
    • Removes files from Windows directory

      • ¼¤»î¹¤¾ß2.exe (PID: 2504)
    • Reads Environment values

      • ¼¤»î¹¤¾ß2.exe (PID: 2504)
  • INFO

    • Manual execution by user

      • ¦¬+t+ñ+e¦ñ+¯V17.0.exe (PID: 2892)
      • ¦¬+t+ñ+e¦ñ+¯V17.0.exe (PID: 3084)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:04:18 18:47:12
ZipCRC: 0x40c57347
ZipCompressedSize: 54767
ZipUncompressedSize: 56320
ZipFileName: ???????缤??/DesktopLayer.exe
No data.
All screenshots are available in the full report
Total processes: 98
Monitored processes: 39
Malicious processes: 6
Suspicious processes: 7

Behavior graph

The interactive graph is not reproduced here. Its edge labels are "start" and "drop and start"; "no specs" is the report's own marker on a node. Process nodes, in the order shown: winrar.exe, ¦¬+t+ñ+e¦ñ+¯v17.0.exe (no specs), ¦¬+t+ñ+e¦ñ+¯v17.0.exe, uvwxyz±©·ç¼¤»î¹¤¾ßv17.0.exe, lmnopqrstuvwxyz1.exe, uvwxyz±©·ç¼¤»î¹¤¾ßv17.0srv.exe, ghijklmnopqrstuvwxyz1227favrite.exe, desktoplayer.exe (no specs), klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe, vwxyz73351a00c84c94d3.exe, iexplore.exe, favriteadd.exe (no specs), ¼¤»î¹¤¾ß2.exe, wmic.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), ping.exe (no specs), ielink.exe (no specs), delnsisself.exe, del24e8.tmp (no specs), cmd.exe (no specs), wmic.exe (no specs), wmic.exe (no specs), wmic.exe (no specs), wmic.exe (no specs), asbarbroker.exe (no specs), wmic.exe (no specs), netsh.exe (no specs), taskkill.exe (no specs), netsh.exe (no specs), kmsservice.exe (no specs), taskkill.exe (no specs), taskkill.exe (no specs), taskkill.exe (no specs), cscript.exe (no specs), sppextcomobjpatcher.exe (no specs), osppsvc.exe (no specs), cscript.exe (no specs), wmic.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 680
CMD: netsh firewall delete allowedprogram "C:\Windows\KMSService.exe"
Path: C:\Windows\system32\netsh.exe
Parent process: uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 752
CMD: "C:\Users\admin\AppData\Local\Temp\uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe
Parent process: ¦¬+t+ñ+e¦ñ+¯V17.0.exe
User: admin
Integrity Level: HIGH
Description: 暴风一键激活工具
Exit code: 0
Version: 16.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\uvwxyz±©·ç¼¤»î¹¤¾ßv17.0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 788
CMD: taskkill /im "KMSService.exe" /t /f
Path: C:\Windows\system32\taskkill.exe
Parent process: uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 1376
CMD: "C:\Users\admin\AppData\Local\Temp\klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe"
Path: C:\Users\admin\AppData\Local\Temp\klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe
Parent process: ¦¬+t+ñ+e¦ñ+¯V17.0.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 1604
CMD: wmic path SoftwareLicensingService where version='6.1.7601.17514' call SetVLActivationTypeEnabled 2
Path: C:\Windows\System32\Wbem\wmic.exe
Parent process: uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 44028
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1604
CMD: netsh firewall add allowedprogram "C:\Windows\KMSService.exe" "vlmcsd"
Path: C:\Windows\system32\netsh.exe
Parent process: uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\fastprox.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wbem\wbemprox.dll
PID: 2340
CMD: cscript C:\Windows\system32\slmgr.vbs -xpr
Path: C:\Windows\system32\cscript.exe
Parent process: uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Console Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2472
CMD: taskkill /im "osppsvc.exe" /t /f
Path: C:\Windows\system32\taskkill.exe
Parent process: uvwxyz±©·ç¼¤»î¹¤¾ßV17.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 2476
CMD: "C:\Users\admin\AppData\Local\Temp\Del24E8.tmp" /pcmd="c:\users\admin\appdata\local\temp\ghijklmnopqrstuvwxyz1227favrite.exe" /cmd="C:\Users\admin\Desktop\DelNsisSelf.exe" /ppid=3392 /pid=3480
Path: C:\Users\admin\AppData\Local\Temp\Del24E8.tmp
Parent process: DelNsisSelf.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules (images):
c:\users\admin\appdata\local\temp\del24e8.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2504
CMD: C:\Users\admin\AppData\Local\Temp\¼¤»î¹¤¾ß2.exe
Path: C:\Users\admin\AppData\Local\Temp\¼¤»î¹¤¾ß2.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\¼¤»î¹¤¾ß2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events: 2 319
Read events: 1 986
Write events: 331
Delete events: 2

Modification events

(PID) Process: (3008) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3008) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3008) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3008) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\带毒暴风激活.zip

(PID) Process: (3008) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3008) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3008) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3008) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3008) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (3008) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 35
Suspicious files: 4
Text files: 20
Unknown types: 6

Dropped files

PID: 3008
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\¦°¦+¦¬+t+ñ+e\¦¬+t+ñ+e¦ñ+¯V17.0.exe
MD5:
SHA256:

PID: 3008
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\¦°¦+¦¬+t+ñ+e\¦+¦ª.exe
MD5:
SHA256:

PID: 3008
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\¦°¦+¦¬+t+ñ+e\¦+¦+.exe
MD5:
SHA256:

PID: 3084
Process: ¦¬+t+ñ+e¦ñ+¯V17.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\lmnopqrstuvwxyz1.exe
Type: executable
MD5:
SHA256:

PID: 3084
Process: ¦¬+t+ñ+e¦ñ+¯V17.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe
Type: executable
MD5:
SHA256:

PID: 3008
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3008.29236\¦°¦+¦¬+t+ñ+e\InstallDeleteFile.exe
Type: executable
MD5:
SHA256:

PID: 3392
Process: ghijklmnopqrstuvwxyz1227Favrite.exe
Filename: C:\Users\admin\AppData\Local\Temp\Fav\FavriteAdd.exe
Type: executable
MD5:
SHA256:

PID: 3424
Process: FavriteAdd.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
Type: text
MD5:
SHA256:

PID: 3084
Process: ¦¬+t+ñ+e¦ñ+¯V17.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\vwxyz73351a00c84c94d3.exe
Type: executable
MD5:
SHA256:

PID: 1376
Process: klmnopqrstuvwxyz_¼¤»î¹¤¾ß2.exe
Filename: C:\Users\admin\AppData\Local\Temp\¼¤»î¹¤¾ß2.exe
Type: executable
MD5:
SHA256:
Download the PCAP, analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 31
Threats: 3

HTTP requests

PID: 2680
Process: lmnopqrstuvwxyz1.exe
Method: GET
IP: 42.180.125.194:80
URL: http://down.win11xz.cn/hp0409.exe
CN: CN
Reputation: suspicious

PID: 3968
Process: vwxyz73351a00c84c94d3.exe
Method: POST
IP: 61.135.186.213:80
URL: http://dr.toolbar.baidu.com/
CN: CN
Reputation: unknown

PID: 2504
Process: ¼¤»î¹¤¾ß2.exe
Method: GET
HTTP Code: 200
IP: 103.235.46.39:80
URL: http://www.baidu.com/s?ie=utf-8&wd=ip
CN: HK
Type: html
Size: 416 Kb
Reputation: whitelisted

PID: 2504
Process: ¼¤»î¹¤¾ß2.exe
Method: POST
IP: 119.23.216.188:80
URL: http://report.win10999.com/reportStatistics/
CN: CN
Reputation: malicious

Connections

PID: 2680
Process: lmnopqrstuvwxyz1.exe
IP: 42.180.125.194:80
Domain: down.win11xz.cn
ASN: CHINA UNICOM China169 Backbone
CN: CN
Reputation: suspicious

PID: 3968
Process: vwxyz73351a00c84c94d3.exe
IP: 61.135.186.213:80
Domain: dr.toolbar.baidu.com
ASN: China Unicom Beijing Province Network
CN: CN
Reputation: unknown

PID: 2504
Process: ¼¤»î¹¤¾ß2.exe
IP: 103.235.46.39:80
Domain: www.baidu.com
ASN: Beijing Baidu Netcom Science and Technology Co., Ltd.
CN: HK
Reputation: unknown

PID: 2504
Process: ¼¤»î¹¤¾ß2.exe
IP: 119.23.216.188:80
Domain: report.win10999.com
ASN: Hangzhou Alibaba Advertising Co.,Ltd.
CN: CN
Reputation: malicious

DNS requests

Domain: down.win11xz.cn
IP: 42.180.125.194
Reputation: suspicious

Domain: dr.toolbar.baidu.com
IP: 61.135.186.213
Reputation: unknown

Domain: www.baidu.com
IP: 103.235.46.39
Reputation: whitelisted

Domain: dr.addressbar.baidu.com
IP: 61.135.186.213
Reputation: unknown

Domain: dns.msftncsi.com
IP: 131.107.255.255
Reputation: shared

Domain: report.win10999.com
IP: 119.23.216.188
Reputation: malicious

Threats

PID: 2680
Process: lmnopqrstuvwxyz1.exe
Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016

PID: 2680
Process: lmnopqrstuvwxyz1.exe
Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL

1 ETPRO signature is available in the full report
No debug info