File name: | HilanCenter.zip |
Full analysis: | https://app.any.run/tasks/48d5883b-3d6f-49ce-b1f9-0c53ce487577 |
Verdict: | Malicious activity |
Analysis date: | November 08, 2018, 10:51:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | — |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | D2CED3227488CD6BF6F519C072EC1BA6 |
SHA1: | 8BD65954EDD1F620707E837CF6FD480337E82808 |
SHA256: | D64D5FBEB41450E7C8DDD97F389D9EEA7CE1B2291B793519CB2BA0BE4E62B30E |
SSDEEP: | 98304:Kiie/nSOkoSDc3bAaKLBgDXas/ftJEVAgaxeSP3ZRAhUdtv:Kii0VFAHLB+XD9xd8kJRGUdt |
Extension | Detected type |
---|---|
.zip | ZIP compressed archive (100) |
ZipFileName: | ClientSideLog/ |
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2018:02:25 16:49:15 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Details
---|---|---|---|---|---|---|---
3532 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HilanCenter.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | admin | MEDIUM | Company: Alexander Roshal; Description: WinRAR archiver; Version: 5.60.0
716 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | SYSTEM | SYSTEM | Company: Microsoft Corporation; Description: Microsoft Windows Search Protocol Host; Exit code: 0; Version: 7.00.7600.16385 (win7_rtm.090713-1255)
2116 | "C:\Users\admin\Desktop\hilan\HilanCenter.exe" | C:\Users\admin\Desktop\hilan\HilanCenter.exe | | explorer.exe | admin | HIGH | Description: HilanCenter; Version: 1.0.6862.28081
1604 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | admin | MEDIUM | Company: Microsoft Corporation; Description: Windows Explorer; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1484 | "C:\Users\admin\Desktop\hilan\Hilanver.exe" | C:\Users\admin\Desktop\hilan\Hilanver.exe | | explorer.exe | admin | HIGH | Company: zzz; Exit code: 0; Version: 1.00
1540 | "C:\Users\admin\Desktop\hilan\GF5PORT.exe" | C:\Users\admin\Desktop\hilan\GF5PORT.exe | | explorer.exe | admin | HIGH | Company: Hilan; Exit code: 0; Version: 1.00
236 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\hilan\HilanCenter.application" | C:\Program Files\Notepad++\notepad++.exe | | explorer.exe | admin | MEDIUM | Company: Don HO [email protected]; Description: Notepad++ : a free (GNU) source code editor; Version: 7.51
2888 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | | notepad++.exe | admin | MEDIUM | Company: Don HO [email protected]; Description: GUP : a free (LGPL) Generic Updater; Version: 4.1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3532 | WinRAR.exe | C:\Users\admin\Desktop\hilan | — | — | —
3532 | WinRAR.exe | C:\Users\admin\Desktop\hilan\fonts\OpenSansHebrew-Bold.otf | otf | 09FA37090BB9027BFF3077429FAB3D75 | 0BD5491B220C4F9FEBE979B0C326528E69E997DA72F558E47E6705797E63C5EF
3532 | WinRAR.exe | C:\Users\admin\Desktop\hilan\Helpers\cmd\bgh.png | image | B9BEC0F09DEF3D6272AA4EBA5236D6AC | 4BE9A9FF627CC0A2E0C9BC4C86B166B79E700EE018470C36BCFC7FBC5739F44C
3532 | WinRAR.exe | C:\Users\admin\Desktop\hilan\fonts\OpenSansHebrew-Bold.eot | eot | 782954FF50F71C9DA916238737EA2F59 | 9424391DC9F91274B32C85079285CEF9336390C32F59BA65A01347211C1DC331
3532 | WinRAR.exe | C:\Users\admin\Desktop\hilan\GF5PORT.exe | executable | 2406EA363B97A954865C4DBAA4C43EC5 | 49B9876186A4DCA590B75EAA7BDF8DEB510DC334BF7154E36EAD6C968B993F6E
3532 | WinRAR.exe | C:\Users\admin\Desktop\hilan\fonts\OpenSansHebrew-Bold.svg | image | 3C3FC47C24B3B47700E461B0C334EFED | 5A3B10801CB4025AD6A19AA20CBDEDDA1CDDFCE54DB81FBEBCF1C4E8F00E941C
3532 | WinRAR.exe | C:\Users\admin\Desktop\hilan\fonts\OpenSansHebrew-Bold.woff | woff | D2883D95656448D9720BCE0CD913B8D7 | 232C0064A625EA7CCA475C36A7E59988FB00F197639C25C3B8456FF23CE4B9EF
3532 | WinRAR.exe | C:\Users\admin\Desktop\hilan\fonts\OpenSansHebrew-Regular.otf | otf | 06E6CCD43C5A2FD5C29A62D24C0ED935 | 90E52DBF8F5E8096C836E998587C3A047BE6E22CA4AD9492195359F8C07C1BDB
3532 | WinRAR.exe | C:\Users\admin\Desktop\hilan\fonts\OpenSansHebrew-Regular.svg | image | E156B1C0F6183613AB9441BF1B6C6D1C | CD9CDE69456D9980761CA0C81A2B6F4629509EF56349F4C2639578E2CE373DB3
3532 | WinRAR.exe | C:\Users\admin\Desktop\hilan\Helpers\cmd\Erasure.exe | executable | CF8D4D4862A00216ECF50208E52B3AF0 | 8BD18EF57129007637088A02575EED4AE4BEA85CC7A2460CAD9B43C7E75017FB
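The process table and the dropped-files table above can be correlated mechanically rather than by eye. The following is an added example, not ANY.RUN output and not tooling from the report: it transcribes the two tables into constructed Python records and flags three things a triage analyst looks for in a report like this, namely child processes running at a higher integrity level than their parent (the MEDIUM explorer.exe to HIGH HilanCenter.exe jump, which implies a UAC elevation), dropped executables that were later launched, and binaries executed from a user-profile path. The `Proc` record layout and the function names are this example's own assumptions.

```python
"""Triage helpers for the process and dropped-file tables of a sandbox report.

Constructed example: the records below are transcribed from the tables on
this page. The field layout (Proc dataclass) is an assumption of this
example, not ANY.RUN's export format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows integrity levels in ascending order of privilege.
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


@dataclass
class Proc:
    pid: int
    image: str              # image file name as shown in the report, e.g. "WinRAR.exe"
    path: str               # full image path as launched
    parent: Optional[str]   # parent image name as the report lists it (None if not shown)
    integrity: str          # LOW / MEDIUM / HIGH / SYSTEM
    user: str


# Constructed from the process table above (same order as listed there).
PROCESSES: List[Proc] = [
    Proc(3532, "WinRAR.exe", r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe", "MEDIUM", "admin"),
    Proc(716, "SearchProtocolHost.exe", r"C:\Windows\System32\SearchProtocolHost.exe", "SearchIndexer.exe", "SYSTEM", "SYSTEM"),
    Proc(2116, "HilanCenter.exe", r"C:\Users\admin\Desktop\hilan\HilanCenter.exe", "explorer.exe", "HIGH", "admin"),
    Proc(1604, "explorer.exe", r"C:\Windows\explorer.exe", None, "MEDIUM", "admin"),
    Proc(1484, "Hilanver.exe", r"C:\Users\admin\Desktop\hilan\Hilanver.exe", "explorer.exe", "HIGH", "admin"),
    Proc(1540, "GF5PORT.exe", r"C:\Users\admin\Desktop\hilan\GF5PORT.exe", "explorer.exe", "HIGH", "admin"),
    Proc(236, "notepad++.exe", r"C:\Program Files\Notepad++\notepad++.exe", "explorer.exe", "MEDIUM", "admin"),
    Proc(2888, "gup.exe", r"C:\Program Files\Notepad++\updater\gup.exe", "notepad++.exe", "MEDIUM", "admin"),
]

# Constructed from the dropped-files table above: only the entries typed "executable".
DROPPED_EXECUTABLES: List[str] = [
    r"C:\Users\admin\Desktop\hilan\GF5PORT.exe",
    r"C:\Users\admin\Desktop\hilan\Helpers\cmd\Erasure.exe",
]


def find_elevations(procs: List[Proc]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, image, parent integrity, child integrity) for every child
    that runs at a higher integrity level than its parent.

    The report names parents by image rather than PID, so the lookup is by
    image name; that is unambiguous here because each image appears once.
    A MEDIUM -> HIGH jump under the same interactive user means the child
    went through a UAC elevation prompt (or an auto-elevation).
    """
    by_image = {p.image.lower(): p for p in procs}
    hits = []
    for p in procs:
        parent = by_image.get((p.parent or "").lower())
        if parent is None:
            continue  # parent not in the captured tree (e.g. SearchIndexer.exe)
        if INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent.integrity]:
            hits.append((p.pid, p.image, parent.integrity, p.integrity))
    return hits


def dropped_then_executed(dropped: List[str], procs: List[Proc]) -> List[str]:
    """Return the dropped file paths that later appear as a process image path.

    Correlating the two tables separates payloads the archive delivered and
    actually ran from those that were merely written to disk.
    """
    launched = {p.path.lower() for p in procs}
    return [d for d in dropped if d.lower() in launched]


def user_writable_executions(procs: List[Proc]) -> List[Proc]:
    """Processes whose image lives under a user profile directory."""
    prefix = "c:\\users\\"
    return [p for p in procs if p.path.lower().startswith(prefix)]


if __name__ == "__main__":
    for pid, image, parent_il, child_il in find_elevations(PROCESSES):
        print(f"PID {pid} {image}: integrity {parent_il} -> {child_il}")
    for path in dropped_then_executed(DROPPED_EXECUTABLES, PROCESSES):
        print(f"dropped and executed: {path}")
    for p in user_writable_executions(PROCESSES):
        print(f"run from user profile: {p.pid} {p.path}")
```

Run against the transcribed records, the three user-profile binaries (PIDs 2116, 1484, 1540) are the ones that elevated, and of the two executables WinRAR wrote to disk only GF5PORT.exe shows up in the process list; Erasure.exe was dropped but never launched during the analysis window.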
PID | Process | Method | HTTP Code | IP | URL | Country | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.16.186.32:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D | unknown | der | 727 b | whitelisted |
— | — | GET | 200 | 2.16.186.32:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | unknown | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | Country | Reputation |
---|---|---|---|---|---|---|
2888 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
— | — | 2.16.186.32:80 | ocsp.usertrust.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
portal.hilan.co.il | — | unknown |
notepad-plus-plus.org | — | whitelisted |
ocsp.usertrust.com | — | whitelisted |
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled |
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093 |