File name: | NordVPNCracked.rar |
Full analysis: | https://app.any.run/tasks/619fb59a-909b-46ad-91dc-76e08616e845 |
Verdict: | Malicious activity |
Analysis date: | November 08, 2018, 09:18:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | F3FEC0A5117DC73B1EE72A71E3C157AA |
SHA1: | 743D82DB2C0D3EFCFAD5DA7BF9B6F5D442AFAF16 |
SHA256: | E560106A372C2C4C25B7856E290511D51EAE3975A3396BDC85D7585D1E157589 |
SSDEEP: | 196608:dGqOaCHaeb8GYSrkUuvoEn/8h61paJie/xc9euMeYAaOGlaC:dGqOaC9bhk5/8h61paUe/xc3MeYTOGlx |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3832 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NordVPNCracked.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2744 | "C:\Users\admin\Desktop\NordVPNCracked.exe" | C:\Users\admin\Desktop\NordVPNCracked.exe | explorer.exe | |
User: admin Company: NordVPN Integrity Level: HIGH Description: NordVPNCracked Exit code: 0 Version: 6.5.0.0 | ||||
3452 | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | NordVPNCracked.exe | |
User: admin Integrity Level: HIGH Description: AutoPlay Application Exit code: 3221225547 Version: 8.5.0.0 | ||||
3956 | "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\crypted.exe" | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | — | CDS.exe |
User: admin Integrity Level: HIGH Description: Exit code: 3735929054 Version: 0.0.0.0 |
(PID) Process: | (3832) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3832) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3832) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3832) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\NordVPNCracked.rar | |||
(PID) Process: | (3832) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3832) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3832) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3832) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3832) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
Operation: | write | Name: | ShowPassword |
Value: 0 | |||
(PID) Process: | (2744) NordVPNCracked.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
Operation: | write | Name: | wextract_cleanup0 |
Value: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\" |
PID | Process | Filename | Type | |
---|---|---|---|---|
3832 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3832.25860\NordVPNCracked.exe | — | |
MD5:— | SHA256:— | |||
2744 | NordVPNCracked.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\c.dat | — | |
MD5:— | SHA256:— | |||
3452 | CDS.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | executable | |
MD5:293ED863E6AD0F7034BF77C4AB2310E4 | SHA256:E9DA0E236CE986694A3640316EF2C7B568B1EE07EE7FDA6D5B92575F3A7F2724 | |||
2744 | NordVPNCracked.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd | compressed | |
MD5:3E7ECAEB51C2812D13B07EC852D74AAF | SHA256:E7E942993864E8B18780EF10A415F7B93924C6378248C52F0C96895735222B96 | |||
2744 | NordVPNCracked.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ap3.dat | compressed | |
MD5:967FDFE0A01C083804673B4976AD6730 | SHA256:72EDA9D49BCD0CD3B540F75C4215714378AFBB1CE40AFCBB7A0B246AB2A44F21 | |||
2744 | NordVPNCracked.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | executable | |
MD5:424BF196DEAEB4DDCAFB78E137FA560A | SHA256:0963CEF2F742A31B2604FE975F4471AE6A76641490FE60805DB744FEF9BDD5D2 | |||
2744 | NordVPNCracked.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\fs.settings | text | |
MD5:68934A3E9455FA72420237EB05902327 | SHA256:FCBCF165908DD18A9E49F7FF27810176DB8E9F63B4352213741664245224F8AA | |||
2744 | NordVPNCracked.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\cdd.zip | compressed | |
MD5:1D5698B4E2DD3435D103865E881AA2DD | SHA256:064167B67ACEBCA10B61531C2B8A6BC1539406F15002A2F56F3F8ECD29B10890 | |||
2744 | NordVPNCracked.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ap2.dat | ogg | |
MD5:FC2A595F574B1EAD82A6DCF06492C985 | SHA256:EE9A4903A8DF90EFF4C5B65A8073E564A3581CF73772A72EB82396E69932E769 | |||
2744 | NordVPNCracked.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll | executable | |
MD5:C3256800DCE47C14ACC83CCCA4C3E2AC | SHA256:F26F4F66022ACC96D0319C09814EBEDA60F4AB96B63B6262045DC786DC7C5866 |