File name: | taklol.zip |
Full analysis: | https://app.any.run/tasks/25bf33d4-7bf2-40f5-9bfa-69ebe4b75194 |
Verdict: | Malicious activity |
Analysis date: | September 30, 2020, 14:32:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | 73A47DDC9A9EB18A72E4B81B3A05BCE2 |
SHA1: | 3860060CEC8974948C91BBFC73F41F477D9230A4 |
SHA256: | EEAB2E0C590B21C7A4579B7D01E2F2543DB3F3D8B78D648F3C6380857EBF3963 |
SSDEEP: | 98304:fy/yUb7vFeU0auScyLKZvf89PzkWt61/sq35A9+V:fy/yUb7vFeU0aufOKxfiPMsSom |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | TakLoL/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2020:09:23 18:50:27 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 10 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2752 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\taklol.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2852 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\taklol.zip" C:\Users\admin\Desktop\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3844 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
3336 | "C:\Users\admin\Desktop\TakLoL\TakLoL.exe" | C:\Users\admin\Desktop\TakLoL\TakLoL.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: TakLoL Apps Exit code: 3221226540 Version: 1.1.1.0 | ||||
1720 | "C:\Users\admin\Desktop\TakLoL\TakLoL.exe" | C:\Users\admin\Desktop\TakLoL\TakLoL.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: TakLoL Apps Version: 1.1.1.0 | ||||
2808 | "C:\Users\admin\Desktop\TakLoL\libraries\pfier\pfier.exe" | C:\Users\admin\Desktop\TakLoL\libraries\pfier\pfier.exe | — | TakLoL.exe |
User: admin Company: Initex Integrity Level: HIGH Description: Proxifier Portable Edition v3.42 Version: 3.42.0.1 | ||||
328 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
612 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | — | taskeng.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2816 | "C:\Users\admin\Desktop\TakLoL\Update.exe" | C:\Users\admin\Desktop\TakLoL\Update.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: TakLoL Updater Exit code: 3221226540 Version: 1.0.4.0 | ||||
2844 | "C:\Users\admin\Desktop\TakLoL\Update.exe" | C:\Users\admin\Desktop\TakLoL\Update.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: TakLoL Updater Exit code: 0 Version: 1.0.4.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2852 | WinRAR.exe | C:\Users\admin\Desktop\TakLoL\libraries\pfier\Settings.ini | text | |
MD5:AFC5B6952039B7B68DC051505EF83D5D | SHA256:49E327BF2ED1FEA16CE3463115B1B4348D8CFFF7283BF78CECD5B7F9E8864D9A | |||
2852 | WinRAR.exe | C:\Users\admin\Desktop\TakLoL\Update.exe | executable | |
MD5:A8F319DC27F9AAE736B14EADDE175C17 | SHA256:3159687665B6487A1238C1A2FB9229986013D509A00D600E8121C8C87976ACC6 | |||
1720 | TakLoL.exe | C:\Windows\System32\drivers\etc\hosts | text | |
MD5:722BCDE9CBEC87BE7E58909B2391210B | SHA256:BE35D26A1C476FB4FEBC680C0C031674A9F6E75259E9C4895A7C75416BA425B6 | |||
1720 | TakLoL.exe | C:\Users\admin\Desktop\TakLoL\libraries\pfier\Profiles\Default.ppx | xml | |
MD5:E0EDA326DAB2852AED2440B0F238A57E | SHA256:4D24F698AA7ECD1BE270618D6D822E39FC1CFC6AD4DE287C0C3AE94176133099 | |||
328 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | automaticdestinations-ms | |
MD5:F8019C33C0764237C4CCF6E1833D4AB3 | SHA256:2F438169287CA423617E6A349886AD889E0A8CEB14932A11CA7C3652D4285036 | |||
328 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\taklol.zip.lnk | lnk | |
MD5:4A00EBECB76AEBA0CEE50D8376EDB483 | SHA256:A8EAE0D883E5F979FAA776F072F71C7B7FE6E780362BF86D15E2DB5CFBD51188 | |||
1720 | TakLoL.exe | C:\Users\admin\Desktop\TakLoL\LData.cfg | text | |
MD5:78628EA3AB7EDD2E031FACBCE54BC4D9 | SHA256:12C423969E44991D0792192D8A3FD3762C07E7C8518F27FD02A1E15C3DAD5D2C | |||
328 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:4F11CAD9DA98EB78ACC4D17CEBA9EBBE | SHA256:487691007B057BC39DD29B0C33DDBD00F6E7FAD1A3F7A15BB1EC9E1615F2E16F | |||
2852 | WinRAR.exe | C:\Users\admin\Desktop\TakLoL\TakLoL.exe | executable | |
MD5:370B1C975AA0AB38B721B36C481638FA | SHA256:7BC2F4DDF720F9E8EB48F61391AF09BEFE792ED0794519DB6C47BA51E11E1F69 | |||
2808 | pfier.exe | C:\Users\admin\Desktop\TakLoL\libraries\pfier\Settings.ini | text | |
MD5:133DEE23563C444ABB4FE1FFE804087B | SHA256:B273B70FA310E4C4D079479C5056B7BB2F0721064E83B9997705F5A0F85A7350 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1720 | TakLoL.exe | POST | 200 | 104.24.113.121:80 | http://taklol.ir/update/getlast5 | US | text | 3.68 Kb | suspicious |
1720 | TakLoL.exe | POST | 200 | 104.24.112.121:80 | http://taklol.taklol.ir/update/getlast5 | US | text | 3.68 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2844 | Update.exe | 172.67.146.87:80 | taklol.ir | — | US | suspicious |
1720 | TakLoL.exe | 104.24.112.121:80 | taklol.ir | Cloudflare Inc | US | shared |
1720 | TakLoL.exe | 104.24.113.121:80 | taklol.ir | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
taklol.ir |
| suspicious |
taklol.taklol.ir |
| suspicious |
www.google.com |
| whitelisted |