URL: | https://cvws.icloud-content.com/B/AfeBSE-GgYLDj4PDy0XnTLYnq7kpASxyNhh_9O3eHPrOxnyveZOyWBWS/Activation.rar?o=AhNO4YijyPJmT4G0zYK7SimY4IlmLdgKzhm8xFK7k6ft&v=1&x=3&a=B5tuMM_rnope_7NCIqrHrXwZLI3dAxXRSQEACAHIAP93A0fWA1UoSQ&e=1552563153&k=A8Y0xpQkkjBQPYKhErBdmQ&fl=&r=3b93e0be-4de9-49e1-ae77-3c985f4653a6-1&ckc=com.apple.largeattachment&ckz=Apple-Webmail&y=1&p=34&s=-gjjIrjVBRMwfe3ZZne9xSnTnGQ&teh=1 |
Full analysis: | https://app.any.run/tasks/1a791528-010a-4ac1-bc85-e10228451a30 |
Verdict: | Malicious activity |
Analysis date: | February 28, 2019, 16:58:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 1BF3A62F2C5CAABA01393471CFD30C79 |
SHA1: | FABB97789AEBF49E0C159642F772B6D058745193 |
SHA256: | F013710493F1CD88A9989E971C7375FD014EA8FAE3637036AC7AD1F0A8F221AC |
SSDEEP: | 12:20RG2mbUXfvBdgUWqkUQVfUMQN/mDMLYN:2IGlbUX3/fzSVcMW/mQLA |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2996 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3336 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2996 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3884 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Activation[1].rar" | C:\Program Files\WinRAR\WinRAR.exe | iexplore.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3504 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa3884.15400\readme.txt | C:\Windows\system32\NOTEPAD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3728 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3884.16080\Activation\KMS_Tools_Portable_12_01_17\KMSTools.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3884.16080\Activation\KMS_Tools_Portable_12_01_17\KMSTools.exe | — | WinRAR.exe |
User: admin Company: Ratiborus Integrity Level: MEDIUM Exit code: 3221226540 | ||||
2460 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3884.16080\Activation\KMS_Tools_Portable_12_01_17\KMSTools.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3884.16080\Activation\KMS_Tools_Portable_12_01_17\KMSTools.exe | WinRAR.exe | |
User: admin Company: Ratiborus Integrity Level: HIGH | ||||
3568 | "C:\Users\admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\admin\AppData\Local\Temp\Rar$EXa3884.16080\Activation\KMS_Tools_Portable_12_01_17\Programs\KMSAuto Net 2016 v1.4.9 Portable\KMSAuto Net.exe" | C:\Users\admin\AppData\Local\Temp\fver.exe | — | KMSTools.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Version Resource Dump Utility Exit code: 0 Version: 5.1.2600.0 (XPClient.010817-1148) | ||||
2068 | "C:\Users\admin\AppData\Local\Temp\fver.exe" /D /A "C:\Users\admin\AppData\Local\Temp\Rar$EXa3884.16080\Activation\KMS_Tools_Portable_12_01_17\Programs\Office 2013-2016 C2R Install v5.9.2\OInstall.exe" | C:\Users\admin\AppData\Local\Temp\fver.exe | — | KMSTools.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2948 | "C:\Windows\System32\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\admin\AppData\Local\Temp\KMSTools.tmp" /Y | C:\Windows\System32\cmd.exe | — | KMSTools.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3816 | "C:\Users\admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pkmstools -y -bsp1 -o"C:\Users\admin\AppData\Local\Temp\Rar$EXa3884.16080\Activation\KMS_Tools_Portable_12_01_17\Programs" "KMSAuto Net"* | C:\Users\admin\AppData\Local\Temp\7zaxxx.exe | KMSTools.exe | |
User: admin Company: Igor Pavlov Integrity Level: HIGH Description: 7-Zip Standalone Console Exit code: 0 Version: 15.14 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2996 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2996 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3336 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab8BFA.tmp | — | |
MD5:— | SHA256:— | |||
3336 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar8BFB.tmp | — | |
MD5:— | SHA256:— | |||
3336 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab8C2B.tmp | — | |
MD5:— | SHA256:— | |||
3336 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar8C2C.tmp | — | |
MD5:— | SHA256:— | |||
3336 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab8D27.tmp | — | |
MD5:— | SHA256:— | |||
3336 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar8D28.tmp | — | |
MD5:— | SHA256:— | |||
2996 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF03ED0698473E99BE.TMP | — | |
MD5:— | SHA256:— | |||
3336 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Activation[1].rar | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3364 | Setup16.exe | HEAD | 301 | 2.18.68.82:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/MRO.cab | unknown | — | — | whitelisted |
3364 | Setup16.exe | HEAD | 200 | 2.16.186.83:80 | http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/MRO.cab | unknown | — | — | whitelisted |
3364 | Setup16.exe | GET | 301 | 2.18.68.82:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/MRO.cab | unknown | — | — | whitelisted |
3364 | Setup16.exe | HEAD | 301 | 2.18.68.82:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/MRO-E.cab | unknown | — | — | whitelisted |
3364 | Setup16.exe | GET | — | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | — | — | whitelisted |
3364 | Setup16.exe | GET | 301 | 2.18.68.82:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/MRO-E.cab | unknown | — | — | whitelisted |
3364 | Setup16.exe | GET | 200 | 2.16.186.83:80 | http://officecdn.microsoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/MRO-E.cab | unknown | compressed | 16.0 Kb | whitelisted |
3364 | Setup16.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | der | 550 b | whitelisted |
3336 | iexplore.exe | GET | 200 | 2.16.186.81:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 55.2 Kb | whitelisted |
3364 | Setup16.exe | GET | 301 | 2.18.68.82:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.11231.20174.cab | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2996 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3252 | GarbageCollector.exe | 89.111.162.36:80 | img15.nnm.me | Jsc ru-center | RU | unknown |
3336 | iexplore.exe | 2.16.186.81:80 | www.download.windowsupdate.com | Akamai International B.V. | — | whitelisted |
3364 | Setup16.exe | 2.16.186.83:80 | officecdn.microsoft.com.edgesuite.net | Akamai International B.V. | — | whitelisted |
3336 | iexplore.exe | 17.248.146.12:443 | cvws.icloud-content.com | Apple Inc. | US | unknown |
2732 | wmiprvse.exe | 65.52.98.231:443 | activation.sls.microsoft.com | Microsoft Corporation | US | whitelisted |
3364 | Setup16.exe | 2.16.186.74:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
3364 | Setup16.exe | 2.18.68.82:80 | officecdn.microsoft.com | Akamai International B.V. | — | whitelisted |
2732 | wmiprvse.exe | 92.122.18.115:80 | go.microsoft.com | Akamai Technologies, Inc. | GB | whitelisted |
Domain | IP | Reputation |
---|---|---|
cvws.icloud-content.com |
| suspicious |
www.bing.com |
| whitelisted |
www.download.windowsupdate.com |
| whitelisted |
officecdn.microsoft.com |
| whitelisted |
officecdn.microsoft.com.edgesuite.net |
| whitelisted |
crl.microsoft.com |
| whitelisted |
img15.nnm.me |
| unknown |
go.microsoft.com |
| whitelisted |
activation.sls.microsoft.com |
| whitelisted |