File name: | Product list.pdf.gz |
Full analysis: | https://app.any.run/tasks/a1b4df7c-22d8-46f7-94c0-02498b066fa6 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 00:11:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 5476D7E612541522C4EBBC17654C169B |
SHA1: | 7C11B4E31721F2EF61E85C3E8291281DD8A5A7A3 |
SHA256: | F1CC7BCFCE852A007B51FBDFC19292619461715999C2C619ED91DBAAFA579D7B |
SSDEEP: | 384:zfczVl3LvPOJsSDgq/w48OJmKzaO3RfhqduY5m8hu02nepIXKtkIs4MUivV:zUV1vPusmnQO4eJh6mnv6tkIs4nivV |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2820 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Product list.pdf.gz.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3612 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2820.34846\Product list.pdf.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2820.34846\Product list.pdf.exe | — | WinRAR.exe |
User: admin Company: WONderware Integrity Level: MEDIUM Description: Stiklings Exit code: 0 Version: 1.00 | ||||
4056 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2820.34846\Product list.pdf.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2820.34846\Product list.pdf.exe | Product list.pdf.exe | |
User: admin Company: WONderware Integrity Level: MEDIUM Description: Stiklings Version: 1.00 |
PID | Process | Filename | Type | |
---|---|---|---|---|
4056 | Product list.pdf.exe | C:\Users\admin\AppData\Local\Temp\CabEC9A.tmp | — | |
MD5:— | SHA256:— | |||
4056 | Product list.pdf.exe | C:\Users\admin\AppData\Local\Temp\TarEC9B.tmp | — | |
MD5:— | SHA256:— | |||
4056 | Product list.pdf.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | der | |
MD5:7EDFA95BE4ED2446834630176880B200 | SHA256:72BC58B52F64AB4CEE37C8E60435B66B3944567AF08DBF69DCC93DC0C43EF523 | |||
4056 | Product list.pdf.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | binary | |
MD5:B9EB73EBCC3AF2EEC26956F757B36B72 | SHA256:9F63176343A39461D8362F17D10E87B90C2578BE0B8878D766ADCFFD87BDE8CE | |||
2820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2820.34846\Product list.pdf.exe | executable | |
MD5:904984BAD4E1841FC86A010409AEE08C | SHA256:DF48B963C63E8C2F4C2F03B534745CD55ED35BBE0AF13877BE2ED4D82097FD65 | |||
4056 | Product list.pdf.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\TXVRE35Z.txt | text | |
MD5:687C5FD7498D47D093DD1F1806226CB8 | SHA256:9FF4B0FBF50F0407D191631A369255881FBE4B83D877FA2C14C2FB7B10B1E1F3 | |||
4056 | Product list.pdf.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203 | der | |
MD5:B211134DC2B559A0A8FDD5600FCA0662 | SHA256:471E7C400B878CF174F3D1E67CFBFF5B099378A6EAA8E4E5E346E7D6B681981E | |||
4056 | Product list.pdf.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F | binary | |
MD5:6C139FD3DE27E7E9D247D62F1B26ADEC | SHA256:9E056CECD600420D483E25070928FEDC226AA6D43BA700885D12BF0FC086623A |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4056 | Product list.pdf.exe | 13.107.42.12:443 | 4apotw.bn.files.1drv.com | Microsoft Corporation | US | suspicious |
4056 | Product list.pdf.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
4056 | Product list.pdf.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
4056 | Product list.pdf.exe | 212.227.15.142:587 | smtp.1and1.es | 1&1 Internet SE | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
onedrive.live.com |
| shared |
ocsp.digicert.com |
| whitelisted |
4apotw.bn.files.1drv.com |
| whitelisted |
smtp.1and1.es |
| shared |
PID | Process | Class | Message |
---|---|---|---|
4056 | Product list.pdf.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |