File name: | scandoc.rar |
Full analysis: | https://app.any.run/tasks/d3ae3a44-8b55-47b7-bf83-60925dcd1e7f |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 16:56:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 63F8B148B240503F8A7B93A83DDDC04B |
SHA1: | 8A11A2D727695A9FDFC8B19A84D3E60066EBB84F |
SHA256: | 1232402BEF625DC8328ECE768E9943667389AED97207CF24F5215FE88B5F88EC |
SSDEEP: | 1536:01jMMIu/7LPqqvQ7fh+FTB9dYsnEguWz79ALasPmQEhW5xf7nzGMO:qMcDLiqIl+F7GWfaLasedwjf/Gd |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2960 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\scandoc.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3148 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa2960.41029\Scan0033.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1376 | C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan032.jpg & rar.exe e -o+ -r -inul scan032.jpg backup.exe & backup.exe | C:\WINDOWS\system32\cmd.exe | — | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3080 | rar.exe e -o+ -r -inul *.rar scan032.jpg | C:\Program Files\WinRAR\Rar.exe | cmd.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: Command line RAR Exit code: 0 Version: 5.60.0 | ||||
3048 | rar.exe e -o+ -r -inul scan032.jpg backup.exe | C:\Program Files\WinRAR\Rar.exe | — | cmd.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: Command line RAR Exit code: 10 Version: 5.60.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRB876.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C053A636.png | — | |
MD5:— | SHA256:— | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BE59C25.wmf | — | |
MD5:— | SHA256:— | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Word8.0\ShockwaveFlashObjects.exd | tlb | |
MD5:C2C137E3AD64C7F344F08A6244660A45 | SHA256:3EE314B690C8FB434B1B721129601BD1692C3716F2C091E5A101BFF988176C08 | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Rar$DIa2960.41029\~$an0033.doc | pgc | |
MD5:F0AD17770887BC1832DCD8FE633C98F8 | SHA256:23695CABFD94A29FB339F8117A7A659F0729EB296E1EF6900FFFD598517660DE | |||
2960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2960.41029\Scan0033.doc | document | |
MD5:BFC05909537F5522EB2AA2FAC4DF5836 | SHA256:9C6FBE25429D177FCAC4CB53F85DACC58D84A618E3BDDD1181CD0E604CB522CE | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:35E1E8E39A24BFB966DB6952B4C32D8E | SHA256:A4C2008762CB30A5D71A151542D32E07222C58F84F67EFC2D6B628B269EA0BB9 | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol | sol | |
MD5:A6A3011D711FB7A838A88BA29C80679E | SHA256:B394504D9300AD8C900BA53D70275F08FCC34C7E675FD0FA2A89A37A5D6AD425 | |||
3148 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx | sol | |
MD5:0DD3631A4DF7BED11E4B389AC2E95882 | SHA256:F06E531C2FEB84B511F7FEED945C13936122AA2A6DCE287776F724398D27394A | |||
3080 | Rar.exe | C:\Users\admin\AppData\Local\Temp\scan032.jpg | executable | |
MD5:EFE45B2640D63F4A25C03F0F4D711F11 | SHA256:E34F7E6E26F80CA0DBC83A0218B73110FF50939BD2D0A9BF5B6D403C92E59D45 |