| Field | Value |
|---|---|
| File name | IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.UUE |
| Full analysis | https://app.any.run/tasks/b9eb2963-2fdf-43a5-94f3-47695f040179 |
| Verdict | Malicious activity |
| Analysis date | July 17, 2019, 17:21:10 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/x-rar |
| File info | RAR archive data, v5 |
| MD5 | 7FB08D7F99E2895E1B9ED9E07E8CB501 |
| SHA1 | A2A2F989D26DE561DF8D6B0F53EA7008C079B20A |
| SHA256 | 3B405BED5D6CDAF34D9C71F664345E513246AAAB9F2AEFF5DDE31B96A7673947 |
| SSDEEP | 12288:4I+Elunj/yNeDmp4gq+WXKuH5Rc7m6K/K2JKEFjfst3hYpLzdrZMgGMvW4Lxzs:41nLZmp1L0jcS6vTEl4hYBpZHVls |
| Extension | Description | Probability (%) |
|---|---|---|
| .rar | RAR compressed archive (v5.0) | 61.5 |
| .rar | RAR compressed archive (gen) | 38.4 |
| PID | Command line | Path | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|
| 3524 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.UUE.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | | 5.60.0 |
| 872 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3524.9868\IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3524.9868\IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.exe | WinRAR.exe | admin | dasHost | MEDIUM | RAVBg64 | | 752.777.546.180 |
| 3468 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 0 | 4.7.3062.0 built by: NET472REL1 |
| 4068 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | RegAsm.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 0 | 4.7.3062.0 built by: NET472REL1 |
| 3604 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 0 | 4.7.3062.0 built by: NET472REL1 |
| 1148 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | RegAsm.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 0 | 4.7.3062.0 built by: NET472REL1 |
| 3000 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 0 | 4.7.3062.0 built by: NET472REL1 |
| 3272 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | RegAsm.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 0 | 4.7.3062.0 built by: NET472REL1 |
| 3084 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 0 | 4.7.3062.0 built by: NET472REL1 |
| 3288 | "C:\Users\admin\AppData\Local\Temp\server.exe" | C:\Users\admin\AppData\Local\Temp\server.exe | RegAsm.exe | admin | Microsoft Corporation | MEDIUM | Microsoft .NET Assembly Registration Utility | 0 | 4.7.3062.0 built by: NET472REL1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 872 | IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.exe | C:\Users\Public\phNTDIOTYV.vbs | text | 6760D024748EB9F106BAE423A7498A76 | ECAA8C9AC68DAAF417730AAC98819862618A6CAA4AAF051ACC9A0E1A803B5174 |
| 872 | IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.exe | C:\Users\admin\AppData\Roaming\auditpolcore\cscript.bat | executable | F782333547682BA20E00501FE8807D8C | 9C3BAF4A84909D15E7BE3A59FEF7803A5EDC27A29C2B52F12FDE071241FF5530 |
| 3524 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3524.9868\IMAGEN001 IMAGEN0002 IMAGEN0003 IMAGEN0004.exe | executable | 20B19E64D6989EA50123ED022FDB84C0 | F41795787130CA391E573238EC8335FF0785B74B213EFE064D80AC98CEB32299 |
| 3084 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |
| 3604 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |
| 3364 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |
| 3468 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |
| 3852 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |
| 1548 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |
| 3992 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\server.exe | executable | B58B926C3574D28D5B7FDD2CA3EC30D5 | 6E70B56D748C4CCAB13CC8A055D3795EA0DD95FE3B70568D7D3AC0C6621140A3 |