Field | Value
---|---
Download | KoiVMdevirt.rar
Full analysis | https://app.any.run/tasks/1d0176cc-e03b-4a17-be64-03338cfb2f3a
Verdict | Malicious activity
Analysis date | July 18, 2019, 07:37:56
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | C20061859A2B517D6CBB0BB165B098DA
SHA1 | 6031FA8863F9EA981092100A69656629C7D868A3
SHA256 | 4749DEED8672318B6C78D3EC4C7EFA62D58C66D7ABD53FE04168A0A0478E5A00
SSDEEP | 12288:3sNJbMh2DHYf1o73KaCJEEx0sz/FaB8oJLl:3sNZG28fqYEEfz/F4LJJ

Extension | Detected type (score)
---|---
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3000 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\KoiVMdevirt.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
1344 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Version: 7.00.7600.16385 (win7_rtm.090713-1255)
3596 | "C:\Users\admin\Desktop\KoiVMDevirtualizer.exe" | C:\Users\admin\Desktop\KoiVMDevirtualizer.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: KoivmDevirt; Exit code: 0; Version: 1.0.0.0
3552 | "C:\Users\admin\Desktop\KoiVMDevirtualizer.exe" | C:\Users\admin\Desktop\KoiVMDevirtualizer.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: KoivmDevirt; Exit code: 0; Version: 1.0.0.0

PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3000 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
3000 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
3000 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | LanguageList | en-US
3000 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\KoiVMdevirt.rar
3000 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3000 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3000 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3000 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
3000 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3000 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\AppData\Local\Temp

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3000.1660\de4dot.blocks.dll | — | — | —
3000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3000.1660\dnlib.dll | — | — | —
3000 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3000.1660\KoiVMDevirtualizer.exe | — | — | —