Field | Value
---|---|
File name | vshost.rar
Full analysis | https://app.any.run/tasks/b6fced14-dc7d-4880-b2b8-72af113f840c
Verdict | Malicious activity
Analysis date | March 14, 2019, 23:32:43
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v4, os: Win32
MD5 | 7D1981B1EF1D54CF375C15125C3BC605
SHA1 | B1732CA22ACA11AE3E0B780B50837B669FB2C79C
SHA256 | 4A2D9F576114E8A5427E5D1A1A4FCBA302769133921298478EBC736ABCD35E68
SSDEEP | 384:ezheGlDKXxLVL0xT9ege+NNK3LCji2pn0/fbZOtHARQxhNdW2A:shHYj0xg+NpjFpnabZOsQTNU2A
Extension | Type
---|---|
.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
Field | Value
---|---|
ArchivedFileName | vshost.exe
PackingMethod | Normal
ModifyDate | 2017:06:27 16:16:14
OperatingSystem | Win32
UncompressedSize | 62464
CompressedSize | 17690
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---|
2956 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\vshost.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
2204 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.39554\vshost.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.39554\vshost.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Description: vshost.exe; Exit code: 3221226540; Version: 1.0.0.0
2640 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.39554\vshost.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.39554\vshost.exe | | WinRAR.exe | User: admin; Integrity Level: HIGH; Description: vshost.exe; Version: 1.0.0.0
2804 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40661\vshost.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40661\vshost.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Description: vshost.exe; Exit code: 3221226540; Version: 1.0.0.0
2652 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40700\vshost.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40700\vshost.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Description: vshost.exe; Exit code: 3221226540; Version: 1.0.0.0
3776 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40661\vshost.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40661\vshost.exe | | WinRAR.exe | User: admin; Integrity Level: HIGH; Description: vshost.exe; Version: 1.0.0.0
3444 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40700\vshost.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40700\vshost.exe | | WinRAR.exe | User: admin; Integrity Level: HIGH; Description: vshost.exe; Version: 1.0.0.0
3628 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40906\vshost.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40906\vshost.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Description: vshost.exe; Exit code: 3221226540; Version: 1.0.0.0
296 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40911\vshost.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40911\vshost.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Description: vshost.exe; Exit code: 3221226540; Version: 1.0.0.0
2124 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40906\vshost.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40906\vshost.exe | | WinRAR.exe | User: admin; Integrity Level: HIGH; Description: vshost.exe; Version: 1.0.0.0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2956.38962\vshost.exe | — | — | —
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40661\vshost.exe | executable | AFA8A8FF2A9EB5DDB9B001AE0602483A | BAA41840B1D9A12FFC084EF3B557B5357561AC7E58759B788D7570657174BABC
3020 | vshost.exe | C:\Users\admin\AppData\Local\Temp\0308\final.txt | text | 4BA78AEF772F03BD04914DE9D47BF35F | 9951DC5589B2ECD16587482EDB281170D4E81B6A6BE4D0DA52616630AB7E763A
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.39554\vshost.exe | executable | AFA8A8FF2A9EB5DDB9B001AE0602483A | BAA41840B1D9A12FFC084EF3B557B5357561AC7E58759B788D7570657174BABC
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40906\vshost.exe | executable | AFA8A8FF2A9EB5DDB9B001AE0602483A | BAA41840B1D9A12FFC084EF3B557B5357561AC7E58759B788D7570657174BABC
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40700\vshost.exe | executable | AFA8A8FF2A9EB5DDB9B001AE0602483A | BAA41840B1D9A12FFC084EF3B557B5357561AC7E58759B788D7570657174BABC
3776 | vshost.exe | C:\Users\admin\AppData\Local\Temp\0308\final.txt | text | 4BA78AEF772F03BD04914DE9D47BF35F | 9951DC5589B2ECD16587482EDB281170D4E81B6A6BE4D0DA52616630AB7E763A
2640 | vshost.exe | C:\Users\admin\AppData\Local\Temp\0308\final.txt | text | 4BA78AEF772F03BD04914DE9D47BF35F | 9951DC5589B2ECD16587482EDB281170D4E81B6A6BE4D0DA52616630AB7E763A
2124 | vshost.exe | C:\Users\admin\AppData\Local\Temp\0308\final.txt | text | 4BA78AEF772F03BD04914DE9D47BF35F | 9951DC5589B2ECD16587482EDB281170D4E81B6A6BE4D0DA52616630AB7E763A
2956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.40911\vshost.exe | executable | AFA8A8FF2A9EB5DDB9B001AE0602483A | BAA41840B1D9A12FFC084EF3B557B5357561AC7E58759B788D7570657174BABC
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3020 | vshost.exe | GET | 200 | 158.69.62.243:80 | http://workinmemory.com/uploads/procfalse.txt | CA | text | 45.1 Kb | malicious |
3444 | vshost.exe | GET | 200 | 158.69.62.243:80 | http://workinmemory.com/uploads/procfalse.txt | CA | text | 45.1 Kb | malicious |
2640 | vshost.exe | GET | 200 | 158.69.62.243:80 | http://workinmemory.com/uploads/procfalse.txt | CA | text | 45.1 Kb | malicious |
2124 | vshost.exe | GET | 200 | 158.69.62.243:80 | http://workinmemory.com/uploads/procfalse.txt | CA | text | 45.1 Kb | malicious |
3444 | vshost.exe | GET | 200 | 158.69.62.243:80 | http://workinmemory.com/uploads/procfalse.txt | CA | text | 45.1 Kb | malicious |
2640 | vshost.exe | GET | 200 | 158.69.62.243:80 | http://workinmemory.com/uploads/proctrue.txt | CA | text | 1.62 Kb | malicious |
3776 | vshost.exe | GET | 200 | 158.69.62.243:80 | http://workinmemory.com/uploads/proctrue.txt | CA | text | 1.62 Kb | malicious |
3776 | vshost.exe | GET | 200 | 158.69.62.243:80 | http://workinmemory.com/uploads/procfalse.txt | CA | text | 45.1 Kb | malicious |
3020 | vshost.exe | GET | 200 | 158.69.62.243:80 | http://workinmemory.com/uploads/procfalse.txt | CA | text | 45.1 Kb | malicious |
2640 | vshost.exe | GET | 200 | 158.69.62.243:80 | http://workinmemory.com/uploads/procfalse.txt | CA | text | 45.1 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2640 | vshost.exe | 158.69.62.243:80 | workinmemory.com | OVH SAS | CA | suspicious |
3020 | vshost.exe | 158.69.62.243:80 | workinmemory.com | OVH SAS | CA | suspicious |
3444 | vshost.exe | 158.69.62.243:80 | workinmemory.com | OVH SAS | CA | suspicious |
3776 | vshost.exe | 158.69.62.243:80 | workinmemory.com | OVH SAS | CA | suspicious |
2124 | vshost.exe | 158.69.62.243:80 | workinmemory.com | OVH SAS | CA | suspicious |
Domain | IP | Reputation
---|---|---|
workinmemory.com | | malicious