File name: | RW.rar |
Full analysis: | https://app.any.run/tasks/8a7bccb5-f2ae-44ea-bf41-2cbac0d0e7fa |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 14:31:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | 2C65DA7DB8D78C9C024E8C8E4853530C |
SHA1: | 230FF8449F35C12317F22B996A50BCB4083B5CFC |
SHA256: | 7FF71E4E853DF009F93A0E174EADBFD1E419C6A86F8FEBA2289FD7625E23BC3A |
SSDEEP: | 98304:vGayOq9LV6tJLaGSarg1wAGxH042kQrYpveZbTFgRe:6n6vLaGmGxHckQrfRTqRe |
Extension | Identification
---|---
.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
Field | Value
---|---
ArchivedFileName | phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe
PackingMethod | Normal
ModifyDate | 2010:09:20 13:05:28
OperatingSystem | Win32
UncompressedSize | 6664704
CompressedSize | 3937517
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3972 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RW.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | | |
3664 | "C:\Users\admin\Desktop\phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe" | C:\Users\admin\Desktop\phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe | — | explorer.exe
User: admin; Company: Hazar & Co.; Integrity Level: MEDIUM; Description: RemoveWAT; Exit code: 3221226540; Version: 2.2.6.0 | | | |
2056 | "C:\Users\admin\Desktop\phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe" | C:\Users\admin\Desktop\phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe | | explorer.exe
User: admin; Company: Hazar & Co.; Integrity Level: HIGH; Description: RemoveWAT; Version: 2.2.6.0 | | | |
1928 | "C:\Windows\System32\taskkill.exe" /f /im explorer.exe | C:\Windows\System32\taskkill.exe | — | RemoveWAT.2.2.7.0.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Terminates Processes; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
1540 | "C:\Windows\system32\wusa.exe" "C:\Windows\wat.MSU" /quiet | C:\Windows\system32\wusa.exe | — | RemoveWAT.2.2.7.0.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Update Standalone Installer; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2288 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe
User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
996 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000334" "000005A0" | C:\Windows\system32\DrvInst.exe | — | svchost.exe
User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Driver Installation Module; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
1464 | "C:\Windows\System32\cmd.exe" /c taskkill /f /im WatAdminSvc.exe & taskkill /f /im WatUX.exe | C:\Windows\System32\cmd.exe | — | RemoveWAT.2.2.7.0.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 128; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3400 | taskkill /f /im WatAdminSvc.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Terminates Processes; Exit code: 128; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2644 | taskkill /f /im WatUX.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Terminates Processes; Exit code: 128; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1540 | wusa.exe | C:\f1710cad26178daefdb9\$dpx$.tmp\3320481daad83f43bbcb0720800b4bf9.tmp | — | — | —
1540 | wusa.exe | C:\f1710cad26178daefdb9\$dpx$.tmp\b2f86fcdd7266b4c8b272c170b8cad72.tmp | — | — | —
1540 | wusa.exe | C:\f1710cad26178daefdb9\$dpx$.tmp\b537927743924141a77c6971e4c6b4d7.tmp | — | — | —
1540 | wusa.exe | C:\f1710cad26178daefdb9\$dpx$.tmp\4133cfe071ba814aac08a0fe17b52f3e.tmp | — | — | —
1540 | wusa.exe | C:\f1710cad26178daefdb9\WSUSSCAN.cab | compressed | 63B344025100243B997D5E2756A11F7A | 9B3FC7CAC1E02935F5D59D96D76844780DCCAE81CCC275FB0847A81E5BDB8594
3972 | WinRAR.exe | C:\Users\admin\Desktop\phanmem47.com--RemoveWAT.2.2.7\RemoveWAT.2.2.7.0.exe | executable | BFACF78644CA41FD6D4B23976E7574A1 | 94A1A26F61B015C2CED2FD50BDBA4070B6C9AEC7D2938FBF7EB9E99960D3B7A9
996 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 76DCC60F78B3DFF1AE3627619074F465 | 18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
996 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | 5AF9DD2528CCE65C77B85477196B1AC0 | 5517E317EA36E906FBDA70F77D4058A0BC806D1A3E6FF4A1F859DF597E1DEDDD
1540 | wusa.exe | C:\f1710cad26178daefdb9\Windows6.1-KB971033-x86.cab | compressed | 12BEBE43FBEBB6F9E8FA25330D73824D | 8CAAE7D64047F6DFC72FA92628E44899C12338FE4E5DBDF098960405E87EE1C0
1540 | wusa.exe | C:\f1710cad26178daefdb9\Windows6.1-KB971033-x86-pkgProperties.txt | text | 2A935916F7EA88AA5EE735B1775C228E | D71B35046C13D0638ADBC20F5D9835E5E363AE685E23CECC3A47E66C79510337