| Field | Value |
|---|---|
| File name | a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657.zip |
| Full analysis | https://app.any.run/tasks/608ea44d-80d1-4369-bf16-481daca724da |
| Verdict | Malicious activity |
| Analysis date | March 21, 2019, 15:14:56 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | C35EEC2AED4374F08E77C6977DBCAB0D |
| SHA1 | DA4561D4A7AC4137C3872BAC409C42DE180120BC |
| SHA256 | 85D5E2F2741C62865E78B8C5B278FED0D3B0754B828EEF5CF3BE1EF994E768B2 |
| SSDEEP | 3072:QTH40m+zT0W+sLbOizrkMHFVkdeI1EMAPv93fH4CKYRdJkZsH:QTH4/9smKFHFCdeI1EMyv9vH5UW |
| Extension | Detected type (confidence) |
|---|---|
| .zip | ZIP compressed archive (100) |

| ZIP header field | Value |
|---|---|
| ZipRequiredVersion | 788 |
| ZipBitFlag | 0x0801 |
| ZipCompression | Deflated |
| ZipModifyDate | 2019:03:21 16:14:22 |
| ZipCRC | 0xbab31749 |
| ZipCompressedSize | 174071 |
| ZipUncompressedSize | 335872 |
| ZipFileName | a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657.bin.exe |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2668 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 2992 | "C:\Users\admin\Desktop\a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657.bin.exe" | C:\Users\admin\Desktop\a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657.bin.exe | | explorer.exe | User: admin; Integrity Level: HIGH; Description: INTevATiOn GmbH; Exit code: 0; Version: 1.00 |
| 2228 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" | C:\Windows\System32\WScript.exe | — | a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657.bin.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3940 | "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\Rem4\Rem4.exe" | C:\Windows\System32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 2572 | C:\Users\admin\AppData\Roaming\Rem4\Rem4.exe | C:\Users\admin\AppData\Roaming\Rem4\Rem4.exe | | cmd.exe | User: admin; Integrity Level: HIGH; Description: INTevATiOn GmbH; Version: 1.00 |
| 3460 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe | — | Rem4.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Host Process for Windows Services; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2668 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2668.31807\a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657.bin.exe | — | — | — |
| 2992 | a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657.bin.exe | C:\Windows\win.ini | text | 8E6100FAA270F8B935EBBA91AE814491 | 293B109535400CDD3EB36C8A47DCDDA245E8F48200AA59BFDDB21D105923E93B |
| 2992 | a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657.bin.exe | C:\Users\admin\AppData\Local\Temp\install.vbs | binary | 7EEF6231B6DF38AD85DCC06804F81894 | A1148C3A9F2BF85A86D78FE7C8948F8505DFBE5D599AD5FF9808B94F81247E3A |
| 2572 | Rem4.exe | C:\Users\admin\AppData\Roaming\Rem4\logs.dat | binary | E4328DAA7A4A64BCAC75EC28F9FE45A9 | 858BB4F5680BDFFBE480A850FBB7B0660F11BA026B3D2AED67B3F9ABBCB5A3C9 |
| 3460 | svchost.exe | C:\Windows\win.ini | text | 8E6100FAA270F8B935EBBA91AE814491 | 293B109535400CDD3EB36C8A47DCDDA245E8F48200AA59BFDDB21D105923E93B |
| 2572 | Rem4.exe | C:\Windows\win.ini | text | 8E6100FAA270F8B935EBBA91AE814491 | 293B109535400CDD3EB36C8A47DCDDA245E8F48200AA59BFDDB21D105923E93B |
| 2992 | a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657.bin.exe | C:\Users\admin\AppData\Roaming\Rem4\Rem4.exe | executable | DB8EDED1CB17508BF05BA4CF87992F0D | A2A97535E15E4C76BF42BB43B5F74B5C5CD601CF402F8F55FAF88729537EC657 |
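Read together, the process table and the file table describe one execution chain. The extracted .bin.exe (PID 2992) writes install.vbs to %TEMP% and writes Rem4.exe to %APPDATA%\Rem4; that dropped file's SHA256 (A2A97535...) is the value the submitted executable is named after, so if the sample follows the usual convention of being named by its own hash, the drop is a byte-identical self-copy. WScript.exe then runs install.vbs, which starts cmd.exe /c with the Rem4.exe path, Rem4.exe starts and writes logs.dat, and Rem4.exe spawns svchost.exe running as the admin user, whereas a legitimate svchost.exe on Windows 7 is started by services.exe under a service account. The Python below is an added example, not part of the ANY.RUN report: it transcribes the rows above into records and runs three detection checks over them (script host to cmd.exe to an executable under AppData; svchost.exe with an unexpected parent; a copy of the sample written under AppData). The record classes, rule names and the set of script hosts are this example's own choices; the report supplies parent names only, not parent PIDs, so the rules match on names.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# SHA256 the submitted sample is named after; the dropped Rem4.exe hashes to the same value.
SAMPLE_SHA256 = "a2a97535e15e4c76bf42bb43b5f74b5c5cd601cf402f8f55faf88729537ec657"
S = SAMPLE_SHA256


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str       # image path as the report lists it
    cmdline: str
    parent: str      # parent image name as the report lists it (no parent PID is given)
    user: str
    integrity: str


@dataclass(frozen=True)
class FileEvent:
    pid: int
    path: str
    sha256: str      # "" where the report shows no hash


# Rows transcribed from the process and file tables of the report.
PROCS = [
    Proc(2668, r"C:\Program Files\WinRAR\WinRAR.exe",
         rf'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\{S}.zip"',
         "explorer.exe", "admin", "MEDIUM"),
    Proc(2992, rf"C:\Users\admin\Desktop\{S}.bin.exe", rf'"C:\Users\admin\Desktop\{S}.bin.exe"',
         "explorer.exe", "admin", "HIGH"),
    Proc(2228, r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs"',
         f"{S}.bin.exe", "admin", "HIGH"),
    Proc(3940, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\Rem4\Rem4.exe"',
         "WScript.exe", "admin", "HIGH"),
    Proc(2572, r"C:\Users\admin\AppData\Roaming\Rem4\Rem4.exe",
         r"C:\Users\admin\AppData\Roaming\Rem4\Rem4.exe", "cmd.exe", "admin", "HIGH"),
    Proc(3460, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe",
         "Rem4.exe", "admin", "HIGH"),
]
FILES = [
    FileEvent(2668, rf"C:\Users\admin\AppData\Local\Temp\Rar$DRb2668.31807\{S}.bin.exe", ""),
    FileEvent(2992, r"C:\Users\admin\AppData\Local\Temp\install.vbs",
              "A1148C3A9F2BF85A86D78FE7C8948F8505DFBE5D599AD5FF9808B94F81247E3A"),
    FileEvent(2992, r"C:\Users\admin\AppData\Roaming\Rem4\Rem4.exe",
              "A2A97535E15E4C76BF42BB43B5F74B5C5CD601CF402F8F55FAF88729537EC657"),
    FileEvent(2572, r"C:\Users\admin\AppData\Roaming\Rem4\logs.dat",
              "858BB4F5680BDFFBE480A850FBB7B0660F11BA026B3D2AED67B3F9ABBCB5A3C9"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # example's own choice of script hosts
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
EXE_PATHS = re.compile(r'"?([a-z]:\\[^"]+?\.exe)"?', re.I)   # every quoted or bare .exe path in a command line


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs: list[Proc], files: list[FileEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) tuples for the three behaviours the report exhibits."""
    findings = []
    for p in procs:
        name = basename(p.image)
        # Rule 1: a script host spawns cmd.exe, which in turn launches an executable from AppData.
        if name == "cmd.exe" and p.parent.lower() in SCRIPT_HOSTS:
            for m in EXE_PATHS.finditer(p.cmdline):
                target = m.group(1)
                if basename(target) != "cmd.exe" and USER_WRITABLE.search(target):
                    findings.append(("script_host_cmd_appdata_exec", p.pid, target))
        # Rule 2: svchost.exe whose parent is not services.exe (here it also runs as a user, not a service account).
        if name == "svchost.exe" and p.parent.lower() != "services.exe":
            findings.append(("svchost_unexpected_parent", p.pid, f"{p.parent} as {p.user}"))
    # Rule 3: an executable under AppData whose hash equals the sample's own (self-install copy).
    for f in files:
        if f.sha256.lower() == SAMPLE_SHA256 and USER_WRITABLE.search(f.path) and f.path.lower().endswith(".exe"):
            findings.append(("self_copy_to_appdata", f.pid, f.path))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, FILES):
        print(f"{rule:30} pid={pid} {detail}")
```

Rule 1 is the one worth porting to an EDR query: cmd.exe with a script-host parent whose command line references an .exe under a user-writable AppData path is rare in normal use and is exactly what install.vbs does here. Rule 3 depends on having the sample's hash at hand, so it fits sandbox post-processing rather than live detection.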
| Domain | IP | Reputation |
|---|---|---|
| allmyfwds.ddns.net | | malicious |