General Info

File name

3C722F99DF5D1018DCD361D8DEB5CDC425C725EDBEB0A688D62F1B6C67ABD22C.zip

Full analysis
https://app.any.run/tasks/3b10ec13-1f0c-4e5d-b803-d1c9df799224
Verdict
Malicious activity
Analysis date
12/2/2019, 18:25:32
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

e157a53f006d70e6e80e4fad75bd150e

SHA1

e96210b19be3a77aa0e430c2426f4e12cdd30a65

SHA256

9556872f594f32f07ea1a045c7c303f33666c0d144b1451a122fa95883c061b1

SSDEEP

196608:z99dwPPvn8RlkLiy8spcuMFzPSXh99VAexciLnHxuRWB9u:zpwP3ulJiM9KXh9VucB8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
on
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • a.exe (PID: 3128)
  • Pago Haberes y Recaudaciones Suc.exe (PID: 2176)
Application was dropped or rewritten from another process
  • a.exe (PID: 3128)
  • Pago Haberes y Recaudaciones Suc.exe (PID: 2176)
Executable content was dropped or overwritten
  • a.exe (PID: 3128)
Creates files in the user directory
  • a.exe (PID: 3128)
  • Pago Haberes y Recaudaciones Suc.exe (PID: 2176)
Manual execution by user
  • a.exe (PID: 3128)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0009
ZipCompression:
Deflated
ZipModifyDate:
2019:12:02 16:55:00
ZipCRC:
0xdaab3608
ZipCompressedSize:
8745137
ZipUncompressedSize:
12341332
ZipFileName:
3C722F99DF5D1018DCD361D8DEB5CDC425C725EDBEB0A688D62F1B6C67ABD22C

Processes

Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Graph nodes: winrar.exe (no specs), a.exe, pago haberes y recaudaciones suc.exe (no specs); edge labels: start, drop and start.

Process information

PID
388
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\3C722F99DF5D1018DCD361D8DEB5CDC425C725EDBEB0A688D62F1B6C67ABD22C.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3128
CMD
"C:\Users\admin\Desktop\a.exe"
Path
C:\Users\admin\Desktop\a.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Cameyo (cameyo.com)
Description
Version
2, 6, 1209, 0
Modules
Image
c:\users\admin\desktop\a.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\activeds.dll
c:\windows\system32\adsldpc.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\atl.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\clbcatq.dll
c:\users\admin\appdata\roaming\vos\pago haberes y recaudaciones suc\appvirtdll_pago haberes y recaudaciones suc.dll
c:\windows\system32\psapi.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\vos\pago haberes y recaudaciones suc\pago haberes y recaudaciones suc.exe

PID
2176
CMD
"C:\Program Files\Pago Haberes por Empresas (Suc.)\BPSSucursal.exe"
Path
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\Pago Haberes y Recaudaciones Suc.exe
Indicators
No indicators
Parent process
a.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\vos\pago haberes y recaudaciones suc\pago haberes y recaudaciones suc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\vos\pago haberes y recaudaciones suc\appvirtdll_pago haberes y recaudaciones suc.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\version.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\system\ole db\oledb32.dll
c:\windows\system32\bcrypt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\system\ole db\oledb32r.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\atl.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\msjetoledb40.dll
c:\windows\system32\msjet40.dll
c:\windows\system32\mswstr10.dll
c:\windows\system32\msjter40.dll
c:\windows\system32\msjint40.dll
c:\windows\system32\msrd3x40.dll
c:\windows\system32\msjtes40.dll
c:\windows\system32\vbajet32.dll
c:\windows\system32\expsrv.dll
c:\program files\common files\system\msadc\msadce.dll
c:\program files\common files\system\msadc\msadcer.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

Registry activity

Total events
539
Read events
506
Write events
31
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
388
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
LanguageList
en-US
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\3C722F99DF5D1018DCD361D8DEB5CDC425C725EDBEB0A688D62F1B6C67ABD22C.zip
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000A20102000000000039000000B40200000000000001000000
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C800000000000000000000000000AC01020000000000160000002A0000000000000002000000
388
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C800000000000000000000000000260104000000000016000000640000000000000003000000
3128
a.exe
delete key
\REGISTRY\A\{527B1874-405A-4DD0-9149-CCA5860D91AB}\MyTest.3808125
3128
a.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
BaseDirName
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc
3128
a.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
CarrierExeName
C:\Users\admin\Desktop\a.exe
2176
Pago Haberes y Recaudaciones Suc.exe
delete key
\REGISTRY\A\{527B1874-405A-4DD0-9149-CCA5860D91AB}\MyTest.3808343
2176
Pago Haberes y Recaudaciones Suc.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
DataIntegrity
+8208|0|0||c_\BPSArchivos>
2176
Pago Haberes y Recaudaciones Suc.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
DataIntegrity
+8208|0|0||c_\BPSArchivos>+8480|0|0||%Local AppData%\Temp\JET1D9F.tmp>
2176
Pago Haberes y Recaudaciones Suc.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
DataIntegrity
+8208|0|0||c_\BPSArchivos>+8480|0|0||%Local AppData%\Temp\JET1D9F.tmp>X%Program Files%\Pago Haberes por Empresas (Suc.)>
2176
Pago Haberes y Recaudaciones Suc.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
DataIntegrity
+8208|0|0||c_\BPSArchivos>+8480|0|0||%Local AppData%\Temp\JET1D9F.tmp>X%Program Files%\Pago Haberes por Empresas (Suc.)>X%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>
2176
Pago Haberes y Recaudaciones Suc.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
DataIntegrity
+8208|0|0||c_\BPSArchivos>+8480|0|0||%Local AppData%\Temp\JET1D9F.tmp>X%Program Files%\Pago Haberes por Empresas (Suc.)>X%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>+8224|0|0||%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>
2176
Pago Haberes y Recaudaciones Suc.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
DataIntegrity
+8208|0|0||c_\BPSArchivos>+8480|0|0||%Local AppData%\Temp\JET1D9F.tmp>X%Program Files%\Pago Haberes por Empresas (Suc.)>X%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>+8224|0|0||%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>+8224|0|0||%Local AppData%\Temp\JET1E4B.tmp>
2176
Pago Haberes y Recaudaciones Suc.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
DataIntegrity
+8208|0|0||c_\BPSArchivos>+8480|0|0||%Local AppData%\Temp\JET1D9F.tmp>X%Program Files%\Pago Haberes por Empresas (Suc.)>X%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>+8224|0|0||%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>+8224|0|0||%Local AppData%\Temp\JET1E4B.tmp>+8224|0|0||%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.ldb>
2176
Pago Haberes y Recaudaciones Suc.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
DataIntegrity
+8208|0|0||c_\BPSArchivos>+8480|0|0||%Local AppData%\Temp\JET1D9F.tmp>X%Program Files%\Pago Haberes por Empresas (Suc.)>X%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>+8224|0|0||%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>+8224|0|0||%Local AppData%\Temp\JET1E4B.tmp>+8224|0|0||%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.ldb>+8224|0|0||%Local AppData%\Temp\~DFCC65F93589D25DAD.TMP>
2176
Pago Haberes y Recaudaciones Suc.exe
write
HKEY_CURRENT_USER\Software\VOS\Pago Haberes y Recaudaciones Suc
DataIntegrity
+8208|0|0||c_\BPSArchivos>+8480|0|0||%Local AppData%\Temp\JET1D9F.tmp>X%Program Files%\Pago Haberes por Empresas (Suc.)>X%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>+8224|0|0||%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb>+8224|0|0||%Local AppData%\Temp\JET1E4B.tmp>+8224|0|0||%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.ldb>+8224|0|0||%Local AppData%\Temp\~DFCC65F93589D25DAD.TMP>-%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.ldb>

Files activity

Executable files
4
Suspicious files
13
Text files
0
Unknown types
5

Dropped files

PID
Process
Filename
Type
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\AppVirtDll64_Pago Haberes y Recaudaciones Suc.dll
executable
MD5: 93cb87cac5eb94f7184a8cadb46dfd0a
SHA256: be2cdcbf5978f04e7fe70b9e979f669d223a7c4c5fdbe41e9cdea760573e0abf
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\Pago Haberes y Recaudaciones Suc64.exe
executable
MD5: 9d62ac69db3ce3de39072b95f5756df1
SHA256: cf6833b7f0364c9c44ef5f6995201c9469dc958105980c30f277c12971d4f687
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\Pago Haberes y Recaudaciones Suc.exe
executable
MD5: 48ab17ba2376cacb65f7605e1a6d6dbd
SHA256: 3c8494fa94388bf94cf4a7f5da05728ec507680ed30127e561474d441893c05a
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\AppVirtDll_Pago Haberes y Recaudaciones Suc.dll
executable
MD5: b3cf339813c5d1b4c9e5b5f514bfa1d0
SHA256: 5534b2a92bdabfaa2f13522a6361f199b4c8790ce9a26493d8582b54b998e2d5
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\VirtReg.Prog.dat
hiv
MD5: 6ad12db8577be1c16d3ed6f2f2a32193
SHA256: acd18e088a1fdcc397cf3ab2369afc52c6615394fa342d3fdbd0c4536b3e7edf
2176
Pago Haberes y Recaudaciones Suc.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\SandboxCfg.db.2104.tmp
––
MD5:  ––
SHA256:  ––
2176
Pago Haberes y Recaudaciones Suc.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\CHANGES\VirtFiles.db
binary
MD5: 9de85c85f46ef9303d5d843590c15600
SHA256: 2336db5fdc811eb21b01bdc7d84fb02ac1fa8d0279f409720c8e359c6b3b57e0
2176
Pago Haberes y Recaudaciones Suc.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\CHANGES\VirtFiles.db.2104.tmp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\SandboxCfg.db
binary
MD5: 83de5d8641711be6ff4947ef61ceee3a
SHA256: 8add5134f17e9e0ee2031a7326297c27e4bb971ec3301f9cf9630c0193af72ae
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\CHANGES\VirtFiles.db
binary
MD5: 9de85c85f46ef9303d5d843590c15600
SHA256: 2336db5fdc811eb21b01bdc7d84fb02ac1fa8d0279f409720c8e359c6b3b57e0
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\SandboxCfg.db.3148.tmp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\CHANGES\VirtFiles.db.3148.tmp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\EngineStamps\ZipCache.20140625-182934.674.stamp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\ZipCache
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\CHANGES\VirtReg.Base.dat
hiv
MD5: 6ad12db8577be1c16d3ed6f2f2a32193
SHA256: acd18e088a1fdcc397cf3ab2369afc52c6615394fa342d3fdbd0c4536b3e7edf
388
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRb388.7015\3C722F99DF5D1018DCD361D8DEB5CDC425C725EDBEB0A688D62F1B6C67ABD22C
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\CHANGES\VirtReg.dat
––
MD5:  ––
SHA256:  ––
2176
Pago Haberes y Recaudaciones Suc.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\CHANGES\%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.ldb
––
MD5:  ––
SHA256:  ––
2176
Pago Haberes y Recaudaciones Suc.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\CHANGES\%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb
mdb
MD5: 2e963a261baa2deea6f819ccea1e5c58
SHA256: 16d4456d2b6542159084c81c389e72922716aa9d7bffcda5306ec609aeba2ff2
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\VirtFiles.Prog.db
binary
MD5: 9de85c85f46ef9303d5d843590c15600
SHA256: 2336db5fdc811eb21b01bdc7d84fb02ac1fa8d0279f409720c8e359c6b3b57e0
2176
Pago Haberes y Recaudaciones Suc.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\PROG\%Program Files%\Pago Haberes por Empresas (Suc.)\BPSSucursal.mdb
mdb
MD5: 2e963a261baa2deea6f819ccea1e5c58
SHA256: 16d4456d2b6542159084c81c389e72922716aa9d7bffcda5306ec609aeba2ff2
2176
Pago Haberes y Recaudaciones Suc.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\SandboxCfg.db
binary
MD5: 83de5d8641711be6ff4947ef61ceee3a
SHA256: 8add5134f17e9e0ee2031a7326297c27e4bb971ec3301f9cf9630c0193af72ae
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\EngineStamps\VirtReg.Prog.dat.20140630-174023.847.stamp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\EngineStamps\SandboxCfg.db.20140625-182934.644.stamp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\EngineStamps\Pago Haberes y Recaudaciones Suc64.exe.20140625-182934.634.stamp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\EngineStamps\VirtFiles.Prog.db.20140630-174023.811.stamp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\EngineStamps\Pago Haberes y Recaudaciones Suc.exe.20140625-182934.634.stamp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\EngineStamps\AppVirtDll64_Pago Haberes y Recaudaciones Suc.dll.20140625-182934.424.stamp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\EngineStamps\AppVirtDll_Pago Haberes y Recaudaciones Suc.dll.20140625-182934.274.stamp
––
MD5:  ––
SHA256:  ––
3128
a.exe
C:\Users\admin\AppData\Roaming\VOS\Pago Haberes y Recaudaciones Suc\VirtApp.ini
binary
MD5: 4b06baed60e297bfc63074b4c29f06cc
SHA256: 7e311fe96e9c214e2668ec85dd9f32aab25c33c6dfac0d9a340559d95b53dbb2
3128
a.exe
C:\Users\admin\AppData\Local\Temp\~DF3F809D3314E6A7FA.TMP
––
MD5:  ––
SHA256:  ––

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.