File name: asd.rar
Full analysis: https://app.any.run/tasks/27faf987-c1bb-45e5-a9ea-162da10c1e3c
Verdict: Malicious activity
Analysis date: February 27, 2019, 04:54:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: EDA548842B2719497B385E67A6924C04
SHA1: 9A1967B0C58B488946AC0C0CDA3211C5A24D44E0
SHA256: AC490A968F3102015026984BD549520652B88E65C4F35851255F7C8DA12C1A0B
SSDEEP: 24576:IBOIB+XKHjfaOJAbflzzq4ZQUb0E2ejzHKncR:VM+6TaH9vQPE2ejzHKcR
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ROBOCOPY.exe (PID: 1824)
  • SUSPICIOUS

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 560)
      • cmd.exe (PID: 2676)
      • cmd.exe (PID: 3760)
      • cmd.exe (PID: 3460)
    • Application launched itself

      • cmd.exe (PID: 3700)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3700)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3480)
    • Executes scripts

      • WinRAR.exe (PID: 3480)
  • INFO

    • Application crashed

      • ROBOCOPY.exe (PID: 1824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD:
  .rar | RAR compressed archive (v5.0) (61.5)
  .rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 57
Monitored processes: 23
Malicious processes: 2
Suspicious processes: 0

Behavior graph (processes in the order the report draws them; entries the report marks "no specs" carry no extra indicators):

start, winrar.exe, wscript.exe, cmd.exe, mountvol.exe, then four repetitions of the group cmd.exe, reg.exe, find.exe, findstr.exe, then wscript.exe, robocopy.exe, wscript.exe

Process information (the page lists 10 of the 23 monitored processes, sorted by PID; "Parent process" is the parent image name as reported)

PID: 560
CMD: C:\Windows\system32\cmd.exe /c REG Query "HKLM\SYSTEM\MountedDevices" /s | FIND "\DosDevices\" | FINDSTR /R /E /C:" 5F[0-9A-F]*"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID: 1380
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3480.29447\system.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images): c:\windows\system32\wscript.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\lpk.dll

PID: 1824
CMD: "C:\Users\admin\Desktop\ROBOCOPY.exe"
Path: C:\Users\admin\Desktop\ROBOCOPY.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: robocopy
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; this is the "Application crashed" indicator)
Version: 5, 1, 10, 1027
Modules (images): c:\users\admin\desktop\robocopy.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\mfc42u.dll, c:\windows\system32\user32.dll

PID: 2320
CMD: REG Query "HKLM\SYSTEM\MountedDevices" /s
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\reg.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 2324
CMD: MOUNTVOL /R
Path: C:\Windows\system32\mountvol.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Mount Volume Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\mountvol.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\imm32.dll

PID: 2436
CMD: FIND "\DosDevices\"
Path: C:\Windows\system32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (grep) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\find.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\ulib.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\advapi32.dll

PID: 2436 (the report lists a second process under the same PID, i.e. the PID was reused during the run)
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\system.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images): c:\windows\system32\imm32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\usp10.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\ulib.dll, c:\windows\system32\kernelbase.dll, c:\systemroot\system32\ntdll.dll, c:\windows\system32\wscript.exe, c:\windows\system32\kernel32.dll, c:\windows\system32\msvcrt.dll

PID: 2536
CMD: FINDSTR /R /E /C:" 5F[0-9A-F]*"
Path: C:\Windows\system32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\findstr.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\usp10.dll, c:\windows\system32\imm32.dll

PID: 2612
CMD: "C:\Windows\System32\wscript.exe" \DEVICE\system\folder\start.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.8.7600.16385
Modules (images): c:\windows\system32\wscript.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 2676
CMD: C:\Windows\system32\cmd.exe /c REG Query "HKLM\SYSTEM\MountedDevices" /s | FIND "\DosDevices\" | FINDSTR /R /E /C:" 5F[0-9A-F]*"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\systemroot\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\user32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

Reading the exit codes: FIND (PID 2436) returned 0, so the MountedDevices dump did contain \DosDevices\ entries, but FINDSTR (PID 2536) returned 1, which for FINDSTR means no line matched; cmd.exe /c (PIDs 560, 2676) passes that 1 through. In this sandbox run, therefore, the query found no volume whose REG_BINARY data begins with 5F, which is the pattern of a USB mass-storage device path (the UTF-16LE "_" of "_??_USBSTOR#..."). The last wscript.exe (PID 2612) was given a script path with no drive letter, \DEVICE\system\folder\start.vbs, and exited 1; read together with the failed query, that is consistent with a drive-letter placeholder that was never filled in because no removable drive was present, although the report does not show the script source to confirm it.
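The command lines above are the most reusable part of this report. The following is an added worked example, not part of the ANY.RUN report and not the sample's own code: it reproduces what the REG Query | FIND | FINDSTR pipeline selects (and decodes the registry data so the reason is visible), then runs three process-creation rules over events built from the report's own process table. The REG Query output, the hex blobs in it, and the event field names (modelled on Sysmon Event ID 1) are constructed assumptions; the PIDs, images, parents and command lines are copied from the report.

```python
"""Added example (not from the ANY.RUN report). Two parts:

usb_drive_letters() reproduces the selection made by the sample's pipeline
    REG Query "HKLM\\SYSTEM\\MountedDevices" /s | FIND "\\DosDevices\\" | FINDSTR /R /E /C:" 5F[0-9A-F]*"
FINDSTR /E anchors the pattern at end of line, so a line only matches when its
REG_BINARY data starts with 5F. Bytes 5F 00 are the UTF-16LE '_' that opens the
'_??_USBSTOR#...' device path Windows stores for USB mass-storage volumes; fixed
disks get a 12-byte disk-signature+offset blob instead. The pipeline therefore
prints the drive letters of attached USB drives.

detect() runs three rules over process-creation events (field names are an
assumption, modelled on Sysmon Event ID 1; values come from the report).
"""
import re
from typing import Dict, List, Tuple

# Constructed REG Query output. Illustrative hex, not taken from the report.
USB_PATH = "_??_USBSTOR#Disk&Ven_Example&Prod_Flash#0123456789&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
SAMPLE_REG_OUTPUT = "\n".join([
    "HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices",
    "    \\DosDevices\\C:    REG_BINARY    E8D2FE0300007E0000000000",
    "    \\DosDevices\\D:    REG_BINARY    " + USB_PATH.encode("utf-16-le").hex().upper(),
    "    \\??\\Volume{2f1a9d0e-0000-0000-0000-100000000000}    REG_BINARY    E8D2FE0300007E0000000000",
])

LINE_RE = re.compile(r"\\DosDevices\\([A-Z]):\s+REG_BINARY\s+([0-9A-F]+)\s*$")


def decode_mounted_device(hex_data: str) -> str:
    """Show a MountedDevices value the way an analyst reads it: UTF-16LE device
    paths are decoded, anything else is reported as an opaque binary blob."""
    raw = bytes.fromhex(hex_data)
    looks_utf16 = (len(raw) % 2 == 0 and len(raw) > 0
                   and all(b == 0 for b in raw[1::2])          # high bytes are NUL
                   and all(32 <= b < 127 for b in raw[0::2]))  # low bytes printable
    return raw.decode("utf-16-le") if looks_utf16 else "binary:" + hex_data


def usb_drive_letters(reg_output: str) -> List[str]:
    """Drive letters whose MountedDevices data begins with 5F, exactly the lines
    the sample's FIND | FINDSTR pipeline leaves on stdout."""
    return [m.group(1)
            for m in map(LINE_RE.search, reg_output.splitlines())
            if m and m.group(2).startswith("5F")]


# Process-creation events built from the report's process table.
EVENTS: List[Dict] = [
    {"pid": 560, "image": r"C:\Windows\system32\cmd.exe", "parent": "cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c REG Query "HKLM\SYSTEM\MountedDevices" /s | FIND "\DosDevices\" | FINDSTR /R /E /C:" 5F[0-9A-F]*"'},
    {"pid": 1380, "image": r"C:\Windows\System32\WScript.exe", "parent": "WinRAR.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3480.29447\system.vbs"'},
    {"pid": 2320, "image": r"C:\Windows\system32\reg.exe", "parent": "cmd.exe",
     "cmd": r'REG Query "HKLM\SYSTEM\MountedDevices" /s'},
    {"pid": 2324, "image": r"C:\Windows\system32\mountvol.exe", "parent": "cmd.exe",
     "cmd": "MOUNTVOL /R"},
    {"pid": 2436, "image": r"C:\Windows\System32\WScript.exe", "parent": "explorer.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\system.vbs"'},
    {"pid": 2612, "image": r"C:\Windows\System32\wscript.exe", "parent": "explorer.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" \DEVICE\system\folder\start.vbs'},
]

# WinRAR's temp directory for files opened straight out of an archive.
RAR_TEMP_RE = re.compile(r"\\Rar\$[A-Za-z]+\d+\.\d+\\")
# An argument starting with a single backslash: root-relative, no drive letter,
# not a \\server UNC path. Matches the report's \DEVICE\system\folder\start.vbs.
DRIVELESS_ARG_RE = re.compile(r'(?:^|\s)"?\\(?!\\)')


def _args(cmd: str) -> str:
    """Strip the (optionally quoted) image token, leaving the arguments."""
    if cmd.startswith('"'):
        return cmd[cmd.find('"', 1) + 1:].lstrip()
    return cmd.split(" ", 1)[1] if " " in cmd else ""


def detect(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every event that trips a rule."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd, args = ev["cmd"], _args(ev["cmd"])
        if image in ("cmd.exe", "reg.exe") and "mounteddevices" in cmd.lower():
            findings.append((ev["pid"], "queries HKLM\\SYSTEM\\MountedDevices (removable-volume discovery)"))
        if image in ("wscript.exe", "cscript.exe"):
            if RAR_TEMP_RE.search(args):
                findings.append((ev["pid"], "script run straight from WinRAR's temp extraction directory"))
            if DRIVELESS_ARG_RE.search(args):
                findings.append((ev["pid"], "script path has no drive letter"))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_REG_OUTPUT.splitlines():
        m = LINE_RE.search(line)
        if m:
            print(m.group(1) + ":", decode_mounted_device(m.group(2)))
    print("USB drive letters:", usb_drive_letters(SAMPLE_REG_OUTPUT))
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

On the constructed data the pipeline yields only D:, the USB volume; on the report's events the rules flag PIDs 560, 1380, 2320 and 2612 and stay silent on the Desktop-launched system.vbs (PID 2436) and on MOUNTVOL. MOUNTVOL /R is documented to remove mount-point directories and registry entries for volumes no longer present, so running it first means the subsequent MountedDevices query lists only currently attached volumes; in a rule set it is worth treating cmd.exe spawning MOUNTVOL /R followed by a MountedDevices query as one sequence rather than two unrelated events.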
Total events: 497
Read events: 481
Write events: 16
Delete events: 0

Modification events (all by PID 3480, WinRAR.exe; every operation is a write)

Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes; Name: ShellExtBMP; Value: (blank in report)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes; Name: ShellExtIcon; Value: (blank in report)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E; Name: LanguageList; Value: en-US
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory; Name: 0; Value: C:\Users\admin\AppData\Local\Temp\asd.rar
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths; Name: name; Value: 120
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths; Name: size; Value: 80
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths; Name: type; Value: 120
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths; Name: mtime; Value: 100
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E; Name: @C:\Windows\System32\acppage.dll,-6003; Value: Windows Command Script
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E; Name: @C:\Windows\System32\wshext.dll,-4802; Value: VBScript Script File
Executable files: 2
Suspicious files: 9
Text files: 23
Unknown types: 1

Dropped files (all written by PID 3480, WinRAR.exe)

C:\Users\admin\AppData\Local\Temp\Rar$DIa3480.29447\system.vbs (text)
  MD5: DF5EC9CB8CA7B5BE1F066CDE5707FBC8
  SHA256: 6F04F9F40C22ECDD838F8289B06652990E21F5E360107F52436A8DF660AE889B
C:\Users\admin\AppData\Local\Temp\Rar$DRa3480.29972\asd\Apps\LPDB.xml (text)
  MD5: 3CE2298CB1779CFC7D109EC10BFBB9C3
  SHA256: 63108C1A9E3E85C73F4FE2917FAEA654781200F4D55E4018D595587AD4540B96
C:\Users\admin\AppData\Local\Temp\Rar$DRa3480.29972\asd\browser\bookmark\Facebook - Inici.url (text)
  MD5: 4E9C3007C887C600141DA95C745C7B15
  SHA256: 379965EBA3D8BDF90B06E3CA40995EDF14B3DA7AE04DDEB2F8418ED7DE1870CD
C:\Users\admin\AppData\Local\Temp\Rar$DRa3480.29972\asd\drm\__wmdrm_sfs\license.hds (binary)
  MD5: AB9D520BF9E6FEDA5224E716F7A2C572
  SHA256: 3ED690B3DDD7BFB1B09FF3B8D34AC6394239DA30DADF5C4307F6A5A6BF8AC0B6
C:\Users\admin\AppData\Local\Temp\Rar$DRa3480.29972\asd\folder\start.vbs (text)
  MD5: 5F1A3AF7138E767AD3741893E6A623B0
  SHA256: C13A5500F8AC907D8D802298704E2428C1A83FCAA4F89715FD50484D19D02EB3
C:\Users\admin\AppData\Local\Temp\Rar$DRa3480.29972\asd\NOMINA_PIU_BELLA_2016\Cesta Ticket FEBRERO 2016 piu bella.xls (document)
  MD5: 276A1564778DDCBC3F7F1CFDA5D46F6D
  SHA256: F05F0608913C8E9654FE51B453B307D5A290009643380CCA243404722BE9CD47
C:\Users\admin\AppData\Local\Temp\Rar$DRa3480.29972\asd\NOMINA_PIU_BELLA_2016\informes Seniat Piu Bella Sept 2016\BanescOnline lunes, 12 de febrero de 2018 14_14_11 993 pm.html (html)
  MD5: BF5E78E92EC50B38644C9831BB96734A
  SHA256: 0E8AF69FE0F1E3F692FF437836C3076FFB2E934B3F9D0E5EBAB5F2966DFF90DD
C:\Users\admin\AppData\Local\Temp\Rar$DRa3480.29972\asd\NOMINA_PIU_BELLA_2016\CESTA_TICKET_PIU_BELLA_NOVIEMBRE_2017.xlsx (document)
  MD5: 66DF0DE1BDFCD02A5E1C08F0DBFE2295
  SHA256: 229CB8C94DAC5B0C28B4BD484AB22DE5A0AC981B9DCDCB4DD85D29E062CC0807
C:\Users\admin\AppData\Local\Temp\Rar$DRa3480.29972\asd\Apps\LPGDB.xml (text)
  MD5: F7029470C36B7F2D0D7AF42169ED763F
  SHA256: 2287AC3488372D101AFCC41D820C627102F061351437F912CB27855BC73A7223
C:\Users\admin\AppData\Local\Temp\Rar$DRa3480.29972\asd\folder\min.vbs (text)
  MD5: BF6EDBAFE9E334097C93E9F6D828498A
  SHA256: 295230B4665BB04B8CAFB2D8CDDEFED911AFDE45B21C4682C38947C1767EC43A

Note that system.vbs is the file WinRAR handed to wscript.exe (PID 1380), while start.vbs and min.vbs, together with the user documents, bookmarks and DRM license under asd\, were extracted to a separate Rar$DRa directory; the report shows only 10 of the 35 files it counted.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: none
Connections: no data
DNS requests: no data
Threats: none detected
No debug info