General Info

File name

RemoteAssistant.exe

Full analysis
https://app.any.run/tasks/7314790e-d1aa-4f6c-aa64-5a92dc351d18
Verdict
Malicious activity
Analysis date
11/8/2019, 18:23:03
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 54d52b3dcc18e33d5a23608a7fc289f3
SHA1: 6f84e9940c18d4278fe43d4658ef6d42e4971ec9
SHA256: c49e9382673c45d87e28384b2292de029e104e8be87912061d04301582616a15
SSDEEP: 49152:xlb/PlTGJoMAEkbihgoMQZfd43GsIOHtuTFyNNq2DoLJHIRtYnH7Hn8Apdi5Qddi:vrtTNagoxZ23GsIDsJMLJHTH7HdIN+0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • RemoteAssistant.exe (PID: 3172)
  • Remote Assistant.exe (PID: 4076)
Application was dropped or rewritten from another process
  • Remote Assistant.exe (PID: 4076)
  • Remote Assistant.exe (PID: 3032)
Executable content was dropped or overwritten
  • RemoteAssistant.exe (PID: 3172)
Reads Internet Cache Settings
  • Remote Assistant.exe (PID: 4076)
Reads internet explorer settings
  • Remote Assistant.exe (PID: 4076)
Reads Environment values
  • Remote Assistant.exe (PID: 4076)
Reads settings of System Certificates
  • Remote Assistant.exe (PID: 4076)
Dropped object may contain Bitcoin addresses
  • RemoteAssistant.exe (PID: 3172)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe  Win32 Executable MS Visual C++ (generic) (67.4%)
.dll  Win32 Dynamic Link Library (generic) (14.2%)
.exe  Win32 Executable (generic) (9.7%)
.exe  Generic Win/DOS Executable (4.3%)
.exe  DOS Executable Generic (4.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2016:04:02 05:21:43+02:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
26112
InitializedDataSize:
169984
UninitializedDataSize:
1024
EntryPoint:
0x35a5
OSVersion:
4
ImageVersion:
6
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
2.2.0.49
ProductVersionNumber:
2.2.0.49
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
ASCII
CompanyName:
CloudBerry Lab Inc.
LegalCopyright:
Copyright 2019 CloudBerry Lab Inc.
ProductName:
Remote Assistant
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
02-Apr-2016 03:21:43
Detected languages
English - United States
CompanyName:
CloudBerry Lab Inc.
LegalCopyright:
Copyright 2019 CloudBerry Lab Inc.
ProductName:
Remote Assistant
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
02-Apr-2016 03:21:43
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000065BF | 0x00006600 | IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ | 6.47825
.rdata | 0x00008000 | 0x000012EE | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 5.16943
.data | 0x0000A000 | 0x000271B8 | 0x00000E00 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 4.99201
.ndata | 0x00032000 | 0x00010000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00042000 | 0x0005B338 | 0x0005B400 | IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ | 5.01059
Resources
1, 2, 3, 4, 5, 6, 7, 103, 105, 106, 111
Imports
KERNEL32.dll, USER32.dll, GDI32.dll, SHELL32.dll, ADVAPI32.dll, COMCTL32.dll, ole32.dll

Exports

    No exports.

Processes

Total processes
39
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

[Graph image not extracted. Nodes: remoteassistant.exe, remote assistant.exe (no specs), remote assistant.exe. Edges: "drop and start", "drop and start", "start".]

Process information

PID
3172
CMD
"C:\Users\admin\AppData\Local\Temp\RemoteAssistant.exe"
Path
C:\Users\admin\AppData\Local\Temp\RemoteAssistant.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
CloudBerry Lab Inc.
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\remoteassistant.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nsrb0fc.tmp\processwork.dll
c:\users\admin\appdata\local\temp\nsrb0fc.tmp\system.dll
c:\windows\system32\riched20.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\remote assistant.exe
c:\windows\system32\mpr.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
3032
CMD
"C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Remote Assistant.exe"
Path
C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Remote Assistant.exe
Indicators
No indicators
Parent process
RemoteAssistant.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
CloudBerry Lab
Description
Remote Assistant
Version
2.2.0.49
Modules
Image
c:\users\admin\appdata\local\temp\remote assistant quick support\remote assistant.exe
c:\systemroot\system32\ntdll.dll

PID
4076
CMD
"C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Remote Assistant.exe"
Path
C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Remote Assistant.exe
Indicators
Parent process
RemoteAssistant.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
CloudBerry Lab
Description
Remote Assistant
Version
2.2.0.49
Modules
Image
c:\users\admin\appdata\local\temp\remote assistant quick support\remote assistant.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\0d5a8e6f89227cc5d954e65856f9cf1a\windowsbase.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\e7873d3bd71f6122c2a954be1bb5bb28\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\b34cda03a984c515b31faf410e5b7e39\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\4d290752f65a065fcde70178562c3383\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\system32\msvcp120_clr0400.dll
c:\windows\system32\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.common.dll
c:\windows\system32\rpcrtremote.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.winapi.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.base.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.common.xmlserializers.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.client.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.directconnection.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\vga.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatiod51afaa5#\867cbe7462b04e2cf1ae39abb576ae2a\presentationframework.classic.ni.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.server.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.filetransfer.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsform0b574481#\c6131c3262a5bf98463da8f219b75baa\windowsformsintegration.ni.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.commonhelpers.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.appconfig.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\naudio.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\audioprocessingmodulecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.video.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\e588691224a17737f3a164cc2d46c156\system.management.ni.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.servicecontract.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servicemodel\e27ae693b6e71bb689ec66761a65901f\system.servicemodel.ni.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.backup.rm.sio.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\newtonsoft.json.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\cloud.ra.client.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\msctfui.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\uiautomationtypes\1e1a1bd97e618bc4934ee967bea27ae8\uiautomationtypes.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ieframe.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web.services\15edb548fa79197e66dc803215bd391b\system.web.services.ni.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\5ac17cc5b92efda83e2925857f4fa655\system.numerics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\62a6b39f4f68c25dfd2f6308d7541401\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml.linq\f68563fb25af65c25de37130ebcd576c\system.xml.linq.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\1288d7e030bc0c5d8b2cbe5f33aeed7f\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\ntmarta.dll
c:\users\admin\appdata\local\temp\remote assistant quick support\open.nat.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\mlang.dll
c:\windows\assembly\gac\microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\microsoft.mshtml.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\t2embed.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\uiautomationprovider\3bfcfe12488f0a2285f5f08274cbc13f\uiautomationprovider.ni.dll

Registry activity

Total events
547
Read events
510
Write events
37
Delete events
0

Modification events

PID Process Operation Key Name Value
3172 RemoteAssistant.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
3172 RemoteAssistant.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1
4076 Remote Assistant.exe write HKEY_CLASSES_ROOT\CLSID\{06A0E2A6-801E-41D9-8579-31305F8D075E}\QuickSupport\Server Id 727666748
4076 Remote Assistant.exe write HKEY_CLASSES_ROOT\CLSID\{06A0E2A6-801E-41D9-8579-31305F8D075E}\QuickSupport\Server HardwareId {QSUPPORT-78DA-4922-8A44-532E9052E6EF}
4076 Remote Assistant.exe write HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication Name Remote Assistant.exe
4076 Remote Assistant.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
4076 Remote Assistant.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1
4076 Remote Assistant.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E LanguageList en-US
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASAPI32 EnableFileTracing 0
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASAPI32 EnableConsoleTracing 0
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASAPI32 FileTracingMask 4294901760
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASAPI32 ConsoleTracingMask 4294901760
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASAPI32 MaxFileSize 1048576
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASAPI32 FileDirectory %windir%\tracing
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASMANCS EnableFileTracing 0
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASMANCS EnableConsoleTracing 0
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASMANCS FileTracingMask 4294901760
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASMANCS ConsoleTracingMask 4294901760
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASMANCS MaxFileSize 1048576
4076 Remote Assistant.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Remote Assistant_RASMANCS FileDirectory %windir%\tracing
4076 Remote Assistant.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable 0
4076 Remote Assistant.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
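
The SavedLegacySettings value in the last row is WinINet's binary proxy-configuration record, stored in the same layout as DefaultConnectionSettings: three little-endian DWORDs (structure version, change counter, connection flags), then three length-prefixed ASCII strings (proxy server, bypass list, auto-config URL). Anything after the third string is outside the documented layout; captured values routinely carry whatever process memory followed the structure. The decoder below is an added example written for this report, not code from ANY.RUN or from the analysed software. SAMPLE_HEX is the value from the row above; the manual-proxy blob built in the usage section is constructed for illustration, and the flag-bit names are the commonly documented meanings. Run on the value above it reports structure version 70, change counter 146, flags 0x01 (direct only: no manual proxy, PAC or WPAD auto-detect bit), empty proxy, bypass and PAC strings, which agrees with the ProxyEnable 0 write in the same table, and it recovers the UTF-16 fragment m32\MSIMG32.dl from the trailing bytes.

```python
"""Decode the WinINet SavedLegacySettings / DefaultConnectionSettings blob.

Layout (integers are little-endian DWORDs):
  version | change counter | flags | len+proxy | len+bypass | len+PAC URL | trailer
"""
import re
import struct

FLAG_NAMES = {
    0x01: "direct",      # always set
    0x02: "proxy",       # manual ProxyServer string in use
    0x04: "autoconfig",  # AutoConfigURL (PAC script) in use
    0x08: "autodetect",  # WPAD "automatically detect settings"
}

# SavedLegacySettings value written by PID 4076, copied from the report row above.
SAMPLE_HEX = "4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000"


def _read_lstring(blob, offset):
    """Read a DWORD length followed by that many ASCII bytes; bounds-checked."""
    if offset + 4 > len(blob):
        raise ValueError("length field at offset %d is truncated" % offset)
    (length,) = struct.unpack_from("<I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("string at offset %d runs past the end of the blob" % start)
    return blob[start:end].decode("ascii", "replace"), end


def parse_connection_settings(blob):
    """Return the documented fields plus the undocumented trailing bytes."""
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte fixed header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    proxy, offset = _read_lstring(blob, 12)
    bypass, offset = _read_lstring(blob, offset)
    pac_url, offset = _read_lstring(blob, offset)
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "proxy": proxy,
        "bypass": bypass,
        "pac_url": pac_url,
        "trailer": blob[offset:],  # not part of the documented structure
    }


def build_connection_settings(flags, proxy="", bypass="", pac_url="", counter=1):
    """Construct a blob in the same layout (used here to make a manual-proxy test vector).

    The trailer is zero-filled; Windows itself writes undocumented data there."""
    out = struct.pack("<III", 0x46, counter, flags)
    for text in (proxy, bypass, pac_url):
        data = text.encode("ascii")
        out += struct.pack("<I", len(data)) + data
    return out + bytes(32)


def utf16_strings(data, min_chars=4):
    """Printable UTF-16LE runs of at least min_chars characters, at any byte offset."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def decode_hex_value(hex_text):
    """Parse a value pasted as a hex string, e.g. from a sandbox report."""
    return parse_connection_settings(bytes.fromhex("".join(hex_text.split())))


def summarize(info):
    """One-line description of the proxy mode an analyst cares about."""
    parts = ["v%d" % info["version"], "counter=%d" % info["counter"],
             "flags=0x%02x(%s)" % (info["flags"], "|".join(info["flag_names"]))]
    if info["flags"] & 0x02:
        parts.append("proxy=%s" % info["proxy"])
        if info["bypass"]:
            parts.append("bypass=%s" % info["bypass"])
    if info["flags"] & 0x04:
        parts.append("pac=%s" % info["pac_url"])
    return " ".join(parts)


if __name__ == "__main__":
    info = decode_hex_value(SAMPLE_HEX)
    print(summarize(info))
    print("trailer: %d bytes, UTF-16 fragments: %r"
          % (len(info["trailer"]), utf16_strings(info["trailer"])))
    # Constructed manual-proxy value (not from the report) to show the other mode.
    blob = build_connection_settings(0x03, proxy="proxy.corp.example:8080", bypass="<local>")
    print(summarize(parse_connection_settings(blob)))
```

The trailer scan runs at every byte offset rather than only even ones, because the string fragments left behind after the structure are not guaranteed to be aligned; a value whose flags carry 0x02 or 0x04 but whose ProxyEnable or AutoConfigURL in the same key disagree is the case worth chasing, since the two settings are written by different code paths.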

Files activity

Executable files
27
Suspicious files
4
Text files
36
Unknown types
1

Dropped files

PID Process Filename Type MD5 SHA256
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\nsrB0FC.tmp\processwork.dll executable MD5: 0a4fa7a9ba969a805eb0603c7cfe3378 SHA256: 27329ea7002d9ce81c8e28e97a5c761922097b33cedeada4db30d2b9d505007c
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.DirectConnection.dll executable MD5: 6267ddf0e917f1809d1d5967fc0844d1 SHA256: 9c7d40fae009239866d9d7dcbc8beca245ad4056b5f7d6132380d178d1609925
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\CloudRaUtilities.exe executable MD5: d0f3476074758a3867902e3f13cfc1b8 SHA256: 1563ed2929536bb470a94b5e7d380a2e392a2cdd8447ffa83007afc1e991c070
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\LZ4.dll executable MD5: 031d50f8089f30c265a281b7f8d90e73 SHA256: de81e4ccb659ba85a4a6d1bad8742ba0af75aa6ff50a2f6330e78721681d3b14
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Newtonsoft.Json.dll executable MD5: 8d6860fe26c7fdd1b80381c22979238c SHA256: 0516d4109263c126c779e4e8f5879349663fa0a5b23d6d44167403e14066e6f9
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.WinApi.dll executable MD5: a07e0167831eca8b4d398e3caf560266 SHA256: 75cdf2532d704161eb4d9ef2ebede94846921acbcedd4960bb51fa355d345646
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Backup.RM.SIO.dll executable MD5: 756061ed26f97cb4115752b54f341a1b SHA256: 4b5a59758751d7504762326310b3bed368494359f339a9ed9cbd18bb366f29d5
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.Firewall.dll executable MD5: 021a31777c5dd8a2b6a158f749b9cc22 SHA256: 95f495057545aad563d73985820f4f97260a7f5a6103f72b434e9399beded2d1
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.ServiceContract.dll executable MD5: 0f24d8054aae8e3be8b79b1283d85212 SHA256: cb1cdc5e401fa67793134ee478b8ea0522963159f09eb669e295030ec1d8ce89
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.Video.dll executable MD5: 4a43a8984af4742b2a8e0a9c65947716 SHA256: c0702f0810631ae4972a3c19692921d7cd3087123605faf1e01fb58f3401a8b4
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\CloudRaService.exe executable MD5: 1d89cb79b20c9be4b9aee3ef3f0da398 SHA256: 286cda47d0cc2c17457853b335a5c1c5089153ea69756e28a8c68ca0abe5ea18
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.RA.dll executable MD5: 5a69c85a2fdaf3896e19229a1308aaf7 SHA256: b336a051892773907d28d071d83973960adfc4cb33cc5a948cd83d4787a4ebf1
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.Common.dll executable MD5: 7dd15df995b8c6f0da552932d0245149 SHA256: 1ecfea829cc665e38f1fbed6f77e9b2e942267f6e783414177ce445400a36b45
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.Common.XmlSerializers.dll executable MD5: d8d9ff89cae159dec4f908e7cb8683b9 SHA256: 564ca22266e3b5dc8d30debe61d02f68994497ea7259e0efedde0bcad20a3f1f
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Remote Assistant.exe executable MD5: 932ee68fe285df1360d3c6d5426c2102 SHA256: e152e9e252cd200fe915fac1585dc88501969bb5dae621a2a1dc59d9e518e830
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.CommonHelpers.dll executable MD5: 2caa3e327ab893111cef31a4fd405286 SHA256: 9290866d62db6d5d58499ac2b4edd64c29afe1892083582e6bd67c10222ed41e
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.FileTransfer.dll executable MD5: cca3a218321202b23331571cbf08631d SHA256: 0fb467adefa958a3c87400cb31fc8ef538cfac1b83800ada6518b3067a7ca95d
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\AudioProcessingModuleCs.dll executable MD5: 63f5433dfbb614021dde6f53ee0bacf6 SHA256: e94710012bdb552a61d622eaf0a4e5bc61a21bac297a835b10db225a70a075cf
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\nsrB0FC.tmp\System.dll executable MD5: 56a321bd011112ec5d8a32b2f6fd3231 SHA256: bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\ICSharpCode.SharpZipLib.dll executable MD5: 0b3b4e8d1de31f844e466d61cf7937b5 SHA256: cfc2a838569a48d16a15269bb701de87b81b3d2bc303bb7c4c3724cc3bba0c50
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.Client.dll executable MD5: 890064488d9a79df8ebdaa421a51c104 SHA256: e3b6d4c140f42b735e72dd90c10516eca8a056a5674bad5f6716e1a67d463ce4
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Open.Nat.dll executable MD5: cc6f6503d29a99f37b73bfd881de8ae0 SHA256: 0b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Client.dll executable MD5: 23dccfbf4f02034dbb36d09e20b3210e SHA256: 6f0e836da38d9d9c1ed614106dc16dbbc8ea6b9976180d27aebede99738a83f1
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Base.dll executable MD5: 8a64972a1b5b12850821886069945151 SHA256: fb55e8960ba71ed087e388afcfcc443232c313d69ecb6cd5f1c9403172901501
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\NAudio.dll executable MD5: d1b08f517c31ab58842a4f242d58b354 SHA256: f266f75cde67dc14f5813dc8c83f452db1642538d8593fd8497795b441674089
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.Server.dll executable MD5: 92469ad05324d579b4956c4612d6962e SHA256: 3135e139864032660ecb91c33f21d6f068527e8f77b294c0d3f38e453d270de2
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.AppConfig.dll executable MD5: ea8c933edfc594912d959896668c4250 SHA256: 8050d758e8673a8ab99474dbdb06390888cb29ea283370129e97c3125251dda6
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\license.txt text MD5: e60e10eaec4c84daf050a6adec7528be SHA256: 4468c1914c261185828d3bedcef516c584d92a7daf6ffb844d93961abe268ba8
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\TarCE8A.tmp –– MD5: –– SHA256: ––
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\RaSettings.xml xml MD5: 4ac71ca37ba5716b49a28f434d6e1bbb SHA256: c2749e9c39c8e971c084ed513ffb9704c6b915839bc51cf4c614a09807bf1b01
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Logs\Remote Assistant.log text MD5: 1d15c047ce6f6fd0b0c836d8c844b388 SHA256: f08bce06996655a94350e895f14b8e0c07a58f00bbaf2cceb1d7237427b60ff0
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Logs\Remote Assistant.log text MD5: b4774128c47015cb677aa7debba50ad2 SHA256: 469abbfe85f79e53f6ee0ecded5250c0ed9282a6f0eb5f2574d83495a2bb02ed
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\RaSettings.xml xml MD5: 6d160daf75103cad7cb8ebb19d9256f4 SHA256: 6e3e10715f330e7361536dc74229116ab8ce8892f1c3faccab72cb80516b9dad
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Logs\Remote Assistant.log text MD5: 576340cdddef18f6371196a32636f438 SHA256: 3ac816deacbe6398e63681369b4ca6f155f67d46284824d5f58ca9e15dcf4c0c
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\TarC0AC.tmp –– MD5: –– SHA256: ––
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\CabC0AB.tmp –– MD5: –– SHA256: ––
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Open.Nat.xml xml MD5: 420f31a6847befc5a7c6bc076f90c4e5 SHA256: 96b0de6ea800b893e0953dfbda61a8357ac9ea01742a810fcf9df9d8b4112578
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\NAudio.xml xml MD5: 17dd26f137f7a4936b04edcca108a508 SHA256: c731c49f339274eec5155cf7fdc3af1888ea9cf78981e8caab2250fc9bd72183
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\CabC0BC.tmp –– MD5: –– SHA256: ––
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\TarC0BD.tmp –– MD5: –– SHA256: ––
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\css[1].txt text MD5: 583eeb8c76fc402b59587bae634c7c9d SHA256: b94ad164bf353693418daa002dec81bedfb4ba81cadb889fac4c337e782ab349
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\CabCE89.tmp –– MD5: –– SHA256: ––
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\CloudRaUtilities.exe.config xml MD5: 09d574f3f88ac63b77294ff6477cff89 SHA256: 42ffc3620e073a1d66f740c3de447353ee9b6edc6af21486780fea18ac467125
4076 Remote Assistant.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 compressed MD5: 5ad071a3917588e8cd883b123b395b21 SHA256: de62965c15528da598b0079d2d20d953dd6f71b13a23807bff0666d03f69c0fa
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\CloudRaService.exe.config xml MD5: acbad3ce60dec2fcaf24555b2888a5a2 SHA256: 0e6b3b607dc118b50722972f6fe0b4519eb883aafef0b2080ad05250e5a5291e
4076 Remote Assistant.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 binary MD5: 8a322fe7dbb43488059eea8699bc68f0 SHA256: 61e3dfb6c32865ea126715d535e666f7d132483d4afb99c4b787f2fae6b3a0d5
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Logs\Remote Assistant.log text MD5: 31d03c1d4d0bf672676239b296d401e5 SHA256: 68e763174ed06677a4e9166a4ad164566067020b90d315af54f9d5c5a9114e15
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Cloud.Ra.config xml MD5: 98df379dcf32a97a22ab8174aa125d0f SHA256: 466e9c4cd16300ae2495dfc27a8067e7465ab32d920413d97fe8e501c98f91a7
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Remote Assistant.exe.manifest xml MD5: d3e2537e83ee910d1c97d1fa023e9128 SHA256: bbc305664bb75bbea972d55348f91ff57dd5b09559b34ed0dcc0e2380c85f4bb
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Logs\Remote Assistant.log text MD5: 6dee6a821a4cdb2348a6faf713a269b4 SHA256: 46bdae3ae29b118573d7f874569bbde0df99e31308136c600db731b97ea21659
3172 RemoteAssistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Remote Assistant.exe.config xml MD5: 7c70509b30ce2829aff5df446a06bb71 SHA256: cb3dd364dfd7844c003bad7a3350622a6eae14062b2b5e4859d3080452cdb6ee
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Temp\Remote Assistant Quick Support\Logs\Remote Assistant.log text MD5: 746ab8457d2b34de1b2b2793c590910d SHA256: 2ac19619d48f21986102c525b75dbb85b285e361f5e189819b31b36ae1c55397
4076 Remote Assistant.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\KFOmCnqEu92Fr1Mu4mxO[1].eot eot MD5: 4be1a572fca40bcb2202504cb17aed91 SHA256: 64d06eeb18abad7d4ef1b1ef7409cf108bd4774c50a64e2c7b49ffb708ff24f4

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
19
DNS requests
25
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
–– –– GET 200 91.199.212.52:80 http://crt.comodoca.com/COMODORSAAddTrustCA.crt GB der –– whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
–– –– 91.199.212.52:80 Comodo CA Ltd GB unknown
4076 Remote Assistant.exe 18.197.126.202:443 Amazon.com, Inc. DE unknown
4076 Remote Assistant.exe 50.19.243.6:443 Amazon.com, Inc. US unknown
4076 Remote Assistant.exe 92.122.213.201:80 Akamai International B.V. –– whitelisted
4076 Remote Assistant.exe 172.217.23.138:443 Google Inc. US whitelisted
4076 Remote Assistant.exe 172.217.23.131:443 Google Inc. US whitelisted

DNS requests

Domain IP Reputation
crt.comodoca.com 91.199.212.52 whitelisted
connect.ra.cloudberrylab.com 18.197.126.202 unknown
www.cloudberrylab.com 50.19.243.6 unknown
www.download.windowsupdate.com 92.122.213.201, 92.122.213.217 whitelisted
ec2.us-east-1.amazonaws.com 54.239.28.168 unknown
ec2.us-east-2.amazonaws.com 52.95.16.2 unknown
ec2.us-west-2.amazonaws.com 54.240.249.157 unknown
ec2.us-west-1.amazonaws.com 176.32.118.30 unknown
fonts.googleapis.com 172.217.23.138 whitelisted
ec2.ap-northeast-1.amazonaws.com 54.239.96.159 unknown
ec2.ap-northeast-2.amazonaws.com 52.95.193.73 unknown
ec2.ap-northeast-3.amazonaws.com 13.248.0.76 unknown
ec2.ap-southeast-2.amazonaws.com 54.240.206.54 unknown
ec2.ap-south-1.amazonaws.com 52.95.80.15 unknown
ec2.ap-southeast-1.amazonaws.com 52.95.35.53 unknown
ec2.ca-central-1.amazonaws.com 52.94.96.60 unknown
ec2.cn-north-1.amazonaws.com.cn 54.222.17.62 unknown
ec2.cn-northwest-1.amazonaws.com.cn 52.82.209.55 unknown
ec2.eu-central-1.amazonaws.com 54.239.55.102 unknown
ec2.eu-west-1.amazonaws.com 54.239.35.17 unknown
ec2.eu-west-2.amazonaws.com 52.94.56.52 unknown
ec2.eu-west-3.amazonaws.com 52.46.68.57 unknown
ec2.eu-north-1.amazonaws.com 52.46.196.96 unknown
ec2.sa-east-1.amazonaws.com 177.72.245.178 unknown
fonts.gstatic.com 172.217.23.131 whitelisted

Threats

No threats detected.

Debug output strings

No debug info.