File name:

ManageEngineAssetExplorerAgent.7z

Full analysis: https://app.any.run/tasks/ad1f3fef-7846-4d74-8874-e35798426b43
Verdict: Suspicious activity
Analysis date: August 14, 2018, 03:35:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

D5D18E7610E51D91764361CFCC5A45B1

SHA1:

527161BD04D1E1E3D350EA924249A768A9BC28F0

SHA256:

E1DF2D2118A65E227E2E88F79091CD421155EC739C607311564CF9FFA5E81CD3

SSDEEP:

98304:qc9QCBY/HELBu1+f/sirhzv6jueRJVTWA2Rae:qWGR1s/bJQV6A2Rae

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates files in the program directory

      • CustomActions.exe (PID: 3336)
      • agentmonitor.exe (PID: 1888)
      • aeagent.exe (PID: 2912)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1996)
      • msiexec.exe (PID: 2596)

    • Starts Microsoft Installer

      • WinRAR.exe (PID: 1996)

    • Creates or modifies windows services

      • agentmonitor.exe (PID: 1652)

    • Starts CMD.EXE for commands execution

      • aeagent.exe (PID: 2912)

    • Executes scripts

      • cmd.exe (PID: 2628)
      • cmd.exe (PID: 1284)

  • INFO

    • Searches for installed software

      • msiexec.exe (PID: 2596)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2836)

    • Creates or modifies windows services

      • msiexec.exe (PID: 2596)
      • vssvc.exe (PID: 2836)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 2596)

    • Creates files in the program directory

      • msiexec.exe (PID: 2596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
14
Malicious processes
0
Suspicious processes
3

Behavior graph

Click at the process to see the details
start winrar.exe msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs customactions.exe no specs agentmonitor.exe agentmonitor.exe aeagent.exe no specs agentmonitor.exe no specs cmd.exe no specs cmd.exe no specs wscript.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1180"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa1996.45106\ManageEngineAssetExplorerAgent.msi" C:\Windows\System32\msiexec.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1196DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "00000000" "000005C0" "0000055C"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1284cmd /c aeagent.bat scanC:\Windows\system32\cmd.exeaeagent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1652agentmonitor.exe /iC:\Program Files\ManageEngine\AssetExplorer\bin\agentmonitor.exe
CustomActions.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\program files\manageengine\assetexplorer\bin\agentmonitor.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
1888agentmonitor.exe /rC:\Program Files\ManageEngine\AssetExplorer\bin\agentmonitor.exe
CustomActions.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\program files\manageengine\assetexplorer\bin\agentmonitor.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
1996"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ManageEngineAssetExplorerAgent.7z"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2596C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2628cmd /c aeagent.bat scanC:\Windows\system32\cmd.exeaeagent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2648WSCRIPT /B ae_scan.vbs agentdataC:\Windows\system32\wscript.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2836C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 208
Read events
825
Write events
371
Delete events
12

Modification events

(PID) Process:(1996) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1996) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1996) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\59\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1996) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\ManageEngineAssetExplorerAgent.7z
(PID) Process:(1996) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1996) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1996) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1996) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1996) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\59\52C64B7E
Operation:writeName:@C:\Windows\System32\msimsg.dll,-34
Value:
Windows Installer Package
(PID) Process:(1996) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
2
Suspicious files
3
Text files
63
Unknown types
1

Dropped files

PID
Process
Filename
Type
2596msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
1996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1996.45106\ManageEngineAssetExplorerAgent.msiexecutable
MD5:
SHA256:
1196DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:
SHA256:
2596msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{aa315784-f0c4-4aa3-b739-1d924c66ea4b}_OnDiskSnapshotPropbinary
MD5:
SHA256:
2596msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:
SHA256:
1196DrvInst.exeC:\Windows\INF\setupapi.ev3abr
MD5:
SHA256:
1196DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:
SHA256:
2596msiexec.exeC:\Windows\Installer\45fa6d.msiexecutable
MD5:
SHA256:
3336CustomActions.exeC:\Program Files\ManageEngine\AssetExplorer\log\ca.logtext
MD5:
SHA256:
1652agentmonitor.exeC:\Program Files\ManageEngine\AssetExplorer\log\aeservice.logtext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ManageEngineAssetExplorerAgent.7z