General Info

File name

[Private]BTC-Claimer.rar

Full analysis
https://app.any.run/tasks/cd2ffa32-cab0-4a46-8a72-a02611fa3431
Verdict
Malicious activity
Analysis date
3/14/2019, 14:09:18
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
autoit
stealer
MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

887fac71dc7e038bc73dc9362585bf70

SHA1

6e4f33df315b30c3f14b2e69dcedfa55e72c7f44

SHA256

00f7acb31c7e2c7b2ba3f3267007f8a2ac708a89f5a8b6641e650e9af03d8bb6

SSDEEP

24576:/uiF4t+1z4vkmH0NUOXv+5SukrRU8+8GQRkyS7UbmKJsgmbzyg5y5HnY3ZPrejWt:fF4YmvkmH+UOXvO2drRpguJsgm55QqNN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Connects to CnC server
  • rpcrt4.exe (PID: 2576)
Stealing of credential data
  • rpcrt4.exe (PID: 2576)
Application was dropped or rewritten from another process
  • rpcrt4.exe (PID: 2576)
  • [Private]BTC-Claimer.exe (PID: 3208)
Loads the Task Scheduler COM API
  • [Private]BTC-Claimer.exe (PID: 3208)
Connects to unusual port
  • rpcrt4.exe (PID: 2576)
Reads Internet Cache Settings
  • rundll32.exe (PID: 3216)
  • rundll32.exe (PID: 3676)
  • rundll32.exe (PID: 2248)
Creates files in the user directory
  • rpcrt4.module.exe (PID: 2784)
  • rpcrt4.exe (PID: 2576)
  • [Private]BTC-Claimer.exe (PID: 3208)
Uses RUNDLL32.EXE to load library
  • rpcrt4.exe (PID: 2576)
Reads the cookies of Google Chrome
  • rpcrt4.exe (PID: 2576)
Starts itself from another location
  • [Private]BTC-Claimer.exe (PID: 3208)
Reads the cookies of Mozilla Firefox
  • rpcrt4.exe (PID: 2576)
Executable content was dropped or overwritten
  • [Private]BTC-Claimer.exe (PID: 3208)
  • WinRAR.exe (PID: 2876)
Reads settings of System Certificates
  • rpcrt4.exe (PID: 2576)

Static information

TRiD
  • .rar  RAR compressed archive (v5.0) (61.5%)
  • .rar  RAR compressed archive (gen) (38.4%)

Screenshots

Processes

Total processes
37
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Process tree (graph edges are labelled "drop and start" or "start"; parent/child relations match the process information below):
  • WinRAR.exe (PID 2876) → [Private]BTC-Claimer.exe (PID 3208)
  • [Private]BTC-Claimer.exe (PID 3208) → rpcrt4.exe (PID 2576)
  • rpcrt4.exe (PID 2576) → rundll32.exe (PID 3216, no specs), rundll32.exe (PID 3676, no specs), rundll32.exe (PID 2248, no specs)
  • rpcrt4.exe (PID 2576) → rpcrt4.module.exe (PID 2784, no specs)

Process information

PID
2876
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\[Private]BTC-Claimer.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$exa2876.49501\[private]btc-claimer.exe

PID
3208
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.49501\[Private]BTC-Claimer.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.49501\[Private]BTC-Claimer.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Список контактов удаленного помощника (Russian: "Remote Assistance contact list")
Description
Динамическая библиотека службы Net Logon (Russian: "Net Logon service dynamic-link library")
Version
67.57.54.24
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa2876.49501\[private]btc-claimer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sxs.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\amd64_microsoft-windows-t..ices-msrdpwebacces

PID
2576
CMD
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.exe
Path
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.exe
Indicators
Parent process
[Private]BTC-Claimer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Список контактов удаленного помощника (Russian: "Remote Assistance contact list")
Description
Динамическая библиотека службы Net Logon (Russian: "Net Logon service dynamic-link library")
Version
67.57.54.24
Modules
Image
c:\users\admin\appdata\roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\normaliz.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\credssp.dll
c:\users\admin\appdata\roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.sqlite3.module.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\scrrun.dll
c:\users\admin\appdata\roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.module.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\security.dll

PID
3676
CMD
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
rpcrt4.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll

PID
2248
CMD
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
rpcrt4.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll

PID
2784
CMD
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.module.exe a -y -mx9 -ssw "C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\ENU_6887FE9730D2535E9D41.7z" "C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\1\*"
Path
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.module.exe
Indicators
No indicators
Parent process
rpcrt4.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Igor Pavlov
Description
7-Zip Reduced Standalone Console
Version
19.00
Modules
Image
c:\users\admin\appdata\roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.module.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3216
CMD
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
rpcrt4.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events
647
Read events
600
Write events
47
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
2876 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | ––
2876 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | ––
2876 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2876 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\[Private]BTC-Claimer.rar
2876 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2876 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2876 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2876 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2876 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2876 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2576 | rpcrt4.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | GlobalUserOffline | 0
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASAPI32 | EnableFileTracing | 0
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASAPI32 | EnableConsoleTracing | 0
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASAPI32 | FileTracingMask | 4294901760
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASAPI32 | ConsoleTracingMask | 4294901760
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASAPI32 | MaxFileSize | 1048576
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASAPI32 | FileDirectory | %windir%\tracing
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASMANCS | EnableFileTracing | 0
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASMANCS | EnableConsoleTracing | 0
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASMANCS | FileTracingMask | 4294901760
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASMANCS | ConsoleTracingMask | 4294901760
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASMANCS | MaxFileSize | 1048576
2576 | rpcrt4.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rpcrt4_RASMANCS | FileDirectory | %windir%\tracing
2576 | rpcrt4.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2576 | rpcrt4.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (binary data, not shown)
2576 | rpcrt4.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2576 | rpcrt4.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2576 | rpcrt4.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (binary data, not shown)
2576 | rpcrt4.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2576 | rpcrt4.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (binary data, not shown)

Files activity

Executable files
2
Suspicious files
1
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
2876
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.49501\[Private]BTC-Claimer.exe
executable
MD5: 5ea67a40e6e844b516524e6f837f8fe3
SHA256: e8072ca5ce0eb6b74a825455df6959accea67c14a7a9f63f06bac808c2d77a7f
3208
[Private]BTC-Claimer.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.exe
executable
MD5: 5ea67a40e6e844b516524e6f837f8fe3
SHA256: e8072ca5ce0eb6b74a825455df6959accea67c14a7a9f63f06bac808c2d77a7f
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\1\Information.txt
––
MD5:  ––
SHA256:  ––
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.module.exe.5
––
MD5:  ––
SHA256:  ––
2576
rpcrt4.exe
C:\Users\admin\AppData\Local\Temp\aut3362.tmp
––
MD5:  ––
SHA256:  ––
2576
rpcrt4.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\json[1]
text
MD5: 85c8281a0af9b2bb87fd602545577b98
SHA256: 365d2bb0c8a2d15d762ef76acb90cac9378c4588f220a662bf17b5f3ce8a89ac
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: a201628b1e311f520ef95862eb4dc134
SHA256: e2fcbd3f6938d11e70434b587516afbdc66b75df230400a657980030940f6bd9
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\1\Passwords.txt
text
MD5: 0da63ebae5f693e1c9d3f994114189dd
SHA256: 41c546b590114583d38f222f54e66595d084bb3ecf76f3711f178433c6143b31
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\1\AutoFills.txt
text
MD5: 3d40095347187e9d364ddf6dbe291f93
SHA256: 7274e1d278005e668877d4cf1d0c0f15cc46ff5959e4ea05a135464082217122
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\1\Cookies\Google Chrome (1).txt
text
MD5: d5a225fce6b8bffe2c27701a5fb23e2e
SHA256: da30b10c652631475042fa47e82b342f7c36fb471e6d69cacf9fc38f27591e34
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\1\Screen.jpg
image
MD5: ce1c07f544d9583feab3638d66aed621
SHA256: 58094fa5e1fbb0add01400d7e7379f0efbac32ff0257a5d8a593c1c481336074
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
––
MD5:  ––
SHA256:  ––
2576
rpcrt4.exe
C:\Users\admin\AppData\Local\Temp\aut27E7.tmp
––
MD5:  ––
SHA256:  ––
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.sqlite3.module.dll.5
––
MD5:  ––
SHA256:  ––
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.sqlite3.module.dll
––
MD5:  ––
SHA256:  ––
3208
[Private]BTC-Claimer.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\ENU_6887FE9730D2535E9D41
––
MD5:  ––
SHA256:  ––
2784
rpcrt4.module.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\ENU_6887FE9730D2535E9D41.7z
compressed
MD5: c86d4e945f93b9c2e57ecbb5dde4e5ac
SHA256: ddbc2152c0f8e01de0696e8fb331f4ebeaa674718551a241e270dd170506597d
2576
rpcrt4.exe
C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.module.exe
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
4
TCP/UDP connections
7
DNS requests
2
Threats
6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2576 | rpcrt4.exe | CONNECT | –– | 89.191.233.38:65233 | http://api.telegram.org:443 | GB | –– | –– | suspicious
2576 | rpcrt4.exe | CONNECT | –– | 89.191.233.38:65233 | http://api.telegram.org:443 | GB | –– | –– | suspicious
2576 | rpcrt4.exe | CONNECT | –– | 89.191.233.38:65233 | http://api.telegram.org:443 | GB | –– | –– | suspicious
2576 | rpcrt4.exe | CONNECT | –– | 89.191.233.38:65233 | http://api.telegram.org:443 | GB | –– | –– | suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | ASN | CN | Reputation
2576 | rpcrt4.exe | 149.154.167.220:443 | Telegram Messenger LLP | GB | malicious
2576 | rpcrt4.exe | 104.25.210.99:443 | Cloudflare Inc | US | shared
2576 | rpcrt4.exe | 89.191.233.38:65233 | RackSRV Communications Limited | GB | suspicious

DNS requests

Domain | IP | Reputation
api.telegram.org | 149.154.167.220 | malicious
ipapi.co | 104.25.210.99, 104.25.209.99 | shared

Threats

PID | Process | Class | Message
–– | –– | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
2576 | rpcrt4.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2576 | rpcrt4.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2576 | rpcrt4.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length
2576 | rpcrt4.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length
2576 | rpcrt4.exe | A Network Trojan was detected | MALWARE [PTsecurity] Malicious SSL connection (Formbook/Upatre Downloader CnC)

Debug output strings

No debug info.