File name: Keygen_For_Fake_2021_11_by_ReverseCodez.rar

Full analysis: https://app.any.run/tasks/8afb8580-0840-45fe-a91a-2bf4b8cc29a1
Verdict: Malicious activity
Analysis date: May 28, 2023, 19:44:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 89C1142CA760197306B87A1EA4FF8488
SHA1: 0EC9213E12975550333729ECCC03CBE9CE44ED53
SHA256: 0DD4434FE34DE41C317A14592A1B6A3DCC4EB7450125CFA6F843CADDFB2337FA
SSDEEP: 3072:9sqC6TsuOXZXeFO23iaq78IIM2bBjEIRUA:JsukZXeFUF70M2bmIRUA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Keygen_For_Fake_2021_11_by_ReverseCodez.exe (PID: 2476)
  • SUSPICIOUS
    • Reads the Internet Settings
      • Keygen_For_Fake_2021_11_by_ReverseCodez.exe (PID: 2476)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 4092)
    • Reads the computer name
      • Keygen_For_Fake_2021_11_by_ReverseCodez.exe (PID: 2476)
    • Checks supported languages
      • Keygen_For_Fake_2021_11_by_ReverseCodez.exe (PID: 2476)
    • Application launched itself
      • iexplore.exe (PID: 820)
    • The process checks LSA protection
      • Keygen_For_Fake_2021_11_by_ReverseCodez.exe (PID: 2476)
    • Reads the machine GUID from the registry
      • Keygen_For_Fake_2021_11_by_ReverseCodez.exe (PID: 2476)
    • Create files in a temporary directory
      • iexplore.exe (PID: 820)
      • iexplore.exe (PID: 3120)
Signature artifacts and their mapping to the MITRE ATT&CK™ matrix are in the full report.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive in the full report)

explorer.exe -> WinRAR.exe (PID 4092) opens the archive, drops and starts Keygen_For_Fake_2021_11_by_ReverseCodez.exe (PID 2476) -> iexplore.exe (PID 820) is started with https://www.autocom.re/yt.php -> iexplore.exe (PID 3120, content process spawned by 820)

Process information (in launch order)

PID 4092: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Keygen_For_Fake_2021_11_by_ReverseCodez.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.91.0

PID 2476: Keygen_For_Fake_2021_11_by_ReverseCodez.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa4092.5472\Keygen_For_Fake_2021_11_by_ReverseCodez.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa4092.5472\Keygen_For_Fake_2021_11_by_ReverseCodez.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Keygen
  Exit code: 0
  Version: 1.0.0.0

PID 820: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.autocom.re/yt.php
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: Keygen_For_Fake_2021_11_by_ReverseCodez.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3120: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:820 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

Reading the table: the Rar$EXa4092.5472 path shows the EXE was run from inside the WinRAR window (WinRAR extracts a file opened directly from an archive into a %TEMP%\Rar$EX... folder named after its own PID) rather than being extracted to disk first. The only process the keygen itself creates is Internet Explorer, started with https://www.autocom.re/yt.php on its command line. PID 3120 is IE's content (tab) process, launched by the frame process 820 (SCODEF:820) and running at LOW integrity because of Protected Mode; that is why the "Application launched itself" and "Create files in a temporary directory" indicators attach to iexplore.exe rather than to the sample.
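To turn the process table into something you can hunt for, the following added example (not part of the ANY.RUN report) matches the chain it shows against Sysmon-style process-creation records: an archiver starting an executable from its temp extraction folder, which in turn starts a browser with a URL on its command line. The pipe-delimited log format, the archiver and browser name lists, the 7-Zip folder pattern and the explorer.exe PID are assumptions; four of the constructed records copy the report's PIDs and command lines, and the last one is a benign control (IE opened from the desktop) that must not fire.

```python
"""Added example (not from the ANY.RUN report): hunt for the chain in the
process table above in Sysmon-style process-creation records.

Chain: archiver -> executable started from the archiver's temp extraction
folder -> browser started with a URL on its command line.
"""
import re
from dataclasses import dataclass

# Assumed name lists; extend to match your estate.
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# WinRAR runs a file opened from inside the archive out of
# %TEMP%\Rar$EX<a|b><winrar pid>.<seq>\ (Rar$EXa4092.5472 in the report).
# The 7-Zip pattern (%TEMP%\7z<letter><hex>\) is an assumption.
TEMP_EXTRACT_RE = re.compile(
    r"\\Temp\\(Rar\$[A-Za-z]+\d+\.\d+|7z[A-Za-z][0-9A-Fa-f]+)\\", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one 'pid|ppid|image|cmdline' record (constructed log format)."""
    pid, ppid, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(int(pid), int(ppid), image, cmdline)


def detect_chains(events):
    """Return one finding per browser launch that completes the chain."""
    # Real Sysmon data should be keyed on ProcessGuid: PIDs get reused.
    by_pid = {e.pid: e for e in events}
    findings = []
    for browser in events:
        if browser.name not in BROWSERS:
            continue
        url = URL_RE.search(browser.cmdline)
        if url is None:
            continue  # tab/child browser processes carry no URL (SCODEF/CREDAT)
        dropper = by_pid.get(browser.ppid)
        if dropper is None or TEMP_EXTRACT_RE.search(dropper.image) is None:
            continue
        archiver = by_pid.get(dropper.ppid)
        if archiver is None or archiver.name not in ARCHIVERS:
            continue
        findings.append({
            "archiver_pid": archiver.pid, "archiver": archiver.name,
            "dropper_pid": dropper.pid, "dropper": dropper.name,
            "browser_pid": browser.pid, "browser": browser.name,
            "url": url.group(0),
        })
    return findings


# Constructed records. Lines 2-5 copy the report's PIDs and command lines;
# the explorer.exe PID (1580) and the last line (benign control: IE opened
# from the desktop with a made-up URL) are invented.
SAMPLE_LOG = r"""1580|600|C:\Windows\explorer.exe|C:\Windows\explorer.exe
4092|1580|C:\Program Files\WinRAR\WinRAR.exe|"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Keygen_For_Fake_2021_11_by_ReverseCodez.rar"
2476|4092|C:\Users\admin\AppData\Local\Temp\Rar$EXa4092.5472\Keygen_For_Fake_2021_11_by_ReverseCodez.exe|"C:\Users\admin\AppData\Local\Temp\Rar$EXa4092.5472\Keygen_For_Fake_2021_11_by_ReverseCodez.exe"
820|2476|C:\Program Files\Internet Explorer\iexplore.exe|"C:\Program Files\Internet Explorer\iexplore.exe" https://www.autocom.re/yt.php
3120|820|C:\Program Files\Internet Explorer\iexplore.exe|"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:820 CREDAT:267521 /prefetch:2
2200|1580|C:\Program Files\Internet Explorer\iexplore.exe|"C:\Program Files\Internet Explorer\iexplore.exe" https://example.test/
"""


def run_sample():
    """Run the detection over the constructed records."""
    return detect_chains([parse_line(l) for l in SAMPLE_LOG.splitlines()])


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The chain fires once, on the 4092 -> 2476 -> 820 path, and stays quiet for the IE content process (no URL on its command line) and for the browser opened directly from explorer.exe. Requiring all three links keeps the rule from paging on every keygen a user runs, at the cost of missing a payload that reaches out with anything other than a browser; loosen the last link if that trade-off is wrong for your environment.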
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 63
Text files: 165
Unknown types: 0

Dropped files

PID 3120, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 (binary)
  MD5: 60FE01DF86BE2E5331B0CDBE86165686
  SHA256: C08CCBC876CD5A7CDFA9670F9637DA57F6A1282198A9BC71FC7D7247A6E5B7A8
PID 3120, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8408FE5CA4467EE4DA84A76EF238FE3 (binary)
  MD5: 2294742613441B300284FB5A7EF4A9A9
  SHA256: 2ABA9680DD0804402C9CACFC36409FDB831A522E85CAF7AD670265B04561C910
PID 3120, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (binary)
  MD5: 1A2016CD7D68A14413530A182AF83C00
  SHA256: 25C1C7F25C1AB3757C853A00FC92EB9CFC0A5CA89A3D610B09158EBA93D940DA
PID 3120, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (compressed)
  MD5: 3AC860860707BAAF32469FA7CC7C0192
  SHA256: D015145D551ECD14916270EFAD773BBC9FD57FAD2228D2C24559F696C961D904
PID 3120, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8408FE5CA4467EE4DA84A76EF238FE3 (binary)
  MD5: E829E65D7C4307D6FBC13C179E037A36
  SHA256: 67ADD1166B020AE61B8F5FC96813C04C2AA589960796865572A3C7E737613DFD
PID 3120, iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\Cab3288.tmp (compressed)
  MD5: 3AC860860707BAAF32469FA7CC7C0192
  SHA256: D015145D551ECD14916270EFAD773BBC9FD57FAD2228D2C24559F696C961D904
PID 3120, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6993ED1A32879B8A1ECFCC601881358F (binary)
  MD5: A0D548F37209280F0E6A3EF2138CA960
  SHA256: AA83E697BEFC64E738191C0237E6FC7F1E204FB14AAE9C6588E1D33DB1319C4F
PID 3120, iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\Tar3289.tmp (binary)
  MD5: 4FF65AD929CD9A367680E0E5B1C08166
  SHA256: C8733C93CC5AAF5CA206D06AF22EE8DBDEC764FB5085019A6A9181FEB9DFDEE6
PID 3120, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6993ED1A32879B8A1ECFCC601881358F (binary)
  MD5: E2E9510A1693F1863377A6DAAB42DF98
  SHA256: EC4BF82C91C584B9B3956CEA31D18273418F43485D8D8E4F1A6AC9B819BB201B
PID 820, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 (binary)
  MD5: BE5E6FFE0CEF71E84AA5445537FD611A
  SHA256: 99989DDB05AC43D7AA3B6857E63985B38B3123D939814A374A11762026775FA3

Every file in this excerpt was written by Internet Explorer, not by the keygen. The CryptnetUrlCache Content/MetaData pairs are CryptoAPI's cache of the CRL, OCSP and certificate-trust-list fetches made while validating the HTTPS page's certificate chain, and Cab3288.tmp shares its hash (3AC860860707BAAF32469FA7CC7C0192) with the Content\77EC63BD... entry, i.e. the same compressed download cached twice and unpacked to Tar3289.tmp. The single file counted under "Executable files" is the keygen EXE that WinRAR (PID 4092) extracted into Rar$EXa4092.5472, which is what the "Executable content was dropped or overwritten" indicator refers to; it does not appear among the ten entries shown here.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
78
DNS requests
32
Threats
1

HTTP requests

PID 3120, iexplore.exe: GET  (no HTTP code recorded)  142.250.185.131:80
  URL: http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCKJOyu2maNfwq1WudyH8eI
  CN: US  Reputation: whitelisted
PID 3120, iexplore.exe: GET  (no HTTP code recorded)  142.250.185.131:80
  URL: http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCf4d%2FNemnDwxJHGtU61rL9
  CN: US  Reputation: whitelisted
PID 3120, iexplore.exe: GET 200  23.201.254.55:80
  URL: http://r3.i.lencr.org/
  CN: CH  Type: der  Size: 1.28 Kb  Reputation: whitelisted
PID 3120, iexplore.exe: GET 200  2.16.241.15:80
  URL: http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgRMi9LcSgOIgf8ZGsUoFqtiNg%3D%3D
  CN: unknown  Type: binary  Size: 503 b  Reputation: shared
PID 3120, iexplore.exe: GET 200  23.201.254.55:80
  URL: http://x1.c.lencr.org/
  CN: CH  Type: der  Size: 717 b  Reputation: whitelisted
PID 3120, iexplore.exe: GET 200  142.250.185.131:80
  URL: http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
  CN: US  Type: binary  Size: 1.41 Kb  Reputation: whitelisted
PID 3120, iexplore.exe: GET 200  18.66.92.70:80
  URL: http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
  CN: US  Type: binary  Size: 1.70 Kb  Reputation: whitelisted
PID 3120, iexplore.exe: GET 200  142.250.185.131:80
  URL: http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEE2xqsersTtyEFvM64zHN1E%3D
  CN: US  Type: binary  Size: 471 b  Reputation: whitelisted
PID 3120, iexplore.exe: GET 200  142.250.185.131:80
  URL: http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQD92PX9Q8FmlAp79IClZhAt
  CN: US  Type: binary  Size: 472 b  Reputation: whitelisted
(PID/process not recorded): GET 200  52.222.250.42:80
  URL: http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
  CN: US  Type: binary  Size: 1.39 Kb  Reputation: shared

All ten requests are certificate-status and issuer-certificate retrievals (OCSP responders and CA repositories of Google Trust Services at pki.goog, Let's Encrypt at lencr.org, Starfield at o.ss2.us and Amazon Trust Services), generated by the browser while validating the TLS certificate chains of the sites it loaded. None of them is content fetched by the sample; the page load itself went to www.autocom.re over TLS and appears only in the Connections table below.
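The OCSP GET URLs above are not opaque: the last path segment is a URL-encoded, base64 DER OCSPRequest (RFC 6960, Appendix A) whose CertID names the issuer hashes and the serial number of the certificate being checked. The following added example (not part of the ANY.RUN report) decodes the two ocsp.pki.goog requests from the table with a minimal DER walker, so the serials can be matched against the leaf and intermediate certificates in the PCAP's TLS handshakes to confirm which HTTPS site triggered each check. Standard library only; the only assumption is the small OID-to-name table.

```python
"""Added example (not from the ANY.RUN report): decode the OCSP GET requests
listed in the HTTP table to see which certificates the browser was checking.

OCSP GET (RFC 6960, Appendix A): the URL path ends in base64(DER(OCSPRequest)),
URL-encoded. CertID = SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash,
serialNumber }.
"""
import base64
from urllib.parse import unquote, urlparse


def _tlv(buf: bytes, off: int = 0):
    """Read one DER element; return (tag, value, offset_after_element)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def _children(value: bytes):
    """Split a constructed element's content into its (tag, value) parts."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = _tlv(value, off)
        out.append((tag, val))
    return out


def _decode_oid(b: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value to dotted form."""
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


# Assumed lookup table; anything else is reported as the raw OID.
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def parse_ocsp_get(url: str) -> dict:
    """Extract the responder host and every CertID from an OCSP GET URL."""
    parts = urlparse(url)
    # The request is the last path segment. '/' inside the base64 is %2F-encoded
    # in these URLs, so split on '/' before unquoting.
    der = base64.b64decode(unquote(parts.path.rsplit("/", 1)[-1]))
    ocsp_request = _children(der)[0][1]            # OCSPRequest content
    tbs = _children(ocsp_request)[0][1]            # tbsRequest (optionalSignature would follow)
    # TBSRequest may start with [0] version / [1] requestorName; requestList is
    # the first universal SEQUENCE (tag 0x30).
    request_list = next(v for t, v in _children(tbs) if t == 0x30)
    cert_ids = []
    for _, req in _children(request_list):
        cert_id = _children(req)[0][1]             # Request -> reqCert (CertID)
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = _children(cert_id)
        oid = _decode_oid(_children(alg)[0][1])    # AlgorithmIdentifier -> algorithm OID
        cert_ids.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex().upper(),
            "issuer_key_hash": key_hash.hex().upper(),
            # DER INTEGER is two's complement; a leading 0x00 keeps it positive.
            "serial": format(int.from_bytes(serial, "big", signed=True), "X"),
        })
    return {"responder": parts.netloc, "cert_ids": cert_ids}


# The two ocsp.pki.goog requests copied from the HTTP table.
REPORT_URLS = [
    "http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCKJOyu2maNfwq1WudyH8eI",
    "http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCf4d%2FNemnDwxJHGtU61rL9",
]

if __name__ == "__main__":
    for u in REPORT_URLS:
        print(parse_ocsp_get(u))
```

Both requests carry identical issuer name and key hashes (the same Google Trust Services issuer) and differ only in serial number, i.e. two certificates from one CA were checked during the page load. The same walker handles the lencr.org, o.ss2.us and amazontrust.com URLs in the table, since they only differ in the issuer hashes and serial length.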

Connections

PID 3616, svchost.exe: 239.255.255.250:1900  (whitelisted)
PID 4, System: 192.168.100.255:137  (whitelisted)
PID 4, System: 192.168.100.255:138  (whitelisted)
PID 1076, svchost.exe: 224.0.0.252:5355  (unknown)
PID 3120, iexplore.exe: 67.26.81.254:80  ctldl.windowsupdate.com  ASN: LEVEL3  CN: US  (suspicious)
PID 3120, iexplore.exe: 2.16.241.15:80  r3.o.lencr.org  ASN: Akamai International B.V.  CN: DE  (suspicious)
PID 3120, iexplore.exe: 103.163.187.150:443  www.autocom.re  ASN: SpeedyPage Ltd  CN: GB  (suspicious)
PID 3120, iexplore.exe: 86.105.14.24:443  www.universaltuning.it  ASN: IT.Gate S.p.A.  CN: IT  (unknown)
PID 820, iexplore.exe: 2.23.209.187:443  www.bing.com  ASN: Akamai International B.V.  CN: GB  (suspicious)
PID 3120, iexplore.exe: 23.201.254.55:80  r3.i.lencr.org  ASN: AKAMAI-AS  CN: CH  (unknown)

The first four rows are Windows background traffic (SSDP on 1900, NetBIOS on 137/138, LLMNR on 5355) and www.bing.com from the IE frame process is the browser's own search-provider traffic. ctldl.windowsupdate.com (certificate trust list download) and the lencr.org hosts belong to certificate validation. The connections attributable to the sample are the two TLS sessions from the content process: www.autocom.re, the host on the keygen's command line, and www.universaltuning.it, whose relation to that page is not shown in this excerpt and must be taken from the PCAP in the full report.

DNS requests

Domain
IP
Reputation
www.autocom.re
  • 103.163.187.150
suspicious
ctldl.windowsupdate.com
  • 67.26.81.254
  • 67.27.157.254
  • 8.248.117.254
  • 8.248.119.254
  • 8.253.95.120
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 2.23.209.187
  • 2.23.209.149
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.133
whitelisted
r3.i.lencr.org
  • 23.201.254.55
whitelisted
x1.c.lencr.org
  • 23.201.254.55
whitelisted
r3.o.lencr.org
  • 2.16.241.15
  • 2.16.241.12
shared
www.universaltuning.it
  • 86.105.14.24
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
cdn.jsdelivr.net
  • 151.101.1.229
  • 151.101.65.229
  • 151.101.129.229
  • 151.101.193.229
whitelisted

Threats

PID 1076, svchost.exe: Potentially Bad Traffic: ET INFO Observed DNS Query to .biz TLD

This is an informational Emerging Threats rule, not a malware signature. It fired on svchost.exe because on Windows 7 every DNS lookup is issued by the DNS Client service, so the PID does not identify the application that asked for the name. The .biz domain itself is not among the DNS requests shown in this excerpt (10 of 32), so check the full DNS list or the PCAP before treating it as an indicator.