File name: 1.7z

Full analysis: https://app.any.run/tasks/724a9213-d793-4c71-8de0-72b53c14d0b5
Verdict: Malicious activity
Analysis date: December 02, 2023, 19:10:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: D260B4204D98280A52137140D56CE190
SHA1: EF24D0C3A6C97CB3797992DD87652B7A816F575E
SHA256: 0EC03CB57F876817BEB80D0B4087A3F5DC7D5A9BA9AA012257391F940096248A
SSDEEP: 98304:UX1llWXWXTMGvEgWZ0Gjps5SN2sY6Rd0tPjYnDlwu4sfI2G/N1Ghi7reSJcTKRbh:3q/eq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • net.exe (PID: 3516)
      • net.exe (PID: 4008)
      • cmd.exe (PID: 3340)
      • cmd.exe (PID: 3612)
    • Creates a writable file in the system directory

      • NetLimiter Keygen v1.3.exe (PID: 2300)
    • Drops the executable file immediately after the start

      • NetLimiter Keygen v1.3.exe (PID: 2300)
    • Renames files like ransomware

      • NetLimiter Keygen v1.3.exe (PID: 2300)
  • SUSPICIOUS

    • Reads the BIOS version

      • NetLimiter Keygen v1.3.exe (PID: 2300)
    • Starts CMD.EXE for commands execution

      • NetLimiter Keygen v1.3.exe (PID: 2300)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 124)
    • Checks supported languages

      • NetLimiter Keygen v1.3.exe (PID: 2300)
    • Manual execution by a user

      • NetLimiter Keygen v1.3.exe (PID: 2528)
      • WinRAR.exe (PID: 124)
      • NetLimiter Keygen v1.3.exe (PID: 2300)
      • chrome.exe (PID: 2708)
      • firefox.exe (PID: 1420)
    • Process checks whether UAC notifications are on

      • NetLimiter Keygen v1.3.exe (PID: 2300)
    • Reads the computer name

      • NetLimiter Keygen v1.3.exe (PID: 2300)
    • Reads the machine GUID from the registry

      • NetLimiter Keygen v1.3.exe (PID: 2300)
    • Creates files in a temporary directory

      • NetLimiter Keygen v1.3.exe (PID: 2300)
    • Application launched itself

      • firefox.exe (PID: 1420)
      • firefox.exe (PID: 2584)
      • chrome.exe (PID: 2708)
    • Creates files in the program directory

      • NetLimiter Keygen v1.3.exe (PID: 2300)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 76
Monitored processes: 29
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Processes in the graph, in start order ("no specs" marks processes without specific indicators):

  • winrar.exe (no specs)
  • winrar.exe (no specs)
  • netlimiter keygen v1.3.exe (no specs)
  • netlimiter keygen v1.3.exe
  • cmd.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • cmd.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)
  • chrome.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)

Process information

PID: 124
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\1.7z" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll
PID: 824
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1476 --field-trial-handle=1172,i,14067420990358866321,2165220261060433653,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 109.0.5414.120
Modules (images):
  • c:\program files\google\chrome\application\chrome.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
  • c:\windows\system32\version.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
PID: 1184
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6a7a8b38,0x6a7a8b48,0x6a7a8b54
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 109.0.5414.120
Modules (images):
  • c:\program files\google\chrome\application\chrome.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
  • c:\windows\system32\version.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
PID: 1248
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.2.1357695110\1601495434" -childID 1 -isForBrowser -prefsHandle 2068 -prefMapHandle 2064 -prefsLen 28712 -prefMapSize 244195 -jsInitHandle 836 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31c3a3f5-805d-41d1-a006-2a01515db13e} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 2080 127546d0 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 115.0.2
Modules (images):
  • c:\program files\mozilla firefox\firefox.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\mozilla firefox\mozglue.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\msasn1.dll
  • c:\program files\mozilla firefox\msvcp140.dll
  • c:\program files\mozilla firefox\vcruntime140.dll
PID: 1420
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 115.0.2
Modules (images):
  • c:\program files\mozilla firefox\firefox.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\mozilla firefox\mozglue.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\msasn1.dll
  • c:\program files\mozilla firefox\msvcp140.dll
  • c:\program files\mozilla firefox\vcruntime140.dll
PID: 2004
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.3.1822188311\330729635" -childID 2 -isForBrowser -prefsHandle 2784 -prefMapHandle 2780 -prefsLen 34225 -prefMapSize 244195 -jsInitHandle 836 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f3d001b-5a99-40b4-adbe-469722a6a577} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 2796 1649c280 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 115.0.2
Modules (images):
  • c:\program files\mozilla firefox\firefox.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\mozilla firefox\mozglue.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\msasn1.dll
  • c:\program files\mozilla firefox\msvcp140.dll
  • c:\program files\mozilla firefox\vcruntime140.dll
PID: 2080
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2584.6.8314728\853531771" -childID 5 -isForBrowser -prefsHandle 3892 -prefMapHandle 3896 -prefsLen 29102 -prefMapSize 244195 -jsInitHandle 836 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1849bf48-b2ad-4df0-b737-17e8e48a2fa9} 2584 "\\.\pipe\gecko-crash-server-pipe.2584" 3820 18259f70 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 115.0.2
Modules (images):
  • c:\program files\mozilla firefox\firefox.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\mozilla firefox\mozglue.dll
  • c:\windows\system32\crypt32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\msasn1.dll
  • c:\program files\mozilla firefox\msvcp140.dll
  • c:\program files\mozilla firefox\vcruntime140.dll
PID: 2132
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1172,i,14067420990358866321,2165220261060433653,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 109.0.5414.120
Modules (images):
  • c:\program files\google\chrome\application\chrome.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
  • c:\windows\system32\version.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
PID: 2300
CMD: "C:\Users\admin\Desktop\NetLimiter Keygen v1.3.exe"
Path: C:\Users\admin\Desktop\NetLimiter Keygen v1.3.exe
Parent process: explorer.exe
User: admin
Company: Jasi2169
Integrity Level: HIGH
Description: Netlimiter Keygen By Jasi2169
Exit code: 0
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\desktop\netlimiter keygen v1.3.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
PID: 2308
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=1392 --field-trial-handle=1172,i,14067420990358866321,2165220261060433653,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 109.0.5414.120
Modules (images):
  • c:\program files\google\chrome\application\chrome.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
  • c:\windows\system32\version.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
Total events: 13 275
Read events: 13 013
Write events: 253
Delete events: 9

Modification events

(PID) Process: (2980) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

(PID) Process: (2980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

(PID) Process: (2980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80

(PID) Process: (2980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120

(PID) Process: (2980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime | Value: 100

(PID) Process: (2980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write | Name: Placement | Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

(PID) Process: (2980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write | Name: LastFolder | Value: C:\Users\admin\Desktop
Executable files: 6
Suspicious files: 59
Text files: 28
Unknown types: 0

Dropped files

PID | Process | Filename | Type

124 | WinRAR.exe | C:\Users\admin\Desktop\Read.txt | text
  MD5: 5C7861A3048403B22AD4F08EFF1C582C
  SHA256: C46F9BE18017C6446E38D94A07602EBB075AE63A9E9AC70650BD81961CD6563A

2300 | NetLimiter Keygen v1.3.exe | C:\Users\admin\Desktop\NetLimiter.dll | executable
  MD5: 7510B2CA992AE6B932D49D810026E4DC
  SHA256: 468314858CF76177B8830D432A89D10F288E8E758A98F945A679A43558377CD1

2300 | NetLimiter Keygen v1.3.exe | C:\Windows\system32\bassmod.dll | executable
  MD5: E4EC57E8508C5C4040383EBE6D367928
  SHA256: 8AD9E47693E292F381DA42DDC13724A3063040E51C26F4CA8E1F8E2F1DDD547F

124 | WinRAR.exe | C:\Users\admin\Desktop\NetLimiter Keygen v1.3.exe | executable
  MD5: 403CE52E780C06D2869145AD4461B567
  SHA256: 124E9A0FB03FCEB4DD2ED5820C5A8D8381A2BFE6922A6CF8B630C29D3BEF564A

2300 | NetLimiter Keygen v1.3.exe | C:\Users\admin\AppData\Local\Temp\Netlimiter Keygen.X86.1.0.0.0\keygen_cursor.cur | binary
  MD5: FC9B2E18A0E21C712E227E88248882C1
  SHA256: FE802DB4DE68C9340F7A211DDF694109FD983478454CCB925A06F68851276C69

2300 | NetLimiter Keygen v1.3.exe | C:\Users\admin\AppData\Local\Temp\Netlimiter Keygen.X86.1.0.0.0\Native.dll | executable
  MD5: 36FDE2466FEA08328EDB8744EE01981E
  SHA256: AC3D757539AF3AC2103803F5F058FCF05D4082498DCB02F42EBF322A5AC9D9D6

124 | WinRAR.exe | C:\Users\admin\Desktop\NetLimiter.dll | executable
  MD5: 86BA206D979D85536C8D7FF5CC366036
  SHA256: 68EC7C601737F6CED53E59E2526DFFD7885F83C0B0B59BBB2E329281EE266C15

2300 | NetLimiter Keygen v1.3.exe | C:\Users\admin\Desktop\NetLimiter.dll.bak | executable
  MD5: 86BA206D979D85536C8D7FF5CC366036
  SHA256: 68EC7C601737F6CED53E59E2526DFFD7885F83C0B0B59BBB2E329281EE266C15

2584 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | binary
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

2584 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal | -
  MD5:
  SHA256:
HTTP(S) requests: 0
TCP/UDP connections: 141
DNS requests: 113
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2584 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted
2584 | firefox.exe | 34.117.237.239:443 | contile.services.mozilla.com | GOOGLE-CLOUD-PLATFORM | US | unknown
2584 | firefox.exe | 34.204.4.120:443 | spocs.getpocket.com | AMAZON-AES | US | unknown
2584 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | unknown
2584 | firefox.exe | 142.250.186.170:443 | safebrowsing.googleapis.com | GOOGLE | US | whitelisted
2584 | firefox.exe | 34.107.243.93:443 | push.services.mozilla.com | GOOGLE | US | unknown

DNS requests

Domain | IP(s) | Reputation
detectportal.firefox.com | 34.107.221.82 | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82, 2600:1901:0:38d7:: | whitelisted
contile.services.mozilla.com | 34.117.237.239 | whitelisted
spocs.getpocket.com | 34.204.4.120, 54.81.250.249, 3.234.84.42, 34.233.191.125 | shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com | 34.204.4.120, 54.81.250.249, 3.234.84.42, 34.233.191.125 | shared
firefox.settings.services.mozilla.com | 34.149.100.209 | whitelisted
prod.remote-settings.prod.webservices.mozgcp.net | 34.149.100.209 | whitelisted
safebrowsing.googleapis.com | 142.250.186.170, 2a00:1450:4001:831::200a | whitelisted
push.services.mozilla.com | 34.107.243.93 | whitelisted
autopush.prod.mozaws.net | 34.107.243.93 | whitelisted

Threats

No threats detected
No debug info