File name: AIOSCREENSMALL.rar

Full analysis: https://app.any.run/tasks/28a7dea6-61d4-4366-b46f-74d1cf74d0a9
Verdict: Malicious activity
Analysis date: December 18, 2024, 17:42:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-exec, arch-doc, upx, antivm
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 2B219DEAA203F8EE9A21D6F5782A1A73
SHA1: B05F65CF990128611507BC31DD345B7993EECE87
SHA256: 0FE8A51C858C36FCECDD7CA6A9A9113EA1A0DEA09224B178B1F7A5C9EAF25EF5
SSDEEP: 98304:hCZQP7YpvmczDYQlgFWTX/T7EwSfkQpVkcUbKRT+tK+jHDM23eTYMgDQIwPORGJr:zQfR+Q0XYMolW/a8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • UsbMonitor.exe (PID: 6268)
    • Reads the BIOS version

      • UsbMonitor.exe (PID: 6268)
    • There is functionality for VM detection antiVM strings (YARA)

      • UsbMonitor.exe (PID: 6268)
    • The process checks if it is being run in the virtual environment

      • UsbMonitor.exe (PID: 6268)
    • Drops a system driver (possible attempt to evade defenses)

      • UsbMonitor.exe (PID: 6268)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 1392)
  • INFO

    • Checks supported languages

      • UsbMonitor.exe (PID: 4128)
      • UsbMonitor.exe (PID: 6268)
    • Manual execution by a user

      • UsbMonitor.exe (PID: 4128)
      • UsbMonitor.exe (PID: 7080)
      • UsbMonitor.exe (PID: 6268)
      • WinRAR.exe (PID: 1392)
      • UsbMonitor.exe (PID: 6696)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 6744)
      • WinRAR.exe (PID: 1392)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6744)
      • WinRAR.exe (PID: 1392)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 1392)
      • UsbMonitor.exe (PID: 6268)
    • Reads the computer name

      • UsbMonitor.exe (PID: 6268)
      • UsbMonitor.exe (PID: 4128)
    • Reads the machine GUID from the registry

      • UsbMonitor.exe (PID: 6268)
      • UsbMonitor.exe (PID: 4128)
    • Checks proxy server information

      • UsbMonitor.exe (PID: 6268)
    • Create files in a temporary directory

      • UsbMonitor.exe (PID: 6268)
    • Reads CPU info

      • UsbMonitor.exe (PID: 6268)
    • Disables trace logs

      • UsbMonitor.exe (PID: 6268)
    • Reads Environment values

      • UsbMonitor.exe (PID: 6268)
    • Reads the software policy settings

      • UsbMonitor.exe (PID: 6268)
    • UPX packer has been detected

      • UsbMonitor.exe (PID: 6268)
    • The sample compiled with french language support

      • WinRAR.exe (PID: 1392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 2
UncompressedSize: 2
OperatingSystem: Win32
ArchivedFileName: AIOSCREENSMALL/code.ini
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph (from the start node): winrar.exe; usbmonitor.exe (no specs); usbmonitor.exe; winrar.exe; rundll32.exe (no specs); usbmonitor.exe (no specs); usbmonitor.exe

Process information

PID: 1392
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\AIOSCREENSMALL.rar" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 4128
CMD: "C:\Users\admin\Desktop\UsbMonitor.exe"
Path: C:\Users\admin\Desktop\UsbMonitor.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: TURZX
Exit code: 0
Version: 2.2.1.0
Modules (images):
c:\users\admin\desktop\usbmonitor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 6268
CMD: "C:\Users\admin\Desktop\AIOSCREENSMALL\UsbMonitor.exe"
Path: C:\Users\admin\Desktop\AIOSCREENSMALL\UsbMonitor.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: TURZX
Version: 2.2.1.0
Modules (images):
c:\users\admin\desktop\aioscreensmall\usbmonitor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 6636
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

PID: 6696
CMD: "C:\Users\admin\Desktop\AIOSCREENSMALL\UsbMonitor.exe"
Path: C:\Users\admin\Desktop\AIOSCREENSMALL\UsbMonitor.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: TURZX
Exit code: 3221226540
Version: 2.2.1.0
Modules (images):
c:\users\admin\desktop\aioscreensmall\usbmonitor.exe
c:\windows\system32\ntdll.dll

PID: 6744
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\AIOSCREENSMALL.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

PID: 7080
CMD: "C:\Users\admin\Desktop\UsbMonitor.exe"
Path: C:\Users\admin\Desktop\UsbMonitor.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: TURZX
Exit code: 3221226540
Version: 2.2.1.0
Modules (images):
c:\users\admin\desktop\usbmonitor.exe
c:\windows\system32\ntdll.dll
Total events: 6 363
Read events: 6 327
Write events: 36
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(6744) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
(6744) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
(6744) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
(6744) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\AIOSCREENSMALL.rar
(6744) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
(6744) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
(6744) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
(6744) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(6744) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(6744) WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | write | name | 256
Executable files: 8
Suspicious files: 47
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1392 | WinRAR.exe | C:\Users\admin\Desktop\AIOSCREENSMALL\config\Landscape6Grid.dat | binary | 585809583D1910375B02BD85955036D0 | A9A3A71FE90532592F772A58B30E4C16BC33C457BD6AD9818CDA6532FD75AF51
1392 | WinRAR.exe | C:\Users\admin\Desktop\AIOSCREENSMALL\config\Gradient.dat | pi2 | 0FF17FB4E6C9EDE0A49CDDC14D5E7D6F | 0DC0C43965D03CDA343873AB3CFAAA0CC6E5E188DDE1ADD5F6025837AED43A21
1392 | WinRAR.exe | C:\Users\admin\Desktop\AIOSCREENSMALL\config\gundam1.dat | binary | 05860238007F6B0177252A03E4A3561E | 7F706F9376FB0CCF7C40E045F53A5E2C4B51A49654E945CBB6B335851958CFFC
1392 | WinRAR.exe | C:\Users\admin\Desktop\AIOSCREENSMALL\config\LandscapeMagicBlue.dat | binary | D45761BC13CB09E13A62CF7D1B29C786 | B7F514D53E1B5CEFCB68A2822F30F061F1ED16FE03386AA94C6CECE227AA22DE
1392 | WinRAR.exe | C:\Users\admin\Desktop\AIOSCREENSMALL\config\A EVA UI 001.dat | pi2 | 1949526A9F0A342117CB07817B64E001 | B7E9B07DB6DB780E98CD6569ECC79ED0A5C1AE4D3B132129B4EC4562FB7589B1
1392 | WinRAR.exe | C:\Users\admin\Desktop\AIOSCREENSMALL\config\AORUS.dat | pi2 | E26383346311930E93C25275D7B232A8 | 1F313FB30DD4904994CBED98DA6DEA5F55A4D81F9C78F4B969BDCCA80475C914
1392 | WinRAR.exe | C:\Users\admin\Desktop\AIOSCREENSMALL\config\3.5inchTheme1.dat | pi2 | FA4BF0786E089EDB7A75D0C3387A757B | 83FCEB936597B25FB9A8E3A895DDCAD3EF45888F42E3DB3CB7A6046707FDDA82
1392 | WinRAR.exe | C:\Users\admin\Desktop\AIOSCREENSMALL\config\A cyberpunk.dat | binary | 4754DE3C149EC21F693D097B8CEA962C | 7E212AE98E845B51CC712FEEF330E56CFE74BF8946B0536C333FF7B9C7BFE520
1392 | WinRAR.exe | C:\Users\admin\Desktop\AIOSCREENSMALL\code.ini | text | EA5D2F1C4608232E07D3AA3D998E5135 | A68B412C4282555F15546CF6E1FC42893B7E07F271557CEB021821098DD66C1B
1392 | WinRAR.exe | C:\Users\admin\Desktop\AIOSCREENSMALL\config\A EVA UI 002.dat | pi2 | 90BD0908C02FF5A3E48A70BB28CF437E | 1261B796F18DEB09F3FE7A5741DC13AFCC551E7267EDD9F13B4A397A0AD5C95A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 40
DNS requests: 23
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
 | | GET | 200 | 2.16.164.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
 | | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6344 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6344 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6268 | UsbMonitor.exe | GET | 301 | 111.230.112.70:80 | http://www.turzx.com/update_35.html | unknown | unknown
4716 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4716 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

(The Type and Size columns of the original table were empty for every row and are omitted.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5004 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 2.16.164.114:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
 | | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.23.209.183:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59 | whitelisted
crl.microsoft.com | 2.16.164.114, 2.16.164.99, 2.16.164.106, 2.16.164.17, 2.16.164.98, 2.16.164.97, 2.16.164.24, 2.16.164.107, 2.16.164.49 | unknown
www.microsoft.com | 88.221.169.152 | whitelisted
www.bing.com | 2.23.209.183, 2.23.209.187, 2.23.209.181, 2.23.209.182, 2.23.209.150, 2.23.209.177, 2.23.209.158, 2.23.209.160, 2.23.209.185 | whitelisted
google.com | 142.250.185.142 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.76, 40.126.32.136, 20.190.160.14, 40.126.32.74, 20.190.160.20, 20.190.160.17, 40.126.32.138, 20.190.160.22 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
arc.msn.com | 20.199.58.43, 20.103.156.88 | whitelisted
fd.api.iris.microsoft.com | 20.105.99.58, 20.31.169.57 | whitelisted

Threats

No threats detected
No debug info