File name:

AIOSCREENSMALL.rar

Full analysis: https://app.any.run/tasks/28a7dea6-61d4-4366-b46f-74d1cf74d0a9
Verdict: Malicious activity
Analysis date: December 18, 2024, 17:42:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
upx
antivm
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

2B219DEAA203F8EE9A21D6F5782A1A73

SHA1:

B05F65CF990128611507BC31DD345B7993EECE87

SHA256:

0FE8A51C858C36FCECDD7CA6A9A9113EA1A0DEA09224B178B1F7A5C9EAF25EF5

SSDEEP:

98304:hCZQP7YpvmczDYQlgFWTX/T7EwSfkQpVkcUbKRT+tK+jHDM23eTYMgDQIwPORGJr:zQfR+Q0XYMolW/a8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 1392)

    • Executable content was dropped or overwritten

      • UsbMonitor.exe (PID: 6268)

    • Drops a system driver (possible attempt to evade defenses)

      • UsbMonitor.exe (PID: 6268)

    • The process checks if it is being run in the virtual environment

      • UsbMonitor.exe (PID: 6268)

    • Reads the BIOS version

      • UsbMonitor.exe (PID: 6268)

    • There is functionality for VM detection antiVM strings (YARA)

      • UsbMonitor.exe (PID: 6268)

  • INFO

    • Manual execution by a user

      • UsbMonitor.exe (PID: 4128)
      • UsbMonitor.exe (PID: 7080)
      • UsbMonitor.exe (PID: 6696)
      • WinRAR.exe (PID: 1392)
      • UsbMonitor.exe (PID: 6268)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6744)
      • WinRAR.exe (PID: 1392)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 6744)
      • WinRAR.exe (PID: 1392)

    • Reads the computer name

      • UsbMonitor.exe (PID: 4128)
      • UsbMonitor.exe (PID: 6268)

    • Reads the machine GUID from the registry

      • UsbMonitor.exe (PID: 4128)
      • UsbMonitor.exe (PID: 6268)

    • Checks supported languages

      • UsbMonitor.exe (PID: 4128)
      • UsbMonitor.exe (PID: 6268)

    • The sample compiled with french language support

      • WinRAR.exe (PID: 1392)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 1392)
      • UsbMonitor.exe (PID: 6268)

    • Create files in a temporary directory

      • UsbMonitor.exe (PID: 6268)

    • Checks proxy server information

      • UsbMonitor.exe (PID: 6268)

    • Reads CPU info

      • UsbMonitor.exe (PID: 6268)

    • Disables trace logs

      • UsbMonitor.exe (PID: 6268)

    • Reads Environment values

      • UsbMonitor.exe (PID: 6268)

    • Reads the software policy settings

      • UsbMonitor.exe (PID: 6268)

    • UPX packer has been detected

      • UsbMonitor.exe (PID: 6268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 2
UncompressedSize: 2
OperatingSystem: Win32
ArchivedFileName: AIOSCREENSMALL/code.ini
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe usbmonitor.exe no specs usbmonitor.exe winrar.exe rundll32.exe no specs usbmonitor.exe no specs usbmonitor.exe

Process information

PID
CMD
Path
Indicators
Parent process
1392"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\AIOSCREENSMALL.rar" C:\Users\admin\Desktop\C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
4128"C:\Users\admin\Desktop\UsbMonitor.exe" C:\Users\admin\Desktop\UsbMonitor.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
TURZX
Exit code:
0
Version:
2.2.1.0
Modules
Images
c:\users\admin\desktop\usbmonitor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6268"C:\Users\admin\Desktop\AIOSCREENSMALL\UsbMonitor.exe" C:\Users\admin\Desktop\AIOSCREENSMALL\UsbMonitor.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
TURZX
Version:
2.2.1.0
Modules
Images
c:\users\admin\desktop\aioscreensmall\usbmonitor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6636C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
6696"C:\Users\admin\Desktop\AIOSCREENSMALL\UsbMonitor.exe" C:\Users\admin\Desktop\AIOSCREENSMALL\UsbMonitor.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
TURZX
Exit code:
3221226540
Version:
2.2.1.0
Modules
Images
c:\users\admin\desktop\aioscreensmall\usbmonitor.exe
c:\windows\system32\ntdll.dll
6744"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\AIOSCREENSMALL.rarC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
7080"C:\Users\admin\Desktop\UsbMonitor.exe" C:\Users\admin\Desktop\UsbMonitor.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
TURZX
Exit code:
3221226540
Version:
2.2.1.0
Modules
Images
c:\users\admin\desktop\usbmonitor.exe
c:\windows\system32\ntdll.dll
Total events
6 363
Read events
6 327
Write events
36
Delete events
0

Modification events

(PID) Process:(6744) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6744) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6744) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6744) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\AIOSCREENSMALL.rar
(PID) Process:(6744) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6744) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6744) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6744) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6744) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:(6744) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
256
Executable files
8
Suspicious files
47
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
1392WinRAR.exeC:\Users\admin\Desktop\AIOSCREENSMALL\config\AORUS.datapi2
MD5:E26383346311930E93C25275D7B232A8
SHA256:1F313FB30DD4904994CBED98DA6DEA5F55A4D81F9C78F4B969BDCCA80475C914
1392WinRAR.exeC:\Users\admin\Desktop\AIOSCREENSMALL\config\Dragon Ball.datapi2
MD5:90D4D46A513F41C36B11E49714B0AC99
SHA256:E07BD266D16DE981866ADDD4225C24593958B83093932D5C56DD2A9F707DA4D2
1392WinRAR.exeC:\Users\admin\Desktop\AIOSCREENSMALL\config\A cyberpunk.databinary
MD5:4754DE3C149EC21F693D097B8CEA962C
SHA256:7E212AE98E845B51CC712FEEF330E56CFE74BF8946B0536C333FF7B9C7BFE520
1392WinRAR.exeC:\Users\admin\Desktop\AIOSCREENSMALL\config\3.5inchTheme1.datapi2
MD5:FA4BF0786E089EDB7A75D0C3387A757B
SHA256:83FCEB936597B25FB9A8E3A895DDCAD3EF45888F42E3DB3CB7A6046707FDDA82
1392WinRAR.exeC:\Users\admin\Desktop\AIOSCREENSMALL\config\A EVA UI 001.datapi2
MD5:1949526A9F0A342117CB07817B64E001
SHA256:B7E9B07DB6DB780E98CD6569ECC79ED0A5C1AE4D3B132129B4EC4562FB7589B1
1392WinRAR.exeC:\Users\admin\Desktop\AIOSCREENSMALL\config\3.5inchTheme2.databinary
MD5:1E2B9AECC39C808E4FB22D335489BE4E
SHA256:C522394513118510252B74FE71CEFC4A667CB2D71834EB41205CCAFEBFD1AF11
1392WinRAR.exeC:\Users\admin\Desktop\AIOSCREENSMALL\config\A EVA UI 002.datapi2
MD5:90BD0908C02FF5A3E48A70BB28CF437E
SHA256:1261B796F18DEB09F3FE7A5741DC13AFCC551E7267EDD9F13B4A397A0AD5C95A
1392WinRAR.exeC:\Users\admin\Desktop\AIOSCREENSMALL\config\Gradient.datapi2
MD5:0FF17FB4E6C9EDE0A49CDDC14D5E7D6F
SHA256:0DC0C43965D03CDA343873AB3CFAAA0CC6E5E188DDE1ADD5F6025837AED43A21
1392WinRAR.exeC:\Users\admin\Desktop\AIOSCREENSMALL\config\B cyberpunk.databinary
MD5:26CC535B3F028D8928C523D641FB10C3
SHA256:0CDE29EC197CEB3E842D7576AF6E8389184C66F03A973293B6B87C9B4B9F5E49
1392WinRAR.exeC:\Users\admin\Desktop\AIOSCREENSMALL\config\Earth theme.databinary
MD5:075CEBA11520CD4972095DAE1EFD31F6
SHA256:5813609025792850C5626669EEDA0F55DF189D66784105EC97B5190BE610D67A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
40
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
2.16.164.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6344
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6344
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4716
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4716
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6268
UsbMonitor.exe
GET
301
111.230.112.70:80
http://www.turzx.com/update_35.html
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5004
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.164.114:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
2.23.209.183:443
www.bing.com
Akamai International B.V.
GB
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
40.126.32.76:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.164.114
  • 2.16.164.99
  • 2.16.164.106
  • 2.16.164.17
  • 2.16.164.98
  • 2.16.164.97
  • 2.16.164.24
  • 2.16.164.107
  • 2.16.164.49
unknown
www.microsoft.com
  • 88.221.169.152
whitelisted
www.bing.com
  • 2.23.209.183
  • 2.23.209.187
  • 2.23.209.181
  • 2.23.209.182
  • 2.23.209.150
  • 2.23.209.177
  • 2.23.209.158
  • 2.23.209.160
  • 2.23.209.185
whitelisted
google.com
  • 142.250.185.142
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.136
  • 20.190.160.14
  • 40.126.32.74
  • 20.190.160.20
  • 20.190.160.17
  • 40.126.32.138
  • 20.190.160.22
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.199.58.43
  • 20.103.156.88
whitelisted
fd.api.iris.microsoft.com
  • 20.105.99.58
  • 20.31.169.57
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
AIOSCREENSMALL.rar