File name: 兵河五四3.6完美云库版加载佳佳2020新佳佳.7z

Full analysis: https://app.any.run/tasks/b5faac35-a070-474e-bb0d-1a314d92bb3b
Verdict: Malicious activity
Analysis date: July 13, 2020, 03:03:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 870263341683079D9543C89DE487BF9D
SHA1: 53FFB3E7E842F404635F8BF9C8E3C53449C54B4E
SHA256: 18712B1C13A01D416B0EC035B27C1B2CDB8976AEC7BD7E781BB1474758C90A53
SSDEEP: 393216:KOFB+Ewo+98IH6LQriV5LpVpCOVC9u1JA4Kgt:NH+i+FaYUL5COE9u1JSi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • 兵河五四.exe (PID: 272)
      • SearchProtocolHost.exe (PID: 3588)
    • Application was dropped or rewritten from another process
      • 兵河五四.exe (PID: 272)
      • 兵河五四.exe (PID: 1236)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2440)
    • Reads Internet Cache Settings
      • 兵河五四.exe (PID: 272)
  • INFO
    • Manual execution by user
      • 兵河五四.exe (PID: 272)
      • 兵河五四.exe (PID: 1236)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
Total processes: 40
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown: winrar.exe, searchprotocolhost.exe (no specs), 兵河五四.exe (no specs), 兵河五四.exe

Process information

PID 272
CMD: "C:\Users\admin\Desktop\兵河五四.exe"
Path: C:\Users\admin\Desktop\兵河五四.exe
Parent process: explorer.exe
User: admin
Company: CHINA
Integrity Level: HIGH
Description: Chinese Chess Gui
Exit code: 0
Version: 3.6.0.0
Modules (Images):
  • c:\users\admin\desktop\兵河五四.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msimg32.dll

PID 1236
CMD: "C:\Users\admin\Desktop\兵河五四.exe"
Path: C:\Users\admin\Desktop\兵河五四.exe
Parent process: explorer.exe
User: admin
Company: CHINA
Integrity Level: MEDIUM
Description: Chinese Chess Gui
Exit code: 3221226540
Version: 3.6.0.0
Modules (Images):
  • c:\users\admin\desktop\兵河五四.exe
  • c:\systemroot\system32\ntdll.dll

PID 2440
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\兵河五四3.6完美云库版加载佳佳2020新佳佳.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (Images):
  • c:\program files\winrar\winrar.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll

PID 3588
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\searchprotocolhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
Total events: 814
Read events: 779
Write events: 35
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
2440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
2440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
2440 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E | LanguageList | en-US
2440 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E | @C:\Windows\system32\NetworkExplorer.dll,-1 | Network
2440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\兵河五四3.6完美云库版加载佳佳2020新佳佳.7z
2440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2440 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2440 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E | @C:\Windows\System32\msxml3r.dll,-1 | XML Document
Executable files: 5
Suspicious files: 0
Text files: 71
Unknown types: 51

Dropped files

PID | Process | Filename | Type
2440 | WinRAR.exe | C:\Users\admin\Desktop\account.db | sqlite
2440 | WinRAR.exe | C:\Users\admin\Desktop\bcg.xml | text
2440 | WinRAR.exe | C:\Users\admin\Desktop\obks.db | sqlite
2440 | WinRAR.exe | C:\Users\admin\Desktop\engines.db | sqlite
2440 | WinRAR.exe | C:\Users\admin\Desktop\Engines\009号引擎 全新架构\ggX64set2017.ini | text
2440 | WinRAR.exe | C:\Users\admin\Desktop\Piece\large\bc.png | image
2440 | WinRAR.exe | C:\Users\admin\Desktop\connect.db | sqlite
2440 | WinRAR.exe | C:\Users\admin\Desktop\Piece\large\bk.png | image
2440 | WinRAR.exe | C:\Users\admin\Desktop\Piece\large\mask.png | image
2440 | WinRAR.exe | C:\Users\admin\Desktop\Piece\large\ra.png | image
HTTP(S) requests: 2
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
272 | 兵河五四.exe | GET | 200 | 156.238.189.3:80 | http://www.chessdb.cn/chessdb.php?action=queryall&board=rnbakabnr/9/1c5c1/p1p1p1p1p/9/9/P1P1P1P1P/1C5C1/9/RNBAKABNR%20w&ban=&learn=1&egtbmetric=dtm | US | text | 2.37 Kb | unknown
272 | 兵河五四.exe | GET | 200 | 156.238.189.3:80 | http://www.chessdb.cn/chessdb.php?action=query&board=rnbakabnr/9/1c5c1/p1p1p1p1p/9/9/P1P1P1P1P/1C5C1/9/RNBAKABNR%20w&ban=&learn=1&egtbmetric=dtm | US | text | 10 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
272 | 兵河五四.exe | 156.238.189.3:80 | www.chessdb.cn | MULTACOM CORPORATION | US | unknown

DNS requests

Domain | IP | Reputation
www.chessdb.cn | 156.238.189.3, 156.238.189.2 | unknown

Threats

No threats detected
No debug info