File name:

proxy.switcher.6.5.0.7677.zip

Full analysis: https://app.any.run/tasks/7f2c4fc3-88d7-4893-bea9-8babdb2a67ca
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: December 09, 2018, 08:53:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

954B8789F67821534CFA98EC93421EFE

SHA1:

A4A1991281EA1C94E67CD7AB26D0751C2190F73F

SHA256:

200599B833FFFD0D7B17771F903B1F2E24A50A9D01FCF73DD9831639BECB74D3

SSDEEP:

196608:E47Uk1xuE5zEib4R8Bja+Kg96ZC6GJ4SNJ7vvGbxeXF:RPldHJBja+FILUjNJbvmxeV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ProxySwitcherStandard.exe (PID: 2576)
      • ProxySwitcher.exe (PID: 3308)
      • ProxySwitcher.exe (PID: 2216)
      • ProxySwitcher.exe (PID: 2660)

    • Changes the autorun value in the registry

      • ProxySwitcherStandard.tmp (PID: 3160)

    • Loads dropped or rewritten executable

      • ProxySwitcher.exe (PID: 3308)
      • ProxySwitcher.exe (PID: 2660)

    • Changes settings of System certificates

      • ProxySwitcher.exe (PID: 2660)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ProxySwitcherStandard.exe (PID: 2576)
      • ProxySwitcherStandard.tmp (PID: 3160)
      • DllHost.exe (PID: 4004)

    • Reads Windows owner or organization settings

      • ProxySwitcherStandard.tmp (PID: 3160)

    • Reads the Windows organization settings

      • ProxySwitcherStandard.tmp (PID: 3160)

    • Reads Internet Cache Settings

      • ProxySwitcher.exe (PID: 3308)
      • ProxySwitcher.exe (PID: 2660)
      • rundll32.exe (PID: 3376)
      • rundll32.exe (PID: 3872)

    • Creates files in the program directory

      • ProxySwitcher.exe (PID: 2660)

    • Creates files in the user directory

      • ProxySwitcher.exe (PID: 2660)

    • Uses RUNDLL32.EXE to load library

      • ProxySwitcher.exe (PID: 2660)

    • Reads internet explorer settings

      • ProxySwitcher.exe (PID: 2660)

    • Adds / modifies Windows certificates

      • ProxySwitcher.exe (PID: 2660)

    • Connects to unusual port

      • ProxySwitcher.exe (PID: 2660)

  • INFO

    • Loads dropped or rewritten executable

      • ProxySwitcherStandard.tmp (PID: 3160)

    • Application was dropped or rewritten from another process

      • ProxySwitcherStandard.tmp (PID: 3160)

    • Creates files in the program directory

      • ProxySwitcherStandard.tmp (PID: 3160)

    • Creates a software uninstall entry

      • ProxySwitcherStandard.tmp (PID: 3160)

    • Reads settings of System Certificates

      • ProxySwitcher.exe (PID: 2660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2018:06:10 20:23:01
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Crack/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
9
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs proxyswitcher.exe proxyswitcherstandard.exe proxyswitcherstandard.tmp proxyswitcher.exe no specs Copy/Move/Rename/Delete/Link Object proxyswitcher.exe rundll32.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2216"C:\Users\admin\Desktop\Crack\ProxySwitcher.exe" C:\Users\admin\Desktop\Crack\ProxySwitcher.exe
explorer.exe
User:
admin
Company:
Proxy Switcher
Integrity Level:
HIGH
Description:
Proxy Switcher
Exit code:
3221225781
Version:
6.5.0.7677
Modules
Images
c:\users\admin\desktop\crack\proxyswitcher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2576"C:\Users\admin\Desktop\ProxySwitcherStandard.exe" C:\Users\admin\Desktop\ProxySwitcherStandard.exe
explorer.exe
User:
admin
Company:
V-Tech LLC
Integrity Level:
HIGH
Description:
ProxySwitcher Standard Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\desktop\proxyswitcherstandard.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2660"C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe" C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe
explorer.exe
User:
admin
Company:
Proxy Switcher
Integrity Level:
HIGH
Description:
Proxy Switcher
Exit code:
0
Version:
6.5.0.7677
Modules
Images
c:\program files\proxy switcher standard\proxyswitcher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3160"C:\Users\admin\AppData\Local\Temp\is-TIBCF.tmp\ProxySwitcherStandard.tmp" /SL5="$80140,5622032,140800,C:\Users\admin\Desktop\ProxySwitcherStandard.exe" C:\Users\admin\AppData\Local\Temp\is-TIBCF.tmp\ProxySwitcherStandard.tmp
ProxySwitcherStandard.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-tibcf.tmp\proxyswitcherstandard.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3176"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\proxy.switcher.6.5.0.7677.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3308"C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe" -first -fast -z -x -qC:\Program Files\Proxy Switcher Standard\ProxySwitcher.exeProxySwitcherStandard.tmp
User:
admin
Company:
Proxy Switcher
Integrity Level:
HIGH
Description:
Proxy Switcher
Exit code:
1
Version:
6.5.0.7677
Modules
Images
c:\program files\proxy switcher standard\proxyswitcher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3376"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wininet.dll",DispatchAPICall 1 C:\Windows\system32\rundll32.exeProxySwitcher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3872"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wininet.dll",DispatchAPICall 1 C:\Windows\system32\rundll32.exeProxySwitcher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
4004C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
1 069
Read events
939
Write events
120
Delete events
10

Modification events

(PID) Process:(3176) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3176) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3176) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3176) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\proxy.switcher.6.5.0.7677.zip
(PID) Process:(3176) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3176) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3176) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3176) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3176) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(3176) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
Executable files
10
Suspicious files
30
Text files
2
Unknown types
11

Dropped files

PID
Process
Filename
Type
3176WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3176.16072\Crack\ProxySwitcher.exe
MD5:
SHA256:
3176WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3176.16072\ProxySwitcherStandard.exe
MD5:
SHA256:
3160ProxySwitcherStandard.tmpC:\Program Files\Proxy Switcher Standard\is-NU68T.tmp
MD5:
SHA256:
3160ProxySwitcherStandard.tmpC:\Program Files\Proxy Switcher Standard\is-15UVF.tmp
MD5:
SHA256:
3160ProxySwitcherStandard.tmpC:\Program Files\Proxy Switcher Standard\is-ORT4J.tmp
MD5:
SHA256:
3160ProxySwitcherStandard.tmpC:\Program Files\Proxy Switcher Standard\is-PH93F.tmp
MD5:
SHA256:
3160ProxySwitcherStandard.tmpC:\Program Files\Proxy Switcher Standard\is-UFMO1.tmp
MD5:
SHA256:
3160ProxySwitcherStandard.tmpC:\Program Files\Proxy Switcher Standard\is-FBS22.tmp
MD5:
SHA256:
3160ProxySwitcherStandard.tmpC:\Program Files\Proxy Switcher Standard\is-KO44G.tmp
MD5:
SHA256:
3160ProxySwitcherStandard.tmpC:\Program Files\Proxy Switcher Standard\is-6AO20.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
202
TCP/UDP connections
311
DNS requests
21
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2660
ProxySwitcher.exe
GET
302
87.250.250.242:80
http://ya.ru/
RU
whitelisted
2660
ProxySwitcher.exe
HEAD
200
2.16.186.26:80
http://www.msftncsi.com/ncsi.txt
unknown
whitelisted
GET
302
87.250.250.242:80
http://ya.ru/
RU
whitelisted
2660
ProxySwitcher.exe
GET
200
139.59.143.183:80
http://core.proxyswitcher.com/trouble.php
DE
text
43 b
suspicious
2660
ProxySwitcher.exe
GET
200
139.59.143.183:80
http://core.proxyswitcher.com/dt.bin?r=0&c=0&i=C4BA3647F1728E4E&i2=522030D000005341%2D000F%2D0CB7B5C4BA3647%2D379C0590A4412013752B8DB52F0D85A9FFFF9EA50F03FFFF%2DE49CF1F9
DE
binary
2.46 Kb
suspicious
2660
ProxySwitcher.exe
GET
200
139.59.143.183:80
http://core.proxyswitcher.com/news.php?r=0&c=0&i=C4BA3647F1728E4E&i2=522030D000005341%2D000F%2D0CB7B5C4BA3647%2D379C0590A4412013752B8DB52F0D85A9FFFF9EA50F03FFFF%2DE49CF1F9
DE
binary
256 b
suspicious
2660
ProxySwitcher.exe
GET
200
139.59.143.183:80
http://core.proxyswitcher.com/script.lz?r=0&c=0&i=C4BA3647F1728E4E&i2=522030D000005341%2D000F%2D0CB7B5C4BA3647%2D379C0590A4412013752B8DB52F0D85A9FFFF9EA50F03FFFF%2DE49CF1F9
DE
binary
22.2 Kb
suspicious
2660
ProxySwitcher.exe
GET
200
159.203.30.68:80
http://core4.proxyswitcher.com/update.php?act=load&i2=522030D000005341%2D000F%2D0CB7B5C4BA3647%2D379C0590A4412013752B8DB52F0D85A9FFFF9EA50F03FFFF%2DE49CF1F9
CA
text
25 b
malicious
GET
200
139.59.143.183:80
http://core.proxyswitcher.com/mwf.php
DE
html
123 b
suspicious
GET
200
139.59.143.183:80
http://core.proxyswitcher.com/update.php?act=load&i2=522030D000005341%2D000F%2D0CB7B5C4BA3647%2D379C0590A4412013752B8DB52F0D85A9FFFF9EA50F03FFFF%2DE49CF1F9
DE
text
25 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2660
ProxySwitcher.exe
139.59.143.183:80
core.proxyswitcher.com
Digital Ocean, Inc.
DE
suspicious
2660
ProxySwitcher.exe
2.16.186.26:80
www.msftncsi.com
Akamai International B.V.
whitelisted
2660
ProxySwitcher.exe
178.154.131.217:80
yastatic.net
YANDEX LLC
RU
whitelisted
2660
ProxySwitcher.exe
87.250.250.242:80
ya.ru
YANDEX LLC
RU
whitelisted
2660
ProxySwitcher.exe
172.217.168.10:80
ajax.googleapis.com
Google Inc.
US
whitelisted
2660
ProxySwitcher.exe
104.19.199.151:443
cdnjs.cloudflare.com
Cloudflare Inc
US
shared
2660
ProxySwitcher.exe
172.217.168.10:443
ajax.googleapis.com
Google Inc.
US
whitelisted
2660
ProxySwitcher.exe
209.197.3.15:443
maxcdn.bootstrapcdn.com
Highwinds Network Group, Inc.
US
whitelisted
2660
ProxySwitcher.exe
46.109.119.79:80
core3.proxyswitcher.com
SIA Lattelecom
LV
unknown
2660
ProxySwitcher.exe
78.84.142.198:80
core2.proxyswitcher.com
SIA Lattelecom
LV
unknown

DNS requests

Domain
IP
Reputation
core.proxyswitcher.com
  • 139.59.143.183
suspicious
microsoft.com
whitelisted
www.msftncsi.com
  • 2.16.186.26
  • 2.16.186.17
whitelisted
yastatic.net
  • 178.154.131.217
  • 178.154.131.216
  • 178.154.131.215
whitelisted
ya.ru
  • 87.250.250.242
whitelisted
ajax.googleapis.com
  • 172.217.168.10
  • 216.58.215.234
whitelisted
godaddy.com
  • 208.109.192.70
unknown
maxcdn.bootstrapcdn.com
  • 209.197.3.15
whitelisted
cdnjs.cloudflare.com
  • 104.19.199.151
  • 104.19.198.151
  • 104.19.197.151
  • 104.19.196.151
  • 104.19.195.151
whitelisted
core4.proxyswitcher.com
  • 159.203.30.68
malicious

Threats

PID
Process
Class
Message
2660
ProxySwitcher.exe
Misc activity
SUSPICIOUS [PTsecurity] Possible TrojanDownloader
2660
ProxySwitcher.exe
Misc activity
SUSPICIOUS [PTsecurity] Possible TrojanDownloader
2660
ProxySwitcher.exe
Misc activity
SUSPICIOUS [PTsecurity] Possible TrojanDownloader
2660
ProxySwitcher.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Possible threat - .exe downloading with HEAD option
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
proxy.switcher.6.5.0.7677.zip