File name:

@everest.rar

Full analysis: https://app.any.run/tasks/7865c4ac-b1b2-4395-9c03-fb4f0cf4db99
Verdict: Malicious activity
Analysis date: March 10, 2024, 13:25:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

A95E5AFF328D50816C69B85B3219D702

SHA1:

9BA58B16D55E577BB72ED8C36D2E60735C400FD9

SHA256:

28D736FE488546EEFEB6B8F770362DFF58A596C7C7E2BDF33EE9D03834BF3438

SSDEEP:

98304:TAJbLGZqx9bOGKlxSBWVV5IcuGNAqP7uWdQOy2WLzfGq1ziApNAgKTgKDiNsyFhy:f6e0jH9lJsC8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2472)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2472)

    • Checks supported languages

      • everest.exe (PID: 2580)

    • Manual execution by a user

      • everest.exe (PID: 3460)
      • everest.exe (PID: 2580)

    • Reads Environment values

      • everest.exe (PID: 2580)

    • Create files in a temporary directory

      • everest.exe (PID: 2580)

    • Reads the computer name

      • everest.exe (PID: 2580)

    • Reads the machine GUID from the registry

      • everest.exe (PID: 2580)

    • Reads CPU info

      • everest.exe (PID: 2580)

    • Reads product name

      • everest.exe (PID: 2580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe everest.exe no specs everest.exe

Process information

PID
CMD
Path
Indicators
Parent process
2472"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\@everest.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2580"C:\Users\admin\Desktop\@everest\everest.exe" C:\Users\admin\Desktop\@everest\everest.exe
explorer.exe
User:
admin
Company:
Lavalys, Inc.
Integrity Level:
HIGH
Description:
EVEREST Ultimate Edition 2007
Exit code:
0
Version:
3.80.888 Beta
Modules
Images
c:\users\admin\desktop\@everest\everest.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
3460"C:\Users\admin\Desktop\@everest\everest.exe" C:\Users\admin\Desktop\@everest\everest.exeexplorer.exe
User:
admin
Company:
Lavalys, Inc.
Integrity Level:
MEDIUM
Description:
EVEREST Ultimate Edition 2007
Exit code:
3221226540
Version:
3.80.888 Beta
Modules
Images
c:\users\admin\desktop\@everest\everest.exe
c:\windows\system32\ntdll.dll
Total events
5 253
Read events
5 227
Write events
24
Delete events
2

Modification events

(PID) Process:(2472) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2472) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2472) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2472) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(2472) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2472) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(2472) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\@everest.rar
(PID) Process:(2472) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2472) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2472) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
22
Suspicious files
2
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
2472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2472.12200\@everest\everest.datbinary
MD5:D5B52FD642499411D7491146EBA61C71
SHA256:0E3668AD143FBBC7F60D2D7C9BA9FC6D7973F0CDDD51F3203CA4CE644840B1EF
2472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2472.12200\@everest\DLL\inport32.dllexecutable
MD5:056F13C182296DBD6F48229BBF31C935
SHA256:82121C5E6226701831A4F89612AE967C36DF3AE86DFAB3FFCD141E6BE9C28593
2472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2472.12200\@everest\DLL\io.dllexecutable
MD5:FA78D9F93B11EDAB1BE2305373393C72
SHA256:2CF889D7AF1EC7CE8E0944C1200F12D1DD39587F8E7DC373842EB353BDAA779F
2472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2472.12200\@everest\everest.exeexecutable
MD5:BA4E9E04F822629626CF7B756F9AB74B
SHA256:173EADA5D83F9D3D89EB1C7D5B9C5A8F433F7BC0DF6C1D414B2C7A7C7ADC729D
2472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2472.12200\@everest\everest.keytext
MD5:7678C4B61D4791EFF7693D87B1704C8B
SHA256:9B0BA53CAB0C103C56A08EE38048C4E16AE78508495FFFE7435CC29D029ABE74
2472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2472.12200\@everest\everest.exe.manifestxml
MD5:0494A03A66EFDB97F7E3D7C4D9C923EC
SHA256:A6E92BDD09E662BD55FFCC2BAFD2CD122F980A71C4176F8741AC910E959F3CD0
2472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2472.12200\@everest\BatteryMark.Ru.exeexecutable
MD5:87F51AFE5851B57CE406A5C1992DB221
SHA256:BAB580770EABE1198C13C41AC920BA9374368B93D989F2DE020A6F9F5E199913
2472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2472.12200\@everest\everest.initext
MD5:8357BC068AD96EA43A3DCDC84E0C502D
SHA256:4A02952AD142D06F65145CDE76E093B5B7473EE7F403A98B517BC2E73B4AA9B1
2472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2472.12200\@everest\everest.memexecutable
MD5:755B8015339F3F317D0CC8956DEB8D0E
SHA256:EEAFC424A0583DF5AA23598C1BB45036E22723DD851EAC184714EECA171247F0
2472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2472.12200\@everest\everest_vsb.vsbcompressed
MD5:F718A2DFEF1CFF9C2182658CDADCFDC2
SHA256:ED850F833B788D9594CC76A7586B238E5671C56C1FB3AE6F106990DB54B9200C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
@everest.rar