File name: 2.rar

Full analysis: https://app.any.run/tasks/7b072ded-78e4-415c-8620-ce887b40f2dc
Verdict: Malicious activity
Analysis date: January 22, 2019, 20:12:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 1CE300ECA78E4920DD8359C72CBBC29D
SHA1: 806B1A95AA14C71BF06E144CB3CA687B7B4EEC26
SHA256: 2A241F4EB74C4DFFF790DA70FE9564C3E3DFDEB330B751C10AD20EDB95F310BE
SSDEEP: 12288:NN1WskVEmcvNJ01013BTGGRUUV1klQYvy63ElMP:3vkVcvNGgTlV1klQElrP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • Uplay Checker v1.0.1.exe (PID: 3008)
      • SearchProtocolHost.exe (PID: 1592)
    • Application was dropped or rewritten from another process
      • Uplay Checker v1.0.1.exe (PID: 3008)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2984)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD
.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF
ZIP
CompressedSize: 111852
UncompressedSize: 238080
OperatingSystem: Win32
ModifyDate: 2016:11:22 09:31:19
PackingMethod: Normal
ArchivedFileName: Bunifu_UI_v1.52.dll

No data.
Total processes: 32
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start: winrar.exe; searchprotocolhost.exe (no specs); uplay checker v1.0.1.exe (no specs)

Process information

PID: 2984
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1592
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 3008
CMD: "C:\Users\admin\Desktop\Uplay Checker v1.0.1.exe"
Path: C:\Users\admin\Desktop\Uplay Checker v1.0.1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: BruteCore
Version: 1.0.0.0
Total events: 432
Read events: 413
Write events: 19
Delete events: 0

Modification events

(PID) Process: (2984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (2984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (2984) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\2.rar

(PID) Process: (2984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

(PID) Process: (2984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\AppData\Local\Temp

Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 2984 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2984.48770\Bunifu_UI_v1.52.dll
MD5: 3C1804A0781C9D7A82D0FB43D3A181F3
SHA256: D5BE2CB21EB8190B40E7453E9AE2418679A8C050C470FF36B044273A41A88A0C

PID: 2984 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2984.48770\Uplay Checker v1.0.1.exe
MD5: F8CD3EB229E04D2CF6609B0C8AA27214
SHA256: B3223DF91B0CBD008A299FE3019BBCF02061526A91D8AD5B497E16449B3E2EA0

PID: 2984 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2984.48770\Extreme.Net.dll
MD5: 313CD8DF3CA832760DC1CDC09AF44EE5
SHA256: C548B92070E6553377098A4D86C67CD89EBE58AD040174E7A949FF12894ABD33

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info