File name: skycut_20200611.exe
Full analysis: https://app.any.run/tasks/f9ea9442-149e-4949-b1b4-ce74abacedbc
Verdict: Malicious activity
Analysis date: August 06, 2024, 05:18:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5: A135D2B67D487D7DF68ED946B76AFAB3
SHA1: 466AA6F5A8DEBC2A601EE822D9CEBCA52C4527D0
SHA256: 2BF65A2D380DDFE4862BB528FADD4F1C8C899FE95747C825825BDDEE05CFB588
SSDEEP: 98304:VP4MWljvGT4WoAjBcrzVWvUfn0QS/3iCVSC93ucm2ojgW+cDgCWxLPxlLxrAGUf8:hGaAs
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • skycut_20200611.exe (PID: 6340)
  • SUSPICIOUS
    • Reads the date of Windows installation
      • skycut_20200611.exe (PID: 6340)
    • Executable content was dropped or overwritten
      • skycut_20200611.exe (PID: 6340)
    • Reads security settings of Internet Explorer
      • skycut_20200611.exe (PID: 6340)
  • INFO
    • Create files in a temporary directory
      • skycut_20200611.exe (PID: 6340)
    • Reads the computer name
      • skycut_20200611.exe (PID: 6340)
      • CameraCutInstall.exe (PID: 6428)
    • Checks supported languages
      • CameraCutInstall.exe (PID: 6428)
      • skycut_20200611.exe (PID: 6340)
    • Process checks computer location settings
      • skycut_20200611.exe (PID: 6340)
No malware configuration was extracted.

Caveat: every signature above is also the normal behaviour of a benign WinRAR self-extracting installer. The SFX stub unpacks into %TEMP%\RarSFX0, drops executables there and runs the one named in its setup script, and the Internet Explorer security-settings read is the zone initialisation that any WinINet-using process performs. The MALICIOUS verdict therefore rests on the drop-and-execute heuristic alone: the IDS reported no threats, and the two dropped payloads (CameraCut.exe, CameraCutMch.exe) never ran in this session because the installer exited early. Confirm the verdict by detonating those files separately before treating the sample as malware.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:06:10 17:11:07+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 165376
InitializedDataSize: 174080
UninitializedDataSize: -
EntryPoint: 0x1d41b
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 131
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

explorer.exe
  skycut_20200611.exe (PID 6340)
    cameracutinstall.exe (PID 6380, no specs)
    cameracutinstall.exe (PID 6428)

Process information

PID 6340
CMD: "C:\Users\admin\AppData\Local\Temp\skycut_20200611.exe"
Path: C:\Users\admin\AppData\Local\Temp\skycut_20200611.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\skycut_20200611.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID 6380
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\CameraCutInstall.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\CameraCutInstall.exe
Parent process: skycut_20200611.exe
User: admin
Integrity Level: MEDIUM
Description: Microsoft Foundation Class application
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: Windows refused to start the image at medium integrity, either because it carries a requireAdministrator manifest or because UAC installer detection fires on a 32-bit image whose name contains "install"; the same file was then started elevated as PID 6428)
Version: 1, 0, 0, 1
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\cameracutinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID 6428
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\CameraCutInstall.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\CameraCutInstall.exe
Parent process: skycut_20200611.exe
User: admin
Integrity Level: HIGH
Description: Microsoft Foundation Class application
Exit code: 2
Version: 1, 0, 0, 1
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\cameracutinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 3 822
Read events: 3 814
Write events: 8
Delete events: 0

Modification events

All four writes are by PID 6340 (skycut_20200611.exe) under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:
ProxyBypass = 1
IntranetName = 1
UNCAsIntranet = 1
AutoDetect = 0

This quartet of ZoneMap values is a well-known side effect of urlmon/WinINet initialising the Internet Explorer security zones the first time a process touches them; it is not a deliberate change to zone policy and is the same activity behind the "Reads security settings of Internet Explorer" signature above.
Executable files: 4
Suspicious files: 5
Text files: 1
Unknown types: 0

Dropped files (all written by PID 6340, skycut_20200611.exe)

Filename | Type | MD5 | SHA256
C:\Users\admin\AppData\Local\Temp\RarSFX0\cutbar7.cdw | compressed | 0E8EFA0F79E149F1963F8BEAC5FE671A | B032546ED71D33F09BE8C921E0F4706F3A928463FD9DC009086594E3220E455A
C:\Users\admin\AppData\Local\Temp\RarSFX0\cutbar.xslt | xml | 1D94B285F90AB0CBFF1F46512D7C86C8 | 423F29102AAAA94F7A40AEFCC309374C0147382E4C2B7361C473C75F48BC48AB
C:\Users\admin\AppData\Local\Temp\RarSFX0\CameraCut\CameraCut.exe | executable | C60028DBCED6CD0B25EB0D67577C4D53 | 4C26B546C30D85E7509711C4B288747599186D90A0D0FE45381B9EEBC095EDB0
C:\Users\admin\AppData\Local\Temp\RarSFX0\CameraCut\CameraCutMch.exe | executable | 90284DD7EFAD2020769ABA6AA46FD920 | 4ADD1D7BBA2D40BFF79CA865C6BB2F083450C93DEA8D1D4AA5F6547009A5BAF0
C:\Users\admin\AppData\Local\Temp\RarSFX0\cutbar8.cdw | compressed | AD914AA31AF8F97513890F1027496633 | 3C405420D409F83E8EB8A54E68F198A6E5B7032DD6B735B59B3FAF0FF6751CDC
C:\Users\admin\AppData\Local\Temp\RarSFX0\CameraCutInstall.exe | executable | EFEA13BE3C9BA4236AA456E26200D98D | A117C5E50CCD8789A8686A7B76C13669272CAD1D9C38C20F84B01C13A0BC37F1
C:\Users\admin\AppData\Local\Temp\RarSFX0\SKYMark.gms | binary | 14CB793BDA72371548F5A4F5A83ECDBA | 1C558B419943427D0F00E7266DF1D92365D92BC6FEBC8ECA9364D09D7578FEFC
C:\Users\admin\AppData\Local\Temp\RarSFX0\SKYCut.gms | binary | C53F00EFC38CEC9A4960BAA3E4B54A91 | 37E34176727ED26F50618A23EB950CC538A1DE04F06E0919874C485DE86C38A0
C:\Users\admin\AppData\Local\Temp\RarSFX0\CameraCut\CameraCut.cfg | text | 0D7D0A04F8B836345EB545C2260A8FDC | 61E36F425C1A90621CCB91D0B86967BADE2EDAA74375479B241DF3804B199AB2
C:\Users\admin\AppData\Local\Temp\RarSFX0\SKYSet.gms | binary | D1ED35207BFA0391FCC91E8035EB3EDD | 66411956988AD1E9859D7050BCC3CA69CFA78F9A85AE6C64378B576B5BE00A6B
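The process tree and the dropped-file list above carry the three facts an analyst needs from this report: which dropped file each child process actually ran, that the installer jumped from MEDIUM to HIGH integrity, and that exit code 3221226540 is an NTSTATUS value rather than an application result. The following Python triage helper is an added example, not code from ANY.RUN or from the sample's vendor. The process and file records are copied from the report; the class and function names (Proc, Drop, decode_exit_code, triage, unexecuted_executables) and the small NTSTATUS table are my own.

```python
"""Triage helper for the process tree and dropped-file list above.

Added example, not code from ANY.RUN or from the sample's vendor. The process
and file records are copied from the report; the helper names are my own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS values that regularly appear as sandbox exit codes. Sandboxes print
# them as unsigned 32-bit decimals, e.g. 3221226540 == 0xC000042C.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


@dataclass
class Proc:
    pid: int
    image: str
    parent_pid: Optional[int]   # None when the parent is outside the monitored set
    integrity: str
    exit_code: int


@dataclass
class Drop:
    pid: int      # process that wrote the file
    path: str
    ftype: str    # type label exactly as the report gives it


def decode_exit_code(code: int) -> Tuple[str, str]:
    """Map a raw exit code to (hex string, symbolic name)."""
    code &= 0xFFFFFFFF
    if code == 0:
        return "0x00000000", "SUCCESS"
    name = NTSTATUS_NAMES.get(code)
    if name is None:
        # Severity bits 31:30 equal to 0b11 mark an NTSTATUS error even when
        # the exact constant is not in the table above.
        name = "NTSTATUS error (not in table)" if (code >> 30) == 0b11 else "application-defined"
    return f"0x{code:08X}", name


def triage(procs: List[Proc], drops: List[Drop]) -> List[str]:
    """Link each child to the file its parent dropped, spot integrity jumps
    between parent and child, and decode failing exit codes."""
    by_pid = {p.pid: p for p in procs}
    dropped = {(d.pid, d.path.lower()): d.ftype for d in drops}
    findings = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        if parent is None:
            continue
        key = (parent.pid, p.image.lower())
        if key in dropped:
            findings.append(
                f"pid {p.pid} executes {p.image}, which pid {parent.pid} dropped ({dropped[key]})")
        if INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent.integrity]:
            findings.append(
                f"pid {p.pid} runs at {p.integrity} although parent pid {parent.pid} is "
                f"{parent.integrity}: a UAC elevation succeeded")
        hexcode, name = decode_exit_code(p.exit_code)
        if name not in ("SUCCESS", "application-defined"):
            findings.append(f"pid {p.pid} exited with {hexcode} {name}")
    return findings


def unexecuted_executables(procs: List[Proc], drops: List[Drop]) -> List[str]:
    """Executables that were dropped but never became a monitored process:
    the candidates for a separate detonation."""
    executed = {p.image.lower() for p in procs}
    return [d.path for d in drops if d.ftype == "executable" and d.path.lower() not in executed]


# Records copied from the report above (PIDs, paths, integrity levels, exit codes).
TEMP = r"C:\Users\admin\AppData\Local\Temp"
REPORT_PROCS = [
    Proc(6340, TEMP + r"\skycut_20200611.exe", None, "MEDIUM", 0),
    Proc(6380, TEMP + r"\RarSFX0\CameraCutInstall.exe", 6340, "MEDIUM", 3221226540),
    Proc(6428, TEMP + r"\RarSFX0\CameraCutInstall.exe", 6340, "HIGH", 2),
]
REPORT_DROPS = [
    Drop(6340, TEMP + r"\RarSFX0\CameraCutInstall.exe", "executable"),
    Drop(6340, TEMP + r"\RarSFX0\CameraCut\CameraCut.exe", "executable"),
    Drop(6340, TEMP + r"\RarSFX0\CameraCut\CameraCutMch.exe", "executable"),
    Drop(6340, TEMP + r"\RarSFX0\CameraCut\CameraCut.cfg", "text"),
]

if __name__ == "__main__":
    for line in triage(REPORT_PROCS, REPORT_DROPS):
        print("finding:", line)
    for path in unexecuted_executables(REPORT_PROCS, REPORT_DROPS):
        print("dropped but never run:", path)
```

Run against the report's data it yields four findings (both CameraCutInstall.exe instances execute a file dropped by PID 6340, PID 6380 exited with 0xC000042C STATUS_ELEVATION_REQUIRED, and PID 6428 runs at HIGH under a MEDIUM parent) and lists CameraCut.exe and CameraCutMch.exe as dropped but never executed. The matching is done on lower-cased full paths because sandboxes, Sysmon and the report itself disagree on path casing; swapping the two record lists for ones parsed from a Sysmon event 1 / event 11 export is the intended next step.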
HTTP(S) requests: 5
TCP/UDP connections: 9
DNS requests: 10
Threats: 0

HTTP requests (the report attributes no PID or process to these)

Method | HTTP Code | IP | URL | CN | Reputation
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

All five requests are OCSP revocation checks against DigiCert (the URL path is the base64-encoded OCSP request, three distinct certificates, two of them queried twice). This is the traffic Windows generates while validating a certificate chain, for example an Authenticode signature at a UAC prompt; it is not sample command-and-control and is whitelisted accordingly.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4788 | RUXIMICS.exe | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4056 | svchost.exe | 4.231.128.59:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4056 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5336 | SearchApp.exe | 95.100.146.19:443 | www.bing.com | Akamai International B.V. | CZ | unknown

None of the listed connections belongs to the sample's processes (PIDs 6340, 6380, 6428). They are Windows Update and telemetry sessions, SSDP multicast (239.255.255.250:1900) and NetBIOS broadcasts (ports 137/138) from system processes, that is, sandbox background noise rather than sample activity.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 95.100.146.19
  • 95.100.146.27
  • 95.100.146.25
  • 95.100.146.16
  • 95.100.146.40
  • 95.100.146.10
  • 95.100.146.33
  • 95.100.146.17
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.73
  • 40.126.31.71
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.68
  • 40.126.31.67
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
th.bing.com
  • 95.100.146.16
  • 95.100.146.19
  • 95.100.146.40
  • 95.100.146.33
  • 95.100.146.27
  • 95.100.146.10
  • 95.100.146.17
  • 95.100.146.25
whitelisted
fd.api.iris.microsoft.com
  • 20.86.201.138
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted

Threats: No threats detected
Debug info: none