File name: CBM219X_UMPToolV7200(2022-04-28).rar

Full analysis: https://app.any.run/tasks/ee6df427-046e-4081-a4e2-63d549fc73d7
Verdict: Malicious activity
Analysis date: September 23, 2025, 13:16:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, arch-doc

Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32, flags: Solid
MD5: 04808C2FCE6B28C5EFD84E1950795D72
SHA1: AE8DFB25CDA47FDF90D4FAC992BE3E004C118408
SHA256: 2C50E8D6F2232CB05DC648AC63D8267576B825A49CC5050BF1C97CA6B372D247
SSDEEP: 98304:+YTdNl8bivcFIMB1eL9mYbc9D/kmsFwNBOIFPvb5:HZAiWBOL9mYg7asOIFV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 3832)
  • SUSPICIOUS

    • Creates or modifies Windows services

      • UmpToolV6A.exe (PID: 5372)
    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 3832)
    • There is functionality for taking screenshot (YARA)

      • UmpToolV6A.exe (PID: 5372)
  • INFO

    • The sample compiled with chinese language support

      • WinRAR.exe (PID: 3832)
    • The sample compiled with german language support

      • WinRAR.exe (PID: 3832)
    • Manual execution by a user

      • UmpToolV6A.exe (PID: 6876)
      • UmpToolV6A.exe (PID: 5372)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 3832)
    • Checks supported languages

      • UmpToolV6A.exe (PID: 5372)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3832)
    • Reads the computer name

      • UmpToolV6A.exe (PID: 5372)
    • Create files in a temporary directory

      • UmpToolV6A.exe (PID: 5372)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

FileVersion: RAR v4
CompressedSize: 221
UncompressedSize: 53
OperatingSystem: Win32
ModifyDate: 2000:01:01 00:00:00
PackingMethod: Best Compression
ArchivedFileName: readme.txt
Total processes: 142
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 0


Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 3732
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3832
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\CBM219X_UMPToolV7200(2022-04-28).rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4512
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5372
CMD: "C:\Users\admin\Desktop\CBM219X UMPToolV7200(2022-04-28)\UmpToolV6A.exe"
Path: C:\Users\admin\Desktop\CBM219X UMPToolV7200(2022-04-28)\UmpToolV6A.exe
Parent process: explorer.exe
User: admin
Company: ChipsBank
Integrity Level: HIGH
Description: UMPTool
Exit code: 0
Version: 7.2.0.0
Modules (images):
c:\users\admin\desktop\cbm219x umptoolv7200(2022-04-28)\umptoolv6a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\setupapi.dll
PID: 6876
CMD: "C:\Users\admin\Desktop\CBM219X UMPToolV7200(2022-04-28)\UmpToolV6A.exe"
Path: C:\Users\admin\Desktop\CBM219X UMPToolV7200(2022-04-28)\UmpToolV6A.exe
Parent process: explorer.exe
User: admin
Company: ChipsBank
Integrity Level: MEDIUM
Description: UMPTool
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch failed and the tool was re-run elevated as PID 5372)
Version: 7.2.0.0
Modules (images):
c:\users\admin\desktop\cbm219x umptoolv7200(2022-04-28)\umptoolv6a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 5 236
Read events: 5 223
Write events: 12
Delete events: 1

Modification events

Process (PID 3832) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
Process (PID 3832) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
Process (PID 3832) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
Process (PID 3832) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
Process (PID 3832) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
Process (PID 3832) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\CBM219X_UMPToolV7200(2022-04-28).rar
Process (PID 3832) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
Process (PID 3832) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
Process (PID 3832) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Process (PID 3832) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 30
Suspicious files: 19
Text files: 784
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type
PID 3832, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.6872\CBM219X UMPToolV7200(2022-04-28)\libin\SerialNo.ini (text)
  MD5: A90D325AEC2A845CBCF088B52D5262BA
  SHA256: 8D054105FF05DDDE79CF2CBBFDF89EED7D127D5D991FA3429D0C1DFAB4082824
PID 3832, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.6872\CBM219X UMPToolV7200(2022-04-28)\Lang\Chinese.ini (text)
  MD5: DA048A42D4AB348E9B93F1FD857F5790
  SHA256: 0397E83A05146EC4830E9A41A64092194324D904E3859B1FD190AFC80FAB9CEE
PID 3832, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.6872\CBM219X UMPToolV7200(2022-04-28)\Lang\English.ini (text)
  MD5: 99BD682456ABB534FD0207297AC239B2
  SHA256: 81F27F1298D590E29EDF24F0AF03B33CBBE00F0EFE722EB9787891CEBCEF578C
PID 3832, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.6872\CBM219X UMPToolV7200(2022-04-28)\LoginTool\LoginTool.exe (executable)
  MD5: 1E813D9BDC87D4BDE12D7A8B42AB31AD
  SHA256: 42332DB5078F8364A3C29CD3C9E267E143DAA45C7DC17FAD41B2B51D7934AD7D
PID 3832, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.6872\CBM219X UMPToolV7200(2022-04-28)\bootFile\MSCDEX.EXE (executable)
  MD5: 5BD08551C96F27988FB844146B8EE4DC
  SHA256: 6BC3F4C4BEB693E99CE119444BD4052014CBC9B2C7495791EAA9FF89C26C9217
PID 3832, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.6872\CBM219X UMPToolV7200(2022-04-28)\libin\USBSpeedUp.exe (executable)
  MD5: 805D3A064EEEF342AC66DF89AE45B47A
  SHA256: 92E64E7E656778C5F82B05D27A4BAAB3A1D5E04B54CFA43D47040C744672527A
PID 3832, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.6872\CBM219X UMPToolV7200(2022-04-28)\Dll\AutoH2Main.dll (executable)
  MD5: 731D503A88ECD9639F00AB64242DE5BE
  SHA256: 10226C40B6C52682A1D477D69F848492499084632BFE15BA8C693ECC2895EBDF
PID 3832, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.6872\CBM219X UMPToolV7200(2022-04-28)\bootFile\SETRAMD.BAT (text)
  MD5: 085CE67567470885133BA4827C5A00C7
  SHA256: F537D6AD27070B6EBF92D9DB30866604D29C8557B52A99E5EC04B9061B7B2B64
PID 3832, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.6872\CBM219X UMPToolV7200(2022-04-28)\libin\FastScan.ini (text)
  MD5: EB21B463890DBFD7B56ACD8D9C9EAFD8
  SHA256: FB79A0E2CF281D23FF7DE60E7E69AECAF1732A54281CD80B67002486D38BF329
PID 3832, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.6872\CBM219X UMPToolV7200(2022-04-28)\bootFile\EXTRACT.EXE (executable)
  MD5: BA30CC93703D29059CCEF87E5BD75A15
  SHA256: 51E54BC273DDA4E9E6C68B00328B62CAC597A1308C793D54D0929BF18ACC3378
HTTP(S) requests: 12
TCP/UDP connections: 29
DNS requests: 18
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5980 | SIHClient.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | SE | binary | 407 b | whitelisted
5980 | SIHClient.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | SE | binary | 419 b | whitelisted
5980 | SIHClient.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | SE | binary | 813 b | whitelisted
5980 | SIHClient.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | SE | binary | 401 b | whitelisted
5980 | SIHClient.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | SE | binary | 400 b | whitelisted
5980 | SIHClient.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | SE | binary | 813 b | whitelisted
5980 | SIHClient.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | RU | binary | 824 b | whitelisted
5980 | SIHClient.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | SE | binary | 814 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | binary | 825 b | whitelisted
1864 | svchost.exe | GET | 200 | 23.63.118.230:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2728 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 23.32.97.216:80 | www.microsoft.com | AKAMAI-AS | SE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1864 | svchost.exe | 20.190.159.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.186.46 | whitelisted
crl.microsoft.com | 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 23.32.97.216 | whitelisted
login.live.com | 20.190.159.0, 20.190.159.128, 20.190.159.71, 40.126.31.131, 20.190.159.4, 20.190.159.131, 40.126.31.0, 40.126.31.130 | whitelisted
ocsp.digicert.com | 23.63.118.230 | whitelisted
www.bing.com | 2.23.227.215, 2.23.227.208 | whitelisted
slscr.update.microsoft.com | 135.233.95.144 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
fp.msedge.net | 204.79.197.222 | whitelisted

Threats

PID | Process | Class | Message
(not shown) | (not shown) | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)