File name:

Memoxide.rar

Full analysis: https://app.any.run/tasks/30d6783a-a190-48e5-9c37-3320e489b4ba
Verdict: Malicious activity
Analysis date: February 06, 2025, 06:28:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
lua
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

E3B249BB0C9AEC71297CBB72DF7201BD

SHA1:

90B7279FB22A6B3C7FF193FCBCF2EC6825123DA1

SHA256:

2E6AE91180E4A05C4E2D2A0B6DCE36EDA0F449FA2E6E8731AE8E617DCC6EA107

SSDEEP:

12288:ErO/1OvCTtm5Eoy5nNVevpPNybF8QefZ+6FOqZfFdr3C:ztOvCQ5Eoy5NVevxNybF8QA+6FdZfFdm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6472)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6472)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 6472)
      • Memoxide.exe (PID: 6752)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 6472)
    • There is functionality for taking screenshot (YARA)

      • Memoxide-safety.exe (PID: 6644)
      • vlc.exe (PID: 6912)
      • Memoxide.exe (PID: 6752)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5880)
      • cmd.exe (PID: 3544)
  • INFO

    • Checks supported languages

      • vlc.exe (PID: 6912)
      • Memoxide-safety.exe (PID: 6644)
      • Memoxide.exe (PID: 6752)
      • MpCmdRun.exe (PID: 5092)
    • Reads the computer name

      • Memoxide.exe (PID: 6752)
      • vlc.exe (PID: 6912)
      • Memoxide-safety.exe (PID: 6644)
      • MpCmdRun.exe (PID: 5092)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6472)
    • Manual execution by a user

      • Memoxide-safety.exe (PID: 6644)
      • Memoxide.exe (PID: 6684)
      • vlc.exe (PID: 6912)
      • Memoxide.exe (PID: 6752)
    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 5092)
    • The process uses Lua

      • vlc.exe (PID: 6912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 8834
UncompressedSize: 960044
OperatingSystem: Win32
ArchivedFileName: sound6.wav
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
14
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
1448\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2356REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2612\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3544C:\WINDOWS\system32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /fC:\Windows\SysWOW64\cmd.exeMemoxide.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5092"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR6472.14604"C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
5208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5880C:\WINDOWS\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /fC:\Windows\SysWOW64\cmd.exeMemoxide.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6184C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR6472.14604\Rar$Scan8400.bat" "C:\Windows\System32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
6272reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6472"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Memoxide.rarC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
3 136
Read events
3 125
Write events
11
Delete events
0

Modification events

(PID) Process:(6472) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6472) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6472) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6472) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Memoxide.rar
(PID) Process:(6472) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6472) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6472) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6472) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6472) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:writeName:DefScanner
Value:
Windows Defender
(PID) Process:(2356) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
Operation:writeName:DisableTaskMgr
Value:
1
Executable files
4
Suspicious files
3
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
6472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6472.14604\Memoxide.rar\Memoxide.exeexecutable
MD5:A349AB8E1679E3131CFCEFB0EBBEC958
SHA256:5783B24D3D6EB613D07B06E83960B37E8C2FD4F52258FFE756186CB2EEEC4F4C
6912vlc.exeC:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.initext
MD5:C06E051AD1E55B9BC12B8463FCAF91A6
SHA256:28A50A64B4E0F34E1DDC7E41D4F3B9DC6841E11CC7FE47BA15FE437A594D5B3E
6912vlc.exeC:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.mz6912text
MD5:C06E051AD1E55B9BC12B8463FCAF91A6
SHA256:28A50A64B4E0F34E1DDC7E41D4F3B9DC6841E11CC7FE47BA15FE437A594D5B3E
6912vlc.exeC:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.locktext
MD5:CC64217E0F39B7614B721F5656AF7582
SHA256:B3AD1CEECCEFD29E31408503F59560C9B7A1F59BFB903B3E8AF5BCC82C4BBFDE
6472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6472.14604\Memoxide.rar\sound6.wavbinary
MD5:066271455D3002F1F3718FB95E6500F2
SHA256:8F59D6329F334EF589D225835BE75FF1901420925AF1EE93C41730B1CBEF1420
6472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6472.14604\Memoxide.rar\READ ME FIRST!!!.txttext
MD5:5779A1E8914E9445AF5FDB4C71912894
SHA256:6DFC079D796605C66C649C49562D97C5BE7CC2622737DE555A17D0A4D7763E5A
6472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6472.14604\Memoxide.rar\sound10.wavbinary
MD5:3AD164596207447769BE0ED86F641EF9
SHA256:7867F7ACE0C5769DB50D1629207B025C2A7A43C47A6DB8CB4FC1D42BCF736FC9
6472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6472.14604\Memoxide.rar\Memoxide-safety.exeexecutable
MD5:5A987E379ECABE4BC8DBF173B08E8817
SHA256:8CB0BDB77FA3226FB242BA593C5388D0A62A70D53ABD2A2DA23EDF26825F342F
5092MpCmdRun.exeC:\Users\admin\AppData\Local\Temp\MpCmdRun.logbinary
MD5:A3757D72736FCC39B7D08B08E1AC2D49
SHA256:BF1938DE96049C93CE5BBCC878DBFBF7220F895953F7BC8A3C41ABF90FCA10AA
6472WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR6472.14604\Rar$Scan8400.battext
MD5:AA1F38231C0EE275206395888DD1BBB3
SHA256:0288DE1C88405B1461026339A68605A1AAF4D3BA9D87CFF5728B2E8329B00469
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
16
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
973 b
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.183:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.212.110.152:443
Akamai International B.V.
CZ
unknown
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3508
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.183:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.19.217.218:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3508
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.48.23.183
  • 23.48.23.140
  • 23.48.23.167
  • 23.48.23.176
  • 23.48.23.137
  • 23.48.23.180
  • 23.48.23.190
  • 23.48.23.193
  • 23.48.23.169
whitelisted
www.microsoft.com
  • 2.19.217.218
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
self.events.data.microsoft.com
  • 20.42.65.84
whitelisted

Threats

No threats detected
Process
Message
vlc.exe
main libvlc debug: VLC media player - 3.0.11 Vetinari
vlc.exe
main libvlc debug: revision 3.0.11-0-gdc0c5ced72
vlc.exe
main libvlc debug: using multimedia timers as clock source
vlc.exe
main libvlc debug: min period: 1 ms, max period: 1000000 ms
vlc.exe
main libvlc debug: Copyright © 1996-2020 the VideoLAN team
vlc.exe
main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=x86_64-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=x86_64-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x64/contrib/x86_64-w64-mingw32/lib/pkgconfig'
vlc.exe
main libvlc debug: searching plug-in modules
vlc.exe
main libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
vlc.exe
main libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins'
vlc.exe
main libvlc debug: plug-ins loaded: 494 modules