File name: El.Libro.Negro.del.Hacker.-.Black.Hack.rar

Full analysis: https://app.any.run/tasks/1d39fb01-c21e-4a00-91a7-5d43d3a34ac7
Verdict: Malicious activity
Analysis date: August 05, 2019, 03:00:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32, flags: RecoveryRecordPresent
MD5: E7C56FCF5200A46F32DC98631110D908
SHA1: A8DA61393C8922F316C787197BEA9EB368B16388
SHA256: 3244E723F2C13684B7D1515F0A94A264C38D71A022E4EE801D3FFA66ABDF8E54
SSDEEP: 24576:O+c/bW4uHdVx0GDv1t0tDRMi353a+U9XqONF6Z3d8jOZvLP7CSxxTalae:qNu9H16dfG0QA3uqLPm4x+8e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Setup.exe (PID: 1088)
      • Setup.exe (PID: 1924)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2196)
  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2900)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2900)
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 2848)
      • WINWORD.EXE (PID: 2940)
      • WINWORD.EXE (PID: 2452)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2060)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2848)
      • WINWORD.EXE (PID: 2060)
      • WINWORD.EXE (PID: 2940)
      • WINWORD.EXE (PID: 2452)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 7260
UncompressedSize: 29184
OperatingSystem: Win32
ModifyDate: 2004:01:19 14:22:01
PackingMethod: Best Compression
ArchivedFileName: El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 1\A. Prólogo\El Libro Negro del Hacker-Contenido.doc
No data.
All screenshots are available in the full report
Total processes: 55
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Graph (interactive in the full report; node and edge labels as rendered): edges "drop and start", "drop and start", "start" (WinRAR.exe is the parent of both Setup.exe instances and of WINWORD.EXE PID 2060; see Process information). Nodes: winrar.exe, winword.exe (no specs), setup.exe (no specs), setup.exe, searchprotocolhost.exe (no specs), winword.exe (no specs) ×3.

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process

PID: 1088
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.15091\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 3 UTILIDADES 1\Encripta tus archivos importantes Crypto v.3.2\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.15091\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 3 UTILIDADES 1\Encripta tus archivos importantes Crypto v.3.2\Setup.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C)
Modules (Images):
  • c:\users\admin\appdata\local\temp\rar$exa2900.15091\el.libro.negro.del.hacker.-.black.hack\el libro negro del hacker disco 3 utilidades 1\encripta tus archivos importantes crypto v.3.2\setup.exe
  • c:\systemroot\system32\ntdll.dll

PID: 1924
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.15091\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 3 UTILIDADES 1\Encripta tus archivos importantes Crypto v.3.2\Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.15091\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 3 UTILIDADES 1\Encripta tus archivos importantes Crypto v.3.2\Setup.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
  • c:\users\admin\appdata\local\temp\rar$exa2900.15091\el.libro.negro.del.hacker.-.black.hack\el libro negro del hacker disco 3 utilidades 1\encripta tus archivos importantes crypto v.3.2\setup.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\apphelp.dll

PID: 2060
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa2900.6149\El Libro Negro del Hacker-Contenido.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (Images):
  • c:\program files\microsoft office\office14\winword.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

PID: 2196
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\searchprotocolhost.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2452
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 2\T. Crackeando Sistemas\Sistema.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (Images):
  • c:\program files\microsoft office\office14\winword.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

PID: 2848
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 1\D. Todo sobre la IP\IP.DOC"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (Images):
  • c:\program files\microsoft office\office14\winword.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

PID: 2900
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\El.Libro.Negro.del.Hacker.-.Black.Hack.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (Images):
  • c:\program files\winrar\winrar.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\comdlg32.dll

PID: 2940
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 1\H. Spoofing\SPOOFING.DOC"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (Images):
  • c:\program files\microsoft office\office14\winword.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

Total events: 2 554
Read events: 2 080
Write events: 428
Delete events: 46

Modification events

(PID) Process: (2900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2900) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\El.Libro.Negro.del.Hacker.-.Black.Hack.rar

(PID) Process: (2900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2900) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2060) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: e&9
Value: 652639000C080000010000000000000000000000

(PID) Process: (2060) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

Executable files: 42
Suspicious files: 70
Text files: 115
Unknown types: 16

Dropped files

Fields per file: PID, Process, Filename, Type, MD5, SHA256

PID: 2060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVR26E5.tmp.cvr
MD5:
SHA256:

PID: 2060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: pgc
MD5:
SHA256:

PID: 2060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2900.6149\~$ Libro Negro del Hacker-Contenido.doc
Type: pgc
MD5:
SHA256:

PID: 2060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryES0c0a.lex
Type: text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

PID: 2900 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2900.6149\El Libro Negro del Hacker-Contenido.doc
Type: document
MD5: 0545FF945D3684E4D630C61AF3842AB4
SHA256: 1E4E7243E05588AF4B9D31BBC5FD8CF191143B6331CC0D2310BE5C4C9C6904D0

PID: 2900 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12729\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 1\A. Prólogo\El Libro Negro del Hacker-Contenido.doc
Type: document
MD5: 0545FF945D3684E4D630C61AF3842AB4
SHA256: 1E4E7243E05588AF4B9D31BBC5FD8CF191143B6331CC0D2310BE5C4C9C6904D0

PID: 2060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2CBB67F0.wmf
Type: wmf
MD5:
SHA256:

PID: 2900 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12729\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 1\B. MEDIDAS DE SEGURIDAD ¡peligro!\Medidas de Seguridad.doc
Type: document
MD5: F9153F9643AEDB219E3CC002CD9BDDC7
SHA256: 6B2520281EED09A6942C83C3E3E63AFFF65DC491FE267375DF84BB713EEC5B73

PID: 2900 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12729\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 1\G. Hackear via Telnet\Guia1_5.htm
Type: html
MD5: C3B7BC59177B53DE7488F6505AF020D4
SHA256: 85819A2B35966B7006F9C83CACCDC92CBB874E9E3988B9A2F4AB0847053C9172

PID: 2900 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2900.12729\El.Libro.Negro.del.Hacker.-.Black.Hack\EL LIBRO NEGRO DEL HACKER Disco 1\F. Sniffing\SNIFFING.DOC
Type: document
MD5: F87427E1CAB1B95ABE12E8CD6F7CDA6E
SHA256: F0E8E75089B725F31A526E3E3A42200207468D9BF31EE734F1742C4B408B6D61

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info