download:

/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip

Full analysis: https://app.any.run/tasks/91e95bf1-cb41-4e41-93ef-933939652231
Verdict: Malicious activity
Analysis date: July 15, 2024, 19:09:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

C26A2C5F6154225E8D83C4000306F162

SHA1:

67C586CEDBF0852AA52268311841CBAC5C96FDF8

SHA256:

35A9481DDBED5177431A9EA4BD09468FE987797D7B1231D64942D17EB54EC269

SSDEEP:

49152:cPEbpqUPr0OMPjmNgyV24OXxr2/NV0CA7QUmu4LnB:cPEbpPPrC4gWFOBr4Wfg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3416)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3416)

    • Reads the history of recent RDP connections

      • RDPCheck.exe (PID: 1172)

    • Reads the Internet Settings

      • cmd.exe (PID: 832)
      • cmd.exe (PID: 3724)

  • INFO

    • Checks supported languages

      • RDPCheck.exe (PID: 1172)
      • RDPWInst.exe (PID: 3572)
      • RDPWInst.exe (PID: 2300)
      • RDPConf.exe (PID: 880)
      • RDPWInst.exe (PID: 2856)
      • RDPWInst.exe (PID: 580)
      • RDPWInst.exe (PID: 3752)

    • Reads the computer name

      • RDPCheck.exe (PID: 1172)
      • RDPConf.exe (PID: 880)

    • Manual execution by a user

      • RDPCheck.exe (PID: 3992)
      • RDPWInst.exe (PID: 3484)
      • RDPWInst.exe (PID: 3572)
      • notepad.exe (PID: 2796)
      • RDPCheck.exe (PID: 1172)
      • RDPConf.exe (PID: 880)
      • RDPConf.exe (PID: 2620)
      • RDPWInst.exe (PID: 2856)
      • RDPWInst.exe (PID: 3872)
      • notepad.exe (PID: 3816)
      • cmd.exe (PID: 3724)
      • cmd.exe (PID: 832)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2016:07:23 19:19:08
ZipCRC: 0xfd9956a7
ZipCompressedSize: 250
ZipUncompressedSize: 458
ZipFileName: install.bat
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
87
Monitored processes
21
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe rdpwinst.exe no specs rdpwinst.exe rdpwinst.exe no specs rdpwinst.exe notepad.exe no specs rdpcheck.exe no specs rdpcheck.exe rdpconf.exe no specs rdpconf.exe rdpwinst.exe no specs rdpwinst.exe notepad.exe no specs cmd.exe no specs rdpwinst.exe no specs rdpwinst.exe no specs rdpwinst.exe cmd.exe no specs rdpwinst.exe no specs rdpwinst.exe no specs rdpwinst.exe

Process information

PID
CMD
Path
Indicators
Parent process
448"C:\Users\admin\Desktop\RDPWInst" -wC:\Users\admin\Desktop\RDPWInst.execmd.exe
User:
admin
Company:
Stas'M Corp.
Integrity Level:
MEDIUM
Description:
RDP Wrapper Library Installer
Exit code:
3221226540
Version:
2.5.0.0
Modules
Images
c:\users\admin\desktop\rdpwinst.exe
c:\windows\system32\ntdll.dll
580"C:\Users\admin\Desktop\RDPWInst.exe" -wC:\Users\admin\Desktop\RDPWInst.exe
cmd.exe
User:
admin
Company:
Stas'M Corp.
Integrity Level:
HIGH
Description:
RDP Wrapper Library Installer
Exit code:
1
Version:
2.5.0.0
Modules
Images
c:\users\admin\desktop\rdpwinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
832C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\update.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
880"C:\Users\admin\Desktop\RDPConf.exe" C:\Users\admin\Desktop\RDPConf.exe
explorer.exe
User:
admin
Company:
Stas'M Corp.
Integrity Level:
HIGH
Description:
RDP Configuration Program
Exit code:
0
Version:
1.4.0.0
Modules
Images
c:\users\admin\desktop\rdpconf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1172"C:\Users\admin\Desktop\RDPCheck.exe" C:\Users\admin\Desktop\RDPCheck.exe
explorer.exe
User:
admin
Company:
Stas'M Corp.
Integrity Level:
HIGH
Description:
Local RDP Checker
Exit code:
0
Version:
2.2.0.0
Modules
Images
c:\users\admin\desktop\rdpcheck.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
1384"C:\Users\admin\Desktop\RDPWInst.exe" -wC:\Users\admin\Desktop\RDPWInst.execmd.exe
User:
admin
Company:
Stas'M Corp.
Integrity Level:
MEDIUM
Description:
RDP Wrapper Library Installer
Exit code:
3221226540
Version:
2.5.0.0
Modules
Images
c:\users\admin\desktop\rdpwinst.exe
c:\windows\system32\ntdll.dll
2300"C:\Users\admin\AppData\Local\Temp\Rar$EXa3416.38720\RDPWInst.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3416.38720\RDPWInst.exe
WinRAR.exe
User:
admin
Company:
Stas'M Corp.
Integrity Level:
HIGH
Description:
RDP Wrapper Library Installer
Exit code:
0
Version:
2.5.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3416.38720\rdpwinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2620"C:\Users\admin\Desktop\RDPConf.exe" C:\Users\admin\Desktop\RDPConf.exeexplorer.exe
User:
admin
Company:
Stas'M Corp.
Integrity Level:
MEDIUM
Description:
RDP Configuration Program
Exit code:
3221226540
Version:
1.4.0.0
Modules
Images
c:\users\admin\desktop\rdpconf.exe
c:\windows\system32\ntdll.dll
2796"C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\install.batC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2856"C:\Users\admin\Desktop\RDPWInst.exe" C:\Users\admin\Desktop\RDPWInst.exe
explorer.exe
User:
admin
Company:
Stas'M Corp.
Integrity Level:
HIGH
Description:
RDP Wrapper Library Installer
Exit code:
0
Version:
2.5.0.0
Modules
Images
c:\users\admin\desktop\rdpwinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
7 454
Read events
7 380
Write events
74
Delete events
0

Modification events

(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3416) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\RDPWrap-v1.6.2.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
6
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
3416WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3416.38720\RDPCheck.exeexecutable
MD5:8F82226B2F24D470C02F6664F67F23F7
SHA256:5603338A1F8DBB46EFB8E0869DB3491D5DB92F362711D6680F91ECC5D18BFADF
3416WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3416.38720\install.battext
MD5:CBAD5B2CA73917006791882274F769E8
SHA256:022364EE1FCE61C8A867216C79F223BF47692CD648E3FD6B244FC615B86E4C58
3416WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3416.38720\RDPWInst.exeexecutable
MD5:3288C284561055044C489567FD630AC2
SHA256:AC92D4C6397EB4451095949AC485EF4EC38501D7BB6F475419529AE67E297753
3416WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3416.38720\uninstall.battext
MD5:ECCB8A01D0427EF29C2380D7DDA399F3
SHA256:083CD340C800CC021D4A59388680CE0E7AB0F8B998E67DEF6A507070E7FA01B7
3416WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3416.38720\RDPConf.exeexecutable
MD5:03FB8E478F4BA100D37A136231FA2F78
SHA256:3C0E5D6863B03283AFDA9BD188501757D47DC57FC4BBA2BDBB0D9BAA34487FE0
3416WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3416.38720\update.battext
MD5:29CA1C35075247B035AF75C11CAB78F1
SHA256:353F2DC17A4E80564CAA175F7170DBEDC1B40F704444520AE671F78A5D1F2B6D
3416WinRAR.exeC:\Users\admin\Desktop\update.battext
MD5:29CA1C35075247B035AF75C11CAB78F1
SHA256:353F2DC17A4E80564CAA175F7170DBEDC1B40F704444520AE671F78A5D1F2B6D
3416WinRAR.exeC:\Users\admin\Desktop\RDPCheck.exeexecutable
MD5:8F82226B2F24D470C02F6664F67F23F7
SHA256:5603338A1F8DBB46EFB8E0869DB3491D5DB92F362711D6680F91ECC5D18BFADF
3416WinRAR.exeC:\Users\admin\Desktop\install.battext
MD5:CBAD5B2CA73917006791882274F769E8
SHA256:022364EE1FCE61C8A867216C79F223BF47692CD648E3FD6B244FC615B86E4C58
3416WinRAR.exeC:\Users\admin\Desktop\uninstall.battext
MD5:ECCB8A01D0427EF29C2380D7DDA399F3
SHA256:083CD340C800CC021D4A59388680CE0E7AB0F8B998E67DEF6A507070E7FA01B7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
11
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
US
whitelisted
1372
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
1060
svchost.exe
GET
304
23.50.131.202:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
DE
whitelisted
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
1372
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1372
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
23.50.131.202:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
  • 23.50.131.202
  • 23.50.131.208
  • 23.50.131.205
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/stascorp/rdpwrap/releases/download/v1.6.2/RDPWrap-v1.6.2.zip