Malware analysis 1.rar Malicious activity | ANY.RUN

Add for printing

File name:	1.rar
Full analysis:	https://app.any.run/tasks/34418fc8-8c5b-43e9-a1e3-377c5b262cb0
Verdict:	Malicious activity
Analysis date:	January 18, 2020, 11:24:30
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	30EDD123DC12367712A5C4EE6CA68635
SHA1:	75543031C63C5CD1145AD429056726E8E3528C97
SHA256:	36E345A37B718088538C4C4A84FFF940DBB7A0B94F243D60072666D88356E9F9
SSDEEP:	393216:lLKjgS3HY3hlZxncawyHXQA9aFYZrW5sjfviS:Jq7XY3rXcqXQA9EOjniS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 3544)
  - BlackBullet2.exe (PID: 1096)
  - BlackBullet2.exe (PID: 3652)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 996)
- Starts CMD.EXE for commands execution
  - Launcher(u can try if other not work).exe (PID: 2444)
- Starts Internet Explorer
  - cmd.exe (PID: 1292)
INFO
- Manual execution by user
  - BlackBullet2.exe (PID: 1096)
  - Launcher(u can try if other not work).exe (PID: 2444)
  - Launcher(updated).exe (PID: 3772)
  - Launcher(updated).exe (PID: 3096)
  - Launcher(updated).exe (PID: 3292)
- Changes internet zones settings
  - iexplore.exe (PID: 4040)
- Creates files in the user directory
  - iexplore.exe (PID: 2136)
- Changes settings of System certificates
  - iexplore.exe (PID: 2136)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 2136)
- Reads internet explorer settings
  - iexplore.exe (PID: 2136)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 2136)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

996

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

1096

"C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\BlackBullet2.exe"

C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\BlackBullet2.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

BlackBullet2

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\amazon gc checker & generator\amazon gc checker & generator\blackbullet2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1292

"C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\7EF9.tmp\7EFA.tmp\7EFB.bat "C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(u can try if other not work).exe""

C:\Windows\system32\cmd.exe

—

Launcher(u can try if other not work).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2136

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4040 CREDAT:79873

C:\Program Files\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Internet Explorer

Exit code:

Version:

8.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

2444

"C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(u can try if other not work).exe"

C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(u can try if other not work).exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\amazon gc checker & generator\amazon gc checker & generator\launcher(u can try if other not work).exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

3096

"C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(updated).exe"

C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(updated).exe

—

explorer.exe

User:

admin

Company:

CPUID Hardware Monitor

Integrity Level:

MEDIUM

Description:

CPUID Hardware Monitor

Exit code:

Version:

1.3.4.0

Modules

Images
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\clbcatq.dll
c:\users\admin\desktop\amazon gc checker & generator\amazon gc checker & generator\blackbullet2.exe
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\fveui.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wintrust.dll

3292

"C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(updated).exe"

C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(updated).exe

—

explorer.exe

User:

admin

Company:

CPUID Hardware Monitor

Integrity Level:

MEDIUM

Description:

CPUID Hardware Monitor

Exit code:

Version:

1.3.4.0

Modules

Images
c:\users\admin\desktop\amazon gc checker & generator\amazon gc checker & generator\launcher(updated).exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll

3544

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\System32\SearchProtocolHost.exe

—

SearchIndexer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Windows Search Protocol Host

Exit code:

Version:

7.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

3652

BlackBullet2.exe FL

C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\BlackBullet2.exe

cmd.exe

User:

admin

Integrity Level:

HIGH

Description:

BlackBullet2

Exit code:

3221225477

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\amazon gc checker & generator\amazon gc checker & generator\blackbullet2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

3772

"C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(updated).exe"

C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(updated).exe

explorer.exe

User:

admin

Company:

CPUID Hardware Monitor

Integrity Level:

HIGH

Description:

CPUID Hardware Monitor

Exit code:

Version:

1.3.4.0

Modules

Images
c:\users\admin\desktop\amazon gc checker & generator\amazon gc checker & generator\launcher(updated).exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

1 219

Read events

1 134

Write events

Delete events

Modification events


(PID) Process:	(996) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(996) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(996) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(996) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\1.rar
(PID) Process:	(996) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(996) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(996) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(996) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3544) SearchProtocolHost.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3544) SearchProtocolHost.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E
Operation:	write	Name:	@C:\Windows\System32\msxml3r.dll,-1
Value: XML Document

Add for printing

Executable files

Suspicious files

Text files

110

Unknown types

Dropped files

PID	Process	Filename		Type
996	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Amazon GC.bbc		text
		MD5:—	SHA256:—
996	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\903fb8d8.bin		html
		MD5:—	SHA256:—
996	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\AntiCaptchaLibrary.pdb		pdb
		MD5:D40FCC3B05BD2890790DFAB3D7EB857F	SHA256:A72658B2C43BE5FA61F771149155704C4FC550BE24F9AB1148AB0B0CA45747DF
996	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\DeathByCaptcha.dll		executable
		MD5:3495203999B4A2C1A91A6C2E7903E0DB	SHA256:FDD3C336E835F01FA052CF23C1B5A8070D510FFA3C8EE12187C1EA46A08287D1
996	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\AngleSharp.dll		executable
		MD5:EC22828DA8A4053F8B4B23FCB5B3FDE0	SHA256:7BBF3C452CAAF914CCC56A45E6C3BDB21B4B5BF8A4C2C2633A6EC46C97EA885F
996	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\DeathByCaptcha.pdb		pdb
		MD5:1C127B5964FE54CA87E72D4E0F27DDBB	SHA256:B880BF64DCB57E490BB05B13F8CC3C0059C80987EE8B8C9D2E113293669309CF
996	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\chromedriver.exe		executable
		MD5:2FBE8348A03B7440EB5B025ABAE7F7D1	SHA256:C68BB9B97E36B5DAAB3D100F427A7977A535D9B4EA20890FBB755F39D0421E94
996	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\AntiCaptchaLibrary.dll		executable
		MD5:7F1F5E8F97C0E8D6A6C110D7E992D3E7	SHA256:1A3EF40CFCE664828534E83188B1054F4E8A3BEFDFBE9391E402B4C96181C784
996	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\DeCaptcherLibrary.dll		executable
		MD5:DF02DB790400B829B51F831E5ED451B4	SHA256:E0F83DAC5ADE8FC434A69DFFE75E90267749EFEEFFDEE80033BBA6BABF03D2E3
996	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\DeCaptcherLibrary.pdb		pdb
		MD5:3504A330E2782EF3E549B438946578BF	SHA256:408C07A85B04949CE0900E4545EE9790D93BF1EFDAA51DE7EBAA37BD03BDB62A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2136	iexplore.exe	GET	301	104.27.160.126:80	http://crackingcentral.com/	US	—	—	malicious
4040	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4040	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
2136	iexplore.exe	172.217.18.170:443	fonts.googleapis.com	Google Inc.	US	whitelisted
2136	iexplore.exe	104.17.64.4:443	cdnjs.cloudflare.com	Cloudflare Inc	US	unknown
2136	iexplore.exe	209.197.3.15:443	maxcdn.bootstrapcdn.com	Highwinds Network Group, Inc.	US	whitelisted
2136	iexplore.exe	151.101.2.109:443	cdn.jsdelivr.net	Fastly	US	suspicious
2136	iexplore.exe	172.217.22.67:443	fonts.gstatic.com	Google Inc.	US	whitelisted
2136	iexplore.exe	172.217.22.2:443	www.googleadservices.com	Google Inc.	US	whitelisted
2136	iexplore.exe	216.58.208.46:443	www.google-analytics.com	Google Inc.	US	whitelisted
2136	iexplore.exe	173.194.76.156:443	stats.g.doubleclick.net	Google Inc.	US	whitelisted
2136	iexplore.exe	172.217.23.100:443	www.google.com	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
crackingcentral.com	104.27.160.126 104.27.161.126	malicious
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
cracked.to	104.27.11.92 104.27.10.92	whitelisted
static.cracked.to	104.27.10.92 104.27.11.92	suspicious
fonts.googleapis.com	172.217.18.170	whitelisted
maxcdn.bootstrapcdn.com	209.197.3.15	whitelisted
cdnjs.cloudflare.com	104.17.64.4 104.17.65.4	whitelisted
cdn.jsdelivr.net	151.101.2.109 151.101.66.109 151.101.130.109 151.101.194.109	whitelisted
www.googletagmanager.com	172.217.22.40	whitelisted
fonts.gstatic.com	172.217.22.67	whitelisted

Threats

PID	Process	Class	Message
1080	svchost.exe	Potentially Bad Traffic	ET DNS Query for .to TLD
1080	svchost.exe	Potentially Bad Traffic	ET DNS Query for .to TLD

Add for printing

No debug info

General Info

1.rar

30EDD123DC12367712A5C4EE6CA68635

75543031C63C5CD1145AD429056726E8E3528C97

36E345A37B718088538C4C4A84FFF940DBB7A0B94F243D60072666D88356E9F9

393216:lLKjgS3HY3hlZxncawyHXQA9aFYZrW5sjfviS:Jq7XY3rXcqXQA9EOjniS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Starts Internet Explorer

INFO

Manual execution by user

Changes internet zones settings

Creates files in the user directory

Changes settings of System certificates

Adds / modifies Windows certificates

Reads internet explorer settings

Reads Internet Cache Settings

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings