File name:

Bandicut Full Crack.rar

Full analysis: https://app.any.run/tasks/571845c9-0c5a-4aaf-a1ca-669c8caf2b7d
Verdict: Malicious activity
Analysis date: May 10, 2024, 13:37:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: BD95FD7A845F24172710C3A6962F372C
SHA1: 4CAA945F1FCBB03A0B0D281B7BC77D45ED5167B9
SHA256: 39313BE32226926A2147369BD9FE7C71539DFBF295F55E4721C44C4993A9DA5E
SSDEEP: 98304:7UUks2Lgi1vEzaD90h/w1F6Ackco4+ZuvS4aSARVsPoPEvK2/2OVoGSV+0GWGc34:uQh4XB9AaKG21qWzmNTKrOXPmHp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • bdcut.exe (PID: 2240)
      • icsys.icn.exe (PID: 2232)
      • explorer.exe (PID: 2264)
      • spoolsv.exe (PID: 2256)
    • Changes appearance of the Explorer extensions

      • explorer.exe (PID: 2264)
      • svchost.exe (PID: 1596)
      • explorer.exe (PID: 992)
      • explorer.exe (PID: 1344)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 992)
      • explorer.exe (PID: 2264)
      • svchost.exe (PID: 1596)
      • explorer.exe (PID: 1344)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • bdcut.exe (PID: 2240)
      • icsys.icn.exe (PID: 2232)
      • explorer.exe (PID: 2264)
      • spoolsv.exe (PID: 2256)
    • Starts itself from another location

      • bdcut.exe (PID: 2240)
      • icsys.icn.exe (PID: 2232)
      • spoolsv.exe (PID: 2256)
      • svchost.exe (PID: 1596)
      • explorer.exe (PID: 2264)
      • spoolsv.exe (PID: 1980)
      • explorer.exe (PID: 992)
      • explorer.exe (PID: 1344)
      • spoolsv.exe (PID: 1964)
    • Starts application with an unusual extension

      • bdcut.exe (PID: 2240)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 2232)
      • spoolsv.exe (PID: 2256)
    • Creates or modifies Windows services

      • svchost.exe (PID: 1596)
  • INFO

    • Manual execution by a user

      • bdcut.exe (PID: 2240)
      • taskmgr.exe (PID: 1432)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3984)
    • Checks supported languages

      • bdcut.exe (PID: 2240)
      • icsys.icn.exe (PID: 2232)
      • explorer.exe (PID: 2264)
      • spoolsv.exe (PID: 2256)
      • svchost.exe (PID: 1596)
      • spoolsv.exe (PID: 736)
      • spoolsv.exe (PID: 1980)
      • explorer.exe (PID: 992)
      • spoolsv.exe (PID: 324)
      • spoolsv.exe (PID: 1964)
      • explorer.exe (PID: 1344)
      • spoolsv.exe (PID: 2656)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3984)
    • Reads the machine GUID from the registry

      • bdcut.exe (PID: 2240)
      • icsys.icn.exe (PID: 2232)
      • explorer.exe (PID: 2264)
      • spoolsv.exe (PID: 736)
      • spoolsv.exe (PID: 2256)
      • svchost.exe (PID: 1596)
      • spoolsv.exe (PID: 1980)
      • explorer.exe (PID: 992)
      • spoolsv.exe (PID: 324)
      • spoolsv.exe (PID: 2656)
      • explorer.exe (PID: 1344)
      • spoolsv.exe (PID: 1964)
    • Create files in a temporary directory

      • bdcut.exe (PID: 2240)
      • icsys.icn.exe (PID: 2232)
      • explorer.exe (PID: 2264)
      • spoolsv.exe (PID: 2256)
      • svchost.exe (PID: 1596)
      • spoolsv.exe (PID: 736)
      • spoolsv.exe (PID: 1980)
      • explorer.exe (PID: 992)
      • spoolsv.exe (PID: 324)
      • spoolsv.exe (PID: 1964)
      • spoolsv.exe (PID: 2656)
      • explorer.exe (PID: 1344)
    • Reads the computer name

      • svchost.exe (PID: 1596)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ MATRIX in the full report.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes
56
Monitored processes
17
Malicious processes
9
Suspicious processes
0

Behavior graph

Process chain (start): winrar.exe, taskmgr.exe, bdcut.exe, bdcut.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe, schtasks.exe, spoolsv.exe, explorer.exe, spoolsv.exe, schtasks.exe, spoolsv.exe, explorer.exe, spoolsv.exe

Process information

PID | CMD | Path | Parent process
324 | c:\windows\resources\spoolsv.exe SE | C:\Windows\resources\spoolsv.exe | explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
736 | c:\windows\resources\spoolsv.exe PR | C:\Windows\resources\spoolsv.exe | svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
860 | schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:41 /f | C:\Windows\System32\schtasks.exe | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
992 | c:\windows\resources\themes\explorer.exe | C:\Windows\resources\Themes\explorer.exe | spoolsv.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1344 | c:\windows\resources\themes\explorer.exe | C:\Windows\resources\Themes\explorer.exe | spoolsv.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1432 | "C:\Windows\system32\taskmgr.exe" | C:\Windows\System32\taskmgr.exe | explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1596 | c:\windows\resources\svchost.exe | C:\Windows\resources\svchost.exe | spoolsv.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1964 | c:\windows\resources\spoolsv.exe PR | C:\Windows\resources\spoolsv.exe | svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1980 | c:\windows\resources\spoolsv.exe PR | C:\Windows\resources\spoolsv.exe | svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2232 | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Windows\Resources\Themes\icsys.icn.exe | bdcut.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
5 031
Read events
4 940
Write events
83
Delete events
8

Modification events

PID | Process | Key | Operation | Name | Value
3984 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
3984 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
3984 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
3984 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface | write | ShowPassword | 1
3984 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
3984 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3984 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
3984 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Bandicut Full Crack.rar
3984 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
3984 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
Executable files
7
Suspicious files
9
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type
736 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DF4A8E79AC1ACDF3EE.TMP |
MD5:
SHA256:
2232 | icsys.icn.exe | C:\windows\resources\themes\explorer.exe | executable
MD5: 955AAA7C0635F41A7EB2C70F44151687
SHA256: 4316B180B8D3FDA376E8DEF586B20A545F76149C6B88788690A3CC14219141F7
3984 | WinRAR.exe | C:\Users\admin\Desktop\Bandicut Full + file kich hoat\file kich hoat\bdcut.exe | executable
MD5: F0B0D73B3E19FA5EA1331387BA9633BC
SHA256: DFE1C7A8D32298BF33DDEEA9F02EDDE052078A80A290EA3CF63DBEB03CA47DDE
3984 | WinRAR.exe | C:\Users\admin\Desktop\Bandicut Full + file kich hoat\Bandicut 2021 new updated.exe | executable
MD5: 9BD51E8573C57B37EEFB866570EF8568
SHA256: 5137D6F1AD631DB29752AD04E373AE0619C4EDDCF751F72FBFF3814355AFD5E7
2264 | explorer.exe | C:\windows\resources\spoolsv.exe | executable
MD5: C970F4A495502229943D90C7F67125C7
SHA256: 05C8452E2DEA7CFAE3668157A9CA9BBA9F258F385DD20195D28777965F913BEF
2240 | bdcut.exe | C:\Users\admin\AppData\Local\Temp\~DF82F80B65FF79E284.TMP | binary
MD5: D047CD39186E445497E1E070A6B175DA
SHA256: 5869A24450D383CAE56F75AA6A5A5489A26BDE6D8A51A46A631663F8AC19F960
2232 | icsys.icn.exe | C:\Users\admin\AppData\Local\Temp\~DFE7B5D8FC61A4D46E.TMP | binary
MD5: 7EBDDE653172B22E0A2B65C29AE98CF4
SHA256: 9B6F0D09B1859AADB402CE2C9021429411F92AAB62B556B1C5E1921D7AC6ADED
2240 | bdcut.exe | C:\users\admin\desktop\bandicut full + file kich hoat\file kich hoat\bdcut.exe | executable
MD5: D597126BFBB5B290A3900FF3BD6E1175
SHA256: B3303F8484DA9D35B37CF961527447C90739B7A3BD60D46C6D41C65C278A657D
2240 | bdcut.exe | C:\Windows\Resources\Themes\icsys.icn.exe | executable
MD5: 2C21EA65F781634AFB3166404C5288E5
SHA256: 3ED207FDEEE295835A906244FCD58201BA32D3D0C07A6D06F21F4CD4559EC8A4
2256 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DFF7AC40E1CC6CB266.TMP | binary
MD5: 7EBDDE653172B22E0A2B65C29AE98CF4
SHA256: 9B6F0D09B1859AADB402CE2C9021429411F92AAB62B556B1C5E1921D7AC6ADED
Download the PCAP, analyze network streams, HTTP content and much more in the full report.
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info