File name: New folder.rar

Full analysis: https://app.any.run/tasks/361a2718-b405-41d3-8e53-f3dbeb9fdc36
Verdict: Malicious activity
Analysis date: December 04, 2023, 18:58:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: EB37670E8F8D6399FF0923B4DE5BBE20
SHA1: 39DC59786C188978BB838238E62A88E8D2A2E8E1
SHA256: 4E7E1432E320848F9A61F4FE4353A9AD6D34F25F05F799FCCDC8C2AFC81EA6E5
SSDEEP: 98304:wBMuLqLssgQ2wczTOaXFJlwSRGIS+aoeHofNP1+Pav1KnyUpD9AMBTaSXkNBgq51:Kvqfst

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Black World.exe (PID: 2348)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3264)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3264)
    • Checks supported languages

      • 日月神教.exe (PID: 3144)
      • 中国黑客组织第五版.exe (PID: 2224)
      • wmpnscfg.exe (PID: 1452)
      • 中国黑客组织.exe (PID: 644)
      • 中国黑客组织第六版.exe (PID: 3884)
      • 日月神教 IM DDOS压力测试.exe (PID: 3248)
      • 中国黑客组织VIP远程协助V2011.exe (PID: 1460)
      • Black World.exe (PID: 2348)
      • Server.exe (PID: 1840)
      • NetBot_Cn.exe (PID: 3620)
      • 中国黑客组织VIP远程协助V2011.exe (PID: 120)
    • Manual execution by a user

      • 日月神教.exe (PID: 3144)
      • WinRAR.exe (PID: 3264)
      • 中国黑客组织第五版.exe (PID: 2224)
      • 中国黑客组织.exe (PID: 644)
      • 中国黑客组织第六版.exe (PID: 3884)
      • 日月神教 IM DDOS压力测试.exe (PID: 3248)
      • wmpnscfg.exe (PID: 1452)
      • NetBot_Cn.exe (PID: 3620)
      • Black World.exe (PID: 2348)
      • Server.exe (PID: 1840)
      • Server.exe (PID: 3028)
      • 中国黑客组织VIP远程协助V2011.exe (PID: 120)
      • 中国黑客组织VIP远程协助V2011.exe (PID: 1460)
    • Reads the computer name

      • 中国黑客组织.exe (PID: 644)
      • 中国黑客组织第五版.exe (PID: 2224)
      • 日月神教.exe (PID: 3144)
      • 中国黑客组织第六版.exe (PID: 3884)
      • wmpnscfg.exe (PID: 1452)
      • 日月神教 IM DDOS压力测试.exe (PID: 3248)
      • NetBot_Cn.exe (PID: 3620)
      • 中国黑客组织VIP远程协助V2011.exe (PID: 120)
      • Black World.exe (PID: 2348)
      • 中国黑客组织VIP远程协助V2011.exe (PID: 1460)
      • Server.exe (PID: 1840)
    • Creates files or folders in the user directory

      • Black World.exe (PID: 2348)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 71
Monitored processes: 14
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes in the graph, in start order ("no specs" marks processes with no indicators): winrar.exe (no specs), winrar.exe (no specs), 日月神教.exe (no specs), 中国黑客组织.exe (no specs), 中国黑客组织第五版.exe (no specs), 中国黑客组织第六版.exe (no specs), wmpnscfg.exe (no specs), 日月神教 im ddos压力测试.exe (no specs), netbot_cn.exe, 中国黑客组织vip远程协助v2011.exe, 中国黑客组织vip远程协助v2011.exe, black world.exe (no specs), server.exe (no specs), server.exe

Process information

PID | CMD | Path | Indicators | Parent process

PID: 120 | CMD: "C:\Users\admin\Desktop\bin\中国黑客组织VIP远程协助V2011.exe" | Path: C:\Users\admin\Desktop\bin\中国黑客组织VIP远程协助V2011.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2147483652
Modules
Images
c:\users\admin\desktop\bin\中国黑客组织vip远程协助v2011.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 644 | CMD: "C:\Users\admin\Desktop\中国黑客组织VIP专版远程控制\中国黑客组织.exe" | Path: C:\Users\admin\Desktop\中国黑客组织VIP专版远程控制\中国黑客组织.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
中国黑客组织 改进版
Exit code:
3221225477
Version:
2.1
Modules
Images
c:\users\admin\desktop\中国黑客组织vip专版远程控制\中国黑客组织.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1452 | CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe" | Path: C:\Program Files\Windows Media Player\wmpnscfg.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1460 | CMD: "C:\Users\admin\Desktop\bin\中国黑客组织VIP远程协助V2011.exe" | Path: C:\Users\admin\Desktop\bin\中国黑客组织VIP远程协助V2011.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2147483652
Modules
Images
c:\users\admin\desktop\bin\中国黑客组织vip远程协助v2011.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1840 | CMD: "C:\Users\admin\Desktop\Black World DDOSV1.3日月神教专版\Server.exe" | Path: C:\Users\admin\Desktop\Black World DDOSV1.3日月神教专版\Server.exe | Parent process: explorer.exe
User:
admin
Company:
360.cn
Integrity Level:
HIGH
Description:
360手机助手
Exit code:
0
Version:
1, 6, 0, 1610
Modules
Images
c:\users\admin\desktop\black world ddosv1.3日月神教专版\server.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 2144 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\New folder.rar" | Path: C:\Program Files\WinRAR\WinRAR.exe | Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2224 | CMD: "C:\Users\admin\Desktop\中国黑客组织第五版\中国黑客组织第五版\中国黑客组织第五版.exe" | Path: C:\Users\admin\Desktop\中国黑客组织第五版\中国黑客组织第五版\中国黑客组织第五版.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
中国黑客组织第五版
Exit code:
0
Version:
5, 0, 0, 0
Modules
Images
c:\users\admin\desktop\中国黑客组织第五版\中国黑客组织第五版\中国黑客组织第五版.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2348 | CMD: "C:\Users\admin\Desktop\Black World DDOSV1.3日月神教专版\Black World.exe" | Path: C:\Users\admin\Desktop\Black World DDOSV1.3日月神教专版\Black World.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Blck Wrold DDOS V1.3
Exit code:
0
Version:
1, 0, 0, 0
Modules
Images
c:\users\admin\desktop\black world ddosv1.3日月神教专版\black world.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3028 | CMD: "C:\Users\admin\Desktop\Black World DDOSV1.3日月神教专版\Server.exe" | Path: C:\Users\admin\Desktop\Black World DDOSV1.3日月神教专版\Server.exe | Parent process: explorer.exe
User:
admin
Company:
360.cn
Integrity Level:
MEDIUM
Description:
360手机助手
Exit code:
3221226540
Version:
1, 6, 0, 1610
Modules
Images
c:\users\admin\desktop\black world ddosv1.3日月神教专版\server.exe
c:\windows\system32\ntdll.dll
PID: 3144 | CMD: "C:\Users\admin\Desktop\Sword beta 3.0\日月神教.exe" | Path: C:\Users\admin\Desktop\Sword beta 3.0\日月神教.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\sword beta 3.0\日月神教.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 5 267
Read events: 5 255
Write events: 12
Delete events: 0

Modification events

(PID) Process: (2144) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

(PID) Process: (2144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

(PID) Process: (2144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80

(PID) Process: (2144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120

(PID) Process: (2144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime | Value: 100

(PID) Process: (3264) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

(PID) Process: (3264) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80
Executable files: 31
Suspicious files: 18
Text files: 14
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3264 | WinRAR.exe | C:\Users\admin\Desktop\Black World DDOSV1.3日月神教专版\Black World.exe | executable
MD5: B8678094AF229486DEB00D682CCC3DAC
SHA256: 224E121154EBD7D37B868BDD44D35B2DC9E68F5A5CA904764818CB6E229045C3

2144 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2144.34036\日月神教 IM DDOS压力测试.rar | compressed
MD5: 0BC1B31079F70AE72E4AE23EB24971AE
SHA256: D29A2BBF5661958928760001AD41A85AB0D2ABC9A4EB29FD18FE7CC5BA3A249F

2144 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2144.34036\Black World DDOSV1.3日月神教专版.rar | compressed
MD5: A1F08BBE3A571FEBBCD06AA36AD1924C
SHA256: 73C0D29BDA4644922F5B3AF482DA01CBAE4F7D0E8383488B232F8DC6EB1EB36B

3264 | WinRAR.exe | C:\Users\admin\Desktop\Black World DDOSV1.3日月神教专版\SkinH.dll | executable
MD5: A00C474DC4CED90B8F5A692108C45DCE
SHA256: 6504E515CBCF89CB98FD9F1A310125BFDF93E1F6A6BF0C64C0229E5670CAC9B1

3264 | WinRAR.exe | C:\Users\admin\Desktop\Black World DDOSV1.3日月神教专版\hzdg.dat | executable
MD5: 398D9F89AC61AA7C540B3FDE70731947
SHA256: A816535085D90D5D352653D5D2ECB06E4CA70C352042B514F179B1E14D0EC4B9

3264 | WinRAR.exe | C:\Users\admin\Desktop\Black World DDOSV1.3日月神教专版\QQWry.DAT | binary
MD5: 88CA00E1DE4A0EB8C532C8C56F60C823
SHA256: 3A57E963C0A99F27039EB28CB5918042DF3EA3BEEF30BA79985BAD0A537CBA9D

2144 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2144.34036\中国黑客组织第六版.rar | compressed
MD5: 718CB9E80BDD4755317CE10F9AFEA0DD
SHA256: E8964A5E99B45EC3D52C7F579B3E10FEA7207E206F8DCB58D885AA38C5AC47AF

3264 | WinRAR.exe | C:\Users\admin\Desktop\Sword beta 3.0\sound\Setting.wav | binary
MD5: D5D3845902DD1541089E4AFC8EE429FC
SHA256: 146F2068C9A6B5865C20F163FA3A530156D9BD13DCAB3398FBDC7215D7000888

3264 | WinRAR.exe | C:\Users\admin\Desktop\Sword beta 3.0\rysj.dat | executable
MD5: BAFFA4E8A30C1F8329BE4847E02DC302
SHA256: 0F83FAF85DB7114F7CF656BE7E7607331C37DA4DB067F90D327D09758B6498A6

3264 | WinRAR.exe | C:\Users\admin\Desktop\Sword beta 3.0\sound\Login.wav | wav
MD5: 4E642F0D041D6EF79D7701E599E4BBE9
SHA256: C2CFBABF111D231FB2531B6C0759C5191FD91F767059790FF53AEF87FAB2280F
Download the PCAP and analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info