File name: Clear-ManualsLibrary.b3003.SK041.ed.exe.7z

Full analysis: https://app.any.run/tasks/15124faf-b86a-4848-8011-ca01e5b03bf9
Verdict: Malicious activity
Analysis date: March 01, 2024, 18:00:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: E12879E8046B8C0D5CA63ABC1D12BAC5
SHA1: 0EE9A9FB6CBD1BAF06DFA8987F104556642819B2
SHA256: 4FCB6BE37B6DEA20D61A83466E9E97CAFD328BF7AD273568C971FEFBB1AA9D97
SSDEEP: 98304:LV+cE1rP8U+ap6eMzuu5TbV051rAP+2OX9ggDPK9llkJy+ujA8GKghvTZ3AkUhdH:KUhJ4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4052)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 2844)
      • Clear-ManualsLibrary.b3003.SK041.ed.exe (PID: 3216)
      • Clear-ManualsLibrary.b3003.SK041.ed.exe (PID: 3092)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 4000)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Clear-ManualsLibrary.b3003.SK041.ed.exe (PID: 3216)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 2844)
      • Clear-ManualsLibrary.b3003.SK041.ed.exe (PID: 3092)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 4000)
    • Reads the Windows owner or organization settings

      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 2844)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 4000)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4052)
    • Checks supported languages

      • Clear-ManualsLibrary.b3003.SK041.ed.exe (PID: 3216)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 2844)
      • Clear-ManualsLibrary.b3003.SK041.ed.exe (PID: 3092)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 4000)
    • Reads the computer name

      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 2844)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 4000)
    • Create files in a temporary directory

      • Clear-ManualsLibrary.b3003.SK041.ed.exe (PID: 3216)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 2844)
      • Clear-ManualsLibrary.b3003.SK041.ed.exe (PID: 3092)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 4000)
    • Manual execution by a user

      • Clear-ManualsLibrary.b3003.SK041.ed.exe (PID: 3216)
      • Clear-ManualsLibrary.b3003.SK041.ed.exe (PID: 3092)
    • Reads Environment values

      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 2844)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 4000)
    • Reads the machine GUID from the registry

      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 2844)
      • Clear-ManualsLibrary.b3003.SK041.ed.tmp (PID: 4000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph: start, winrar.exe, clear-manualslibrary.b3003.sk041.ed.exe, clear-manualslibrary.b3003.sk041.ed.tmp, clear-manualslibrary.b3003.sk041.ed.exe, clear-manualslibrary.b3003.sk041.ed.tmp

Process information

PID 2844
CMD: "C:\Users\admin\AppData\Local\Temp\is-QUC02.tmp\Clear-ManualsLibrary.b3003.SK041.ed.tmp" /SL5="$140158,4024375,806400,C:\Users\admin\Desktop\Clear-ManualsLibrary.b3003.SK041.ed.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-QUC02.tmp\Clear-ManualsLibrary.b3003.SK041.ed.tmp
Parent process: Clear-ManualsLibrary.b3003.SK041.ed.exe
User: admin
Company: Clear.App
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 3762504530
Version: 51.1052.0.0
Modules:
c:\users\admin\appdata\local\temp\is-quc02.tmp\clear-manualslibrary.b3003.sk041.ed.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID 3092
CMD: "C:\Users\admin\Desktop\Clear-ManualsLibrary.b3003.SK041.ed.exe"
Path: C:\Users\admin\Desktop\Clear-ManualsLibrary.b3003.SK041.ed.exe
Parent process: explorer.exe
User: admin
Company: Clear.App
Integrity Level: MEDIUM
Description: Clear Setup
Exit code: 3762504530
Version: 1.1.1.0
Modules:
c:\users\admin\desktop\clear-manualslibrary.b3003.sk041.ed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID 3216
CMD: "C:\Users\admin\Desktop\Clear-ManualsLibrary.b3003.SK041.ed.exe"
Path: C:\Users\admin\Desktop\Clear-ManualsLibrary.b3003.SK041.ed.exe
Parent process: explorer.exe
User: admin
Company: Clear.App
Integrity Level: MEDIUM
Description: Clear Setup
Exit code: 3762504530
Version: 1.1.1.0
Modules:
c:\users\admin\desktop\clear-manualslibrary.b3003.sk041.ed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID 4000
CMD: "C:\Users\admin\AppData\Local\Temp\is-QO6S9.tmp\Clear-ManualsLibrary.b3003.SK041.ed.tmp" /SL5="$150158,4024375,806400,C:\Users\admin\Desktop\Clear-ManualsLibrary.b3003.SK041.ed.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-QO6S9.tmp\Clear-ManualsLibrary.b3003.SK041.ed.tmp
Parent process: Clear-ManualsLibrary.b3003.SK041.ed.exe
User: admin
Company: Clear.App
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 3762504530
Version: 51.1052.0.0
Modules:
c:\users\admin\appdata\local\temp\is-qo6s9.tmp\clear-manualslibrary.b3003.sk041.ed.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID 4052
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Clear-ManualsLibrary.b3003.SK041.ed.exe.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules:
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 4 292
Read events: 4 258
Write events: 31
Delete events: 3

Modification events

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Clear-ManualsLibrary.b3003.SK041.ed.exe.7z

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4052) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 7
Suspicious files: 2
Text files: 34
Unknown types: 0

Dropped files

PID 4052, WinRAR.exe
Filename: C:\Users\admin\Desktop\Clear-ManualsLibrary.b3003.SK041.ed.exe
Type: executable
MD5: A196BF8E7BDADAC7A17007AD2F75BA2D
SHA256: E161A46FE428D16D2D006C0C2415B36710278C7E273FE409E51010A2BC6404C9

PID 3216, Clear-ManualsLibrary.b3003.SK041.ed.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-QUC02.tmp\Clear-ManualsLibrary.b3003.SK041.ed.tmp
Type: executable
MD5: D250BC4F53D1D78AAC084AAD5B3EEC04
SHA256: 229F1ECFCE581B66AFB249FF19EDFBECAF9FF893A5DAB8E6E022DA958F056A8E

PID 2844, Clear-ManualsLibrary.b3003.SK041.ed.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-PF25L.tmp\HtmlInstaller.dll
Type: executable
MD5: 646B373188A97FCF379D0EB89C50218B
SHA256: 79B279A911BFB9620F4E61C88876E7DE8711936AB0453C211B5A2A03FEFE4999

PID 2844, Clear-ManualsLibrary.b3003.SK041.ed.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-PF25L.tmp\html\css\baselinenew.css
Type: text
MD5: 4D9E4F45F1F8500EB7FE29AC4A34818D
SHA256: 03ED977D9D2B9AEEE7912886185B69BABB7496DC9B45042190097F81153762DC

PID 2844, Clear-ManualsLibrary.b3003.SK041.ed.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-PF25L.tmp\html\assets\common\browse_icon.png
Type: image
MD5: 9C26F5DD459C12F2F8A28CAFB7447520
SHA256: 3156AD4638AB7AE34E17E07A4BFC0E2509690B886506035DC92EF0EA8ADB0847

PID 2844, Clear-ManualsLibrary.b3003.SK041.ed.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-PF25L.tmp\html\assets\common\check_badge.png
Type: image
MD5: 5BB846C7F7965BB689DC678AF686C9BF
SHA256: DFEDC430D48922DDC24166AF1EF4E2B77112386602CB6BE15686C6A60E0D0F5C

PID 2844, Clear-ManualsLibrary.b3003.SK041.ed.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-PF25L.tmp\html\assets\common\green-check.png
Type: image
MD5: 7F05D0A50CD14E33215C6AB3DE84FA9F
SHA256: DE3168CAA9EE5026EBD96DA1F665A4C98762F29A53AEB480E107FB9DE7B342E8

PID 2844, Clear-ManualsLibrary.b3003.SK041.ed.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-PF25L.tmp\html\assets\common\greenprogress.gif
Type: image
MD5: CB84E51D64C4D8F5C25D1563BC83C49A
SHA256: D916A57D1601286604BF570FA5F88E5A257026EDE1A41F5D305AF24B6315CE05

PID 2844, Clear-ManualsLibrary.b3003.SK041.ed.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-PF25L.tmp\html\css\manualslibrary-new.css
Type: text
MD5: D9834A8056461F16A32B90A6215F8EA9
SHA256: 93A8434B614E2C8E67B678875F1AB50FA0B643A3A04E8924128E1A5B44189362

PID 2844, Clear-ManualsLibrary.b3003.SK041.ed.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-PF25L.tmp\html\assets\manualslibrary-new\128.png
Type: image
MD5: 4D8C0EC508F20C04F51CD23618A67130
SHA256: 31D7D00F3F99D712393559627A0576BFF7673E4739C9E834BBC6AFD00494ED73
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 4, System, IP 192.168.100.255:138, Domain: -, ASN: -, CN: -, Reputation: whitelisted
PID 4, System, IP 192.168.100.255:137, Domain: -, ASN: -, CN: -, Reputation: whitelisted
PID 1080, svchost.exe, IP 224.0.0.252:5355, Domain: -, ASN: -, CN: -, Reputation: unknown
PID 1040, WerFault.exe, IP 104.208.16.93:443, Domain: watson.microsoft.com, ASN: MICROSOFT-CORP-MSN-AS-BLOCK, CN: US, Reputation: unknown

DNS requests

Domain: watson.microsoft.com, IP: 104.208.16.93, Reputation: whitelisted
Domain: dns.msftncsi.com, IP: 131.107.255.255, Reputation: shared

Threats

No threats detected
No debug info