Malware analysis Download Rhinoceros 3D Full Crack.rar Malicious activity

Add for printing

File name:	Download Rhinoceros 3D Full Crack.rar
Full analysis:	https://app.any.run/tasks/30520ffc-cd6e-4fa1-80c4-b465d50ce91c
Verdict:	Malicious activity
Analysis date:	February 12, 2026, 19:56:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	netreactor autoit
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	F0D639C0F83F28520CA4BE402F95A892
SHA1:	E8BCB83F7D1B40F2875FA42857BBCD118D042A2A
SHA256:	558ADDCE27D6C672CE6F2C1FC40670C933C731338D4D6FC9EE0BF16F212FFF2C
SSDEEP:	24576:OpvgvqlmSXVmTnvkIU4AxT20QXwjncr/c21A4l3jjD3Z1LF7+/TzihVhcHI/:OtEqlmSXVmTnvkIUtxT20qw7crJ1A4lJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Start notepad (likely ransomware note)
  - WinRAR.exe (PID: 7340)
- Application launched itself
  - WinRAR.exe (PID: 7340)
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 9208)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 9208)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 5504)
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 6488)
  - cmd.exe (PID: 9208)
- Uses attrib.exe to force local storage
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 9208)
- Modifies hosts file to alter network resolution
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 9208)
- Service autostart disabling
  - sc.exe (PID: 2092)
  - sc.exe (PID: 6348)
- Starts SC.EXE for service management
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 9208)
- Stops a currently running service
  - sc.exe (PID: 5048)
  - sc.exe (PID: 8668)
- Windows service management via SC.EXE
  - sc.exe (PID: 6348)
  - sc.exe (PID: 2092)
- Uses NETSH.EXE to delete a firewall rule or allowed programs
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 9208)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 9208)
INFO
- Reads Microsoft Office registry keys
  - WinRAR.exe (PID: 7340)
- Reads mouse settings
  - rhino_en-us_7.27.23032.13001.exe (PID: 4212)
  - rhino_en-us_7.27.23032.13001.exe (PID: 7820)
  - rhino_en-us_7.27.23032.13001.exe (PID: 9184)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 6060)
  - WinRAR.exe (PID: 7340)
- Checks supported languages
  - rhino_en-us_7.27.23032.13001.exe (PID: 4212)
  - rhino_en-us_7.27.23032.13001.exe (PID: 7820)
  - RhinoActivator.exe (PID: 1600)
  - rhino_en-us_7.27.23032.13001.exe (PID: 9184)
  - RhinoActivator.exe (PID: 6500)
- Reads the computer name
  - rhino_en-us_7.27.23032.13001.exe (PID: 4212)
  - rhino_en-us_7.27.23032.13001.exe (PID: 7820)
  - RhinoActivator.exe (PID: 6500)
  - RhinoActivator.exe (PID: 1600)
  - rhino_en-us_7.27.23032.13001.exe (PID: 9184)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7340)
  - WinRAR.exe (PID: 5108)
- Drops script file
  - WinRAR.exe (PID: 7340)
  - WinRAR.exe (PID: 5108)
  - cmd.exe (PID: 4188)
  - cmd.exe (PID: 9208)
- The sample compiled with english language support
  - WinRAR.exe (PID: 7340)
  - WinRAR.exe (PID: 5108)
- Checks proxy server information
  - slui.exe (PID: 8572)
- Manual execution by a user
  - cmd.exe (PID: 4188)
  - rhino_en-us_7.27.23032.13001.exe (PID: 7820)
  - cmd.exe (PID: 9208)
  - RhinoActivator.exe (PID: 1600)
  - rhino_en-us_7.27.23032.13001.exe (PID: 9184)
  - RhinoActivator.exe (PID: 6500)
- Reads the machine GUID from the registry
  - RhinoActivator.exe (PID: 1600)
  - RhinoActivator.exe (PID: 6500)
- Creates files in the program directory
  - RhinoActivator.exe (PID: 1600)
- .NET Reactor protector has been detected
  - RhinoActivator.exe (PID: 6500)
- There is functionality for taking screenshot (YARA)
  - rhino_en-us_7.27.23032.13001.exe (PID: 9184)
- The process uses AutoIt
  - rhino_en-us_7.27.23032.13001.exe (PID: 9184)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	656
UncompressedSize:	3903
OperatingSystem:	Win32
ArchivedFileName:	Download Rhinoceros 3D Full Crack/Crack/Block Rhino (rules in hosts and stock firewall).cmd

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

223

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

224

netsh advfirewall firewall add rule name="Rhino 7" dir=out program="C:\Program Files\Rhino 7\System\Rhino.exe" profile=any action=block

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

416

netsh advfirewall firewall add rule name="Rhino 6" dir=in program="C:\Program Files\Rhino 6\System\Rhino.exe" profile=any action=block

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

468

netsh advfirewall firewall delete rule name=all program="C:\Program Files\Rhinoceros 5 (64-bit)\System\RmaErrorReporting.exe"

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

680

find /I "api.mcneel.com" "C:\WINDOWS\system32\drivers\etc\hosts"

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1324

netsh advfirewall firewall delete rule name=all program="C:\Program Files\Rhino 7\System\Yak.exe"

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1600

"C:\Crack\RhinoActivator.exe"

C:\Crack\RhinoActivator.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

RhinoActivator

Exit code:

Version:

1.0.0.0

Modules

Images
c:\crack\rhinoactivator.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

1820

netsh advfirewall firewall add rule name="Rhino 7" dir=in program="C:\Program Files\Rhino 7\System\Rhino.exe" profile=any action=block

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1848

netsh advfirewall firewall delete rule name=all program="C:\Program Files\Rhino 7\System\RmaErrorReporting.exe"

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1924

netsh advfirewall firewall delete rule name=all program="C:\Program Files\Rhino 7\System\Rhino.exe"

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1928

netsh advfirewall firewall delete rule name=all program="C:\Program Files\Rhino 6\System\Yak.exe"

C:\Windows\System32\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

28 287

Read events

28 248

Write events

Delete events

Modification events


(PID) Process:	(7340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:	(7340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Download Rhinoceros 3D Full Crack.rar
(PID) Process:	(7340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(7340) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
Operation:	write	Name:	txtfile
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb7340.41944\Download Rhinoceros 3D Full Crack\Crack\RhinoActivator.exe		executable
		MD5:3E36F68337428649642C2CDAE20316BA	SHA256:F41F69D72E9CCF6F564129A003CFF12371BE207FABC68B1643A163CCBAA87947
5108	WinRAR.exe	C:\Crack\RhinoActivator.exe		executable
		MD5:3E36F68337428649642C2CDAE20316BA	SHA256:F41F69D72E9CCF6F564129A003CFF12371BE207FABC68B1643A163CCBAA87947
7340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb7340.41944\Download Rhinoceros 3D Full Crack\Hướng Dẫn Crack.txt		text
		MD5:4231D6126D5DAF667836334632C52E72	SHA256:24A33F3231AA9FDA2F1ABAFE9A68CF7D56874F3B25799041C8BDF3B552EF8781
1600	RhinoActivator.exe	C:\ProgramData\McNeel\Rhinoceros\6.0\License Manager\Licenses\59ff75c9-9c71-4ef8-a290-6b590f3fc63a.lic		binary
		MD5:019208C773817296BBA032109D269138	SHA256:AE01B7D0F83B0E42B7C1DC8CCDB0BBAE827B00F65DE8B64D18B66A863B34ABD2
5108	WinRAR.exe	C:\Crack\Block Rhino (rules in hosts and stock firewall).cmd		text
		MD5:F0004011858334E492EFAE00BBA44EC5	SHA256:D50741DBE04ECCEDD91CB3737C339FEC28E6D2CEF1F87AFFAB172DCA57F53DF9
5108	WinRAR.exe	C:\Hướng Dẫn Crack.txt		text
		MD5:4231D6126D5DAF667836334632C52E72	SHA256:24A33F3231AA9FDA2F1ABAFE9A68CF7D56874F3B25799041C8BDF3B552EF8781
7340	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb7340.41944\Download Rhinoceros 3D Full Crack\rhino_en-us_7.27.23032.13001.exe		executable
		MD5:0FB030057C4335E98BC9DB2BF23247EB	SHA256:58FD5022865EE12BA02E5B32B4496D6C2AB6509092940901EE85075954E9E4E2
5108	WinRAR.exe	C:\rhino_en-us_7.27.23032.13001.exe		executable
		MD5:0FB030057C4335E98BC9DB2BF23247EB	SHA256:58FD5022865EE12BA02E5B32B4496D6C2AB6509092940901EE85075954E9E4E2
9208	cmd.exe	C:\Windows\System32\drivers\etc\hosts		text
		MD5:A70E8712202BBF676464BB6FC51EF96B	SHA256:36971ED643D27094B644A228FF21F48D3B650F746C7DBAF8A8AA75642DFB807D
1600	RhinoActivator.exe	C:\ProgramData\McNeel\Rhinoceros\6.0\License Manager\Licenses\59ff75c9-9c71-4ef8-a290-6b590f3fc63a.lic~RF209b3a.TMP		binary
		MD5:019208C773817296BBA032109D269138	SHA256:AE01B7D0F83B0E42B7C1DC8CCDB0BBAE827B00F65DE8B64D18B66A863B34ABD2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5040	svchost.exe	GET	304	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	unknown	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	unknown	—	—	whitelisted
5440	SIHClient.exe	GET	304	74.179.77.204:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	whitelisted
5440	SIHClient.exe	GET	200	20.165.94.54:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	whitelisted
5440	SIHClient.exe	GET	200	74.179.77.204:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	whitelisted
5440	SIHClient.exe	GET	304	74.179.77.204:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	whitelisted
5040	svchost.exe	GET	200	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	unknown	binary	5.70 Kb	whitelisted
5040	svchost.exe	GET	200	2.16.164.99:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
356	svchost.exe	POST	200	40.126.31.71:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
356	svchost.exe	POST	200	40.126.31.71:443	https://login.live.com/RST2.srf	unknown	xml	10.2 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
5040	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3004	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
5040	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5040	svchost.exe	2.16.164.99:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
3412	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
356	svchost.exe	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
356	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.251.141.142	whitelisted
self.events.data.microsoft.com	20.42.65.84 52.168.117.175	whitelisted
crl.microsoft.com	2.16.164.99 2.16.164.81 2.16.164.40 2.16.164.24 2.16.164.18 2.16.164.106 2.16.164.32 2.16.164.72 2.16.164.34 2.16.164.9 2.16.164.17 2.16.164.51 2.16.164.49	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	40.126.31.71 20.190.159.71 40.126.31.129 40.126.31.73 20.190.159.2 20.190.159.64 20.190.159.128 40.126.31.0 20.190.160.132 20.190.160.5 20.190.160.130 40.126.32.138 40.126.32.72 20.190.160.4 40.126.32.74 20.190.160.65	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
slscr.update.microsoft.com	74.179.77.204	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
fe3cr.delivery.mp.microsoft.com	20.165.94.54	whitelisted

Threats

PID	Process	Class	Message
5040	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

No debug info

General Info

Download Rhinoceros 3D Full Crack.rar

F0D639C0F83F28520CA4BE402F95A892

E8BCB83F7D1B40F2875FA42857BBCD118D042A2A

558ADDCE27D6C672CE6F2C1FC40670C933C731338D4D6FC9EE0BF16F212FFF2C

24576:OpvgvqlmSXVmTnvkIU4AxT20QXwjncr/c21A4l3jjD3Z1LF7+/TzihVhcHI/:OtEqlmSXVmTnvkIUtxT20qw7crJ1A4lJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Start notepad (likely ransomware note)

Application launched itself

Starts CMD.EXE for commands execution

Uses ATTRIB.EXE to modify file attributes

Uses attrib.exe to force local storage

Modifies hosts file to alter network resolution

Service autostart disabling

Starts SC.EXE for service management

Stops a currently running service

Windows service management via SC.EXE

Uses NETSH.EXE to delete a firewall rule or allowed programs

Uses NETSH.EXE to add a firewall rule or allowed programs

INFO

Reads Microsoft Office registry keys

Reads mouse settings

Reads security settings of Internet Explorer

Checks supported languages

Reads the computer name

Executable content was dropped or overwritten

Drops script file

The sample compiled with english language support

Checks proxy server information

Manual execution by a user

Reads the machine GUID from the registry

Creates files in the program directory

.NET Reactor protector has been detected

There is functionality for taking screenshot (YARA)

The process uses AutoIt

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats