File name:

1.rar

Full analysis: https://app.any.run/tasks/b5f537ce-c39c-4582-9d2a-92895b6416cf
Verdict: Malicious activity
Analysis date: September 18, 2019, 15:10:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

36421EDE11A144AD707DC4A8F055EDCF

SHA1:

99291F97E49B0403EE3841171FCF37C0E7F1A5A2

SHA256:

5C48CA53280880FB8A012E6C89B4E6B32995FC83DA461FCA9FF4718C95EDDCF6

SSDEEP:

49152:iX8Lmfiufb3xOuO5UEXTLQGD4Y7o1wltke:zqiuVn4tTLQGT3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 772)
      • ACProtect_2.0.exe (PID: 2180)

    • Application was dropped or rewritten from another process

      • ACProtect_2.0.exe (PID: 2180)
      • 0-371.exe (PID: 3644)
      • 0-371.exe (PID: 3116)
      • 0-371.exe (PID: 1420)
      • 0-371.exe (PID: 3560)
      • 0-371.exe (PID: 2928)
      • 0-371.exe (PID: 4072)
      • 0-371.exe (PID: 2984)
      • 0-371.exe (PID: 4068)
      • 0-371.exe (PID: 3120)
      • 0-371.exe (PID: 2272)
      • 0-371.exe (PID: 3452)
      • 0-371.exe (PID: 3956)
      • 0-371.exe (PID: 3728)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3824)
      • WinRAR.exe (PID: 4036)
      • ACProtect_2.0.exe (PID: 2180)

  • INFO

    • Manual execution by user

      • WinRAR.exe (PID: 3824)
      • ACProtect_2.0.exe (PID: 2180)
      • 0-371.exe (PID: 3644)
      • 0-371.exe (PID: 3116)
      • 0-371.exe (PID: 3560)
      • 0-371.exe (PID: 1420)
      • 0-371.exe (PID: 2928)
      • 0-371.exe (PID: 4072)
      • 0-371.exe (PID: 2984)
      • 0-371.exe (PID: 4068)
      • 0-371.exe (PID: 3120)
      • 0-371.exe (PID: 2272)
      • 0-371.exe (PID: 3452)
      • rundll32.exe (PID: 2884)
      • 0-371.exe (PID: 3956)
      • 0-371.exe (PID: 3728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 3420
UncompressedSize: 24576
OperatingSystem: Win32
ModifyDate: 2017:09:25 17:28:09
PackingMethod: Normal
ArchivedFileName: 0-37.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
18
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe winrar.exe searchprotocolhost.exe no specs acprotect_2.0.exe 0-371.exe no specs 0-371.exe no specs 0-371.exe no specs 0-371.exe no specs 0-371.exe no specs 0-371.exe no specs 0-371.exe no specs 0-371.exe no specs 0-371.exe no specs 0-371.exe no specs 0-371.exe no specs rundll32.exe no specs 0-371.exe no specs 0-371.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
772"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1420"C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exe" C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exeexplorer.exe
User:
admin
Company:
amd
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\ac protect 2.0\ac protect 2.0\0-371.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
2180"C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\ACProtect_2.0.exe" C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\ACProtect_2.0.exe
explorer.exe
User:
admin
Company:
RiScO
Integrity Level:
MEDIUM
Description:
Anti-Crack Protection
Exit code:
0
Version:
2.0.1.864
Modules
Images
c:\users\admin\desktop\ac protect 2.0\ac protect 2.0\acprotect_2.0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
2272"C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exe" C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exeexplorer.exe
User:
admin
Company:
amd
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\ac protect 2.0\ac protect 2.0\0-371.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
2884"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\tmp.acpC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2928"C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exe" C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exeexplorer.exe
User:
admin
Company:
amd
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\ac protect 2.0\ac protect 2.0\0-371.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
2984"C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exe" C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exeexplorer.exe
User:
admin
Company:
amd
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\ac protect 2.0\ac protect 2.0\0-371.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3116"C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exe" C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exeexplorer.exe
User:
admin
Company:
amd
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\ac protect 2.0\ac protect 2.0\0-371.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3120"C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exe" C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exeexplorer.exe
User:
admin
Company:
amd
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\ac protect 2.0\ac protect 2.0\0-371.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
3452"C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exe" C:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\0-371.exeexplorer.exe
User:
admin
Company:
amd
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\ac protect 2.0\ac protect 2.0\0-371.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events
1 219
Read events
1 133
Write events
85
Delete events
1

Modification events

(PID) Process:(4036) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(4036) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(4036) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4036) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\1.rar
(PID) Process:(4036) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4036) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4036) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4036) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4036) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(4036) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
8
Suspicious files
2
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
2180ACProtect_2.0.exeC:\Users\admin\Desktop\0-37.exe.bak
MD5:
SHA256:
2180ACProtect_2.0.exeC:\Users\admin\Desktop\tmp.acp
MD5:
SHA256:
2180ACProtect_2.0.exeC:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\tmp
MD5:
SHA256:
4036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa4036.43627\0-37.exeexecutable
MD5:
SHA256:
3824WinRAR.exeC:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\key.datbinary
MD5:
SHA256:
3824WinRAR.exeC:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\jcalg1.dllexecutable
MD5:
SHA256:
3824WinRAR.exeC:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\tmp.acpexecutable
MD5:
SHA256:
4036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa4036.43627\AC Protect 2.0.rarcompressed
MD5:
SHA256:
3824WinRAR.exeC:\Users\admin\Desktop\AC Protect 2.0\AC Protect 2.0\ACProtect_2.0.exeexecutable
MD5:
SHA256:
31160-371.exeC:\Users\admin\AppData\Local\VirtualStore\sgtxey.ogbtext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info