File name: daprovare (1).rar

Full analysis: https://app.any.run/tasks/bbfa49e9-06d5-4965-97d8-cefd8a723bd0
Verdict: Malicious activity
Analysis date: November 16, 2019, 20:46:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 3B4503CEA21FDC60BC8F76EFBABBB8E5
SHA1: 6B474A089366B8EA4765B8ED0A33C5977E31F0EF
SHA256: 7017DD101CDD2C7CBB5F6AEE8D2F52DDFE443B42272505396D20DDA9256B8B07
SSDEEP: 196608:xHt3JIaIjWaRcOqATB9CFms5rhOSHkkdwA+tpOGtxwJjl1R4:TaewcOqkBoprb3dwAM0G3wNi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • X2.exe (PID: 3316)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3460)
      • X2.exe (PID: 3316)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2968)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 2968)
    • Manual execution by user
      • X2.exe (PID: 3316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown: winrar.exe, searchprotocolhost.exe (no specs), x2.exe (no specs)

Process information

PID: 2968
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\daprovare (1).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 3316
CMD: "C:\Users\admin\Desktop\Files\LR\X2.exe"
Path: C:\Users\admin\Desktop\Files\LR\X2.exe
Parent process: explorer.exe
User: admin
Company: <X2 ARQC>
Integrity Level: MEDIUM
Description: <X2>
Exit code: 0
Version: 2.1.0.1
Modules (images):
  c:\users\admin\desktop\files\lr\x2.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\users\admin\desktop\files\lr\sqlite3.dll
  c:\windows\system32\msvcrt.dll
  c:\users\admin\desktop\files\lr\globalplatform.dll
  c:\users\admin\desktop\files\lr\zlib1.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 3460
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\searchprotocolhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
Total events: 787
Read events: 764
Write events: 23
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(2968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (not listed)
(2968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (not listed)
(2968) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | LanguageList | en-US
(2968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\daprovare (1).rar
(2968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(2968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(2968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
(2968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
(2968) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
(3460) SearchProtocolHost.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E | LanguageList | en-US
Executable files: 7
Suspicious files: 5
Text files: 1
Unknown types: 3

Dropped files

PID | Process | Filename | Type
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\X2.pdb | (type not listed)
  MD5: (not listed) | SHA256: (not listed)
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\cardpeek-0.8.1-win32-setup.exe | executable
  MD5: (not listed) | SHA256: (not listed)
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\Bin.db | sqlite
  MD5: (not listed) | SHA256: (not listed)
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\bins-ok.pdf | pdf
  MD5: (not listed) | SHA256: (not listed)
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\Cardpeek currency.pdf | pdf
  MD5: (not listed) | SHA256: (not listed)
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\Dump shops.txt | text
  MD5: (not listed) | SHA256: (not listed)
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\GlobalPlatform.dll | executable
  MD5: 4696B9FAE32C96D487DAA887D830261B | SHA256: D516E641E63F4195C374ECEDBEE074C345AF178D703FA0761C990141E056B992
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\mac.dat | compressed
  MD5: 3709E18B229E3DB113BF5C7863C59DB4 | SHA256: 9DC70002E82C78EE34C813597925C6CF8AA8D68B7E9CE5BCC70EA9BCAB9DBF4A
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\cardtemp.dat | binary
  MD5: F1D3FF8443297732862DF21DC4E57262 | SHA256: DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119
2968 | WinRAR.exe | C:\Users\admin\Desktop\Files\LR\mac2.dat | compressed
  MD5: CBF974E9DB892E5105C2AD1D4013B1DD | SHA256: E82114E55C2EAEC534ED78F59258AAE46DA1E343476BDC4EA236CA5FA1E4047A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info