analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

HQTYK.rar

Full analysis: https://app.any.run/tasks/2dc52ae5-8ed8-4d96-8b35-df49a2d06df4
Verdict: Malicious activity
Analysis date: January 23, 2019, 08:43:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

EC3AFF3566A5E5332EEC8BF93F6D6A6C

SHA1:

C153ADB4644D45FE10E856C0E77F23EBB634788C

SHA256:

7426711453DAE875DAECF8A2E3F21373CB85EEACD4EBD4114260812A6BC22219

SSDEEP:

3072:plmal9jtbg3Beh6VW7AX5EjcGD/pgHt3fXyb0UcHsuxWdjLel43lMT4MNhSGmSoP:BBKjY7+KjdDeHtvXyfZshiGM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Client.exe (PID: 4016)
      • SearchProtocolHost.exe (PID: 1944)
    • Application was dropped or rewritten from another process

      • Client.exe (PID: 4016)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2940)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 51306
UncompressedSize: 110592
OperatingSystem: Win32
ModifyDate: 2008:09:20 16:41:29
PackingMethod: Normal
ArchivedFileName: HQTYK\c1.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs client.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2940"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HQTYK.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1944"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
4016"C:\Users\admin\Desktop\HQTYK\Client.exe" C:\Users\admin\Desktop\HQTYK\Client.exeexplorer.exe
User:
admin
Company:
魔者社区:http://www.ihaoz.cn
Integrity Level:
MEDIUM
Description:
CRACK by 彩虹神话
Exit code:
0
Version:
3, 1, 0, 0
Total events
777
Read events
756
Write events
21
Delete events
0

Modification events

(PID) Process:(2940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2940) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\HQTYK.rar
(PID) Process:(2940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:writeName:0
Value:
C:\Users\admin\Desktop
(PID) Process:(2940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
9
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2940WinRAR.exeC:\Users\admin\Desktop\HQTYK\c1.dllexecutable
MD5:D453BC9E9940B22F01EB0FE683E3E410
SHA256:C5BD0C262C1D9F066B4370A6A4CED9DD872D74E8B2823374016CC36CCC204151
2940WinRAR.exeC:\Users\admin\Desktop\HQTYK\Client.exeexecutable
MD5:12FBDEF44A31B0209317A6312638B7C7
SHA256:F81CE54ED9657C850BD1933063D0E33843C7480084D29901056A3C337969CB81
2940WinRAR.exeC:\Users\admin\Desktop\HQTYK\Server.exeexecutable
MD5:CEC467595944E97F1BDF9BC6F871F697
SHA256:10DABD7FA1C5019E00C11960DD5810E95159E3E63E1D3670366B0007F66E04C7
2940WinRAR.exeC:\Users\admin\Desktop\HQTYK\Setup.exeexecutable
MD5:2BA72DD1658665A254CEF1F4F7692335
SHA256:B573F85785002D2C8C44D3E105A5180E633E5916226CD99DD32EB89C15BA486D
2940WinRAR.exeC:\Users\admin\Desktop\HQTYK\QHSock.dllexecutable
MD5:C5433978C599E2C2B50C9E539C162B84
SHA256:053E75DDA007FCDE0E15D5CA42F449E287F7DBCC603510A4E9467E433D0291C9
2940WinRAR.exeC:\Users\admin\Desktop\HQTYK\s2.dllexecutable
MD5:3E5C3C30D374966FDEBDE646907566F8
SHA256:E328AC99FCBF1392A54CC3DF2027A6DEB3B8C04F92499110893F838F7451542B
4016Client.exeC:\Users\admin\Desktop\HQTYK\server.datbinary
MD5:80E8D05106470894A82639577CEE3153
SHA256:7E7083BE6E3D373423B91405C0D5F13296F93925B868BA085EC589A109FD8599
2940WinRAR.exeC:\Users\admin\Desktop\HQTYK\s1.dllexecutable
MD5:3456424B3B3BFE09B0DE9CB966F2A28A
SHA256:91F0BFF6FF2C8EBD5F97F3BE972D3EA6950EAFACCDB1E90F9C15BDD939C68152
2940WinRAR.exeC:\Users\admin\Desktop\HQTYK\server.datbinary
MD5:5E28BA7BF5140F80AB6521709721AEBD
SHA256:DA1A68D263619E955587FFEFF70DE3694BE0DBF1E05A09861900EB90BE9A46BC
2940WinRAR.exeC:\Users\admin\Desktop\HQTYK\sc.dllexecutable
MD5:6BCC75365C3494FDD87C920B89A9B322
SHA256:48E2D2EC725AC72B0541E56606FEC1A012AE428AAA079B8D90B72086413F5A76
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info