Field | Value |
---|---|
File name | HQTYK.rar |
Full analysis | https://app.any.run/tasks/2dc52ae5-8ed8-4d96-8b35-df49a2d06df4 |
Verdict | Malicious activity |
Analysis date | January 23, 2019, 08:43:58 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-rar |
File info | RAR archive data, v4, os: Win32 |
MD5 | EC3AFF3566A5E5332EEC8BF93F6D6A6C |
SHA1 | C153ADB4644D45FE10E856C0E77F23EBB634788C |
SHA256 | 7426711453DAE875DAECF8A2E3F21373CB85EEACD4EBD4114260812A6BC22219 |
SSDEEP | 3072:plmal9jtbg3Beh6VW7AX5EjcGD/pgHt3fXyb0UcHsuxWdjLel43lMT4MNhSGmSoP:BBKjY7+KjdDeHtvXyfZshiGM |
Extension | Identified type |
---|---|
.rar | RAR compressed archive (v-4.x) (58.3) |
.rar | RAR compressed archive (gen) (41.6) |
Archive property | Value |
---|---|
CompressedSize | 51306 |
UncompressedSize | 110592 |
OperatingSystem | Win32 |
ModifyDate | 2008:09:20 16:41:29 |
PackingMethod | Normal |
ArchivedFileName | HQTYK\c1.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2940 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HQTYK.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
1944 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
4016 | "C:\Users\admin\Desktop\HQTYK\Client.exe" | C:\Users\admin\Desktop\HQTYK\Client.exe | — | explorer.exe |

PID | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|
2940 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
1944 | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft Windows Search Protocol Host | — | 7.00.7600.16385 (win7_rtm.090713-1255) |
4016 | admin | 魔者社区:http://www.ihaoz.cn | MEDIUM | CRACK by 彩虹神话 | 0 | 3, 1, 0, 0 |
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
2940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | |
2940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | |
2940 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US |
2940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\HQTYK.rar |
2940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
2940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
2940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120 |
2940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100 |
2940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop |
2940 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2940 | WinRAR.exe | C:\Users\admin\Desktop\HQTYK\c1.dll | executable | D453BC9E9940B22F01EB0FE683E3E410 | C5BD0C262C1D9F066B4370A6A4CED9DD872D74E8B2823374016CC36CCC204151 |
2940 | WinRAR.exe | C:\Users\admin\Desktop\HQTYK\Client.exe | executable | 12FBDEF44A31B0209317A6312638B7C7 | F81CE54ED9657C850BD1933063D0E33843C7480084D29901056A3C337969CB81 |
2940 | WinRAR.exe | C:\Users\admin\Desktop\HQTYK\Server.exe | executable | CEC467595944E97F1BDF9BC6F871F697 | 10DABD7FA1C5019E00C11960DD5810E95159E3E63E1D3670366B0007F66E04C7 |
2940 | WinRAR.exe | C:\Users\admin\Desktop\HQTYK\Setup.exe | executable | 2BA72DD1658665A254CEF1F4F7692335 | B573F85785002D2C8C44D3E105A5180E633E5916226CD99DD32EB89C15BA486D |
2940 | WinRAR.exe | C:\Users\admin\Desktop\HQTYK\QHSock.dll | executable | C5433978C599E2C2B50C9E539C162B84 | 053E75DDA007FCDE0E15D5CA42F449E287F7DBCC603510A4E9467E433D0291C9 |
2940 | WinRAR.exe | C:\Users\admin\Desktop\HQTYK\s2.dll | executable | 3E5C3C30D374966FDEBDE646907566F8 | E328AC99FCBF1392A54CC3DF2027A6DEB3B8C04F92499110893F838F7451542B |
4016 | Client.exe | C:\Users\admin\Desktop\HQTYK\server.dat | binary | 80E8D05106470894A82639577CEE3153 | 7E7083BE6E3D373423B91405C0D5F13296F93925B868BA085EC589A109FD8599 |
2940 | WinRAR.exe | C:\Users\admin\Desktop\HQTYK\s1.dll | executable | 3456424B3B3BFE09B0DE9CB966F2A28A | 91F0BFF6FF2C8EBD5F97F3BE972D3EA6950EAFACCDB1E90F9C15BDD939C68152 |
2940 | WinRAR.exe | C:\Users\admin\Desktop\HQTYK\server.dat | binary | 5E28BA7BF5140F80AB6521709721AEBD | DA1A68D263619E955587FFEFF70DE3694BE0DBF1E05A09861900EB90BE9A46BC |
2940 | WinRAR.exe | C:\Users\admin\Desktop\HQTYK\sc.dll | executable | 6BCC75365C3494FDD87C920B89A9B322 | 48E2D2EC725AC72B0541E56606FEC1A012AE428AAA079B8D90B72086413F5A76 |