URL:

http://www.cbr.ru/vfs/analytics/mocod/MOCOD.rar

Full analysis: https://app.any.run/tasks/f4853ddf-d50d-4cc2-92b5-1d372a284356
Verdict: Malicious activity
Analysis date: September 19, 2019, 05:26:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

0223004310527615C1A6DCD2639D7F4E

SHA1:

EC5B5A52E9B5C42BFC97C8239BADDB399E78F9A8

SHA256:

768AC605F68CDAF8BF4884281CF722180567B1A3B7EBD1BBB815904F10632B69

SSDEEP:

3:N1KJS4eTKoZI83mqhjEXn:Cc4M5Zb3dha

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 392)
      • MOCOD.exe (PID: 4080)

    • Application was dropped or rewritten from another process

      • MOCOD.exe (PID: 4080)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2928)

    • Reads Environment values

      • MOCOD.exe (PID: 4080)

  • INFO

    • Creates files in the user directory

      • opera.exe (PID: 3424)

    • Reads Internet Cache Settings

      • opera.exe (PID: 3424)

    • Reads the hosts file

      • RdrCEF.exe (PID: 3388)

    • Manual execution by user

      • WinRAR.exe (PID: 2928)
      • NOTEPAD.EXE (PID: 1576)
      • AcroRd32.exe (PID: 2980)
      • MOCOD.exe (PID: 4080)

    • Application launched itself

      • RdrCEF.exe (PID: 3388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
10
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start opera.exe winrar.exe notepad.exe no specs searchprotocolhost.exe no specs acrord32.exe no specs acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs mocod.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
392"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1576"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\MOCOD\Readme.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2928"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\MOCOD.rar" C:\Users\admin\Desktop\C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2980"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\Desktop\MOCOD\Пример расшифровки файла выборки Кредитные требования физических лиц.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeexplorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3036"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\Desktop\MOCOD\Пример расшифровки файла выборки Кредитные требования физических лиц.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3040"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3388.0.550728857\308127505" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3376"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3388.1.1427135396\1044068077" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3388"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Exit code:
3221225547
Version:
15.23.20053.211670
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3424"C:\Program Files\Opera\opera.exe" "http://www.cbr.ru/vfs/analytics/mocod/MOCOD.rar"C:\Program Files\Opera\opera.exe
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Exit code:
0
Version:
1748
Modules
Images
c:\program files\opera\opera.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
4080"C:\Users\admin\Desktop\MOCOD\MOCOD_x32\MOCOD.exe" C:\Users\admin\Desktop\MOCOD\MOCOD_x32\MOCOD.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.15.1.1205
Modules
Images
c:\users\admin\desktop\mocod\mocod_x32\mocod.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
1 337
Read events
1 067
Write events
268
Delete events
2

Modification events

(PID) Process:(3424) opera.exeKey:HKEY_CURRENT_USER\Software\Opera Software
Operation:writeName:Last CommandLine v2
Value:
C:\Program Files\Opera\opera.exe "http://www.cbr.ru/vfs/analytics/mocod/MOCOD.rar"
(PID) Process:(3424) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3424) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(3424) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
0200000001000000000000000700000006000000030000000500000004000000FFFFFFFF
(PID) Process:(3424) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_FolderType
Value:
{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}
(PID) Process:(3424) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_TopViewID
Value:
{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
(PID) Process:(3424) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_TopViewVersion
Value:
0
(PID) Process:(3424) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation:writeName:Mode
Value:
4
(PID) Process:(3424) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation:writeName:LogicalViewMode
Value:
1
(PID) Process:(3424) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation:writeName:FFlags
Value:
1092616257
Executable files
43
Suspicious files
28
Text files
92
Unknown types
12

Dropped files

PID
Process
Filename
Type
3424opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprA1C3.tmp
MD5:
SHA256:
3424opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\oprA1D3.tmp
MD5:
SHA256:
3424opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\oprA222.tmp
MD5:
SHA256:
3424opera.exeC:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00002.tmp
MD5:
SHA256:
3424opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1MQTM1F1DS3RLB6P2SUD.temp
MD5:
SHA256:
3424opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\oprEF59.tmp
MD5:
SHA256:
3424opera.exeC:\Users\admin\Desktop\MOCOD.rar
MD5:
SHA256:
3424opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xmlxml
MD5:
SHA256:
3424opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.datbinary
MD5:
SHA256:
3424opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.initext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3424
opera.exe
GET
200
212.40.192.49:80
http://www.cbr.ru/vfs/analytics/mocod/MOCOD.rar
RU
compressed
22.5 Mb
suspicious
3424
opera.exe
GET
200
93.184.220.29:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
US
der
528 b
whitelisted
3424
opera.exe
GET
400
107.167.110.216:80
http://sitecheck2.opera.com/?host=www.cbr.ru&hdn=qZQ0TLZXlt/x2/7hGX%2BOMg==
US
html
150 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3424
opera.exe
212.40.192.49:80
www.cbr.ru
Bank of Russia
RU
unknown
3424
opera.exe
107.167.110.216:80
sitecheck2.opera.com
Opera Software Americas LLC
US
malicious
3424
opera.exe
185.26.182.94:443
certs.opera.com
Opera Software AS
whitelisted
3424
opera.exe
93.184.220.29:80
crl4.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3424
opera.exe
185.26.182.93:443
certs.opera.com
Opera Software AS
whitelisted

DNS requests

Domain
IP
Reputation
www.cbr.ru
  • 212.40.192.49
suspicious
sitecheck2.opera.com
  • 107.167.110.216
  • 107.167.110.211
whitelisted
certs.opera.com
  • 185.26.182.94
  • 185.26.182.93
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.cbr.ru/vfs/analytics/mocod/MOCOD.rar