File name: auu.rar
Full analysis: https://app.any.run/tasks/ab757126-4542-46be-8e07-7d058350d0e6
Verdict: Malicious activity
Analysis date: March 31, 2020, 08:34:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: C9120696039D6D5B26A4F1948F17B2E5
SHA1: 8A91B365AEE73D2D200DAAC2D364575301B870DF
SHA256: 79357AFCBEC66BE0031CFB71B9EFC7D4690417957090B22DC4EC7E4D7DC98591
SSDEEP: 24576:1pGTe2foW8HWRJkR/j5GMyziEXMHBhx/HTjaSTYiBI+5CW2UA2DWQI4pf6UGTe2c:GIW8HWRJkJthwMhD3aSbBI+YU5MIW8HP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3548)
      • X-KILLER Serv.exe (PID: 3996)
    • Application was dropped or rewritten from another process
      • NordVpn Checker Account By X-KILLER.exe (PID: 3424)
      • Microsoft Windows Protocol Services Host.exe (PID: 3128)
      • X-KILLER Serv.exe (PID: 3996)
      • Host del servicio Monitor.exe (PID: 3924)
    • Writes to a start menu file
      • NordVpn Checker Account By X-KILLER.exe (PID: 3424)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2804)
      • NordVpn Checker Account By X-KILLER.exe (PID: 3424)
      • X-KILLER Serv.exe (PID: 3996)
    • Writes to a desktop.ini file (may be used to cloak folders)
      • WinRAR.exe (PID: 2804)
    • Creates files in the user directory
      • NordVpn Checker Account By X-KILLER.exe (PID: 3424)
    • Creates files in the program directory
      • NordVpn Checker Account By X-KILLER.exe (PID: 3424)
    • Creates files in the Windows directory
      • NordVpn Checker Account By X-KILLER.exe (PID: 3424)
  • INFO
    • Manual execution by user
      • NordVpn Checker Account By X-KILLER.exe (PID: 3424)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
Total processes: 42
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the parent-process column of the process information below ("no specs" is the graph's label for processes without indicators):

explorer.exe
  |-- WinRAR.exe (PID 2804): drop and start
  `-- NordVpn Checker Account By X-KILLER.exe (PID 3424): manual execution by user
        |-- Microsoft Windows Protocol Services Host.exe (PID 3128): no specs
        |     `-- Host del servicio Monitor.exe (PID 3924): no specs
        `-- X-KILLER Serv.exe (PID 3996)
SearchIndexer.exe
  `-- SearchProtocolHost.exe (PID 3548): no specs

Process information

PID 2804 | WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\auu.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3548 | SearchProtocolHost.exe
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 3424 | NordVpn Checker Account By X-KILLER.exe
  CMD: "C:\Users\admin\Desktop\NordVpn Checker Account By X-KILLER\NordVpn Checker Account By X-KILLER.exe"
  Path: C:\Users\admin\Desktop\NordVpn Checker Account By X-KILLER\NordVpn Checker Account By X-KILLER.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Description: interface
  Exit code: 0
  Version: 1.0.0.0

PID 3128 | Microsoft Windows Protocol Services Host.exe
  CMD: "C:\Windows\Program Files (x86)\Microsoft Host Interface\bin\Microsoft Windows Protocol Services Host.exe" {Arguments If Needed}
  Path: C:\Windows\Program Files (x86)\Microsoft Host Interface\bin\Microsoft Windows Protocol Services Host.exe
  Parent process: NordVpn Checker Account By X-KILLER.exe
  User: admin
  Integrity Level: HIGH
  Description: Microsoft Windows Protocol Services Host
  Version: 1.0.0.0

PID 3996 | X-KILLER Serv.exe
  CMD: "C:\Users\admin\Desktop\NordVpn Checker Account By X-KILLER\bin\X-KILLER Serv.exe" {Arguments If Needed}
  Path: C:\Users\admin\Desktop\NordVpn Checker Account By X-KILLER\bin\X-KILLER Serv.exe
  Parent process: NordVpn Checker Account By X-KILLER.exe
  User: admin
  Integrity Level: HIGH
  Description: checker by X-KILLER
  Version: 1.0.0.0

PID 3924 | Host del servicio Monitor.exe
  CMD: "C:\Windows\Program Files (x86)\Microsoft Host Interface\bin\Host del servicio Monitor.exe"
  Path: C:\Windows\Program Files (x86)\Microsoft Host Interface\bin\Host del servicio Monitor.exe
  Parent process: Microsoft Windows Protocol Services Host.exe
  User: admin
  Integrity Level: HIGH
  Description: Microsoft Windows Protocol Monitor
  Version: 1.0.0.0
Total events: 1 641
Read events: 1 518
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 9
Suspicious files: 0
Text files: 0
Unknown types: 1

Dropped files

PID 2804 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2804.2424\NordVpn Checker Account By X-KILLER\SkinSoft.VisualStyler.dll

PID 2804 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2804.2424\NordVpn Checker Account By X-KILLER\Virus Total\desktop.ini

PID 2804 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2804.2424\NordVpn Checker Account By X-KILLER\Virus Total\scan.txt

PID 2804 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2804.2424\NordVpn Checker Account By X-KILLER\xNet.dll

PID 3424 (NordVpn Checker Account By X-KILLER.exe)
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk
  Type: lnk
  MD5: 6379E03EF3C569AAC6B11AA9A45A041D
  SHA256: CAA47864AE8B45E59248EAA0B63AC4EAB7B1094F386135672CC339A58A351409

PID 2804 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2804.2424\NordVpn Checker Account By X-KILLER\NordVpn Checker Account By X-KILLER.exe
  Type: executable
  MD5: 157DC17352A09048D99C70FF590647B4
  SHA256: B5D2E8ECAFD75E10E5A8E095DE13D702F8FB0E32024C0C188C9208A052356592

PID 2804 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2804.2424\NordVpn Checker Account By X-KILLER\bin\SkinSoft.VisualStyler.dll
  Type: executable
  MD5: 2D84A619D4BD339F860CB48AF0C9B6C8
  SHA256: 365FFDE7DF914840EB21C96F34C39912A4B031E3814B8E902B67ACEE6DFF65A1

PID 2804 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2804.2424\NordVpn Checker Account By X-KILLER\bin\Microsoft Windows Protocol Services Host.exe
  Type: executable
  MD5: CD6242455E74BEEEF78E9954E4F8F4E6
  SHA256: 35EAFBF9D0B2AEB388C7BDD133A08BBA856C3569734824A6926754ABD26B28E1

PID 3424 (NordVpn Checker Account By X-KILLER.exe)
  C:\Windows\Program Files (x86)\Microsoft Host Interface\bin\Host del servicio Monitor.exe
  Type: executable
  MD5: 94E8BA6252CD134661B36ED83B205C8E
  SHA256: 1DA772EFD33F6FFDB470CE076F3F5DB87F8691B980A2022B111B859C0ADC2AB0

PID 2804 (WinRAR.exe)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2804.2424\NordVpn Checker Account By X-KILLER\bin\X-KILLER Serv.exe
  Type: executable
  MD5: 97F09CDC26D5D74CF7F63E4223809F46
  SHA256: 8381D7E7C7F0D1BFF3D18FCB6B8DFC63D6A8943887E4BC105C8F225513EED832
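The process list and dropped-files table above show two things a responder would want to check for on other hosts: the dropped-file hashes themselves, and the two masquerading patterns the sample uses, a "Program Files (x86)" tree created under C:\Windows (the real Program Files directories live at the drive root) and a .lnk written to the per-user Start Menu Startup folder for persistence at logon. The script below is an added example, not ANY.RUN's code and not part of this report: it turns the SHA256 values from the "Dropped files" table into an IOC sweep over a directory tree (for example a mounted disk image) and adds a path heuristic for the two patterns. The files it creates in demo() are constructed stand-ins so it runs offline; the only real data in it are the hashes and paths copied from the report.

```python
"""IOC sweep and path-masquerade check derived from the report above.

Added example, not ANY.RUN's code. The SHA256 values are copied from the
report's "Dropped files" table; the files created in demo() are constructed
stand-ins so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import PureWindowsPath

# SHA256 -> file name, as listed in the report's "Dropped files" table.
REPORT_SHA256 = {
    "b5d2e8ecafd75e10e5a8e095de13d702f8fb0e32024c0c188c9208a052356592":
        "NordVpn Checker Account By X-KILLER.exe",
    "365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1":
        "bin\\SkinSoft.VisualStyler.dll",
    "35eafbf9d0b2aeb388c7bdd133a08bba856c3569734824a6926754abd26b28e1":
        "Microsoft Windows Protocol Services Host.exe",
    "1da772efd33f6ffdb470ce076f3f5db87f8691b980a2022b111b859c0adc2ab0":
        "Host del servicio Monitor.exe",
    "8381d7e7c7f0d1bff3d18fcb6b8dfc63d6a8943887e4bc105c8f225513eed832":
        "X-KILLER Serv.exe",
    "caa47864ae8b45e59248eaa0b63ac4eab7b1094f386135672cc339a58a351409":
        "Microsoft Startup.lnk",
}

# Paths taken from the report's process list and dropped-files table.
REPORT_PATHS = [
    r"C:\Program Files\WinRAR\WinRAR.exe",
    r"C:\Windows\Program Files (x86)\Microsoft Host Interface\bin\Host del servicio Monitor.exe",
    r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk",
]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def suspicious_path_reasons(win_path):
    """Return the masquerade patterns from the report that a Windows path matches."""
    p = PureWindowsPath(win_path)
    parts = [s.lower() for s in p.parts]
    reasons = []
    # Real Program Files trees sit at the drive root; C:\Windows\Program Files (x86)\...
    # only looks legitimate to someone skimming the path.
    if "windows" in parts:
        below_windows = parts[parts.index("windows") + 1:]
        if any(s in ("program files", "program files (x86)") for s in below_windows):
            reasons.append("Program Files directory nested under Windows")
    # A shortcut in the per-user Startup folder is executed at every logon.
    if p.suffix.lower() == ".lnk" and "start menu" in parts and "startup" in parts:
        reasons.append(".lnk in Start Menu Startup folder")
    return reasons


def sweep(root, iocs=REPORT_SHA256):
    """Hash every file under root; return (path, matched name) for IOC hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = sha256_file(full)
            if digest in iocs:
                hits.append((full, iocs[digest]))
    return hits


def demo():
    """Run both checks over a constructed tree and the report's paths."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign constructed file\n")
        stand_in = os.path.join(root, "bin", "dropped.exe")
        with open(stand_in, "wb") as f:
            f.write(b"constructed stand-in for a dropped binary\n")
        # On a real image only REPORT_SHA256 is used; the stand-in's digest is
        # added here because the real samples are not available offline.
        iocs = dict(REPORT_SHA256)
        iocs[sha256_file(stand_in)] = "constructed stand-in"
        hash_hits = [os.path.basename(p) for p, _ in sweep(root, iocs)]
    path_hits = {p: suspicious_path_reasons(p) for p in REPORT_PATHS}
    return {"hash_hits": hash_hits, "path_hits": path_hits}


if __name__ == "__main__":
    for section, value in demo().items():
        print(section, value)
```

On a real host, call sweep() with the mount point of the image and the default REPORT_SHA256; the path check is cheap enough to run over every file path the sweep visits, and it catches rebuilt copies of the sample that a changed hash would miss.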
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections: No data

DNS requests: No data

Threats: No threats detected
No debug info