File name: Desktop.rar

Full analysis: https://app.any.run/tasks/af3d42fb-2b24-4a71-840e-1ebb5584ebfb
Verdict: Malicious activity
Analysis date: May 16, 2025, 16:10:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
mydoom
arch-exec
arch-scr
arch-html
auto-reg
auto-startup
upx
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: E7AA9408EE2577D70DEC6B7B8B45B234
SHA1: D625011A040B62B7C91754344239E274CC2ED935
SHA256: 7CCFD9B52EA9C8F3FAF6AFAD17BABFF9C052B0B7561B912BCF4030EFB2E9EE78
SSDEEP: 98304:3Nm+xYOGxxZVEm+PcIPnjSduoiUILbRR9F3vfrgCyMSZdNx0kMmjP5YmTj3alrPK:4URHjy5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7392)
    • Changes the autorun value in the registry

      • Duksten.exe (PID: 7540)
      • Lacon.exe (PID: 7676)
    • Create files in the Startup directory

      • Lacon.exe (PID: 7676)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Lacon.exe (PID: 7676)
    • Creates file in the systems drive root

      • Merkur.exe (PID: 7844)
    • Uses REG/REGEDIT.EXE to modify registry

      • Merkur.exe (PID: 7844)
  • INFO

    • Auto-launch of the file from Registry key

      • Duksten.exe (PID: 7540)
      • Lacon.exe (PID: 7676)
    • Manual execution by a user

      • Duksten.exe (PID: 7540)
      • Lacon.exe (PID: 7628)
      • Lacon.exe (PID: 7676)
      • White.a.exe (PID: 7700)
      • Kiray.exe (PID: 7768)
      • Configuration Utility.exe (PID: 7808)
      • Merkur.exe (PID: 7844)
    • Checks supported languages

      • Duksten.exe (PID: 7540)
      • White.a.exe (PID: 7700)
      • Lacon.exe (PID: 7676)
      • Kiray.exe (PID: 7768)
      • Merkur.exe (PID: 7844)
    • Reads the computer name

      • Duksten.exe (PID: 7540)
      • Lacon.exe (PID: 7676)
      • White.a.exe (PID: 7700)
      • Kiray.exe (PID: 7768)
      • Merkur.exe (PID: 7844)
    • Failed to create an executable file in Windows directory

      • Duksten.exe (PID: 7540)
      • Merkur.exe (PID: 7844)
    • Create files in a temporary directory

      • White.a.exe (PID: 7700)
      • Kiray.exe (PID: 7768)
      • Merkur.exe (PID: 7844)
    • Creates files or folders in the user directory

      • Lacon.exe (PID: 7676)
    • The sample compiled with english language support

      • Lacon.exe (PID: 7676)
    • Auto-launch of the file from Startup directory

      • Lacon.exe (PID: 7676)
    • Checks proxy server information

      • slui.exe (PID: 5116)
    • UPX packer has been detected

      • Lacon.exe (PID: 7676)
    • Reads the software policy settings

      • slui.exe (PID: 5116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 10108
UncompressedSize: 34304
OperatingSystem: Win32
ArchivedFileName: MyPics.a.exe
No data.
All screenshots are available in the full report
Total processes: 141
Monitored processes: 13
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes in the graph, in start order: winrar.exe, duksten.exe, lacon.exe, lacon.exe, white.a.exe, outlook.exe, kiray.exe, configuration utility.exe, merkur.exe, regedit.exe, outlook.exe, slui.exe, outlook.exe

Process information

PID: 5116
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5772
CMD: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 7392
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Desktop.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7540
CMD: "C:\Users\admin\Desktop\Duksten.exe"
Path: C:\Users\admin\Desktop\Duksten.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\duksten.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7628
CMD: "C:\Users\admin\Desktop\Lacon.exe"
Path: C:\Users\admin\Desktop\Lacon.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\lacon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7676
CMD: "C:\Users\admin\Desktop\Lacon.exe"
Path: C:\Users\admin\Desktop\Lacon.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\users\admin\desktop\lacon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 7700
CMD: "C:\Users\admin\Desktop\White.a.exe"
Path: C:\Users\admin\Desktop\White.a.exe
Parent process: explorer.exe
User:
admin
Company:
[P54C]-133mhz
Integrity Level:
MEDIUM
Version:
1.01
Modules
Images
c:\users\admin\desktop\white.a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 7748
CMD: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Outlook
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 7768
CMD: "C:\Users\admin\Desktop\Kiray.exe"
Path: C:\Users\admin\Desktop\Kiray.exe
Parent process: explorer.exe
User:
admin
Company:
Macromedia, Inc.
Integrity Level:
MEDIUM
Description:
4,0,7,0
Version:
1.00
Modules
Images
c:\users\admin\desktop\kiray.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7808
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Configuration Utility.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Configuration Utility.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\configuration utility.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 16 419
Read events: 15 804
Write events: 568
Delete events: 47

Modification events

Process: (7392) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

Process: (7392) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

Process: (7392) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Process: (7392) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Desktop.rar

Process: (7392) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (7392) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (7392) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (7392) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (7540) Duksten.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: XRF
Value: C:\WINDOWS\system32\PrTecTor.exe

Process: (7676) Lacon.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Bndt32
Value: C:\Windows\System32\Bndt32.exe
Executable files: 3
Suspicious files: 4
Text files: 5
Unknown types: 0

Dropped files

PID: 7748
Process: OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook1.pst
MD5:
SHA256:

PID: 7676
Process: Lacon.exe
Filename: C:\Windows\SysWOW64\Bndt32.exe
Type: executable
MD5: CB0F7B3FD927CF0D0BA36302E6F9AF86
SHA256: 9B3F73A12A793D1648F3209E1E3F10BBB548B1EC21D53B8AC060B7B95AE4EF1F

PID: 7748
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin
Type: text
MD5: CC90D669144261B198DEAD45AA266572
SHA256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899

PID: 7676
Process: Lacon.exe
Filename: C:\Windows\SysWOW64\No Call List.exe
Type: executable
MD5: CB0F7B3FD927CF0D0BA36302E6F9AF86
SHA256: 9B3F73A12A793D1648F3209E1E3F10BBB548B1EC21D53B8AC060B7B95AE4EF1F

PID: 7748
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3DAF8309-E93F-4EC1-8745-6BA223C75806
Type: xml
MD5: 1C0942843D254D0379EC793826F3049D
SHA256: 71070B29604C469CAED26D374147A912BAEB5381F4ABD5B77C1DDD7545A2F237

PID: 7748
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_TableViewPreviewPrefs_2_D0EAFA910A9204429B596EC8AF0EE5AE.dat
Type: xml
MD5: 0E092DB99AEE99FDFF9B5B222C732CFD
SHA256: D1614AD99ADED9F6F5C1BE7FE7FFA5124BD04A526580DA3818EA8A954E852AA6

PID: 7748
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Type: binary
MD5: F8095D8E7AB91254187308E9E7BEF4D0
SHA256: 95BB92374B166C707E2E72AB1DE47FC4B1C63FF1FA27C53BF02B47F282711771

PID: 7700
Process: White.a.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFE6F33016443E6B8C.TMP
Type: binary
MD5: 0D3301281760CD82244BF687A73A6936
SHA256: EBEDEDE617AB650E58C43E4B3F0D43B8DBA0D0876772F0B8281BD3438C1F7353

PID: 7748
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
Type: binary
MD5: 8E35DC631CCB2DBB28FBF0DF540CEAE8
SHA256: CA060F4A1029C5C8021E06769747408F20A48934F5A1E601E03B4236A1F94AD8

PID: 8088
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20250516T1611180835-8088.etl
Type: binary
MD5: AD2E2807A30D1DD8489EA42457112C9E
SHA256: 9EC0E5FE60A6D5EC432E925E77C216F8CF62BFEAEB956650C1585FD47F76BF7C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 59
DNS requests: 18
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7180
SIHClient.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7180
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7180
SIHClient.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7180
SIHClient.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7180
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7180
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7180
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7180
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
40.126.31.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7748
OUTLOOK.EXE
52.109.89.18:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
login.live.com
  • 40.126.31.0
  • 40.126.31.129
  • 20.190.159.131
  • 20.190.159.130
  • 40.126.31.130
  • 20.190.159.128
  • 40.126.31.71
  • 40.126.31.3
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 172.217.16.206
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
whitelisted
omex.cdn.office.net
  • 23.50.131.87
  • 23.50.131.86
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
roaming.officeapps.live.com
  • 52.109.76.243
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
self.events.data.microsoft.com
  • 13.69.116.108
whitelisted

Threats

No threats detected
No debug info