File name: ProxyScrape checker v1.1.rar
Full analysis: https://app.any.run/tasks/99be0b1e-e455-40e6-8f7b-f39aa7c6ad98
Verdict: Malicious activity
Analysis date: February 02, 2022, 03:28:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 011B6EEDD2994C26FA9EFA1144112D80
SHA1: 5AA93E6C3B7CD8F70FE73F36486A385F04044381
SHA256: 7E4D79F807A28620BEFFF82573AF306BA1EFDF43365A91FE9B0A4570F9527688
SSDEEP: 1536:mTfbc4kPiuWwKUrxbRTM/5RIb03C6D9Wstwdcd9mvopjIO:QI4uipIbRT0S6DQzdcdt
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3620)
      • ProxyChecker.exe (PID: 2948)
    • Application was dropped or rewritten from another process

      • ProxyChecker.exe (PID: 2948)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3632)
    • Reads Environment values

      • ProxyChecker.exe (PID: 2948)
    • Checks supported languages

      • WinRAR.exe (PID: 3632)
      • ProxyChecker.exe (PID: 2948)
    • Reads the computer name

      • WinRAR.exe (PID: 3632)
      • ProxyChecker.exe (PID: 2948)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3632)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3632)
  • INFO

    • Reads settings of System Certificates

      • ProxyChecker.exe (PID: 2948)
    • Manual execution by user

      • ProxyChecker.exe (PID: 2948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 1

Behavior graph

winrar.exe, searchprotocolhost.exe (no specs), proxychecker.exe (interactive process graph in the full report)

Process information

PID: 2948
CMD: "C:\Users\admin\Desktop\proxychecker\ProxyChecker.exe"
Path: C:\Users\admin\Desktop\proxychecker\ProxyChecker.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: ProxyChecker
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\proxychecker\proxychecker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
(mscoree.dll and mscoreei.dll from the v4.0.30319 directory are the .NET Framework 4 runtime loaders, so ProxyChecker.exe is a managed .NET assembly hosting the CLR.)

PID: 3620
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
(SearchProtocolHost.exe is the Windows Search indexer's protocol host, started by SearchIndexer.exe as SYSTEM; it is flagged for loading a dropped executable, but this page does not show which file, so confirm in the full report's events before treating it as sample-driven activity.)

PID: 3632
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ProxyScrape checker v1.1.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
Total events: 28 723
Read events: 28 674
Write events: 49
Delete events: 0

Modification events (all by PID 3632, WinRAR.exe; Operation: write)

Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  ShellExtBMP = (empty)
  ShellExtIcon = (empty)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
  LanguageList = en-US
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  2 = C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
  1 = C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
  0 = C:\Users\admin\AppData\Local\Temp\ProxyScrape checker v1.1.rar
  (ArcHistory is WinRAR's recent-archive list: entry 0 is this sample; entries 1 and 2 are archives already present on the sandbox image, shifted down when the sample was opened.)
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  name = 120
  size = 80
  type = 120
  mtime = 100
Executable files: 3
Suspicious files: 5
Text files: 1
Unknown types: 3

Dropped files

PID   Process           Path                                                                                                  Type
2948  ProxyChecker.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506  binary
      MD5: (not shown)  SHA256: (not shown)
2948  ProxyChecker.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506   compressed
      MD5: ACAEDA60C79C6BCAC925EEB3653F45E0  SHA256: 6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
3632  WinRAR.exe        C:\Users\admin\AppData\Local\Temp\Rar$DRa3632.14938\proxychecker\xNet-Ameliorated.dll                executable
      MD5: 44D7396D8B6FBD8F1E9FF4D0278BB767  SHA256: 16EA0EAB1FFE6B3B05ABF1B04BAA7C2695885795C5BFECB6CFCFA595A0FA7B30
2948  ProxyChecker.exe  C:\Users\admin\AppData\Local\Temp\Tar8CA0.tmp                                                         cat
      MD5: D99661D0893A52A0700B8AE68457351A  SHA256: BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
2948  ProxyChecker.exe  C:\Users\admin\AppData\Local\Temp\Tar8C8E.tmp                                                         cat
      MD5: D99661D0893A52A0700B8AE68457351A  SHA256: BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
2948  ProxyChecker.exe  C:\Users\admin\AppData\Local\Temp\Cab8C8D.tmp                                                         compressed
      MD5: ACAEDA60C79C6BCAC925EEB3653F45E0  SHA256: 6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
3632  WinRAR.exe        C:\Users\admin\AppData\Local\Temp\Rar$DRa3632.14938\proxychecker\Colorful.Console.dll                 executable
      MD5: 5F3D2CFBC21591B8FEEF1EFA3E59A4D0  SHA256: F31D4FD7E729FC6CF4ECAB972B6B1EE897918A325B1CA572030966F831E768FB
2948  ProxyChecker.exe  C:\Users\admin\AppData\Local\Temp\Cab8C9F.tmp                                                         compressed
      MD5: ACAEDA60C79C6BCAC925EEB3653F45E0  SHA256: 6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
3632  WinRAR.exe        C:\Users\admin\AppData\Local\Temp\Rar$DRa3632.14938\proxychecker\ProxyChecker.exe                     executable
      MD5: 5124F28EC4D487207B9CE6362C7B0D9B  SHA256: BD939A75151715536DCCDE6471B64A0AB6436184BD5FF4F3D89FCE976A1F5561
2948  ProxyChecker.exe  C:\Users\admin\AppData\Local\Temp\Cab8DE9.tmp                                                         compressed
      MD5: ACAEDA60C79C6BCAC925EEB3653F45E0  SHA256: 6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658

Note: the CryptnetUrlCache entry and the Cab*.tmp / Tar*.tmp files share two hashes across all their copies. CryptnetUrlCache is the Windows CryptoAPI cache for certificate data retrieved over the network, which lines up with the "Reads settings of System Certificates" indicator rather than with a payload drop. The three executables under Rar$DRa3632.14938\proxychecker are the archive's contents as extracted by WinRAR; those are the hashes worth pivoting on.
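The dropped-file list above mixes the archive's real contents with files Windows wrote on the program's behalf, and the same file appears under several names. The Python below is an added triage example, not part of the ANY.RUN report: it takes the rows above (copied inline), collapses duplicates by SHA256, and separates WinRAR's temporary extraction folder from CryptoAPI cache files. The Rar$ folder pattern and the Cab/Tar temp-file naming are assumptions drawn from how WinRAR and Windows CryptoAPI name those files; the report itself does not state them.

```python
import re
from collections import defaultdict

# Rows copied from the "Dropped files" section of this report:
# (pid, process, path, type, md5, sha256). The first row has no hashes on the page either.
DROPPED = [
    (2948, "ProxyChecker.exe", r"C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506", "binary", "", ""),
    (2948, "ProxyChecker.exe", r"C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506", "compressed", "ACAEDA60C79C6BCAC925EEB3653F45E0", "6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658"),
    (3632, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa3632.14938\proxychecker\xNet-Ameliorated.dll", "executable", "44D7396D8B6FBD8F1E9FF4D0278BB767", "16EA0EAB1FFE6B3B05ABF1B04BAA7C2695885795C5BFECB6CFCFA595A0FA7B30"),
    (2948, "ProxyChecker.exe", r"C:\Users\admin\AppData\Local\Temp\Tar8CA0.tmp", "cat", "D99661D0893A52A0700B8AE68457351A", "BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003"),
    (2948, "ProxyChecker.exe", r"C:\Users\admin\AppData\Local\Temp\Tar8C8E.tmp", "cat", "D99661D0893A52A0700B8AE68457351A", "BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003"),
    (2948, "ProxyChecker.exe", r"C:\Users\admin\AppData\Local\Temp\Cab8C8D.tmp", "compressed", "ACAEDA60C79C6BCAC925EEB3653F45E0", "6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658"),
    (3632, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa3632.14938\proxychecker\Colorful.Console.dll", "executable", "5F3D2CFBC21591B8FEEF1EFA3E59A4D0", "F31D4FD7E729FC6CF4ECAB972B6B1EE897918A325B1CA572030966F831E768FB"),
    (2948, "ProxyChecker.exe", r"C:\Users\admin\AppData\Local\Temp\Cab8C9F.tmp", "compressed", "ACAEDA60C79C6BCAC925EEB3653F45E0", "6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658"),
    (3632, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRa3632.14938\proxychecker\ProxyChecker.exe", "executable", "5124F28EC4D487207B9CE6362C7B0D9B", "BD939A75151715536DCCDE6471B64A0AB6436184BD5FF4F3D89FCE976A1F5561"),
    (2948, "ProxyChecker.exe", r"C:\Users\admin\AppData\Local\Temp\Cab8DE9.tmp", "compressed", "ACAEDA60C79C6BCAC925EEB3653F45E0", "6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658"),
]

HEX64 = re.compile(r"[0-9A-Fa-f]{64}")
# Assumed naming of the temp files Windows CryptoAPI writes while fetching certificate data
# (CabXXXX.tmp = downloaded cabinet, TarXXXX.tmp = extracted trust list).
CRYPTOAPI_TMP = re.compile(r"\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.IGNORECASE)
# Assumed naming of WinRAR's temporary extraction folder under %TEMP%.
RAR_TEMP = re.compile(r"\\Rar\$[^\\]+\\")


def classify(path):
    """Label a dropped-file path by where it came from."""
    if "\\CryptnetUrlCache\\" in path or CRYPTOAPI_TMP.search(path):
        return "cryptoapi-cache"
    if RAR_TEMP.search(path):
        return "archive-extract"
    return "other"


def triage(rows=DROPPED):
    """Group dropped files by SHA256 so repeated copies collapse into one record."""
    by_hash = defaultdict(lambda: {"paths": [], "classes": set(), "type": None, "md5": None})
    unhashed = []  # rows the report lists without a hash; nothing to pivot on
    for _pid, _proc, path, ftype, md5, sha256 in rows:
        if not HEX64.fullmatch(sha256):
            unhashed.append(path)
            continue
        rec = by_hash[sha256.upper()]
        rec["paths"].append(path)
        rec["classes"].add(classify(path))
        rec["type"] = ftype
        rec["md5"] = md5.upper()
    return dict(by_hash), unhashed


def payload_hashes(rows=DROPPED):
    """SHA256 values of executables that came out of the submitted archive."""
    by_hash, _ = triage(rows)
    return {h for h, r in by_hash.items()
            if r["type"] == "executable" and r["classes"] == {"archive-extract"}}


def noise_hashes(rows=DROPPED):
    """SHA256 values seen only as CryptoAPI cache artifacts."""
    by_hash, _ = triage(rows)
    return {h for h, r in by_hash.items() if r["classes"] == {"cryptoapi-cache"}}


if __name__ == "__main__":
    by_hash, unhashed = triage()
    for h, r in by_hash.items():
        print(h, r["type"], sorted(r["classes"]), len(r["paths"]), "copies")
    print("payloads:", sorted(payload_hashes()))
    print("no hash on page:", unhashed)
```

Running it reduces the eleven rows to five distinct hashes, three of which are the extracted executables; the other two are CryptoAPI cache content seen four and two times respectively.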
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 53
TCP/UDP connections: 97
DNS requests: 59
Threats: 31

HTTP requests (the HTTP code, content type and size columns are empty on this page; see the full report)

PID   Process           Method  IP:port              URL                                                                        Country  Reputation
2948  ProxyChecker.exe  GET     204.68.111.100:80    http://proxysearcher.sourceforge.net/Proxy%20List.php?type=socks           US       malicious
2948  ProxyChecker.exe  GET     172.67.219.60:80     http://premiumproxy.net/                                                   US       malicious
2948  ProxyChecker.exe  GET     172.67.219.60:80     http://premiumproxy.net/http-proxy-list                                    US       malicious
2948  ProxyChecker.exe  GET     23.254.165.218:80    http://rootjazz.com/proxies/proxies.txt                                    US       malicious
2948  ProxyChecker.exe  GET     172.67.202.192:80    http://proxy-daily.com/proxy/getproxymanual.php?limit=50000&filter=socks4  US       malicious
2948  ProxyChecker.exe  GET     142.250.186.161:80   http://vipaccounts24.blogspot.com/                                         US       whitelisted
2948  ProxyChecker.exe  GET     69.64.49.18:80       http://nntime.com/proxy-updated-09.htm                                     US       suspicious
2948  ProxyChecker.exe  GET     172.67.219.60:80     http://premiumproxy.net/http-proxy-list.php                                US       malicious
2948  ProxyChecker.exe  GET     142.250.186.161:80   http://freshssh-list2018.blogspot.com/feeds/posts/default                  US       whitelisted
2948  ProxyChecker.exe  GET     142.250.186.161:80   http://free-fresh-proxy-daily.blogspot.com/feeds/posts/default             US       whitelisted

Connections

PID   Process           IP:port               Domain                         ASN                               Country  Reputation
2948  ProxyChecker.exe  91.186.19.233:443     premproxy.com                  Simply Transit Ltd                GB       unknown
2948  ProxyChecker.exe  69.64.49.18:80        nntime.com                     server4you Inc.                   US       suspicious
2948  ProxyChecker.exe  85.214.115.35:443     proxydb.net                    Strato AG                         DE       unknown
2948  ProxyChecker.exe  204.68.111.100:80     proxysearcher.sourceforge.net  American Internet Services, LLC.  US       malicious
2948  ProxyChecker.exe  134.119.217.246:80    spys.ru                        velia.net Internetdienste GmbH    FR       suspicious
2948  ProxyChecker.exe  23.254.165.218:80     rootjazz.com                   Hostwinds LLC.                    US       malicious
2948  ProxyChecker.exe  172.67.219.60:80      premiumproxy.net               (not shown)                       US       suspicious
2948  ProxyChecker.exe  104.21.76.254:80      proxy-daily.com                Cloudflare Inc                    US       suspicious
2948  ProxyChecker.exe  142.250.186.161:80    vipaccounts24.blogspot.com     Google Inc.                       US       whitelisted
2948  ProxyChecker.exe  116.202.102.103:443   www.spoofs.de                  334,Udyog Vihar                   IN       suspicious

DNS requests

Domain                       IP                            Reputation
proxylistchecker.org         82.192.82.226                 suspicious
topproxy.info                (no answer shown)             malicious
www.spoofs.de                116.202.102.103               malicious
txt.proxyspy.net             103.224.182.253               malicious
vipaccounts24.blogspot.com   142.250.186.161               whitelisted
www.vipsocks24.net           192.157.56.142                whitelisted
www.proxydocker.com          13.37.118.229, 13.37.97.160   unknown
sslproxies24.blogspot.in     172.217.18.97                 whitelisted
nntime.com                   69.64.49.18                   unknown
proxyfreaks.com              78.41.204.26                  malicious
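The HTTP, Connections and DNS tables above describe the same hosts from three angles, and their reputation labels do not always agree (nntime.com is "suspicious" in one table and "unknown" in another). The Python below is an added example, not part of the ANY.RUN report: it merges the three tables (copied inline) into one record per domain, carries the most severe label forward, and lists the domains whose labels conflict so an analyst knows where to look first. The severity ordering of the four labels is an assumption of this example, not something the report defines.

```python
from urllib.parse import urlsplit

# Reputation labels as this report uses them, ordered least to most severe (assumed ordering).
SEVERITY = {"whitelisted": 0, "unknown": 1, "suspicious": 2, "malicious": 3}

# Copied from the HTTP requests table: (ip:port, url, reputation)
HTTP = [
    ("204.68.111.100:80", "http://proxysearcher.sourceforge.net/Proxy%20List.php?type=socks", "malicious"),
    ("172.67.219.60:80", "http://premiumproxy.net/", "malicious"),
    ("172.67.219.60:80", "http://premiumproxy.net/http-proxy-list", "malicious"),
    ("23.254.165.218:80", "http://rootjazz.com/proxies/proxies.txt", "malicious"),
    ("172.67.202.192:80", "http://proxy-daily.com/proxy/getproxymanual.php?limit=50000&filter=socks4", "malicious"),
    ("142.250.186.161:80", "http://vipaccounts24.blogspot.com/", "whitelisted"),
    ("69.64.49.18:80", "http://nntime.com/proxy-updated-09.htm", "suspicious"),
    ("172.67.219.60:80", "http://premiumproxy.net/http-proxy-list.php", "malicious"),
    ("142.250.186.161:80", "http://freshssh-list2018.blogspot.com/feeds/posts/default", "whitelisted"),
    ("142.250.186.161:80", "http://free-fresh-proxy-daily.blogspot.com/feeds/posts/default", "whitelisted"),
]
# Copied from the Connections table: (ip:port, domain, reputation)
CONNECTIONS = [
    ("91.186.19.233:443", "premproxy.com", "unknown"),
    ("69.64.49.18:80", "nntime.com", "suspicious"),
    ("85.214.115.35:443", "proxydb.net", "unknown"),
    ("204.68.111.100:80", "proxysearcher.sourceforge.net", "malicious"),
    ("134.119.217.246:80", "spys.ru", "suspicious"),
    ("23.254.165.218:80", "rootjazz.com", "malicious"),
    ("172.67.219.60:80", "premiumproxy.net", "suspicious"),
    ("104.21.76.254:80", "proxy-daily.com", "suspicious"),
    ("142.250.186.161:80", "vipaccounts24.blogspot.com", "whitelisted"),
    ("116.202.102.103:443", "www.spoofs.de", "suspicious"),
]
# Copied from the DNS requests table: (domain, resolved IPs, reputation); topproxy.info shows no answer.
DNS = [
    ("proxylistchecker.org", ["82.192.82.226"], "suspicious"),
    ("topproxy.info", [], "malicious"),
    ("www.spoofs.de", ["116.202.102.103"], "malicious"),
    ("txt.proxyspy.net", ["103.224.182.253"], "malicious"),
    ("vipaccounts24.blogspot.com", ["142.250.186.161"], "whitelisted"),
    ("www.vipsocks24.net", ["192.157.56.142"], "whitelisted"),
    ("www.proxydocker.com", ["13.37.118.229", "13.37.97.160"], "unknown"),
    ("sslproxies24.blogspot.in", ["172.217.18.97"], "whitelisted"),
    ("nntime.com", ["69.64.49.18"], "unknown"),
    ("proxyfreaks.com", ["78.41.204.26"], "malicious"),
]


def _record(iocs, domain):
    return iocs.setdefault(domain, {"ips": set(), "ports": set(), "urls": set(),
                                    "reps": set(), "sources": set()})


def consolidate():
    """Merge the three network tables into one record per domain."""
    iocs = {}
    for ipport, url, rep in HTTP:
        ip, port = ipport.rsplit(":", 1)
        r = _record(iocs, urlsplit(url).hostname)
        r["ips"].add(ip); r["ports"].add(int(port)); r["urls"].add(url)
        r["reps"].add(rep); r["sources"].add("http")
    for ipport, domain, rep in CONNECTIONS:
        ip, port = ipport.rsplit(":", 1)
        r = _record(iocs, domain)
        r["ips"].add(ip); r["ports"].add(int(port))
        r["reps"].add(rep); r["sources"].add("connection")
    for domain, ips, rep in DNS:
        r = _record(iocs, domain)
        r["ips"].update(ips); r["reps"].add(rep); r["sources"].add("dns")
    for r in iocs.values():
        # A domain inherits the most severe label any table gave it.
        r["worst"] = max(r["reps"], key=SEVERITY.__getitem__)
    return iocs


def worst(domain):
    return consolidate()[domain]["worst"]


def conflicting():
    """Domains whose reputation differs between tables; these deserve a manual look."""
    return sorted(d for d, r in consolidate().items() if len(r["reps"]) > 1)


def ranked():
    """Domains from most to least severe, alphabetical within a level."""
    iocs = consolidate()
    return sorted(iocs, key=lambda d: (-SEVERITY[iocs[d]["worst"]], d))


if __name__ == "__main__":
    iocs = consolidate()
    for d in ranked():
        r = iocs[d]
        print(f"{r['worst']:<11} {d:<30} ips={sorted(r['ips'])} via={sorted(r['sources'])}")
    print("conflicting labels:", conflicting())
```

The merge also surfaces that proxy-daily.com was reached at two different addresses (one in the HTTP table, another in the Connections table), which a single-table view hides.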

Threats

PID          Process           Class                    Message
2948         ProxyChecker.exe  Not Suspicious Traffic   ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
2948         ProxyChecker.exe  Misc activity            ET POLICY Proxy Server Lookup (nntime)
2948         ProxyChecker.exe  Potentially Bad Traffic  ET INFO Terse Request for .txt - Likely Hostile
(not shown)  (not shown)       Potentially Bad Traffic  ET DNS Query to a *.top domain - Likely Hostile
2948         ProxyChecker.exe  Misc activity            ET POLICY Proxy Server Lookup (nntime)
2948         ProxyChecker.exe  Potentially Bad Traffic  ET INFO Terse Request for .txt - Likely Hostile
2948         ProxyChecker.exe  Misc activity            ET POLICY Proxy Server Lookup (nntime)
2948         ProxyChecker.exe  Potentially Bad Traffic  ET INFO HTTP Request to a *.top domain
2948         ProxyChecker.exe  Potentially Bad Traffic  ET INFO Request to .TOP Domain with Minimal Headers
2948         ProxyChecker.exe  Misc activity            ET POLICY Proxy Server Lookup (nntime)
2 ETPRO signatures available at the full report
No debug info