File name:

RECYCLER.BIN.rar

Full analysis: https://app.any.run/tasks/1d8ada81-44d3-474d-bc51-903f5fbfd0bb
Verdict: Malicious activity
Analysis date: April 24, 2024, 08:22:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

3B7824176F12CA9E93C61FD0713BCA2F

SHA1:

92E59D5CDE77B0EFA5DDC67033AC9007C67926F8

SHA256:

80C9A1938C69E3262923B528ED3DC2A4EEF9451C673CB93465C33EE12B312CE2

SSDEEP:

6144:3Mm8zofHD18VzH79PADJ6kCz0XrhSMVs3/iJ2CY/:leo/6bVc6ktXrxVmqgp/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1072)
  • SUSPICIOUS

    • Write to the desktop.ini file (may be used to cloak folders)

      • WinRAR.exe (PID: 1072)
      • WinRAR.exe (PID: 2944)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 1072)
      • WinRAR.exe (PID: 2944)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2944)
    • Creates file in the systems drive root

      • AcroRd32.exe (PID: 2292)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1072)
      • WinRAR.exe (PID: 2944)
    • Manual execution by a user

      • explorer.exe (PID: 2416)
      • verclsid.exe (PID: 2000)
      • WinRAR.exe (PID: 2944)
      • rundll32.exe (PID: 3936)
      • notepad++.exe (PID: 2580)
      • notepad++.exe (PID: 1496)
      • explorer.exe (PID: 2636)
      • explorer.exe (PID: 3092)
      • rundll32.exe (PID: 492)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2944)
      • RdrCEF.exe (PID: 3760)
    • Checks supported languages

      • explorer.exe (PID: 3752)
      • explorer.exe (PID: 968)
      • explorer.exe (PID: 2636)
      • explorer.exe (PID: 3092)
    • Application launched itself

      • AcroRd32.exe (PID: 3516)
      • RdrCEF.exe (PID: 3760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 99493
UncompressedSize: 160779
OperatingSystem: Win32
ModifyDate: 2020:01:07 15:47:22
PackingMethod: Normal
ArchivedFileName: RECYCLER.BIN\adobeupdate.dat
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 20
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Processes shown in the graph, in order ("no specs" marks processes the report has no detailed record for): winrar.exe, explorer.exe (no specs), verclsid.exe (no specs), winrar.exe, explorer.exe (no specs), explorer.exe (no specs), rundll32.exe (no specs), notepad++.exe, explorer.exe (no specs), explorer.exe (no specs), notepad++.exe, rundll32.exe (no specs), acrord32.exe (no specs), acrord32.exe (no specs), rdrcef.exe (no specs) x6

Process information

PID
CMD
Path
Indicators
Parent process
PID: 492
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\adobeupdate.dat
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 968
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33713\RECYCLER.BIN\explorer.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33713\RECYCLER.BIN\explorer.exe
Parent process: WinRAR.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe CEF Helper
Exit code:
0
Version:
3.9.0.327
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2944.33713\recycler.bin\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID: 1072
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\RECYCLER.BIN.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1264
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1168,7849581620005856521,7126384639981973328,131072 --disable-features=NetworkService,VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/20.13.20064 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAABAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=6297176837595826912 --mojo-platform-channel-handle=1372 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
1
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1496
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\desktop.ini"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2000
CMD: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
Path: C:\Windows\System32\verclsid.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extension CLSID Verification Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\verclsid.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2292
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\Desktop\adobeupdate.dat"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
20.13.20064.405839
Modules
Images
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2416
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2580
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\adobeupdate.dat"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.91
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2636
CMD: "C:\Users\admin\Desktop\explorer.exe"
Path: C:\Users\admin\Desktop\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe CEF Helper
Exit code:
0
Version:
3.9.0.327
Modules
Images
c:\users\admin\desktop\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
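The records above show the point a reviewer should take from this report: two processes named explorer.exe (PIDs 968 and 2636) run from the extracted RECYCLER.BIN folder and from the Desktop, carry the version resource of "Adobe CEF Helper" 3.9.0.327 rather than Microsoft's, and were unpacked by WinRAR next to adobeupdate.dat and desktop.ini. The script below is an added example, not part of the ANY.RUN report and not ANY.RUN's own signature logic. It encodes those checks over records copied from this report's "Process information" and "Dropped files" tables; SYSTEM_NAMES, DECOY_FOLDERS, ARCHIVERS and the grouping rule in sideload_candidates are this example's own assumptions about what deserves analyst attention.

```python
"""Triage helpers for a sandbox report's process and dropped-file tables.

Added example (not ANY.RUN code). Sample records are copied from this
report; the name lists and rules are assumptions, not vendor signatures.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# Binary names worth a second look when they run from anywhere else (assumption).
SYSTEM_NAMES = {"explorer.exe", "rundll32.exe", "svchost.exe", "verclsid.exe"}
# Folder names that mimic Windows' own hidden folders (assumption).
DECOY_FOLDERS = {"recycler", "recycler.bin", "$recycle.bin"}
# Parents that mean "run straight out of the archive" (assumption).
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    path: str
    company: str
    description: str
    parent: str


@dataclass(frozen=True)
class Dropped:
    pid: int
    path: str
    kind: str  # the report's "Type" column: executable / binary / ini / text


def check_process(p):
    """Return the reasons this process record looks like system-binary impersonation."""
    name = ntpath.basename(p.path).lower()
    folder = ntpath.dirname(p.path)
    reasons = []
    if name in SYSTEM_NAMES and folder.lower() not in SYSTEM_DIRS:
        reasons.append(f"{name} running from {folder}, not a Windows directory")
    if name in SYSTEM_NAMES and "microsoft" not in p.company.lower():
        reasons.append(f"{name} carries version info '{p.company} / {p.description}'")
    if {seg.lower() for seg in p.path.split("\\")} & DECOY_FOLDERS:
        reasons.append("path contains a folder named like the Recycle Bin")
    if p.parent.lower() in ARCHIVERS:
        reasons.append(f"launched directly by {p.parent}")
    return reasons


def triage_processes(procs):
    """Map PID -> reasons, for processes with at least one reason."""
    flagged = {}
    for p in procs:
        reasons = check_process(p)
        if reasons:
            flagged[p.pid] = reasons
    return flagged


def sideload_candidates(dropped):
    """Group dropped files by folder and flag folders that hold an executable,
    a desktop.ini and at least one non-executable sidecar (e.g. a .dat payload)."""
    by_folder = defaultdict(list)
    for d in dropped:
        by_folder[ntpath.dirname(d.path).lower()].append(d)
    hits = {}
    for folder, files in by_folder.items():
        names = {ntpath.basename(d.path).lower(): d.kind for d in files}
        exes = sorted(n for n, k in names.items() if k == "executable")
        sidecars = sorted(n for n, k in names.items() if k not in ("executable", "ini"))
        if exes and "desktop.ini" in names and sidecars:
            hits[folder] = {"executable": exes, "sidecar": sidecars}
    return hits


# Records copied from this report's Process information table.
PROCESSES = [
    Proc(492, r"C:\Windows\System32\rundll32.exe", "Microsoft Corporation", "Windows host process (Rundll32)", "explorer.exe"),
    Proc(968, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33713\RECYCLER.BIN\explorer.exe", "Adobe Systems Incorporated", "Adobe CEF Helper", "WinRAR.exe"),
    Proc(2000, r"C:\Windows\System32\verclsid.exe", "Microsoft Corporation", "Extension CLSID Verification Host", "explorer.exe"),
    Proc(2416, r"C:\Windows\explorer.exe", "Microsoft Corporation", "Windows Explorer", "explorer.exe"),
    Proc(2636, r"C:\Users\admin\Desktop\explorer.exe", "Adobe Systems Incorporated", "Adobe CEF Helper", "explorer.exe"),
]

# Records copied from this report's Dropped files table.
DROPPED = [
    Dropped(2944, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33414\RECYCLER.BIN\adobeupdate.dat", "binary"),
    Dropped(2944, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33713\RECYCLER.BIN\adobeupdate.dat", "binary"),
    Dropped(2944, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33414\RECYCLER.BIN\desktop.ini", "ini"),
    Dropped(2944, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33414\RECYCLER.BIN\explorer.exe", "executable"),
    Dropped(1072, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1072.27851\RECYCLER.BIN\adobeupdate.dat", "binary"),
    Dropped(2944, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33713\RECYCLER.BIN\explorer.exe", "executable"),
    Dropped(1072, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1072.27851\RECYCLER.BIN\desktop.ini", "ini"),
    Dropped(1072, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa1072.27851\RECYCLER.BIN\explorer.exe", "executable"),
    Dropped(2580, r"C:\Users\admin\AppData\Roaming\Notepad++\session.xml", "text"),
    Dropped(2292, r"C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\TESTING", "binary"),
]

if __name__ == "__main__":
    for pid, reasons in triage_processes(PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
    for folder, hit in sideload_candidates(DROPPED).items():
        print(folder, "->", hit)
```

On this report's data the process check flags only PIDs 968 and 2636 (the genuine C:\Windows\explorer.exe, rundll32.exe and verclsid.exe pass), and the folder check returns the two fully extracted RECYCLER.BIN folders (the 33713 folder lacks desktop.ini in the dropped-file list, so it is not returned). The checks are a first cut for reading a report, not a substitute for verifying the Authenticode signature of the dropped explorer.exe, which the report does not show.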
Total events: 16,100
Read events: 15,822
Write events: 270
Delete events: 8

Modification events

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\RECYCLER.BIN.rar

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1072) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 3
Suspicious files: 61
Text files: 9
Unknown types: 5

Dropped files

PID
Process
Filename
Type
PID: 2944
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33414\RECYCLER.BIN\adobeupdate.dat
Type: binary
MD5: 58BDF783DA4C627D2F13612A09A9B5A8
SHA256: E3FAFA3B5C5EB9EDD1002A848312BC182460F2FF9C0DF732E6B6ACF6E00FC5EA

PID: 2944
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33713\RECYCLER.BIN\adobeupdate.dat
Type: binary
MD5: 58BDF783DA4C627D2F13612A09A9B5A8
SHA256: E3FAFA3B5C5EB9EDD1002A848312BC182460F2FF9C0DF732E6B6ACF6E00FC5EA

PID: 2944
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33414\RECYCLER.BIN\desktop.ini
Type: ini
MD5: 295E2C458447AD6C7315FB993804A7DE
SHA256: FBEA7BF4E29763EAE80BBFAAE38DBDBCCFDFCCA562959C2714ADB17844FE8954

PID: 2944
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33414\RECYCLER.BIN\explorer.exe
Type: executable
MD5: C70D8DCE46B4551133ECC58AED84BF0E
SHA256: 0459E62C5444896D5BE404C559C834BA455FA5CAE1689C70FC8C61BC15468681

PID: 1072
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1072.27851\RECYCLER.BIN\adobeupdate.dat
Type: binary
MD5: 58BDF783DA4C627D2F13612A09A9B5A8
SHA256: E3FAFA3B5C5EB9EDD1002A848312BC182460F2FF9C0DF732E6B6ACF6E00FC5EA

PID: 2944
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2944.33713\RECYCLER.BIN\explorer.exe
Type: executable
MD5: C70D8DCE46B4551133ECC58AED84BF0E
SHA256: 0459E62C5444896D5BE404C559C834BA455FA5CAE1689C70FC8C61BC15468681

PID: 1072
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1072.27851\RECYCLER.BIN\desktop.ini
Type: ini
MD5: 295E2C458447AD6C7315FB993804A7DE
SHA256: FBEA7BF4E29763EAE80BBFAAE38DBDBCCFDFCCA562959C2714ADB17844FE8954

PID: 1072
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1072.27851\RECYCLER.BIN\explorer.exe
Type: executable
MD5: C70D8DCE46B4551133ECC58AED84BF0E
SHA256: 0459E62C5444896D5BE404C559C834BA455FA5CAE1689C70FC8C61BC15468681

PID: 2580
Process: notepad++.exe
Filename: C:\Users\admin\AppData\Roaming\Notepad++\session.xml
Type: text
MD5: 667941115098B3FFC7CF474230279AE2
SHA256: 7D234DF5CC904A83DF65784CAB80666E3B8954A1A1B8ACCC75DE4C7FA09ACBC3

PID: 2292
Process: AcroRd32.exe
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\TESTING
Type: binary
MD5: DC84B0D741E5BEAE8070013ADDCC8C28
SHA256: 81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

The Domain, ASN and CN columns are empty for every row, and the export carries no PID or process for the first row. All four connections are local name-resolution broadcasts (LLMNR to 224.0.0.252:5355, NetBIOS to 192.168.100.255:137 and :138) from System and svchost.exe; none is attributed to the processes spawned from the archive.

DNS requests

No data

Threats

No threats detected
Process | Message
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe