File name: ShareX-13.0.1-setup.rar

Full analysis: https://app.any.run/tasks/a7faf25e-3ab6-40b7-8636-1179edd19f32
Verdict: Malicious activity
Analysis date: September 27, 2019, 12:52:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 598BEAE1547CE27A062FF7BAE8A088A2
SHA1: 541C7D7565F8D6E6B908492F2C83C8E72E424C89
SHA256: 86CA05AD6CAF638B68610A4AF72AE0CE1D11284F2A62B6C3158C97C1673272FD
SSDEEP: 98304:5CErpqJxRTP4R8Rffmth1dVX0BsIR0pEq6URUt:5xCTfXWhAb0uMq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ShareX-13.0.1-setup.exe (PID: 2784)
      • ShareX-13.0.1-setup.exe (PID: 2136)
      • ShareX.exe (PID: 2564)
    • Changes settings of System certificates

      • ShareX.exe (PID: 2564)
    • Writes to a start menu file

      • ShareX-13.0.1-setup.tmp (PID: 3128)
    • Loads dropped or rewritten executable

      • ShareX.exe (PID: 2564)
  • SUSPICIOUS

    • Reads the Windows organization settings

      • ShareX-13.0.1-setup.tmp (PID: 3128)
    • Reads Windows owner or organization settings

      • ShareX-13.0.1-setup.tmp (PID: 3128)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3392)
      • ShareX-13.0.1-setup.exe (PID: 2136)
      • ShareX-13.0.1-setup.exe (PID: 2784)
      • ShareX-13.0.1-setup.tmp (PID: 3128)
    • Reads Internet Cache Settings

      • ShareX.exe (PID: 2564)
    • Adds / modifies Windows certificates

      • ShareX.exe (PID: 2564)
    • Creates files in the user directory

      • ShareX-13.0.1-setup.tmp (PID: 3128)
    • Reads Environment values

      • ShareX.exe (PID: 2564)
    • Modifies the open verb of a shell class

      • ShareX.exe (PID: 2564)
  • INFO

    • Manual execution by user

      • explorer.exe (PID: 4088)
    • Application was dropped or rewritten from another process

      • ShareX-13.0.1-setup.tmp (PID: 3248)
      • ShareX-13.0.1-setup.tmp (PID: 3128)
    • Loads dropped or rewritten executable

      • ShareX-13.0.1-setup.tmp (PID: 3128)
    • Reads settings of System Certificates

      • ShareX.exe (PID: 2564)
    • Creates a software uninstall entry

      • ShareX-13.0.1-setup.tmp (PID: 3128)
    • Creates files in the program directory

      • ShareX-13.0.1-setup.tmp (PID: 3128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 2

Behavior graph (interactive in the full report; nodes: explorer.exe, winrar.exe, sharex-13.0.1-setup.exe, sharex-13.0.1-setup.tmp, sharex-13.0.1-setup.exe, sharex-13.0.1-setup.tmp, sharex.exe; edges labelled "drop and start")

Process information

PID: 2136
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3392.24923\ShareX-13.0.1-setup.exe" /SPAWNWND=$201EC /NOTIFYWND=$201CE
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3392.24923\ShareX-13.0.1-setup.exe
Parent process: ShareX-13.0.1-setup.tmp
User: admin
Company: ShareX Team
Integrity Level: HIGH
Description: ShareX Setup
Exit code: 0
Version: 13.0.1
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3392.24923\sharex-13.0.1-setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 2564
CMD: "C:\Program Files\ShareX\ShareX.exe"
Path: C:\Program Files\ShareX\ShareX.exe
Parent process: ShareX-13.0.1-setup.tmp
User: admin
Company: ShareX Team
Integrity Level: MEDIUM
Description: ShareX
Exit code: 0
Version: 13.0.1
Modules (images):
c:\program files\sharex\sharex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2784
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3392.24923\ShareX-13.0.1-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3392.24923\ShareX-13.0.1-setup.exe
Parent process: WinRAR.exe
User: admin
Company: ShareX Team
Integrity Level: MEDIUM
Description: ShareX Setup
Exit code: 0
Version: 13.0.1
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa3392.24923\sharex-13.0.1-setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll

PID: 3128
CMD: "C:\Users\admin\AppData\Local\Temp\is-NSHVK.tmp\ShareX-13.0.1-setup.tmp" /SL5="$301EA,5183354,121344,C:\Users\admin\AppData\Local\Temp\Rar$EXa3392.24923\ShareX-13.0.1-setup.exe" /SPAWNWND=$201EC /NOTIFYWND=$201CE
Path: C:\Users\admin\AppData\Local\Temp\is-NSHVK.tmp\ShareX-13.0.1-setup.tmp
Parent process: ShareX-13.0.1-setup.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-nshvk.tmp\sharex-13.0.1-setup.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 3248
CMD: "C:\Users\admin\AppData\Local\Temp\is-JE5GA.tmp\ShareX-13.0.1-setup.tmp" /SL5="$201CE,5183354,121344,C:\Users\admin\AppData\Local\Temp\Rar$EXa3392.24923\ShareX-13.0.1-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-JE5GA.tmp\ShareX-13.0.1-setup.tmp
Parent process: ShareX-13.0.1-setup.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-je5ga.tmp\sharex-13.0.1-setup.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

PID: 3392
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\ShareX-13.0.1-setup.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 4088
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 1 278
Read events: 1 185
Write events: 87
Delete events: 6

Modification events

Process: (PID 3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

Process: (PID 3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

Process: (PID 3392) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (PID 3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Downloads\ShareX-13.0.1-setup.rar

Process: (PID 3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (PID 3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (PID 3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (PID 3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (PID 3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (PID 3392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 140
Suspicious files: 0
Text files: 300
Unknown types: 6

Dropped files

PID  | Process                 | Filename
3128 | ShareX-13.0.1-setup.tmp | C:\Program Files\ShareX\is-1MGH8.tmp
3128 | ShareX-13.0.1-setup.tmp | C:\Program Files\ShareX\is-VP26K.tmp
3128 | ShareX-13.0.1-setup.tmp | C:\Program Files\ShareX\is-S8CRO.tmp
3128 | ShareX-13.0.1-setup.tmp | C:\Program Files\ShareX\is-9K5OM.tmp
3128 | ShareX-13.0.1-setup.tmp | C:\Program Files\ShareX\is-I5S9I.tmp
3128 | ShareX-13.0.1-setup.tmp | C:\Program Files\ShareX\is-NOMVA.tmp
3128 | ShareX-13.0.1-setup.tmp | C:\Program Files\ShareX\is-P3MIA.tmp
3128 | ShareX-13.0.1-setup.tmp | C:\Program Files\ShareX\is-V8VGH.tmp
3128 | ShareX-13.0.1-setup.tmp | C:\Program Files\ShareX\is-PIB3Q.tmp
3128 | ShareX-13.0.1-setup.tmp | C:\Program Files\ShareX\is-5G7HG.tmp
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  | Process    | IP                  | Domain         | ASN          | CN | Reputation
2564 | ShareX.exe | 140.82.118.5:443    | api.github.com |              | US | suspicious
2564 | ShareX.exe | 185.199.109.153:443 | getsharex.com  | GitHub, Inc. | NL | shared

DNS requests

Domain         | IP                                                                  | Reputation
api.github.com | 140.82.118.5                                                        | whitelisted
getsharex.com  | 185.199.109.153, 185.199.110.153, 185.199.111.153, 185.199.108.153 | whitelisted

Threats

No threats detected
No debug info