File name: X2-Software.rar

Full analysis: https://app.any.run/tasks/daba9d70-59c2-478d-9846-2e084f6ae847
Verdict: Malicious activity
Analysis date: November 11, 2019, 07:37:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 572B5FDFCE2EB377BCA06298A55BE9F8
SHA1: A201CA0F2E4BD82EE71BD85B247FAABD6DCBB938
SHA256: 879450B2A8141AB47163256D736257C5AFFBE674634CD3F71BF14D4336BE79B3
SSDEEP: 98304:lMugZDX1eGNWknTkKVPPGQAkEjum+Pwmhf8J7:2uggknY23GiCg4KfC7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3416)
      • X2soft.exe (PID: 4072)
    • Application was dropped or rewritten from another process

      • X2soft.exe (PID: 4072)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1812)
  • INFO

    • Manual execution by user

      • X2soft.exe (PID: 4072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown: winrar.exe, searchprotocolhost.exe (no specs), x2soft.exe (no specs)

Process information

PID: 1812
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\X2-Software.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3416
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 4072
CMD: "C:\Users\admin\Desktop\X2-Software\X2soft.exe"
Path: C:\Users\admin\Desktop\X2-Software\X2soft.exe
Parent process: explorer.exe
User: admin
Company: <X2 ICQ: 652228289>
Integrity Level: MEDIUM
Description: <X2>
Exit code: 2
Version: 1.1.0.1
Modules
Images
c:\users\admin\desktop\x2-software\x2soft.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\x2-software\sqlite3.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\desktop\x2-software\globalplatform.dll
c:\users\admin\desktop\x2-software\zlib1.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 790
Read events: 769
Write events: 21
Delete events: 0

Modification events

PID 1812, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

PID 1812, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

PID 1812, WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

PID 1812, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\X2-Software.rar

PID 1812, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

PID 1812, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

PID 1812, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

PID 1812, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

PID 1812, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\Desktop

PID 1812, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 8
Suspicious files: 4
Text files: 0
Unknown types: 3

Dropped files

PID 1812 | WinRAR.exe | C:\Users\admin\Desktop\X2-Software\X2.pdb | Type: (not shown)
MD5: (not shown)
SHA256: (not shown)

PID 1812 | WinRAR.exe | C:\Users\admin\Desktop\X2-Software\Bin.db | Type: sqlite
MD5: (not shown)
SHA256: (not shown)

PID 1812 | WinRAR.exe | C:\Users\admin\Desktop\X2-Software\X2soft.exe | Type: executable
MD5: (not shown)
SHA256: (not shown)

PID 1812 | WinRAR.exe | C:\Users\admin\Desktop\X2-Software\mac.dat | Type: compressed
MD5: 3709E18B229E3DB113BF5C7863C59DB4
SHA256: 9DC70002E82C78EE34C813597925C6CF8AA8D68B7E9CE5BCC70EA9BCAB9DBF4A

PID 1812 | WinRAR.exe | C:\Users\admin\Desktop\X2-Software\GPPcScConnectionPlugin.dll | Type: executable
MD5: D65463FC8A37261B6BF5AFBC4139BDD5
SHA256: 789734BBAB7B606E27FAB43F4706250399108DBA98E4428D1B95589DB0A42EA2

PID 1812 | WinRAR.exe | C:\Users\admin\Desktop\X2-Software\mac2.dat | Type: compressed
MD5: CBF974E9DB892E5105C2AD1D4013B1DD
SHA256: E82114E55C2EAEC534ED78F59258AAE46DA1E343476BDC4EA236CA5FA1E4047A

PID 1812 | WinRAR.exe | C:\Users\admin\Desktop\X2-Software\GPShell.exe | Type: executable
MD5: 50FCDD91AEE3EC8D7C54FEB63E324C03
SHA256: BA5E9041668257393AE28413F5099DB5D12D7F48C239E8D19E9BEDA2036B31BE

PID 1812 | WinRAR.exe | C:\Users\admin\Desktop\X2-Software\MacGyver.cap | Type: compressed
MD5: 3709E18B229E3DB113BF5C7863C59DB4
SHA256: 9DC70002E82C78EE34C813597925C6CF8AA8D68B7E9CE5BCC70EA9BCAB9DBF4A

PID 1812 | WinRAR.exe | C:\Users\admin\Desktop\X2-Software\bins.dll | Type: executable
MD5: 7AB812D82B3BAAF3CD337AA43E91ACDE
SHA256: C0FD4A64F7E529F3B5E98B70C048E2A2009CBA5BA03EB919EAEF864000C416CC

PID 1812 | WinRAR.exe | C:\Users\admin\Desktop\X2-Software\GlobalPlatform.dll | Type: executable
MD5: 4696B9FAE32C96D487DAA887D830261B
SHA256: D516E641E63F4195C374ECEDBEE074C345AF178D703FA0761C990141E056B992
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info