File name: Combo Editor Pro v1 by Draghost.rar

Full analysis: https://app.any.run/tasks/a165c619-b949-42e2-bf4d-ad72042b40b5
Verdict: Malicious activity
Analysis date: October 08, 2023, 12:09:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 9643DEB9B89BA2DD585256A48E162B10
SHA1: CA5470346DA49DD03E46B637B9447886B94C0294
SHA256: 8D57195C05BCC5D97872E8F17424BD9E69CF0EC4B3D1C688A2C1E41EBC16B8A5
SSDEEP: 98304:eOkHH0Vqkw/b3QTjZbj3YBoH0KUqP/DcgJx1ZVGP2ElYcNSWkKq3P4/cikgF9x5k:zrmNPibe1YX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • Combo Editor Pro.exe (PID: 3632)
      • Combo Editor Pro.exe (PID: 2556)
      • LZMYBCTLTD.exe (PID: 980)
      • Combo Editor Pro.exe (PID: 3876)
      • LZMYBCTLTD.exe (PID: 3712)
      • Combo Editor Pro.exe (PID: 2808)
    • Uses Task Scheduler to run other applications

      • LZMYBCTLTD.exe (PID: 3712)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3832)
    • Application launched itself

      • Combo Editor Pro.exe (PID: 2272)
      • Combo Editor Pro.exe (PID: 2460)
    • Reads the BIOS version

      • Combo Editor Pro.exe (PID: 2272)
      • Combo Editor Pro.exe (PID: 3632)
      • Combo Editor Pro.exe (PID: 2460)
      • Combo Editor Pro.exe (PID: 2556)
      • LZMYBCTLTD.exe (PID: 980)
      • Combo Editor Pro.exe (PID: 2808)
      • Combo Editor Pro.exe (PID: 3876)
      • LZMYBCTLTD.exe (PID: 3712)
    • Reads the Internet Settings

      • Combo Editor Pro.exe (PID: 3632)
      • Combo Editor Pro.exe (PID: 2272)
      • Combo Editor Pro.exe (PID: 2556)
      • LZMYBCTLTD.exe (PID: 980)
      • Combo Editor Pro.exe (PID: 2808)
      • Combo Editor Pro.exe (PID: 3876)
      • LZMYBCTLTD.exe (PID: 3712)
      • Combo Editor Pro.exe (PID: 2460)
    • Powershell version downgrade attack

      • powershell.exe (PID: 2620)
      • powershell.exe (PID: 372)
      • powershell.exe (PID: 292)
      • powershell.exe (PID: 2232)
      • powershell.exe (PID: 2268)
      • powershell.exe (PID: 3448)
      • powershell.exe (PID: 3544)
      • powershell.exe (PID: 3524)
      • powershell.exe (PID: 3004)
      • powershell.exe (PID: 1484)
      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 3256)
    • Starts POWERSHELL.EXE for commands execution

      • Combo Editor Pro.exe (PID: 3632)
      • Combo Editor Pro.exe (PID: 2556)
      • LZMYBCTLTD.exe (PID: 980)
      • Combo Editor Pro.exe (PID: 2808)
      • Combo Editor Pro.exe (PID: 3876)
      • LZMYBCTLTD.exe (PID: 3712)
    • Script adds exclusion path to Windows Defender

      • Combo Editor Pro.exe (PID: 3632)
      • Combo Editor Pro.exe (PID: 2556)
      • LZMYBCTLTD.exe (PID: 980)
      • Combo Editor Pro.exe (PID: 2808)
      • Combo Editor Pro.exe (PID: 3876)
      • LZMYBCTLTD.exe (PID: 3712)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1828)
      • cmd.exe (PID: 300)
      • cmd.exe (PID: 3116)
    • Executing commands from a ".bat" file

      • Combo Editor Pro.exe (PID: 3632)
      • Combo Editor Pro.exe (PID: 2556)
      • Combo Editor Pro.exe (PID: 2808)
    • Starts CMD.EXE for commands execution

      • Combo Editor Pro.exe (PID: 2556)
      • Combo Editor Pro.exe (PID: 2808)
      • Combo Editor Pro.exe (PID: 3632)
  • INFO

    • Checks supported languages

      • Combo Editor Pro.exe (PID: 2272)
      • Combo Editor Pro.exe (PID: 3632)
      • LZMYBCTLTD.exe (PID: 980)
      • Combo Editor Pro.exe (PID: 2556)
      • Combo Editor Pro.exe (PID: 2808)
      • Combo Editor Pro.exe (PID: 3876)
      • Combo Editor Pro.exe (PID: 2460)
      • LZMYBCTLTD.exe (PID: 3712)
    • Reads the computer name

      • Combo Editor Pro.exe (PID: 2272)
      • Combo Editor Pro.exe (PID: 3632)
      • Combo Editor Pro.exe (PID: 2460)
      • Combo Editor Pro.exe (PID: 2556)
      • LZMYBCTLTD.exe (PID: 980)
      • Combo Editor Pro.exe (PID: 2808)
      • Combo Editor Pro.exe (PID: 3876)
      • LZMYBCTLTD.exe (PID: 3712)
    • Process checks are UAC notifies on

      • Combo Editor Pro.exe (PID: 3632)
      • Combo Editor Pro.exe (PID: 2556)
      • LZMYBCTLTD.exe (PID: 980)
      • Combo Editor Pro.exe (PID: 2808)
      • Combo Editor Pro.exe (PID: 3876)
      • LZMYBCTLTD.exe (PID: 3712)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3832)
    • Manual execution by a user

      • Combo Editor Pro.exe (PID: 2272)
      • Combo Editor Pro.exe (PID: 2460)
      • Combo Editor Pro.exe (PID: 2808)
      • Combo Editor Pro.exe (PID: 3876)
    • Create files in a temporary directory

      • Combo Editor Pro.exe (PID: 3632)
      • Combo Editor Pro.exe (PID: 2556)
      • Combo Editor Pro.exe (PID: 2808)
    • Creates files in the program directory

      • Combo Editor Pro.exe (PID: 3632)
      • Combo Editor Pro.exe (PID: 2808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 88
Monitored processes: 29
Malicious processes: 22
Suspicious processes: 1

Behavior graph

Processes in the behavior graph, in the order shown in the report (29 monitored processes):

  • winrar.exe
  • searchprotocolhost.exe
  • combo editor pro.exe
  • combo editor pro.exe
  • powershell.exe
  • powershell.exe
  • cmd.exe
  • timeout.exe
  • combo editor pro.exe
  • combo editor pro.exe
  • lzmybctltd.exe
  • powershell.exe
  • powershell.exe
  • powershell.exe
  • powershell.exe
  • cmd.exe
  • timeout.exe
  • combo editor pro.exe
  • powershell.exe
  • powershell.exe
  • combo editor pro.exe
  • powershell.exe
  • powershell.exe
  • cmd.exe
  • timeout.exe
  • lzmybctltd.exe
  • powershell.exe
  • powershell.exe
  • schtasks.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process (the Indicators column carries no data in this export).

PID: 292
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: Combo Editor Pro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 300
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\s1z0.0.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: Combo Editor Pro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 372
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: Combo Editor Pro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 980
CMD: "C:\ProgramData\active\LZMYBCTLTD.exe"
Path: C:\ProgramData\active\LZMYBCTLTD.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Logon Application
Exit code: 0
Version: 10.0.17134.1

PID: 1484
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: LZMYBCTLTD.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1828
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\s2sw.0.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: Combo Editor Pro.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2004
CMD: timeout 3
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2232
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: LZMYBCTLTD.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2268
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: LZMYBCTLTD.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2272
CMD: "C:\Users\admin\Desktop\Combo Editor Pro v1 by Draghost\Combo Editor Pro.exe"
Path: C:\Users\admin\Desktop\Combo Editor Pro v1 by Draghost\Combo Editor Pro.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Logon Application
Exit code: 1
Version: 10.0.17134.1
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 37
Text files: 4
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type.

PID: 3832
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.46789\Combo Editor Pro v1 by Draghost\Combo Editor Pro.exe
Type: (not given)
MD5: (not given)
SHA256: (not given)

PID: 3632
Process: Combo Editor Pro.exe
Filename: C:\ProgramData\active\LZMYBCTLTD.exe
Type: (not given)
MD5: (not given)
SHA256: (not given)

PID: 3448
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XZ6TFT5WQOR2VVT3744U.temp
Type: binary
MD5: B2A14C47DF15CD98C7FC022417BAC08B
SHA256: 6EF2E6B9227BAE870B2046C9E6D0CB669B61545444F3E2116C30DDA8ED58AF3F

PID: 3448
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: B2A14C47DF15CD98C7FC022417BAC08B
SHA256: 6EF2E6B9227BAE870B2046C9E6D0CB669B61545444F3E2116C30DDA8ED58AF3F

PID: 3832
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.46789\Combo Editor Pro v1 by Draghost\SMDiagnostics.dll
Type: executable
MD5: F1D92AC71001BCC24B99044EE675619F
SHA256: 5DF3A2E0329D7668AD0F6C426F6E4C6D1ECD45225B2C39D96B15CD7B6A1BBE53

PID: 372
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: B2A14C47DF15CD98C7FC022417BAC08B
SHA256: 6EF2E6B9227BAE870B2046C9E6D0CB669B61545444F3E2116C30DDA8ED58AF3F

PID: 3832
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.46789\Combo Editor Pro v1 by Draghost\Data\x64\SQLite.Interop.dll
Type: executable
MD5: 56A504A34D2CFBFC7EAA2B68E34AF8AD
SHA256: 9309FB2A3F326D0F2CC3F2AB837CFD02E4F8CB6B923B3B2BE265591FD38F4961

PID: 3832
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3832.46789\Combo Editor Pro v1 by Draghost\PresentationFramework-SystemXml.dll
Type: executable
MD5: BE1A96C998147BFBEB5F635FE0C3428D
SHA256: D024E1CBECF038D59AE375552E4F47D2C737EAFCE7C68DA5EC8B2B02BECB297E

PID: 3632
Process: Combo Editor Pro.exe
Filename: C:\Users\admin\AppData\Local\Temp\s2sw.0.bat
Type: text
MD5: 7CA363315ACB07DAF0D7B46085CC51AE
SHA256: 90F8CC3A6EFBDBD0C3F10FD7BC827F7D701E2550D6E813325392977EFC4D7F5C

PID: 2620
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF15584b.TMP
Type: binary
MD5: B2A14C47DF15CD98C7FC022417BAC08B
SHA256: 6EF2E6B9227BAE870B2046C9E6D0CB669B61545444F3E2116C30DDA8ED58AF3F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (Domain, ASN and CN are empty for all three rows in this export).

PID: 2656
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info