File name:

cracked woofer.rar

Full analysis: https://app.any.run/tasks/2e85ac1a-2bb6-499a-8193-61fd89af4788
Verdict: Malicious activity
Analysis date: April 03, 2025, 18:39:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-doc
iqvw64e-sys
vuln-driver
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: EF43D3BBF7382F0FD67DF260FAD9AE19
SHA1: C33B4A4FA8D23E81AE594DC098D5966BAAC5588B
SHA256: 8FBDD9042E216467650A26F2E8B89EBD320EDA503F55A85C4C886B64C794AA93
SSDEEP: 98304:ftv8Wt/em1kOF/MfscmUTbQZ94p00QLEmbpRYEnerJ6AUCTgKgd/G7laND66sWXj:p8Vqvr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • mapper.exe (PID: 5332)
      • mapper.exe (PID: 660)
    • Vulnerable driver has been detected

      • mapper.exe (PID: 660)
    • Starts NET.EXE for service management

      • net.exe (PID: 1988)
      • cmd.exe (PID: 4856)
      • net.exe (PID: 6412)
      • cmd.exe (PID: 1740)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 5960)
    • Starts CMD.EXE for commands execution

      • stealthtempunpack4.exe (PID: 7700)
      • cmd.exe (PID: 8076)
      • stealthtempunpack4.exe (PID: 6172)
      • cmd.exe (PID: 6948)
      • stealthtempunpack4.exe (PID: 6864)
      • cmd.exe (PID: 6532)
      • stealthtempunpack4.exe (PID: 5604)
      • cmd.exe (PID: 768)
      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • There is functionality for taking screenshot (YARA)

      • stealthtempunpack4.exe (PID: 7700)
    • Application launched itself

      • cmd.exe (PID: 8076)
      • cmd.exe (PID: 6532)
      • cmd.exe (PID: 6948)
      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 768)
      • cmd.exe (PID: 1792)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 8132)
      • cmd.exe (PID: 7004)
      • cmd.exe (PID: 6604)
      • cmd.exe (PID: 5780)
    • Executable content was dropped or overwritten

      • mapper.exe (PID: 660)
    • Creates or modifies Windows services

      • mapper.exe (PID: 660)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4296)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1080)
      • cmd.exe (PID: 956)
      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 4828)
    • Uses WMIC.EXE to obtain information about the network interface controller

      • cmd.exe (PID: 1080)
      • cmd.exe (PID: 956)
      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 4828)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Windows service management via SC.EXE

      • sc.exe (PID: 6160)
      • sc.exe (PID: 3612)
      • sc.exe (PID: 1520)
      • sc.exe (PID: 2424)
    • Process uses IPCONFIG to get network configuration information

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Process uses IPCONFIG to discard the IP address configuration

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Uses WMIC.EXE to obtain network information

      • cmd.exe (PID: 4932)
      • cmd.exe (PID: 6432)
    • Process uses IPCONFIG to renew DHCP configuration

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5960)
    • Reads the machine GUID from the registry

      • stealthtempunpack4.exe (PID: 7700)
      • stealthtempunpack4.exe (PID: 6172)
      • stealthtempunpack4.exe (PID: 6864)
      • stealthtempunpack4.exe (PID: 5604)
    • Checks supported languages

      • stealthtempunpack4.exe (PID: 7700)
      • mapper.exe (PID: 660)
      • PLUGScheduler.exe (PID: 4296)
      • stealthtempunpack4.exe (PID: 6172)
      • KeyAuthEmulator.exe (PID: 7144)
      • stealthtempunpack4.exe (PID: 5604)
      • stealthtempunpack4.exe (PID: 6864)
    • Checks proxy server information

      • stealthtempunpack4.exe (PID: 7700)
      • stealthtempunpack4.exe (PID: 6172)
      • stealthtempunpack4.exe (PID: 6864)
      • stealthtempunpack4.exe (PID: 5604)
    • Manual execution by a user

      • stealthtempunpack4.exe (PID: 7700)
      • mapper.exe (PID: 5332)
      • mapper.exe (PID: 660)
      • stealthtempunpack4.exe (PID: 6172)
      • KeyAuthEmulator.exe (PID: 7144)
      • stealthtempunpack4.exe (PID: 5604)
      • stealthtempunpack4.exe (PID: 6864)
      • cmd.exe (PID: 4856)
      • cmd.exe (PID: 1740)
      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Disables trace logs

      • stealthtempunpack4.exe (PID: 7700)
      • stealthtempunpack4.exe (PID: 6172)
      • stealthtempunpack4.exe (PID: 6864)
      • stealthtempunpack4.exe (PID: 5604)
      • netsh.exe (PID: 6120)
      • netsh.exe (PID: 640)
      • netsh.exe (PID: 6044)
      • netsh.exe (PID: 6116)
      • netsh.exe (PID: 5020)
      • netsh.exe (PID: 5280)
      • netsh.exe (PID: 5660)
      • netsh.exe (PID: 6644)
    • Reads the computer name

      • stealthtempunpack4.exe (PID: 7700)
      • PLUGScheduler.exe (PID: 4296)
      • stealthtempunpack4.exe (PID: 6172)
      • KeyAuthEmulator.exe (PID: 7144)
      • stealthtempunpack4.exe (PID: 5604)
      • stealthtempunpack4.exe (PID: 6864)
    • Reads the software policy settings

      • slui.exe (PID: 7288)
    • Create files in a temporary directory

      • mapper.exe (PID: 660)
    • The sample compiled with english language support

      • mapper.exe (PID: 660)
    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 4296)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1184)
      • netsh.exe (PID: 6348)
      • netsh.exe (PID: 6064)
      • WMIC.exe (PID: 2808)
      • WMIC.exe (PID: 4968)
      • WMIC.exe (PID: 6408)
      • netsh.exe (PID: 1364)
      • netsh.exe (PID: 3928)
      • WMIC.exe (PID: 5632)
      • WMIC.exe (PID: 1380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 220
UncompressedSize: 437
OperatingSystem: Win32
ArchivedFileName: 997rfh/crak/KeyAuthEmulator.deps.json
No data.
All screenshots are available in the full report
Total processes: 423
Monitored processes: 135
Malicious processes: 3
Suspicious processes: 4


Process information

PID: 204
CMD: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v LargeSendOffloadv2IPv6 /t REG_DWORD /d 0 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 488
CMD: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "Dhcpv6DomainSearchList" /t REG_BINARY /d /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 556
CMD: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 0xFFFFFFFF /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 564
CMD: ipconfig /release
Path: C:\Windows\System32\ipconfig.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc.dll
PID: 640
CMD: netsh interface set interface "Microsoft Network Adapter Multiplexor Protocol" admin=disabled
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 660
CMD: "C:\Users\admin\Desktop\997rfh\files\mapper.exe" C:\Users\admin\Desktop\997rfh\files\spoofx.sys
Path: C:\Users\admin\Desktop\997rfh\files\mapper.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\997rfh\files\mapper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 664
CMD: ipconfig /renew
Path: C:\Windows\System32\ipconfig.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc.dll
PID: 768
CMD: "cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function SkyAuthApp.init(); first && timeout /t 5"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: stealthtempunpack4.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 768
CMD: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "Dhcpv6DUID" /t REG_BINARY /d /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 956
CMD: C:\WINDOWS\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events: 21 114
Read events: 21 090
Write events: 24
Delete events: 0

Modification events

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\cracked woofer.rar

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7700) stealthtempunpack4.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\stealthtempunpack4_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7700) stealthtempunpack4.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\stealthtempunpack4_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files: 6
Suspicious files: 47
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\crak\KeyAuthEmulator.deps.json | binary
MD5: 47306D1FC832C57AB35F197F48E05864
SHA256: 98150B82CBB9F35DC99DAA5116D9EAE18ADF22C11CBE245E1822FF42A254D624

5960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\crak\KeyAuthEmulator.exe | executable
MD5: CF78D5995312872C075AE9772A14A5A2
SHA256: 71FEDE3D07F8B24D08E15748ABCD95ABCFE48E21A5A71F0C96D6BF752C12252C

4296 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.049.etl | binary
MD5: 5EA68411BF8E9EAF4621BAF73F61449E
SHA256: 9D4CA5A1D871F819C139A498BB910A63576C2FE6367853544F8D172D8B6EBFF7

660 | mapper.exe | C:\Users\admin\AppData\Local\Temp\aDMXoZQlDcGvstOtzyGKjOSNcxvXC | executable
MD5: 1898CEDA3247213C084F43637EF163B3
SHA256: 4429F32DB1CC70567919D7D47B844A91CF1329A6CD116F582305F3B7B60CD60B

5960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\stealthtempunpack4.exe | executable
MD5: A4F8C262E57723F13C6F02E3DCF87BBD
SHA256: 4D5F575FDAF9E3B53DBBB13BE5729B22D59F9603C0B44660FB19B8149F64B2B6

5960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\files\tempswoofsetup.bat | text
MD5: E625D46D449A82E4D94FEFA3CB2BC429
SHA256: 443E031F17726670E72D9CD787D3B27032B78CF08B6B9FF06DBFF4B854D4062D

4296 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.050.etl | binary
MD5: C8834D365FAE073DEDE1F1620454CE71
SHA256: C6DD793EEE1D5551CA507A3C5BFFECA82DD3E29C63C2C6DD218A7D4BFB37046B

4296 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.046.etl | binary
MD5: A7A21FBC9D00F33F186B34A50E170C13
SHA256: 64CAC91E46D4FC832958232A658431CBF9D8D9F265653ACA2BEB32428D4688EC

5960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\files\s6qjg4.bat | text
MD5: 4B88777F136A2A75A6839105D74F29A2
SHA256: 63B82535C9C9E3CD735567D8255A294DD8AFFFABF41737F4BD98DCFBFDDAA544

4296 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.048.etl | binary
MD5: A23907B6FDD47DCABFDFD7CF2FCD7671
SHA256: 0C9C33FE9E984A2E5A70EBA51F36B9929A86199E424AF2F8080E1267B87DC970
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 65
DNS requests: 39
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.140:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
7932 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
7932 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
4908 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
5148 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | | | whitelisted
6284 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | | | whitelisted
1084 | BackgroundTransferHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | | | whitelisted
6340 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.140:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3216 | svchost.exe | 172.172.255.218:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6544 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.140
  • 23.48.23.168
  • 23.48.23.158
  • 23.48.23.148
  • 23.48.23.156
  • 23.48.23.141
  • 23.48.23.164
  • 23.48.23.139
  • 23.48.23.166
whitelisted
client.wns.windows.com
  • 172.172.255.218
  • 20.7.2.167
whitelisted
login.live.com
  • 20.190.160.128
  • 40.126.32.76
  • 20.190.160.65
  • 40.126.32.140
  • 20.190.160.3
  • 40.126.32.138
  • 20.190.160.64
  • 20.190.160.22
  • 20.190.159.68
  • 20.190.159.131
  • 40.126.31.130
  • 40.126.31.67
  • 20.190.159.75
  • 40.126.31.129
  • 20.190.159.71
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
  • 52.111.229.43
whitelisted

Threats

No threats detected
No debug info