File name: cracked woofer.rar

Full analysis: https://app.any.run/tasks/2e85ac1a-2bb6-499a-8193-61fd89af4788
Verdict: Malicious activity
Analysis date: April 03, 2025, 18:39:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, arch-doc, iqvw64e-sys, vuln-driver
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: EF43D3BBF7382F0FD67DF260FAD9AE19
SHA1: C33B4A4FA8D23E81AE594DC098D5966BAAC5588B
SHA256: 8FBDD9042E216467650A26F2E8B89EBD320EDA503F55A85C4C886B64C794AA93
SSDEEP: 98304:ftv8Wt/em1kOF/MfscmUTbQZ94p00QLEmbpRYEnerJ6AUCTgKgd/G7laND66sWXj:p8Vqvr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • mapper.exe (PID: 5332)
      • mapper.exe (PID: 660)
    • Vulnerable driver has been detected

      • mapper.exe (PID: 660)
    • Starts NET.EXE for service management

      • net.exe (PID: 6412)
      • cmd.exe (PID: 4856)
      • cmd.exe (PID: 1740)
      • net.exe (PID: 1988)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 5960)
    • Application launched itself

      • cmd.exe (PID: 8076)
      • cmd.exe (PID: 6532)
      • cmd.exe (PID: 6948)
      • cmd.exe (PID: 768)
      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • There is functionality for taking screenshot (YARA)

      • stealthtempunpack4.exe (PID: 7700)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 8132)
      • cmd.exe (PID: 6604)
      • cmd.exe (PID: 7004)
      • cmd.exe (PID: 5780)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 8076)
      • stealthtempunpack4.exe (PID: 7700)
      • stealthtempunpack4.exe (PID: 6172)
      • cmd.exe (PID: 6532)
      • stealthtempunpack4.exe (PID: 6864)
      • cmd.exe (PID: 6948)
      • stealthtempunpack4.exe (PID: 5604)
      • cmd.exe (PID: 768)
      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Executable content was dropped or overwritten

      • mapper.exe (PID: 660)
    • Creates or modifies Windows services

      • mapper.exe (PID: 660)
    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 4296)
    • Uses WMIC.EXE to obtain information about the network interface controller

      • cmd.exe (PID: 1080)
      • cmd.exe (PID: 956)
      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 4828)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1080)
      • cmd.exe (PID: 956)
      • cmd.exe (PID: 6476)
      • cmd.exe (PID: 4828)
    • Uses NETSH.EXE to change the status of the firewall

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Windows service management via SC.EXE

      • sc.exe (PID: 3612)
      • sc.exe (PID: 6160)
      • sc.exe (PID: 1520)
      • sc.exe (PID: 2424)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Process uses IPCONFIG to get network configuration information

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Process uses IPCONFIG to discard the IP address configuration

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Process uses IPCONFIG to renew DHCP configuration

      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 1792)
    • Uses WMIC.EXE to obtain network information

      • cmd.exe (PID: 4932)
      • cmd.exe (PID: 6432)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5960)
    • Checks supported languages

      • stealthtempunpack4.exe (PID: 7700)
      • mapper.exe (PID: 660)
      • PLUGScheduler.exe (PID: 4296)
      • stealthtempunpack4.exe (PID: 6172)
      • stealthtempunpack4.exe (PID: 6864)
      • stealthtempunpack4.exe (PID: 5604)
      • KeyAuthEmulator.exe (PID: 7144)
    • Manual execution by a user

      • stealthtempunpack4.exe (PID: 7700)
      • mapper.exe (PID: 5332)
      • mapper.exe (PID: 660)
      • stealthtempunpack4.exe (PID: 6172)
      • stealthtempunpack4.exe (PID: 6864)
      • stealthtempunpack4.exe (PID: 5604)
      • KeyAuthEmulator.exe (PID: 7144)
      • cmd.exe (PID: 2864)
      • cmd.exe (PID: 4856)
      • cmd.exe (PID: 1740)
      • cmd.exe (PID: 1792)
    • Reads the computer name

      • stealthtempunpack4.exe (PID: 7700)
      • PLUGScheduler.exe (PID: 4296)
      • stealthtempunpack4.exe (PID: 6172)
      • stealthtempunpack4.exe (PID: 6864)
      • KeyAuthEmulator.exe (PID: 7144)
      • stealthtempunpack4.exe (PID: 5604)
    • Disables trace logs

      • stealthtempunpack4.exe (PID: 7700)
      • stealthtempunpack4.exe (PID: 6172)
      • stealthtempunpack4.exe (PID: 6864)
      • stealthtempunpack4.exe (PID: 5604)
      • netsh.exe (PID: 6120)
      • netsh.exe (PID: 640)
      • netsh.exe (PID: 6116)
      • netsh.exe (PID: 6044)
      • netsh.exe (PID: 5660)
      • netsh.exe (PID: 5280)
      • netsh.exe (PID: 5020)
      • netsh.exe (PID: 6644)
    • Reads the software policy settings

      • slui.exe (PID: 7288)
    • Create files in a temporary directory

      • mapper.exe (PID: 660)
    • Checks proxy server information

      • stealthtempunpack4.exe (PID: 7700)
      • stealthtempunpack4.exe (PID: 6172)
      • stealthtempunpack4.exe (PID: 6864)
      • stealthtempunpack4.exe (PID: 5604)
    • Reads the machine GUID from the registry

      • stealthtempunpack4.exe (PID: 7700)
      • stealthtempunpack4.exe (PID: 6172)
      • stealthtempunpack4.exe (PID: 6864)
      • stealthtempunpack4.exe (PID: 5604)
    • The sample was compiled with English language support

      • mapper.exe (PID: 660)
    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 4296)
    • Reads security settings of Internet Explorer

      • netsh.exe (PID: 6064)
      • netsh.exe (PID: 6348)
      • WMIC.exe (PID: 2808)
      • WMIC.exe (PID: 4968)
      • WMIC.exe (PID: 6408)
      • netsh.exe (PID: 3928)
      • netsh.exe (PID: 1364)
      • WMIC.exe (PID: 1380)
      • WMIC.exe (PID: 5632)
      • WMIC.exe (PID: 1184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 220
UncompressedSize: 437
OperatingSystem: Win32
ArchivedFileName: 997rfh/crak/KeyAuthEmulator.deps.json
No data.
All screenshots are available in the full report
Total processes: 423
Monitored processes: 135
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Process launch order as shown in the graph (interactive labels removed; the second mapper.exe instance is the one the sandbox marks as THREAT):

winrar.exe, sppextcomobj.exe, slui.exe, rundll32.exe,
stealthtempunpack4.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, timeout.exe, slui.exe,
mapper.exe, mapper.exe (THREAT), conhost.exe, plugscheduler.exe,
stealthtempunpack4.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, timeout.exe,
stealthtempunpack4.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, timeout.exe,
keyauthemulator.exe, conhost.exe,
stealthtempunpack4.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, timeout.exe,
cmd.exe, conhost.exe, net.exe, net1.exe, cmd.exe, conhost.exe, net.exe, net1.exe,
cmd.exe, conhost.exe, cmd.exe, wmic.exe, findstr.exe, netsh.exe (x4), sc.exe, netsh.exe, reg.exe, netsh.exe, sc.exe, reg.exe (x12), ipconfig.exe (x4), netsh.exe, reg.exe (x4), cmd.exe, wmic.exe, findstr.exe, reg.exe (x4), cmd.exe, wmic.exe, netsh.exe (x2),
cmd.exe, conhost.exe, cmd.exe, wmic.exe, findstr.exe, netsh.exe (x4), sc.exe, netsh.exe, reg.exe, netsh.exe, sc.exe, reg.exe (x12), ipconfig.exe (x4), netsh.exe, reg.exe (x4), cmd.exe, wmic.exe, findstr.exe, reg.exe (x4), cmd.exe, wmic.exe, netsh.exe (x2)

Process information

Columns: PID, command line (CMD), image path, parent process, then user, company, integrity level, description, exit code, version and the modules (images) loaded by that process. The Indicators column is empty for every row shown.

PID: 204
CMD: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v LargeSendOffloadv2IPv6 /t REG_DWORD /d 0 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ws2_32.dll

PID: 488
CMD: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "Dhcpv6DomainSearchList" /t REG_BINARY /d /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ws2_32.dll

PID: 556
CMD: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 0xFFFFFFFF /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ws2_32.dll

PID: 564
CMD: ipconfig /release
Path: C:\Windows\System32\ipconfig.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\ipconfig.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\iphlpapi.dll, c:\windows\system32\nsi.dll, c:\windows\system32\dhcpcsvc.dll

PID: 640
CMD: netsh interface set interface "Microsoft Network Adapter Multiplexor Protocol" admin=disabled
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\netsh.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 660
CMD: "C:\Users\admin\Desktop\997rfh\files\mapper.exe" C:\Users\admin\Desktop\997rfh\files\spoofx.sys
Path: C:\Users\admin\Desktop\997rfh\files\mapper.exe
Parent process: explorer.exe
User: admin
Company: (none recorded)
Integrity Level: HIGH
Description: (none recorded)
Exit code: 0
Version: (none recorded)
Modules (images): c:\users\admin\desktop\997rfh\files\mapper.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID: 664
CMD: ipconfig /renew
Path: C:\Windows\System32\ipconfig.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\ipconfig.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\nsi.dll, c:\windows\system32\iphlpapi.dll, c:\windows\system32\dhcpcsvc.dll

PID: 768
CMD: "cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function SkyAuthApp.init(); first && timeout /t 5"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: stealthtempunpack4.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll

PID: 768 (PID reused later in the run)
CMD: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "Dhcpv6DUID" /t REG_BINARY /d /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ws2_32.dll

PID: 956
CMD: C:\WINDOWS\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll, c:\windows\system32\bcrypt.dll
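The rows above carry the two behaviours that make this archive worth more than a glance, and both are easy to turn into detection logic. First, mapper.exe (PID 660) runs from the user's Desktop at HIGH integrity and is handed spoofx.sys as its only argument; together with the iqvw64e-sys and vuln-driver tags this is the bring-your-own-vulnerable-driver pattern, in which a signed but exploitable driver (iqvw64e.sys is Intel's Ethernet diagnostics driver) is loaded so that an unsigned driver can be mapped into the kernel without a driver-signing check ever seeing it. Second, the cmd.exe children (reg add against Tcpip\Parameters and Tcpip6\Parameters, netsh interface set interface ... admin=disabled, ipconfig /release and /renew, wmic nic where physicaladapter=true) are the fingerprint of a network-identity ("HWID") spoofing batch, which fits the dropped tempswoofsetup.bat, although the report does not show that script's contents. Note that the reg.exe and netsh.exe children ran at MEDIUM integrity and exited with code 1: the HKLM writes were refused in the sandbox, so a detection must key on the attempted command line rather than on a resulting registry change.

The script below is an added example for this report, not ANY.RUN code. It parses rows in the fused layout this page shows (PID, command line, image path and parent process run together on one line), using rows copied from the table above as constructed input, then flags a user-profile executable passing a .sys file and any parent whose children hit three or more of the HWID-spoofing rule families. The rule names, the three-family threshold and the row-format assumptions are this example's own.

```python
"""Flag the two behaviours in this ANY.RUN report from its process rows:
a user-land driver mapper handed a .sys file (BYOVD), and the reg/netsh/
ipconfig/wmic chain of a network-identity ("HWID") spoofing batch.

Added example for this report, not ANY.RUN code. The row parser targets
the fused layout seen on this page (PID, command line, image path and
parent process run together on one line); rule names and the threshold
of three rule families per parent are this example's own choices.
"""
import re
from collections import defaultdict

# Constructed input: rows copied from the "Process information" table.
# The mapper.exe row carries its parent on the following line.
SAMPLE_ROWS = [
    r'204reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v LargeSendOffloadv2IPv6 /t REG_DWORD /d 0 /fC:\Windows\System32\reg.execmd.exe',
    r'556reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 0xFFFFFFFF /fC:\Windows\System32\reg.execmd.exe',
    r'564ipconfig /releaseC:\Windows\System32\ipconfig.execmd.exe',
    r'640netsh interface set interface "Microsoft Network Adapter Multiplexor Protocol" admin=disabledC:\Windows\System32\netsh.execmd.exe',
    r'660"C:\Users\admin\Desktop\997rfh\files\mapper.exe" C:\Users\admin\Desktop\997rfh\files\spoofx.sysC:\Users\admin\Desktop\997rfh\files\mapper.exe',
    'explorer.exe',
    r'664ipconfig /renewC:\Windows\System32\ipconfig.execmd.exe',
    r'956C:\WINDOWS\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]C:\Windows\System32\cmd.execmd.exe',
]

# Image path: drive letter, then no whitespace, quotes, pipes or a second
# colon (which would let the match run into the parent or a .sys argument).
_IMAGE = r'([A-Za-z]:\\[^\s"|:]+?\.exe)'
_PARENT = r'([A-Za-z0-9_.-]+\.exe)'
ROW_FULL = re.compile(r'^(\d+)(.*?)' + _IMAGE + _PARENT + r'$')
ROW_NO_PARENT = re.compile(r'^(\d+)(.*?)' + _IMAGE + r'$')

# Command-line rules for the HWID-spoofing batch, keyed by rule family.
RULES = {
    "tcpip_param_tamper": re.compile(
        r'reg\s+add\s+"?(HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet'
        r'\\Services\\Tcpip6?\\Parameters', re.I),
    "adapter_disable": re.compile(
        r'netsh\s+interface\s+set\s+interface\s+.*admin=disabled', re.I),
    "dhcp_cycle": re.compile(r'ipconfig\s+/(release|renew|flushdns)\b', re.I),
    "nic_enum": re.compile(r'wmic\s+nic\s+where\s+physicaladapter=true', re.I),
}


def parse_rows(rows):
    """Return (pid, cmd, image, parent) tuples from fused report rows."""
    procs, i = [], 0
    while i < len(rows):
        m = ROW_FULL.match(rows[i])
        if m:
            pid, cmd, image, parent = m.groups()
            i += 1
        else:
            m = ROW_NO_PARENT.match(rows[i])
            if not m:
                raise ValueError(f"unparsable row: {rows[i]!r}")
            pid, cmd, image = m.groups()
            # Parent spilled onto the next line; consume it.
            parent = rows[i + 1].strip() if i + 1 < len(rows) else ""
            i += 2
        procs.append((int(pid), cmd.strip(), image, parent))
    return procs


def looks_like_driver_mapper(cmd, image):
    """A user-profile executable that takes a .sys file as an argument."""
    return (re.search(r'\.sys(\s|$|")', cmd, re.I) is not None
            and '\\users\\' in image.lower())


def analyse(rows):
    """Group rule hits by parent and return both finding types."""
    findings = {"driver_mapper": [], "hwid_spoof_batch": []}
    hits_by_parent = defaultdict(set)
    for pid, cmd, image, parent in parse_rows(rows):
        if looks_like_driver_mapper(cmd, image):
            findings["driver_mapper"].append((pid, image, cmd))
        for family, rx in RULES.items():
            if rx.search(cmd):
                hits_by_parent[parent].add(family)
    # One parent spawning three or more families is the batch signature;
    # a lone "ipconfig /renew" from a help-desk script should not fire.
    for parent, families in hits_by_parent.items():
        if len(families) >= 3:
            findings["hwid_spoof_batch"].append((parent, sorted(families)))
    return findings


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_ROWS).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

Run it directly to print both findings for the sample rows. On live telemetry the parser is the part you would drop: feed process-creation records (PID, command line, image, parent) from Sysmon or an EDR straight into the same rules, and group on the parent PID rather than the parent image name so that two unrelated cmd.exe instances are not merged.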
Total events: 21 114
Read events: 21 090
Write events: 24
Delete events: 0

Modification events

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\cracked woofer.rar

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (5960) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7700) stealthtempunpack4.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\stealthtempunpack4_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7700) stealthtempunpack4.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\stealthtempunpack4_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files: 6
Suspicious files: 47
Text files: 6
Unknown types: 0

Dropped files

PID 5960, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\crak\KeyAuthEmulator.exe
Type: executable
MD5: CF78D5995312872C075AE9772A14A5A2
SHA256: 71FEDE3D07F8B24D08E15748ABCD95ABCFE48E21A5A71F0C96D6BF752C12252C

PID 5960, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\crak\KeyAuthEmulator.deps.json
Type: binary
MD5: 47306D1FC832C57AB35F197F48E05864
SHA256: 98150B82CBB9F35DC99DAA5116D9EAE18ADF22C11CBE245E1822FF42A254D624

PID 5960, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\crak\secret.txt
Type: text
MD5: 5A799BD4D528CDED12B143DEE91659EC
SHA256: 8B1CC8E0744DCA5FADA8CF95E4D88B4CD769A99757351B82A14D333E2E515115

PID 5960, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\crak\KeyAuthEmulator.runtimeconfig.json
Type: binary
MD5: 9FCDF880F73E74CF6347F8194B9F3509
SHA256: 162D81F468BEC570EC15E527433F4DE5D5729FFE338AB79B22671F38760D34BD

PID 5960, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\decrypted_strings.txt
Type: text
MD5: CF2F9B0677D5E267A39EBB6B29C83AFE
SHA256: FCB46A58931C731D7AB0C456881F725A0523961F7675E7D37E7E47291E3603B4

PID 5960, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\stealthtempunpack4.exe
Type: executable
MD5: A4F8C262E57723F13C6F02E3DCF87BBD
SHA256: 4D5F575FDAF9E3B53DBBB13BE5729B22D59F9603C0B44660FB19B8149F64B2B6

PID 5960, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\crak\KeyAuthEmulator.dll
Type: executable
MD5: 279F591B2BAD3022911ACF0D18923075
SHA256: 406904DFCC899696AC20863829A67D5DABEF7C06EA886937A85F6A76FC2F0CA4

PID 5960, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\files\tempswoofsetup.bat
Type: text
MD5: E625D46D449A82E4D94FEFA3CB2BC429
SHA256: 443E031F17726670E72D9CD787D3B27032B78CF08B6B9FF06DBFF4B854D4062D

PID 5960, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa5960.37221\997rfh\files\mapper.exe
Type: executable
MD5: AB1448FC98DA17E33CDA062EDED54FF4
SHA256: 3F14BEC002F322A26DCB47740CAF3274A8A8D699E4AAF46B52A6703F2A88304C

PID 7700, stealthtempunpack4.exe
Filename: C:\Users\admin\Desktop\997rfh\Logs\ErrorLogs.txt
Type: text
MD5: B2FF8D6CAEC234BDC773094B4DD58EA1
SHA256: (not listed in the report)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 65
DNS requests: 39
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row)

6340 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
5148 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6284 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.140:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1084 | BackgroundTransferHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4908 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7932 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7932 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | (no domain, ASN or CN listed) | whitelisted
(PID and process not listed) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.140:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | (no domain, ASN or CN listed) | whitelisted
3216 | svchost.exe | 172.172.255.218:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6544 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.140
  • 23.48.23.168
  • 23.48.23.158
  • 23.48.23.148
  • 23.48.23.156
  • 23.48.23.141
  • 23.48.23.164
  • 23.48.23.139
  • 23.48.23.166
whitelisted
client.wns.windows.com
  • 172.172.255.218
  • 20.7.2.167
whitelisted
login.live.com
  • 20.190.160.128
  • 40.126.32.76
  • 20.190.160.65
  • 40.126.32.140
  • 20.190.160.3
  • 40.126.32.138
  • 20.190.160.64
  • 20.190.160.22
  • 20.190.159.68
  • 20.190.159.131
  • 40.126.31.130
  • 40.126.31.67
  • 20.190.159.75
  • 40.126.31.129
  • 20.190.159.71
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
  • 52.111.229.43
whitelisted

Threats

No threats detected
No debug info