File name: BlTools Cracked.rar
Full analysis: https://app.any.run/tasks/5351b638-727b-4c3e-9974-63a160e6deff
Verdict: Malicious activity
Analysis date: June 19, 2022, 11:21:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 6F83819D322329F898D2F11926990FDD
SHA1: 8FD4D5228CC6A58077E49C467AF4099AE1CD3B84
SHA256: 94F3464AB83376C5D68F57EA2BAD349762274353E474B476C2FDAE23CA4F9057
SSDEEP: 24576:J1mzau3Q5JT1bAJCQ940hCqiXr0MSm0y46Tuk1XxmTGIhgWHHZv0diDE8ZV:+zau3MpCCq4i6r0MSm0yx1Xx6hZHHZvx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3628)
      • [Cracked By Grizzly] BLTools.exe (PID: 1248)
      • [Cracked By Grizzly] BLTools.exe (PID: 3868)
      • [Cracked By Grizzly] BLTools.exe (PID: 3696)
    • Application was dropped or rewritten from another process

      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2432)
      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2604)
      • [Cracked By Grizzly] BLTools.exe (PID: 3868)
      • [Cracked By Grizzly] BLTools.exe (PID: 1248)
      • [Cracked By Grizzly] BLTools Activator.exe (PID: 3896)
      • [Cracked By Grizzly] BLTools.exe (PID: 3696)
    • Changes the autorun value in the registry

      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2432)
    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2952)
      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2432)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2952)
      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2604)
      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2432)
      • [Cracked By Grizzly] BLTools.exe (PID: 3868)
      • [Cracked By Grizzly] BLTools.exe (PID: 3696)
      • [Cracked By Grizzly] BLTools Activator.exe (PID: 3896)
      • [Cracked By Grizzly] BLTools.exe (PID: 1248)
    • Reads the computer name

      • WinRAR.exe (PID: 2952)
      • [Cracked By Grizzly] BLTools.exe (PID: 3868)
      • [Cracked By Grizzly] BLTools.exe (PID: 1248)
      • [Cracked By Grizzly] BLTools.exe (PID: 3696)
    • Executable content was dropped or overwritten

      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2432)
      • WinRAR.exe (PID: 2952)
    • Creates files in the program directory

      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2432)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2952)
      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2432)
    • Starts itself from another location

      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2432)
  • INFO

    • Manual execution by user

      • [Cracked By Grizzly] BLTools.exe (PID: 3868)
      • [Cracked By Grizzly] BLTools Activator.exe (PID: 2432)
      • [Cracked By Grizzly] BLTools Activator.exe (PID: 3896)
      • [Cracked By Grizzly] BLTools.exe (PID: 1248)
      • [Cracked By Grizzly] BLTools.exe (PID: 3696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 8
Malicious processes: 6
Suspicious processes: 0

Behavior graph

The interactive graph is available in the full report. Node labels, in the order shown: start, drop and start, winrar.exe, searchprotocolhost.exe (no specs), [cracked by grizzly] bltools activator.exe, [cracked by grizzly] bltools activator.exe (no specs), [cracked by grizzly] bltools.exe, [cracked by grizzly] bltools.exe, [cracked by grizzly] bltools activator.exe (no specs), [cracked by grizzly] bltools.exe

Process information (per process: PID, command line, path, parent process, then details and loaded modules)

PID: 2952
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BlTools Cracked.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3628
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2432
CMD: "C:\Users\admin\Desktop\BlTools Cracked\[Cracked By Grizzly] BLTools Activator.exe"
Path: C:\Users\admin\Desktop\BlTools Cracked\[Cracked By Grizzly] BLTools Activator.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\bltools cracked\[cracked by grizzly] bltools activator.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 2604
CMD: "C:\ProgramData\[Cracked By Grizzly] BLTools Activator\[Cracked By Grizzly] BLTools Activator.exe" --run
Path: C:\ProgramData\[Cracked By Grizzly] BLTools Activator\[Cracked By Grizzly] BLTools Activator.exe
Parent process: [Cracked By Grizzly] BLTools Activator.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\programdata\[cracked by grizzly] bltools activator\[cracked by grizzly] bltools activator.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

PID: 3868
CMD: "C:\Users\admin\Desktop\BlTools Cracked\[Cracked By Grizzly] BLTools.exe"
Path: C:\Users\admin\Desktop\BlTools Cracked\[Cracked By Grizzly] BLTools.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: BLTools
Exit code: 3762504530
Version: 1.5.2.0
Modules (images):
c:\users\admin\desktop\bltools cracked\[cracked by grizzly] bltools.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 1248
CMD: "C:\Users\admin\Desktop\BlTools Cracked\[Cracked By Grizzly] BLTools.exe"
Path: C:\Users\admin\Desktop\BlTools Cracked\[Cracked By Grizzly] BLTools.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: BLTools
Exit code: 3762504530
Version: 1.5.2.0
Modules (images):
c:\users\admin\desktop\bltools cracked\[cracked by grizzly] bltools.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3896
CMD: "C:\Users\admin\Desktop\BlTools Cracked\[Cracked By Grizzly] BLTools Activator.exe"
Path: C:\Users\admin\Desktop\BlTools Cracked\[Cracked By Grizzly] BLTools Activator.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\bltools cracked\[cracked by grizzly] bltools activator.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

PID: 3696
CMD: "C:\Users\admin\Desktop\BlTools Cracked\[Cracked By Grizzly] BLTools.exe"
Path: C:\Users\admin\Desktop\BlTools Cracked\[Cracked By Grizzly] BLTools.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: BLTools
Version: 1.5.2.0
Modules (images):
c:\users\admin\desktop\bltools cracked\[cracked by grizzly] bltools.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Total events: 1 915
Read events: 1 890
Write events: 25
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(2952) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
(2952) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
(2952) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | en-US
(2952) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(2952) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(2952) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\BlTools Cracked.rar
(2952) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(2952) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(2952) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
(2952) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
Executable files: 6
Suspicious files: 0
Text files: 4
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35150\BlTools Cracked\AlphaFS.dll | executable | D76ADD65B204F5C07A9DD9A51B8C3F81 | 63EE98FD3D184ADEA59AEF7B99A1156250BA6FE90371EA5DB4BCF331431E60CA
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35150\BlTools Cracked\Extreme.Net.dll | executable | 7DD917A7FB7DEFCC168E7D46CF07B7DA | 21A457EED7A2E3E32A9E550082917F07B421799FCDA8EE4E0BD3EB2FF1E3B0EF
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35150\BlTools Cracked\AlphaFS.lib | obj | 8B9B4D97CED97253935540B880CF4EDD | 1AEF9DC1C147EFF5B2407CA3C7456DB609FD2A85C203F31E5707348FE0D99321
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35150\BlTools Cracked\Read me.txt | text | 9D5DA26923947479987D6D0C222ED6B9 | EA244354A3388232A35C1E8DBA1377D6742361188B61D64AA030D13793549F6F
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35150\BlTools Cracked\[Cracked By Grizzly] BLTools Activator.exe | executable | F8014A557CBD6A0356E82A6634D1D285 | 1E08D8D779B313DB9EF8539261BFD33E4FA24CAFDD213E8D9C9B576E5F8FC777
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35150\BlTools Cracked\Extreme.Net.lib | obj | E7409215270EA2EBD8DD18905935B397 | 2ACAD9AB864A5E17C068491DC088965C3AF20C12A02E7F8732E1A26A065B1F3F
2432 | [Cracked By Grizzly] BLTools Activator.exe | C:\ProgramData\[Cracked By Grizzly] BLTools Activator\[Cracked By Grizzly] BLTools Activator.exe | executable | F8014A557CBD6A0356E82A6634D1D285 | 1E08D8D779B313DB9EF8539261BFD33E4FA24CAFDD213E8D9C9B576E5F8FC777
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35150\BlTools Cracked\Settings.ini | text | 1EDBCE62BCAB359F0C7104CB690829AF | 94E21D10F06A353692AF6638835008B80E4581C99DD19EEC68270C0655F7DDEE
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35150\BlTools Cracked\Service.h | text | 490A62B93A8A016E4C306459F3E32833 | 1FFDECA0AB3142EF1142FE2103ADC4C88193221A3E8F7F1D58F2990FDAD3E0EB
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2952.35150\BlTools Cracked\[Cracked By Grizzly] BLTools.exe | executable | ADBE188BDEB56E9DE21EB22840CB1ECC | 30634E675EDDB8A0B953DAC342B0B93958809BDAF3577F85A46C4D5D4E3EA539
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info