File name:

OpenRGB_0.9_Windows_32_b5f46e3.zip

Full analysis: https://app.any.run/tasks/7f9c82b8-e5dc-4c7c-9ddd-fb1d77228f39
Verdict: Malicious activity
Analysis date: October 26, 2023, 14:32:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

51C1D9BA512D33F466CB1635E38D6B1F

SHA1:

5D3CD1EE5E9D37865FE1CBFFDFA3B49C9C4F8077

SHA256:

983CC04BC14FCB824E8075C23BD9A39642B632C84784510FF81DD8FDD84331B4

SSDEEP:

98304:YwETIJIZNPD9zs14zgoSNgdUTWDpUpdy+znGrrChQ8PhiwpZGYjrje3UovGiMZIs:Lfk60UdDtmt0mW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • OpenRGB.exe (PID: 1888)
    • Loads dropped or rewritten executable

      • OpenRGB.exe (PID: 1888)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 1372)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1372)
    • Manual execution by a user

      • OpenRGB.exe (PID: 1888)
    • Checks supported languages

      • OpenRGB.exe (PID: 1888)
    • Reads the computer name

      • OpenRGB.exe (PID: 1888)
    • Reads the machine GUID from the registry

      • OpenRGB.exe (PID: 1888)
    • Creates files or folders in the user directory

      • OpenRGB.exe (PID: 1888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0800
ZipCompression: None
ZipModifyDate: 2023:07:10 04:51:44
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: OpenRGB Windows 32-bit/
No data.
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Processes in the graph: winrar.exe (no specs), searchprotocolhost.exe (no specs), openrgb.exe (no specs)

Process information

PID: 844
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Indicators: none
Parent process: SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1372
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OpenRGB_0.9_Windows_32_b5f46e3.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: none
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1888
CMD: "C:\Users\admin\Desktop\OpenRGB Windows 32-bit\OpenRGB.exe"
Path: C:\Users\admin\Desktop\OpenRGB Windows 32-bit\OpenRGB.exe
Indicators: none
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
0.9.0.0
Modules
Images
c:\users\admin\desktop\openrgb windows 32-bit\openrgb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
Total events
5 867
Read events
5 838
Write events
28
Delete events
1

Modification events

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1888) OpenRGB.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Explorer.EXE

(PID) Process: (1888) OpenRGB.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
Executable files
15
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID: 1372
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\OpenRazer.dll
Type: executable
MD5: B36AA6C32E4424B13470B8394E193FF5
SHA256: 09090B5E2214CB9D0CC7E0445C263603893DBD90AE8E02FB003F2673C888D597

PID: 1372
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\WinRing0.dll
Type: executable
MD5: 3EFA8F1865595EBE1DD415025BF17D8F
SHA256: 8EDB4338883CB12D730EA1827C8E232B4A1562E207C5AF26B0D8D86E4B3F2269

PID: 1372
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\WinRing0.sys
Type: executable
MD5: 845AF1BA23C8D5E64DEF61BCC441604C
SHA256: 206EE7A7C3F4D9496F742CCB84718F556ECB4BA2A95FE7E0CDF3A003FFBE4597

PID: 1372
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\OpenRGB.exe
Type: executable
MD5: 6773DED4A68259FF075899B7176A93BC
SHA256: B28C1F532028EC0E58EBA69C192BA8E1915C862094E7FE22276DDF3D95A63117

PID: 1372
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\imageformats\qgif.dll
Type: executable
MD5: A7D24E2226FF09208E22FC6F70BF0DE7
SHA256: 6356257682FB64D28AD68DEBEA96E1A0104C273E8838953459A110933F0A84BE

PID: 1888
Process: OpenRGB.exe
Filename: C:\Users\admin\AppData\Roaming\OpenRGB\OpenRGB.json
Type: binary
MD5: DBE20E7D179E00843EF10CB71E7E770D
SHA256: A01DF43817C7EB85A05A86A9FF1E4C8149B684EF2CA0FD34E7FAECDE75FAD408

PID: 1372
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\Qt5Core.dll
Type: executable
MD5: 80A95EAC18B0D41D393B3F72CF03CCE0
SHA256: 2059AE8AF9B3ADC40E3FBAC46EDCE469A5A3340B1A42C0E2B0F79FCFAB838ED2

PID: 1372
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\imageformats\qico.dll
Type: executable
MD5: A7C0175BFE4B8A3915C4A204F20D7264
SHA256: 8CF7FC943170701E89EB9D52F8B777846B00D69F7BA2AD96AAE891269BDC00BF

PID: 1372
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\libusb-1.0.dll
Type: executable
MD5: 8F0AF7C309AFFC8AECA63871A145249A
SHA256: ED6699BE4A8894B31FD36D7508DBBF9A865D8D3343F320FCB19617164F63C00B

PID: 1372
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\styles\qwindowsvistastyle.dll
Type: executable
MD5: 355B1D5FE2613C1CBF74D3B6F7C6C415
SHA256: 2B7BAAB53240A523BA7CD405EE36D8F50A0E64E7E0F81DF463D983E60ABC7E1C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID: 4
Process: System
IP: 192.168.100.255:138
Domain: -
ASN: -
CN: -
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Domain: -
ASN: -
CN: -
Reputation: whitelisted

PID: 2656
Process: svchost.exe
IP: 239.255.255.250:1900
Domain: -
ASN: -
CN: -
Reputation: whitelisted

PID: 1088
Process: svchost.exe
IP: 224.0.0.252:5355
Domain: -
ASN: -
CN: -
Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info