File name: OpenRGB_0.9_Windows_32_b5f46e3.zip

Full analysis: https://app.any.run/tasks/7f9c82b8-e5dc-4c7c-9ddd-fb1d77228f39
Verdict: Malicious activity
Analysis date: October 26, 2023, 14:32:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 51C1D9BA512D33F466CB1635E38D6B1F
SHA1: 5D3CD1EE5E9D37865FE1CBFFDFA3B49C9C4F8077
SHA256: 983CC04BC14FCB824E8075C23BD9A39642B632C84784510FF81DD8FDD84331B4
SSDEEP: 98304:YwETIJIZNPD9zs14zgoSNgdUTWDpUpdy+znGrrChQ8PhiwpZGYjrje3UovGiMZIs:Lfk60UdDtmt0mW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • OpenRGB.exe (PID: 1888)
    • Application was dropped or rewritten from another process

      • OpenRGB.exe (PID: 1888)
  • SUSPICIOUS

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 1372)
  • INFO

    • Creates files or folders in the user directory

      • OpenRGB.exe (PID: 1888)
    • Manual execution by a user

      • OpenRGB.exe (PID: 1888)
    • Checks supported languages

      • OpenRGB.exe (PID: 1888)
    • Reads the computer name

      • OpenRGB.exe (PID: 1888)
    • Reads the machine GUID from the registry

      • OpenRGB.exe (PID: 1888)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1372)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0800
ZipCompression: None
ZipModifyDate: 2023:07:10 04:51:44
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: OpenRGB Windows 32-bit/
No data.
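The static fields above (version 2.0 required to extract, stored data with no compression, general-purpose bit flag 0x0800, a zero CRC on the directory entry) and the signatures at the top of the report together describe what extracting and running an archive that bundles executables and a kernel driver looks like: WinRAR extracting a .sys file triggers "Drops a system driver", and the extracted program loading the DLLs unpacked beside it triggers "Loads dropped or rewritten executable". OpenRGB is an open-source project whose Windows builds ship a driver for low-level hardware access (the report does not name the file), so the practical check is to confirm the archive is the release the project published (compare the SHA256 above with the project's published hash) and to enumerate what it contains before extracting anything. The script below is an added example of that offline enumeration, written for this page and not code from ANY.RUN or the OpenRGB project. It uses only the Python standard library and inspects a constructed in-memory archive: the driver name sample_driver.sys and the "../evil.dll" member are assumptions added to exercise the checks. It reports the same header fields the EXIF block shows, classifies members by what they would put on disk, and flags names that would escape the extraction folder.

```python
"""Offline triage of a downloaded ZIP before anything in it is run.

Added example; not ANY.RUN's or the OpenRGB project's code. Standard library
only. The archive inspected here is CONSTRUCTED in memory so the script runs
offline; its member names mirror the report's layout, but the driver file
name is an assumption (the report says a driver was dropped, not what it was
called) and the '../evil.dll' member is added only to exercise the name check.
"""
import hashlib
import io
import posixpath
import zipfile

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".cpl", ".ocx"}
DRIVER_EXT = {".sys"}

# General-purpose bit flags read from the ZIP central directory.
FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008
FLAG_UTF8_NAMES = 0x0800   # the 0x0800 shown in the report's EXIF block


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the whole archive, the values a report lists."""
    return {algo: hashlib.new(algo, data).hexdigest().upper()
            for algo in ("md5", "sha1", "sha256")}


def classify(member: zipfile.ZipInfo) -> str:
    """Bucket a member by what extracting it would put on disk."""
    if member.is_dir():
        return "directory"
    ext = posixpath.splitext(member.filename)[1].lower()
    if ext in DRIVER_EXT:
        return "driver"
    if ext in EXECUTABLE_EXT:
        return "executable"
    return "other"


def escapes_extraction_root(name: str) -> bool:
    """True for names that would land outside the target folder (zip-slip)."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return (norm.startswith("/") or norm == ".." or norm.startswith("../")
            or (len(name) > 1 and name[1] == ":"))


def inspect_archive(data: bytes) -> dict:
    """Enumerate the archive from its central directory without extracting it."""
    if data[:4] != b"PK\x03\x04":
        raise ValueError("no ZIP local file header at offset 0")
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            members.append({
                "name": zi.filename,
                "kind": classify(zi),
                "required_version": zi.extract_version,  # 20 == "at least v2.0 to extract"
                "flags": zi.flag_bits,
                "encrypted": bool(zi.flag_bits & FLAG_ENCRYPTED),
                "utf8_names": bool(zi.flag_bits & FLAG_UTF8_NAMES),
                "compression": zi.compress_type,        # 0 == stored, shown as "None"
                "crc": zi.CRC,                          # 0 for an empty/directory entry
                "size": zi.file_size,
                "escapes_root": escapes_extraction_root(zi.filename),
                "sha256": None if zi.is_dir()
                          else hashlib.sha256(zf.read(zi)).hexdigest().upper(),
            })
    return {
        "hashes": file_hashes(data),
        "members": members,
        "executables": sum(m["kind"] == "executable" for m in members),
        "drivers": [m["name"] for m in members if m["kind"] == "driver"],
        "unsafe_names": [m["name"] for m in members if m["escapes_root"]],
    }


def build_sample_archive() -> bytes:
    """Constructed stand-in for the analysed ZIP; file bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("OpenRGB Windows 32-bit/", b"")
        zf.writestr("OpenRGB Windows 32-bit/OpenRGB.exe", b"MZ placeholder")
        zf.writestr("OpenRGB Windows 32-bit/Qt5Core.dll", b"MZ placeholder")
        zf.writestr("OpenRGB Windows 32-bit/sample_driver.sys", b"MZ placeholder")  # assumed name
        zf.writestr("../evil.dll", b"MZ placeholder")   # zip-slip style name, for the check
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_archive(build_sample_archive())
    print("archive hashes:", report["hashes"])
    for m in report["members"]:
        print(f'{m["kind"]:10} v{m["required_version"]} flags=0x{m["flags"]:04x} '
              f'crc=0x{m["crc"]:08x} {m["name"]}')
    print("drivers:", report["drivers"])
    print("names escaping the extraction root:", report["unsafe_names"])
```

Run it against a real download by replacing build_sample_archive() with the bytes of the file; the whole-file SHA256 it prints is the value to compare with the project's published release hash, and a non-empty drivers list is exactly the condition behind the "Drops a system driver" signature, which is expected for this package and not by itself evidence of malice.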
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start: winrar.exe (no specs), searchprotocolhost.exe (no specs), openrgb.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 844
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1372
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OpenRGB_0.9_Windows_32_b5f46e3.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1888
CMD: "C:\Users\admin\Desktop\OpenRGB Windows 32-bit\OpenRGB.exe"
Path: C:\Users\admin\Desktop\OpenRGB Windows 32-bit\OpenRGB.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
0.9.0.0
Modules
Images
c:\users\admin\desktop\openrgb windows 32-bit\openrgb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
Total events: 5 867
Read events: 5 838
Write events: 28
Delete events: 1

Modification events

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1888) OpenRGB.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Explorer.EXE

(PID) Process: (1888) OpenRGB.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
Executable files: 15
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type (the MD5 and SHA256 of each file follow it)
PID 1888, OpenRGB.exe, type binary:
C:\Users\admin\AppData\Roaming\OpenRGB\logs\OpenRGB_20231026_153240.log
MD5:ACB9A9913B2F5338E02C9A57A990A1DE
SHA256:FCC332BD22BA33EC090F3F2FF120838D09B1F7307AE7E73051BE94FA423D7021
PID 1372, WinRAR.exe, type executable:
C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\Qt5Gui.dll
MD5:DF758556C1235D3A7E0CFAC2E060A465
SHA256:A383BC6B268D1E1B344414DDBDD400843649C61AD45C6018CA81EC0EF535B0DD
PID 1372, WinRAR.exe, type executable:
C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\Qt5Widgets.dll
MD5:CD41B766612B7B65DF6F062A405A33FB
SHA256:BF37AB90776BA011EF345913EBF5BC1176B651B846F0288B6A25716E676D82A5
PID 1372, WinRAR.exe, type executable:
C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\imageformats\qico.dll
MD5:A7C0175BFE4B8A3915C4A204F20D7264
SHA256:8CF7FC943170701E89EB9D52F8B777846B00D69F7BA2AD96AAE891269BDC00BF
PID 1372, WinRAR.exe, type executable:
C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\hidapi.dll
MD5:F58A8C6BEECC50988AD30A6796D8382C
SHA256:44553A3366EF1F17302D9C0D76D71FCF1AAA58011332DAA0AF0B7FCEE1E991DB
PID 1372, WinRAR.exe, type executable:
C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\Qt5Core.dll
MD5:80A95EAC18B0D41D393B3F72CF03CCE0
SHA256:2059AE8AF9B3ADC40E3FBAC46EDCE469A5A3340B1A42C0E2B0F79FCFAB838ED2
PID 1372, WinRAR.exe, type executable:
C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\styles\qwindowsvistastyle.dll
MD5:355B1D5FE2613C1CBF74D3B6F7C6C415
SHA256:2B7BAAB53240A523BA7CD405EE36D8F50A0E64E7E0F81DF463D983E60ABC7E1C
PID 1372, WinRAR.exe, type executable:
C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\libusb-1.0.dll
MD5:8F0AF7C309AFFC8AECA63871A145249A
SHA256:ED6699BE4A8894B31FD36D7508DBBF9A865D8D3343F320FCB19617164F63C00B
PID 1372, WinRAR.exe, type executable:
C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\imageformats\qgif.dll
MD5:A7D24E2226FF09208E22FC6F70BF0DE7
SHA256:6356257682FB64D28AD68DEBEA96E1A0104C273E8838953459A110933F0A84BE
PID 1372, WinRAR.exe, type executable:
C:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\platforms\qwindows.dll
MD5:1E6793D71EB9DEB7AD943AABBBB17240
SHA256:6B9E0CC5F72B8FDDD16AE0EF7A14E64BC0EAFCDB4D5F74B2C12194241D66407D
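Read together, the records show that every PE file was written by WinRAR (PID 1372) into its Rar$DR... temporary staging folder, that is, the archive's own contents on their way to the Desktop, while OpenRGB.exe (PID 1888) wrote only its log file under the roaming profile. The "Loads dropped or rewritten executable" signature therefore refers to OpenRGB.exe loading the DLLs unpacked beside it, not to a second-stage payload written by the program. The parser below is an added example, written for this page and not ANY.RUN's code, of turning such records into that per-process attribution and into a SHA256 pivot list for checking the extracted DLLs against the project's release. Its input is a subset of the records above copied verbatim; the assumption that each record line is PID, process name, path and type run together without separators is mine, made from how the page rendered them.

```python
"""Attribute sandbox 'Dropped files' records to the process that wrote them.

Added example; not ANY.RUN's code. Standard library only. SAMPLE_RECORDS is a
constructed subset of the report's records (copied as printed); the parsing
rule (PID + process name + path + type fused on one line, hashes on the
following lines) is an assumption about that rendering.
"""
import re
from collections import defaultdict

SAMPLE_RECORDS = r"""
1888OpenRGB.exeC:\Users\admin\AppData\Roaming\OpenRGB\logs\OpenRGB_20231026_153240.logbinary
MD5:ACB9A9913B2F5338E02C9A57A990A1DE
SHA256:FCC332BD22BA33EC090F3F2FF120838D09B1F7307AE7E73051BE94FA423D7021
1372WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\Qt5Gui.dllexecutable
MD5:DF758556C1235D3A7E0CFAC2E060A465
SHA256:A383BC6B268D1E1B344414DDBDD400843649C61AD45C6018CA81EC0EF535B0DD
1372WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1372.23863\OpenRGB Windows 32-bit\hidapi.dllexecutable
MD5:F58A8C6BEECC50988AD30A6796D8382C
SHA256:44553A3366EF1F17302D9C0D76D71FCF1AAA58011332DAA0AF0B7FCEE1E991DB
"""

# <pid><process>.exe<drive>:\<path><type>  (assumed layout of a fused record line)
RECORD_RE = re.compile(
    r"^(?P<pid>\d+)(?P<proc>\S+?\.exe)(?P<path>[A-Za-z]:\\.+?)(?P<type>executable|binary|text)$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA256):(?P<hex>[0-9A-Fa-f]+)$")


def parse_dropped_files(text: str) -> list:
    """Return one dict per dropped file: pid, proc, path, type, md5, sha256."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            records.append(rec)
            continue
        h = HASH_RE.match(line)
        if h and records:                       # hash lines belong to the preceding record
            records[-1][h["algo"].lower()] = h["hex"].upper()
    return records


def location(path: str) -> str:
    """Coarse label for where on disk a drop landed."""
    low = path.lower()
    if "\\appdata\\local\\temp\\rar$" in low:
        return "archiver temp staging"          # WinRAR's Rar$... folder: archive contents being unpacked
    if "\\appdata\\roaming\\" in low:
        return "roaming profile"
    if "\\desktop\\" in low:
        return "desktop"
    return "other"


def attribute_drops(records: list) -> dict:
    """Per process: how many executables vs other files it wrote, and where."""
    per_process = defaultdict(lambda: {"executable": 0, "non_executable": 0, "locations": set()})
    for r in records:
        key = f'{r["proc"]} (PID {r["pid"]})'
        bucket = "executable" if r["type"] == "executable" else "non_executable"
        per_process[key][bucket] += 1
        per_process[key]["locations"].add(location(r["path"]))
    return dict(per_process)


def executables_not_from_archiver(records: list, archiver: str = "WinRAR.exe") -> list:
    """PE files written by anything other than the archive extractor: the drops that
    would turn 'loads dropped executable' from expected unpacking into a real finding."""
    return [r["path"] for r in records if r["type"] == "executable" and r["proc"] != archiver]


def hash_pivots(records: list) -> dict:
    """SHA256 -> file name, for comparing against the project's release files."""
    return {r["sha256"]: r["path"].rsplit("\\", 1)[-1] for r in records if "sha256" in r}


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_RECORDS)
    for proc, summary in attribute_drops(recs).items():
        print(proc, summary)
    print("executables not written by the archiver:", executables_not_from_archiver(recs))
    print("hash pivots:", hash_pivots(recs))
```

On the full record list above the same logic yields nine executables for WinRAR.exe, all in the staging folder, and one non-executable for OpenRGB.exe; an empty result from executables_not_from_archiver is the property worth asserting in any automated triage of reports like this one.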
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Reputation (the Domain, ASN and CN columns are empty for every row)
4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
2656 | svchost.exe | 239.255.255.250:1900 | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | unknown

All four are local broadcast or multicast traffic from Windows components (NetBIOS name and datagram service on 137/138, SSDP on 1900, LLMNR on 5355); none originates from OpenRGB.exe (PID 1888).

DNS requests

No data

Threats

No threats detected
No debug info