File name:

4Shared Cracker V1.rar

Full analysis: https://app.any.run/tasks/a7d68869-85e7-4230-9716-36e63cca4aaf
Verdict: Malicious activity
Analysis date: September 01, 2024, 13:15:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
crypto-regex
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

88E2A021D53B7B74D00DDBFCA68EF4D1

SHA1:

D55178B212F2DD38A7FB7B4710D0A7D142CB00F3

SHA256:

9899FF3034DC223433897000E9C7AF565B62EFB10354A812FEE42FB340681B80

SSDEEP:

49152:EKHybdzJGl+c6ybDHJ6pYNfdK58+g62Q1PmC/WgVh9SMTuHSd83jwKuhTW/0mx8P:VQzJ63H0pKWg62Q1PHOWhMIdhTW/Ze3f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • Launcher.exe (PID: 2384)
    • Changes the autorun value in the registry

      • Launcher.exe (PID: 2384)
    • Create files in the Startup directory

      • Launcher.exe (PID: 2384)
  • SUSPICIOUS

    • Write to the desktop.ini file (may be used to cloak folders)

      • WinRAR.exe (PID: 7052)
    • Script adds exclusion path to Windows Defender

      • Launcher.exe (PID: 2384)
    • Reads security settings of Internet Explorer

      • 4Shared Cracker V1.exe (PID: 6276)
      • Launcher.exe (PID: 2384)
      • Windows Services.exe (PID: 2080)
    • Reads the date of Windows installation

      • 4Shared Cracker V1.exe (PID: 6276)
      • Windows Services.exe (PID: 2080)
      • Launcher.exe (PID: 2384)
    • The process creates files with name similar to system file names

      • Launcher.exe (PID: 2384)
    • Executable content was dropped or overwritten

      • Launcher.exe (PID: 2384)
    • Drops the executable file immediately after the start

      • Launcher.exe (PID: 2384)
    • Starts POWERSHELL.EXE for commands execution

      • Launcher.exe (PID: 2384)
    • Found regular expressions for crypto-addresses (YARA)

      • Runtime Explorer.exe (PID: 6488)
  • INFO

    • The process uses the downloaded file

      • WinRAR.exe (PID: 7052)
      • 4Shared Cracker V1.exe (PID: 6276)
      • Launcher.exe (PID: 2384)
      • Windows Services.exe (PID: 2080)
      • powershell.exe (PID: 6464)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7052)
    • Manual execution by a user

      • 4Shared Cracker V1.exe (PID: 6276)
      • notepad.exe (PID: 2400)
    • Reads the computer name

      • 4Shared Cracker V1.exe (PID: 6276)
      • Windows Services.exe (PID: 2080)
      • sys.exe (PID: 3316)
      • Secure System Shell.exe (PID: 2008)
      • Runtime Explorer.exe (PID: 6488)
      • Launcher.exe (PID: 2384)
    • Reads the machine GUID from the registry

      • 4Shared Cracker V1.exe (PID: 6276)
      • Launcher.exe (PID: 2384)
      • sys.exe (PID: 3316)
      • Windows Services.exe (PID: 2080)
      • Secure System Shell.exe (PID: 2008)
    • Checks supported languages

      • 4Shared Cracker V1.exe (PID: 6276)
      • Launcher.exe (PID: 2384)
      • sys.exe (PID: 3316)
      • Windows Services.exe (PID: 2080)
      • Runtime Explorer.exe (PID: 6488)
      • Secure System Shell.exe (PID: 2008)
    • Process checks computer location settings

      • 4Shared Cracker V1.exe (PID: 6276)
      • Windows Services.exe (PID: 2080)
      • Launcher.exe (PID: 2384)
    • Creates files or folders in the user directory

      • Launcher.exe (PID: 2384)
    • Create files in a temporary directory

      • Runtime Explorer.exe (PID: 6488)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6464)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6464)
    • Reads Environment values

      • Runtime Explorer.exe (PID: 6488)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 2400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes
147
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

Processes in the graph (from the start node):
  • winrar.exe
  • rundll32.exe (no specs)
  • 4shared cracker v1.exe (no specs)
  • launcher.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • sys.exe
  • windows services.exe (no specs)
  • secure system shell.exe (no specs)
  • runtime explorer.exe (THREAT, no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe (no specs)
  • notepad.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1448
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 1840
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2008
CMD: "C:\Windows\IMF\Secure System Shell.exe"
Path: C:\Windows\IMF\Secure System Shell.exe
Parent process: Windows Services.exe
User:
admin
Integrity Level:
HIGH
Description:
Secure System Shell
Version:
1.0.0.0
Modules
Images
c:\windows\imf\secure system shell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2080
CMD: "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
Path: C:\Windows\IMF\Windows Services.exe
Parent process: Launcher.exe
User:
admin
Integrity Level:
HIGH
Description:
Windows Services
Version:
1.0.0.0
Modules
Images
c:\windows\imf\windows services.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2384
CMD: "C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\Launcher.exe"
Path: C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\Launcher.exe
Parent process: 4Shared Cracker V1.exe
User:
admin
Integrity Level:
HIGH
Description:
Launcher
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\4shared cracker v1\dll library\launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2400
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\4Shared Cracker V1\Results\hits.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 3316
CMD: "C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\sys.exe"
Path: C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\sys.exe
Parent process: 4Shared Cracker V1.exe
User:
admin
Company:
Crackingsat.Com
Integrity Level:
HIGH
Description:
Rapidbaz Cracker
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\4shared cracker v1\dll library\sys.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6276
CMD: "C:\Users\admin\Desktop\4Shared Cracker V1\4Shared Cracker V1.exe"
Path: C:\Users\admin\Desktop\4Shared Cracker V1\4Shared Cracker V1.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Launcher
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\4shared cracker v1\4shared cracker v1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6464
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Launcher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6488
CMD: "C:\Windows\IMF\Runtime Explorer.exe"
Path: C:\Windows\IMF\Runtime Explorer.exe
Parent process: Windows Services.exe
User:
admin
Company:
Microsoft Windows
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\imf\runtime explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events
19 127
Read events
19 085
Write events
42
Delete events
0

Modification events

(PID) Process: (7052) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (7052) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (7052) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (7052) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\4Shared Cracker V1.rar

(PID) Process: (7052) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (7052) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (7052) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (7052) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (7052) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\Desktop

(PID) Process: (6276) 4Shared Cracker V1.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files
16
Suspicious files
5
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7052 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\4Shared Cracker V1\4Shared Cracker V1.exe | Type: executable
MD5: E5022266E5CBA902AC2A37DB2A65594B
SHA256: B9299D69379432C2586159B021AE7A93C62C194C01A9A6ADA7BB24D6E5FB4257

PID: 7052 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\MetroFramework.Fonts.dll | Type: executable
MD5: 65EF4B23060128743CEF937A43B82AA3
SHA256: C843869AACA5135C2D47296985F35C71CA8AF4431288D04D481C4E46CC93EE26

PID: 7052 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\Ionic.Zip.dll | Type: executable
MD5: F6933BF7CEE0FD6C80CDF207FF15A523
SHA256: 17BB0C9BE45289A2BE56A5F5A68EC9891D7792B886E0054BC86D57FE84D01C89

PID: 7052 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\MetroFramework.Design.dll | Type: executable
MD5: AB4C3529694FC8D2427434825F71B2B8
SHA256: 0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65

PID: 7052 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\MetroFramework.dll | Type: executable
MD5: 34EA7F7D66563F724318E322FF08F4DB
SHA256: C2C12D31B4844E29DE31594FC9632A372A553631DE0A0A04C8AF91668E37CF49

PID: 7052 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\4Shared Cracker V1\MetroFramework.Design.dll | Type: executable
MD5: AB4C3529694FC8D2427434825F71B2B8
SHA256: 0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65

PID: 7052 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\sys.exe | Type: executable
MD5: A8FEE8F535C073BEC67A9E240E0EFEF7
SHA256: 583112111EC2038D31BD2FC1A6A1F2B77E9CA0306FBF957FFFCFE491E082FB90

PID: 7052 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\Launcher.exe | Type: executable
MD5: C6D4C881112022EB30725978ECD7C6EC
SHA256: 0D87B9B141A592711C52E7409EC64DE3AB296CDDC890BE761D9AF57CEA381B32

PID: 7052 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\4Shared Cracker V1\dll Library\Scan Results.txt | Type: text
MD5: F2F4FE7326B9272C91D7AC29A845DBE4
SHA256: FAFF4A8624535628227C46CA32CD29B2DFBD5614767A794FAB0682DCEA63BE0E

PID: 7052 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\4Shared Cracker V1\MetroFramework.Fonts.dll | Type: executable
MD5: 65EF4B23060128743CEF937A43B82AA3
SHA256: C843869AACA5135C2D47296985F35C71CA8AF4431288D04D481C4E46CC93EE26
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
47
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2036
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5244
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5244
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
608
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6208
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
608
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2036
svchost.exe
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2036
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.134
  • 40.126.32.140
  • 40.126.32.133
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.136
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
www.bing.com
  • 2.23.209.176
  • 2.23.209.177
  • 2.23.209.179
  • 2.23.209.140
  • 2.23.209.182
  • 2.23.209.158
  • 2.23.209.150
  • 2.23.209.185
  • 2.23.209.149
whitelisted
r.bing.com
  • 2.23.209.176
  • 2.23.209.177
  • 2.23.209.189
  • 2.23.209.133
  • 2.23.209.187
  • 2.23.209.179
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.185
whitelisted

Threats

No threats detected
No debug info