File name: Advanced BAT to EXE Converter PRO v2.83 _ Keygen.rar.zip

Full analysis: https://app.any.run/tasks/6c34a3f8-e83b-45cb-943f-114ac354c9d4
Verdict: Malicious activity
Analysis date: August 02, 2022, 12:10:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 6E4EE3BBA46665452EFE7B8463695D54
SHA1: 05656764AC06CAEF7A3BBFE9BFBF19A7D66787CE
SHA256: ADCC83251EFD9F82228E452F7325EA42B791BE9A4CA73572334B5BE2FB8078B9
SSDEEP: 24576:tjJSFn2OBu2FLwKNEUEOpSaWcAQl674mEH/ssvKa3:LSFfu2FEKCUtptWcAC6GHEu33

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • advbattoexepro.exe (PID: 1292)
      • advbattoexepro.exe (PID: 3408)
      • setupinf.exe (PID: 2212)
      • Keygen.exe (PID: 2440)
      • aB2Econv.exe (PID: 1804)
      • activate.exe (PID: 328)
      • activate.exe (PID: 1888)
      • ab2econv.exe (PID: 604)
      • gfksopqm.exe (PID: 3540)
      • Twitch.exe (PID: 900)
      • aB2Econv.exe (PID: 3160)
      • aB2Econv.exe (PID: 2676)
    • Drops an executable file immediately after start

      • WinRAR.exe (PID: 3120)
      • WinRAR.exe (PID: 1816)
      • advbattoexepro.exe (PID: 3408)
      • ab2econv.exe (PID: 604)
      • gfksopqm.exe (PID: 3540)
    • Loads dropped or rewritten executable

      • advbattoexepro.exe (PID: 3408)
      • aB2Econv.exe (PID: 1804)
      • ab2econv.exe (PID: 604)
      • aB2Econv.exe (PID: 3160)
      • aB2Econv.exe (PID: 2676)
    • Writes to a start menu file

      • cmd.exe (PID: 2952)
    • Disables Windows System Restore

      • reg.exe (PID: 2772)
    • Actions look like stealing of personal data

      • powershell.exe (PID: 1432)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3120)
      • WinRAR.exe (PID: 1816)
      • advbattoexepro.exe (PID: 3408)
      • ab2econv.exe (PID: 604)
      • gfksopqm.exe (PID: 3540)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3120)
      • advbattoexepro.exe (PID: 3408)
      • WinRAR.exe (PID: 1816)
      • ab2econv.exe (PID: 604)
      • gfksopqm.exe (PID: 3540)
    • Checks supported languages

      • WinRAR.exe (PID: 1816)
      • WinRAR.exe (PID: 3120)
      • advbattoexepro.exe (PID: 3408)
      • Keygen.exe (PID: 2440)
      • setupinf.exe (PID: 2212)
      • aB2Econv.exe (PID: 1804)
      • activate.exe (PID: 328)
      • ab2econv.exe (PID: 604)
      • gfksopqm.exe (PID: 3540)
      • cmd.exe (PID: 2952)
      • WScript.exe (PID: 2372)
      • WScript.exe (PID: 3712)
      • cmd.exe (PID: 3552)
      • WScript.exe (PID: 2980)
      • powershell.exe (PID: 1796)
      • WMIC.exe (PID: 1040)
      • WMIC.exe (PID: 3316)
      • WMIC.exe (PID: 3732)
      • WMIC.exe (PID: 476)
      • cmd.exe (PID: 2844)
      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 1432)
      • Twitch.exe (PID: 900)
      • aB2Econv.exe (PID: 3160)
      • WScript.exe (PID: 1432)
      • aB2Econv.exe (PID: 2676)
    • Reads the computer name

      • WinRAR.exe (PID: 1816)
      • WinRAR.exe (PID: 3120)
      • advbattoexepro.exe (PID: 3408)
      • aB2Econv.exe (PID: 1804)
      • activate.exe (PID: 328)
      • ab2econv.exe (PID: 604)
      • Keygen.exe (PID: 2440)
      • gfksopqm.exe (PID: 3540)
      • cmd.exe (PID: 2952)
      • WScript.exe (PID: 2372)
      • WScript.exe (PID: 2980)
      • WScript.exe (PID: 3712)
      • powershell.exe (PID: 1796)
      • WMIC.exe (PID: 3316)
      • WMIC.exe (PID: 1040)
      • WMIC.exe (PID: 3732)
      • WMIC.exe (PID: 476)
      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 1432)
      • Twitch.exe (PID: 900)
      • WScript.exe (PID: 1432)
    • Application launched itself

      • WinRAR.exe (PID: 3120)
      • cmd.exe (PID: 3552)
      • WScript.exe (PID: 3712)
    • Creates a directory in Program Files

      • advbattoexepro.exe (PID: 3408)
    • Creates a software uninstall entry

      • advbattoexepro.exe (PID: 3408)
    • Changes default file association

      • setupinf.exe (PID: 2212)
    • Creates files in the program directory

      • advbattoexepro.exe (PID: 3408)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3992)
    • Reads default file associations for system extensions

      • ab2econv.exe (PID: 604)
      • chrome.exe (PID: 1180)
    • Reads Environment values

      • netsh.exe (PID: 2416)
      • powershell.exe (PID: 1432)
  • INFO

    • Manual execution by user

      • advbattoexepro.exe (PID: 1292)
      • advbattoexepro.exe (PID: 3408)
      • chrome.exe (PID: 3992)
      • Keygen.exe (PID: 2440)
      • aB2Econv.exe (PID: 1804)
      • gfksopqm.exe (PID: 3540)
      • aB2Econv.exe (PID: 3160)
      • aB2Econv.exe (PID: 2676)
    • Checks supported languages

      • chrome.exe (PID: 1984)
      • chrome.exe (PID: 1568)
      • chrome.exe (PID: 2608)
      • chrome.exe (PID: 3992)
      • chrome.exe (PID: 1228)
      • chrome.exe (PID: 3528)
      • chrome.exe (PID: 2876)
      • chrome.exe (PID: 3348)
      • chrome.exe (PID: 3716)
      • chrome.exe (PID: 3876)
      • chrome.exe (PID: 128)
      • chrome.exe (PID: 3624)
      • chrome.exe (PID: 3712)
      • chrome.exe (PID: 4036)
      • chrome.exe (PID: 3884)
      • chrome.exe (PID: 3840)
      • chrome.exe (PID: 2552)
      • chrome.exe (PID: 2008)
      • chrome.exe (PID: 3456)
      • chrome.exe (PID: 128)
      • chrome.exe (PID: 1888)
      • chrome.exe (PID: 3928)
      • chrome.exe (PID: 3424)
      • chrome.exe (PID: 3604)
      • chrome.exe (PID: 3780)
      • chrome.exe (PID: 1384)
      • chrome.exe (PID: 1180)
      • chrome.exe (PID: 2224)
      • icacls.exe (PID: 3352)
      • icacls.exe (PID: 2256)
      • takeown.exe (PID: 3876)
      • reg.exe (PID: 3744)
      • takeown.exe (PID: 916)
      • takeown.exe (PID: 3296)
      • icacls.exe (PID: 1728)
      • reg.exe (PID: 2772)
      • chrome.exe (PID: 2396)
      • chrome.exe (PID: 3392)
      • net.exe (PID: 1568)
      • net1.exe (PID: 1620)
      • systeminfo.exe (PID: 1876)
      • NETSTAT.EXE (PID: 1816)
      • netsh.exe (PID: 2416)
      • ipconfig.exe (PID: 2672)
      • timeout.exe (PID: 3124)
      • chrome.exe (PID: 1424)
      • chrome.exe (PID: 1888)
      • chrome.exe (PID: 3012)
      • chrome.exe (PID: 564)
      • chrome.exe (PID: 3664)
      • chrome.exe (PID: 2096)
      • chrome.exe (PID: 2712)
      • NOTEPAD.EXE (PID: 3208)
      • chrome.exe (PID: 328)
      • chrome.exe (PID: 3996)
      • chrome.exe (PID: 3860)
      • chrome.exe (PID: 3688)
      • chrome.exe (PID: 748)
      • chrome.exe (PID: 2904)
      • chrome.exe (PID: 3188)
      • chrome.exe (PID: 3084)
      • chrome.exe (PID: 2924)
      • chrome.exe (PID: 2736)
      • chrome.exe (PID: 3560)
      • chrome.exe (PID: 1776)
      • chrome.exe (PID: 1312)
      • chrome.exe (PID: 3716)
      • chrome.exe (PID: 1724)
      • chrome.exe (PID: 2096)
      • chrome.exe (PID: 4032)
      • chrome.exe (PID: 2280)
      • chrome.exe (PID: 124)
      • chrome.exe (PID: 3696)
    • Reads the computer name

      • chrome.exe (PID: 3992)
      • chrome.exe (PID: 2608)
      • chrome.exe (PID: 1568)
      • chrome.exe (PID: 3348)
      • chrome.exe (PID: 128)
      • chrome.exe (PID: 4036)
      • chrome.exe (PID: 3840)
      • chrome.exe (PID: 1180)
      • takeown.exe (PID: 3876)
      • takeown.exe (PID: 916)
      • takeown.exe (PID: 3296)
      • chrome.exe (PID: 2396)
      • net1.exe (PID: 1620)
      • systeminfo.exe (PID: 1876)
      • netsh.exe (PID: 2416)
      • ipconfig.exe (PID: 2672)
      • NETSTAT.EXE (PID: 1816)
      • chrome.exe (PID: 1888)
      • chrome.exe (PID: 3664)
      • chrome.exe (PID: 3860)
      • chrome.exe (PID: 3996)
      • chrome.exe (PID: 3084)
      • chrome.exe (PID: 1776)
      • chrome.exe (PID: 1724)
    • Application launched itself

      • chrome.exe (PID: 3992)
      • chrome.exe (PID: 1888)
      • chrome.exe (PID: 3664)
      • chrome.exe (PID: 3996)
      • chrome.exe (PID: 3860)
      • chrome.exe (PID: 3084)
      • chrome.exe (PID: 1776)
      • chrome.exe (PID: 1724)
    • Reads settings of System Certificates

      • chrome.exe (PID: 2608)
      • powershell.exe (PID: 2108)
      • WScript.exe (PID: 1432)
    • Changes default file association

      • chrome.exe (PID: 3992)
    • Reads the date of Windows installation

      • chrome.exe (PID: 4036)
    • Checks Windows Trust Settings

      • WScript.exe (PID: 2372)
      • WScript.exe (PID: 3712)
      • WScript.exe (PID: 2980)
      • powershell.exe (PID: 1796)
      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 1432)
      • WScript.exe (PID: 1432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: keygen.rar
ZipUncompressedSize: 906111
ZipCompressedSize: 906111
ZipCRC: 0xfc2dc038
ZipModifyDate: 2021:06:28 19:08:06
ZipCompression: None
ZipBitFlag: 0x0001
ZipRequiredVersion: 788
No data.
All screenshots are available in the full report
Total processes: 162
Monitored processes: 101
Malicious processes: 15
Suspicious processes: 5

Behavior graph

Process nodes in launch order ("no specs" marks a process with no recorded indicators; long runs of Chrome child processes are collapsed): start, drop and start, winrar.exe, winrar.exe, advbattoexepro.exe (no specs), advbattoexepro.exe, setupinf.exe (no specs), keygen.exe (no specs), chrome.exe, chrome.exe (no specs) x2, chrome.exe, chrome.exe (no specs, repeated), ab2econv.exe (no specs), activate.exe (no specs), activate.exe, chrome.exe (no specs) x2, ab2econv.exe, chrome.exe (no specs, repeated), gfksopqm.exe, cmd.exe, takeown.exe (no specs) x3, icacls.exe (no specs) x3, reg.exe (no specs) x2, wscript.exe (no specs) x3, cmd.exe (no specs), net.exe (no specs), net1.exe (no specs), powershell.exe (no specs), wmic.exe (no specs) x3, systeminfo.exe (no specs), wmic.exe (no specs), netsh.exe (no specs), cmd.exe (no specs), ipconfig.exe (no specs), netstat.exe (no specs), timeout.exe (no specs), powershell.exe (no specs), powershell.exe, twitch.exe (no specs), ab2econv.exe (no specs), chrome.exe (no specs) x3, wscript.exe, chrome.exe (no specs) x5, notepad.exe (no specs), chrome.exe (no specs, repeated), ab2econv.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 124
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,13188767992603912341,8381363107355207865,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 128
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1036,13188767992603912341,8381363107355207865,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3328 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 128
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1036,13188767992603912341,8381363107355207865,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1848 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
PID: 328
CMD: "C:\Program Files\Advanced BAT to EXE Converter PRO v2.83\ab2econv283pro\activate.exe"
Path: C:\Program Files\Advanced BAT to EXE Converter PRO v2.83\ab2econv283pro\activate.exe
Parent process: aB2Econv.exe
User: admin
Company: Brandon Dargo
Integrity Level: HIGH
Description: BDargo Software Activation
Exit code: 0
Version: 1.01.0002
Modules (images):
c:\program files\advanced bat to exe converter pro v2.83\ab2econv283pro\activate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 328
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,13188767992603912341,8381363107355207865,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 476
CMD: wmic csproduct get uuid
Path: C:\Windows\System32\Wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 564
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,13188767992603912341,8381363107355207865,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 604
CMD: "C:\Program Files\Advanced BAT to EXE Converter PRO v2.83\ab2econv283pro\ab2econv.exe"
Path: C:\Program Files\Advanced BAT to EXE Converter PRO v2.83\ab2econv283pro\ab2econv.exe
Parent process: activate.exe
User: admin
Company: Brandon Dargo
Integrity Level: HIGH
Description: Advanced BAT to EXE Converter PRO
Exit code: 0
Version: 2.08.0003
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\advanced bat to exe converter pro v2.83\ab2econv283pro\ab2econv.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
PID: 748
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1036,13188767992603912341,8381363107355207865,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
PID: 900
CMD: "C:\Users\admin\AppData\Local\Temp\afolder\Twitch.exe"
Path: C:\Users\admin\AppData\Local\Temp\afolder\Twitch.exe
Parent process: WScript.exe
User: admin
Company: Microsoft
Integrity Level: HIGH
Description: WindowsFormsApplication2
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\afolder\twitch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 40 334
Read events: 39 428
Write events: 876
Delete events: 30

Modification events

(PID) Process: (3120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3120) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Advanced BAT to EXE Converter PRO v2.83 _ Keygen.rar.zip

(PID) Process: (3120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3120) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 27
Suspicious files: 191
Text files: 265
Unknown types: 19

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3120.38463\660.txt | text | |
1816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1816.39649\Advanced.BAT.to.EXE.Converter.PRO.v2.83.RETAIL.INCL_KEYGEN-FFF\FILE_ID.DIZ | text | |
1816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1816.39649\Advanced.BAT.to.EXE.Converter.PRO.v2.83.RETAIL.INCL_KEYGEN-FFF\advbattoexepro.exe | executable | |
3408 | advbattoexepro.exe | C:\Program Files\Advanced BAT to EXE Converter PRO v2.83\ab2econv283pro\aB2Econv.exe | executable | |
1816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1816.39649\Advanced.BAT.to.EXE.Converter.PRO.v2.83.RETAIL.INCL_KEYGEN-FFF\FFF.NFO | text | |
3120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3120.38149\yop.txt | text | |
1816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1816.39649\Advanced.BAT.to.EXE.Converter.PRO.v2.83.RETAIL.INCL_KEYGEN-FFF\Keygen.exe | executable | |
3408 | advbattoexepro.exe | C:\Users\admin\AppData\Local\Temp\gentee00\setup_temp.geabs | | |
3120 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3120.38706\keygen.rar | compressed | BE8EB085385D87ADEA27C9D9FFD23FAC | 085690A637FEB9CD46F55A3A6FE8D7471594BE9B68694F6AA86E43D2483EE18B
3408 | advbattoexepro.exe | C:\Users\admin\AppData\Local\Temp\gentee00\1Default.bmp | image | 0895D223FA59A94BED73D25D1CB5AF70 | 53228A7C924889D300C7FFE9BAA1879EE94BD9B4286E84B7B29F870E9567B82D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 74
TCP/UDP connections: 73
DNS requests: 40
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
| | HEAD | | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/d73azlwdjoju4dawoukxfjz6bu_2022.7.25.1141/ggkkehgbnfjpeggfpleeakpidbkibbmn_2022.7.25.1141_all_ebemybvzva3g6qooytqjclbctq.crx3 | US | | | whitelisted
| | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | | | whitelisted
| | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac4kqpd5vf6wkr67nuk3womi2oaa_9.37.2/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.37.2_all_adr6ecsctmaarsezoenukfuqk6aq.crx3 | US | crx | 39.1 Kb | whitelisted
| | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | binary | 10.0 Kb | whitelisted
| | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | binary | 45.0 Kb | whitelisted
| | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | binary | 10.0 Kb | whitelisted
| | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac5q25btpqhkjhcekqoslcldvuya_1.3.36.141/ihnlcenocehgdaegdmhbidjhnhdchfmm_1.3.36.141_win_ehzjmd5kjmert7jdgsrj4xqxj4.crx3 | US | binary | 39.9 Kb | whitelisted
1432 | WScript.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
| | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/ac4kqpd5vf6wkr67nuk3womi2oaa_9.37.2/gcmjkmgdlgnkkcocmoeiminaijmmjnii_9.37.2_all_adr6ecsctmaarsezoenukfuqk6aq.crx3 | US | binary | 2.51 Kb | whitelisted
2608 | chrome.exe | GET | 200 | 210.165.122.35:80 | http://www.trottla.net/egallery1108mj1.html | JP | html | 1.92 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2608 | chrome.exe | 142.250.184.196:443 | www.google.com | Google Inc. | US | whitelisted
2608 | chrome.exe | 142.250.186.33:443 | clients2.googleusercontent.com | Google Inc. | US | whitelisted
2608 | chrome.exe | 216.58.212.138:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2608 | chrome.exe | 142.250.185.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2608 | chrome.exe | 142.250.185.174:443 | clients2.google.com | Google Inc. | US | whitelisted
2608 | chrome.exe | 142.250.185.109:443 | accounts.google.com | Google Inc. | US | suspicious
| | 142.250.185.99:443 | ssl.gstatic.com | Google Inc. | US | whitelisted
2608 | chrome.exe | 34.104.35.123:80 | edgedl.me.gvt1.com | | US | whitelisted
| | 34.104.35.123:80 | edgedl.me.gvt1.com | | US | whitelisted
| | 142.250.184.238:443 | encrypted-tbn0.gstatic.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
www.google.com | 142.250.184.196 | malicious
clients2.google.com | 142.250.185.174 | whitelisted
accounts.google.com | 142.250.185.109 | shared
clients2.googleusercontent.com | 142.250.186.33 | whitelisted
fonts.googleapis.com | 216.58.212.138 | whitelisted
www.gstatic.com | 142.250.184.227 | whitelisted
fonts.gstatic.com | 142.250.184.195 | whitelisted
apis.google.com | 142.250.185.206 | whitelisted
clientservices.googleapis.com | 142.250.185.131 | whitelisted
ssl.gstatic.com | 142.250.185.99 | whitelisted

Threats

PID | Process | Class | Message
| | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
1432 | powershell.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
| | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
1432 | WScript.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
1432 | WScript.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
No debug info