File name: EaseUS Data Recovery Wizard Medicine.rar

Full analysis: https://app.any.run/tasks/0eb01728-10f7-428b-8569-a842f3c1d6df
Verdict: Malicious activity
Analysis date: March 18, 2021, 05:06:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 832E8D74A85BC35EFC46D4E5F28C17A9
SHA1: 3FDCD3F4763B161FB3A1BFC0FA25DBC376736132
SHA256: B1753B94D7D135E6E52763FCB3C43C5EA2588BC716019C2A200F24ADBE851AD3
SSDEEP: 49152:BCA+VWO31njlqM5ekeEaCA+VWO31njlqM5e6G:BzwPjlmTzwPjlO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • (x32.x64bit.)_professional_13.5-patch.exe (PID: 3764)
      • (x32.x64bit.)_professional_13.5-patch.exe (PID: 1516)
      • (x32.x64bit.)_technician_13.5-patch.exe (PID: 2244)
      • (x32.x64bit.)_technician_13.5-patch.exe (PID: 2324)
    • Loads dropped or rewritten executable

      • (x32.x64bit.)_professional_13.5-patch.exe (PID: 1516)
      • (x32.x64bit.)_technician_13.5-patch.exe (PID: 2324)
    • Drops executable file immediately after starts

      • (x32.x64bit.)_professional_13.5-patch.exe (PID: 1516)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1984)
      • (x32.x64bit.)_professional_13.5-patch.exe (PID: 1516)
      • (x32.x64bit.)_technician_13.5-patch.exe (PID: 2324)
    • Drops a file with too old compile date

      • (x32.x64bit.)_professional_13.5-patch.exe (PID: 1516)
      • (x32.x64bit.)_technician_13.5-patch.exe (PID: 2324)
    • Creates a directory in Program Files

      • (x32.x64bit.)_professional_13.5-patch.exe (PID: 1516)
    • Creates files in the program directory

      • (x32.x64bit.)_professional_13.5-patch.exe (PID: 1516)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • (x32.x64bit.)_professional_13.5-patch.exe (PID: 1516)
      • (x32.x64bit.)_technician_13.5-patch.exe (PID: 2324)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive view in the full report)

Nodes: winrar.exe; (x32.x64bit.)_professional_13.5-patch.exe (two instances, one marked "no specs"); regedit.exe (two instances, "no specs"); (x32.x64bit.)_technician_13.5-patch.exe (two instances, one marked "no specs").
Edges: four "drop and start" relationships and one "start" relationship.

Process information

PID: 1516
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.39143\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_professional_13.5-patch.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.39143\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_professional_13.5-patch.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225547 (0xC000004B)
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exa1984.39143\easeus data recovery wizard medicine\(x32.x64bit.)_professional_13.5-patch.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\users\admin\appdata\local\temp\dup2patcher.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll

PID: 1824
CMD: "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\\regpatch.reg"
Path: C:\Windows\regedit.exe
Parent process: (x32.x64bit.)_professional_13.5-patch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\regedit.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 1984
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\EaseUS Data Recovery Wizard Medicine.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 2244
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.40593\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_technician_13.5-patch.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.40593\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_technician_13.5-patch.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch failed and the same image was then started as PID 2324 at high integrity)
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exa1984.40593\easeus data recovery wizard medicine\(x32.x64bit.)_technician_13.5-patch.exe
  c:\systemroot\system32\ntdll.dll

PID: 2324
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.40593\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_technician_13.5-patch.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.40593\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_technician_13.5-patch.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225547 (0xC000004B)
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exa1984.40593\easeus data recovery wizard medicine\(x32.x64bit.)_technician_13.5-patch.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\users\admin\appdata\local\temp\dup2patcher.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll

PID: 3496
CMD: "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\\regpatch.reg"
Path: C:\Windows\regedit.exe
Parent process: (x32.x64bit.)_professional_13.5-patch.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\regedit.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 3764
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.39143\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_professional_13.5-patch.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.39143\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_professional_13.5-patch.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch failed and the same image was then started as PID 1516 at high integrity)
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exa1984.39143\easeus data recovery wizard medicine\(x32.x64bit.)_professional_13.5-patch.exe
  c:\systemroot\system32\ntdll.dll
Total events: 562
Read events: 528
Write events: 34
Delete events: 0

Modification events

Process: (PID 1984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

Process: (PID 1984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

Process: (PID 1984) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (PID 1984) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13C\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network

Process: (PID 1984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\EaseUS Data Recovery Wizard Medicine.rar

Process: (PID 1984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (PID 1984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (PID 1984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (PID 1984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (PID 1984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 120
Executable files: 8
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 1516 | Process: (x32.x64bit.)_professional_13.5-patch.exe
Filename: C:\Users\admin\AppData\Local\Temp\regpatch.reg
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID: 1984 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.39143\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_technician_13.5-patch.exe
Type: executable
MD5: (not listed)
SHA256: (not listed)

PID: 1516 | Process: (x32.x64bit.)_professional_13.5-patch.exe
Filename: C:\Users\admin\AppData\Local\Temp\dup2patcher.dll
Type: executable
MD5: 33D64C8E7D1E61844D5358CC2A15FA8A
SHA256: 001BC598D16A943AEC0909E72B875EFFCE611C34192B734C89AE852327234DA1

PID: 1984 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.40593\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_technician_13.5-patch.exe
Type: executable
MD5: (not listed)
SHA256: (not listed)

PID: 2324 | Process: (x32.x64bit.)_technician_13.5-patch.exe
Filename: C:\Users\admin\AppData\Local\Temp\dup2patcher.dll
Type: executable
MD5: (not listed)
SHA256: (not listed)

PID: 1516 | Process: (x32.x64bit.)_professional_13.5-patch.exe
Filename: C:\Users\admin\AppData\Local\Temp\bassmod.dll
Type: executable
MD5: 780D14604D49E3C634200C523DEF8351
SHA256: 844EB66A10B848D3A71A8C63C35F0A01550A46D2FF8503E2CA8947978B03B4D2

PID: 1516 | Process: (x32.x64bit.)_professional_13.5-patch.exe
Filename: C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\Configure.dat
Type: text
MD5: 98057FC9D93F348FA040C083C21102A6
SHA256: F8284E5493F30ACD335C8CA5C68F9534A8EB2A2BAEE2F316D9BD55F6FFA8E145

PID: 1516 | Process: (x32.x64bit.)_professional_13.5-patch.exe
Filename: C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\EuCfg.bin
Type: binary
MD5: FBBF2E6BA5647272ADBACF311AE300F5
SHA256: 74C02C992A5C9E2280B628B8193F494B14D8ABE164365B0C585831E12AB173DE

PID: 1984 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.40593\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_professional_13.5-patch.exe
Type: executable
MD5: 448E74F8A32676FE946C80A039B2A950
SHA256: 3A2F5921C97E9126B7207F776081E05944D4B1D2A5AFAD3E84D2A788388F3164

PID: 1984 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1984.39143\EaseUS Data Recovery Wizard Medicine\(x32.x64bit.)_professional_13.5-patch.exe
Type: executable
MD5: 448E74F8A32676FE946C80A039B2A950
SHA256: 3A2F5921C97E9126B7207F776081E05944D4B1D2A5AFAD3E84D2A788388F3164
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info