File name: rkill (1).exe
Full analysis: https://app.any.run/tasks/6aa87eaa-2ce8-4fb7-9067-95a9d009e06e
Verdict: Malicious activity
Analysis date: October 04, 2024, 19:37:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, RAR self-extracting archive
MD5: 28C253A0212B221E96F6A17499B91651
SHA1: 4592DE27B3D46BD32BF6779420FE441E990A45A4
SHA256: B7FC473EB8029EA559315300F953995B126B0E1942762CAFCA96B80E8D1A4207
SSDEEP: 49152:QrYgzgxsD3EiOFafuN07tHY7q11LRt6fiiycZnhnu41lSCauZkEHHwDp1OhABgdv:ATgxsDUPFaWNgtJ1bkfBi43SoZkEnwDw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Starts application with an unusual extension
      • rkill (1).exe (PID: 3936)
    • Executable content was dropped or overwritten
      • rkill (1).exe (PID: 3936)
    • Starts CMD.EXE for commands execution
      • iexplore.exe (PID: 2628)
      • rkill (1).exe (PID: 3936)
    • Executing commands from a ".bat" file
      • iexplore.exe (PID: 2628)
      • rkill (1).exe (PID: 3936)
    • The executable file from the user directory is run by the CMD process
      • nircmd.exe (PID: 4092)
  • INFO
    • NirSoft software is detected
      • winlogon.exe (PID: 5852)
      • userinit.exe (PID: 2032)
      • iexplore.exe (PID: 6216)
      • iexplore.exe (PID: 1336)
      • iexplore.exe (PID: 3116)
      • iexplore.exe (PID: 6388)
      • iexplore.exe (PID: 4668)
      • iexplore.exe (PID: 3916)
      • iexplore.exe (PID: 2480)
      • iexplore.exe (PID: 4248)
      • iexplore.exe (PID: 5280)
      • iexplore.exe (PID: 1656)
      • iexplore.exe (PID: 5184)
      • nircmd.exe (PID: 4092)
    • UPX packer has been detected
      • rkill (1).exe (PID: 3936)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:03:15 06:27:50+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 49152
InitializedDataSize: 143360
UninitializedDataSize: 241664
EntryPoint: 0x471c0
OSVersion: 5
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 251
Monitored processes: 127
Malicious processes: 1
Suspicious processes: 0

Behavior graph

The original renders the process tree as an interactive graph; only the image names survive extraction. Root: rkill (1).exe (marked THREAT). Descendants, in order of first appearance: explorer.exe, conhost.exe, iexplore.exe, iexplore.com, userinit.exe, infdefaultinstall.exe, runonce.exe, grpconv.exe, winlogon.exe, cmd.exe, nircmd.exe and a second rkill (1).exe instance; most of the remaining nodes are repeated iexplore.exe/conhost.exe pairs. The explorer.exe and iexplore.exe instances here are not the Windows binaries: the Process information section shows them running from C:\Users\admin\AppData\Local\Temp\RarSFX0\, and the indicator list flags winlogon.exe and userinit.exe as NirSoft software, i.e. renamed copies of the bundled tools.

Process information

PID: 68
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\h\iexplore.exe" procs\iexplore.exe -k "antivirus plus*"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\h\iexplore.exe
Parent process: rkill (1).exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\h\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 188
CMD: procs\iexplore.exe -loadline"extra.dat" and not "C:\Users\admin\AppData\Local\Temp\rkill (1).exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\procs\iexplore.exe
Parent process: iexplore.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\procs\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 304
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 832
CMD: procs\explorer.exe plist C:\Users\admin\AppData\Local\Temp\rks1.log
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\procs\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\procs\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1072
CMD: procs\iexplore.exe -k "C:\NetworkControl\*.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\procs\iexplore.exe
Parent process: iexplore.exe
User: admin
Integrity Level: HIGH
Exit code: 4
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\procs\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1132
CMD: procs\iexplore.exe RIMPORT rkill.reg
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\procs\iexplore.exe
Parent process: iexplore.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\procs\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1132 (PID reused)
CMD: procs\iexplore.exe -k *sysguard.exe
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\procs\iexplore.exe
Parent process: iexplore.exe
User: admin
Integrity Level: HIGH
Exit code: 4
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\procs\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1144
CMD: "C:\Windows\System32\grpconv.exe" -o
Path: C:\Windows\SysWOW64\grpconv.exe
Parent process: runonce.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Progman Group Converter
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1256
CMD: procs\iexplore.exe -k "antivirus plus*"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\procs\iexplore.exe
Parent process: iexplore.exe
User: admin
Integrity Level: HIGH
Exit code: 4
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\procs\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1336
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\nird\iexplore.exe" win close stitle "Antivirus Suite"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\nird\iexplore.exe
Parent process: rkill (1).exe
User: admin
Company: NirSoft
Integrity Level: HIGH
Description: NirCmd
Exit code: 0
Version: 2.37
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\nird\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 7 487
Read events: 7 383
Write events: 10
Delete events: 94

Modification events (all by PID 3300, explorer.exe; every operation is "delete value", so no value data is recorded)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command: delete value IsolatedCommand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\runas\command: delete value IsolatedCommand
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: delete value DisableRegistryTools
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: delete value DisableTaskMgr
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer: delete value NoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer: delete value NoDesktop
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer: delete value NoActiveDesktopChanges
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer: delete value NoSetActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer: delete value NoRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer: delete value NoDesktop
Executable files: 14
Suspicious files: 2
Text files: 12
Unknown types: 0

Dropped files (all written by PID 3936, rkill (1).exe)

C:\Users\admin\AppData\Local\Temp\RarSFX0\procs\iexplore.exe (executable)
  MD5: 3C33B26F2F7FA61D882515F2D6078691
  SHA256: 908FDB876715F0A77014A37396D9E964FA6359D98099929BAB4086E66D72BB9F
C:\Users\admin\AppData\Local\Temp\RarSFX0\wl.txt (text)
  MD5: 175946A0BE1C6E5AD70DD11332D6CACB
  SHA256: 50265CB4868CFDC49A94469D1C71105B839FACD5FDDC2B9609A58CA0D40DF874
C:\Users\admin\AppData\Local\Temp\RarSFX0\winlogon.exe (executable)
  MD5: AC6094297CD882B8626466CDEB64F19F
  SHA256: 27C7FFD8367AAA73155FBB287A7DF1F157F2D0C3323DBB176D02B36FF616FCA5
C:\Users\admin\AppData\Local\Temp\RarSFX0\h\iexplore.exe (executable)
  MD5: ABC6379205DE2618851C4FCBF72112EB
  SHA256: 22E7528E56DFFAA26CFE722994655686C90824B13EB51184ABFE44D4E95D473F
C:\Users\admin\AppData\Local\Temp\RarSFX0\h\explorer.exe (executable)
  MD5: ABC6379205DE2618851C4FCBF72112EB
  SHA256: 22E7528E56DFFAA26CFE722994655686C90824B13EB51184ABFE44D4E95D473F
C:\Users\admin\AppData\Local\Temp\RarSFX0\nircmdc.exe (executable)
  MD5: 9CB3A38088807F54E7F89AC30E09C030
  SHA256: 71579B7BB651004F9C2E3F8D62511F610443C7E8225001865415A4620BD04219
C:\Users\admin\AppData\Local\Temp\RarSFX0\pev.exe (executable)
  MD5: 3C33B26F2F7FA61D882515F2D6078691
  SHA256: 908FDB876715F0A77014A37396D9E964FA6359D98099929BAB4086E66D72BB9F
C:\Users\admin\AppData\Local\Temp\RarSFX0\rkill.bat (text)
  MD5: 62590E28772FCA41D8548515D7CF2EB8
  SHA256: F41F623E6299E454594540AA5531915A8BD32CBB277EAB92A2A9CC9E25FE49BB
C:\Users\admin\AppData\Local\Temp\RarSFX0\proxycheck.exe (executable)
  MD5: 43FEE8A7DA368EAAF5019443382D450D
  SHA256: 77E590CA7680C7C35A895FCD870EDB4CBD4C2A920D01739C21331D9FF874A9A6
C:\Users\admin\AppData\Local\Temp\RarSFX0\nircmd.exe (executable)
  MD5: AC6094297CD882B8626466CDEB64F19F
  SHA256: 27C7FFD8367AAA73155FBB287A7DF1F157F2D0C3323DBB176D02B36FF616FCA5
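The hashes above are worth reading as a set rather than row by row: procs\iexplore.exe and pev.exe share one SHA256, h\iexplore.exe and h\explorer.exe share another, and winlogon.exe and nircmd.exe share a third, so the archive drops the same helper binaries under Windows image names, which is also why the Process information section shows "iexplore.exe" and "explorer.exe" running from the Temp\RarSFX0 tree. The script below, an added example and not ANY.RUN's or rkill's code, does that grouping and name check mechanically; the rows are transcribed from this table, while the helper names and the allow-list of directories Windows ships those images in are my own.

```python
"""Triage a sandbox 'Dropped files' table: group by hash to expose renamed
copies, and flag Windows image names dropped outside the directories Windows
ships them in. Added example, not ANY.RUN's or rkill's code."""
from collections import defaultdict
from pathlib import PureWindowsPath

TMP = r"C:\Users\admin\AppData\Local\Temp\RarSFX0"

# (path, MD5, SHA256) transcribed from the "Dropped files" section above.
DROPPED = [
    (TMP + r"\procs\iexplore.exe", "3C33B26F2F7FA61D882515F2D6078691",
     "908FDB876715F0A77014A37396D9E964FA6359D98099929BAB4086E66D72BB9F"),
    (TMP + r"\wl.txt", "175946A0BE1C6E5AD70DD11332D6CACB",
     "50265CB4868CFDC49A94469D1C71105B839FACD5FDDC2B9609A58CA0D40DF874"),
    (TMP + r"\winlogon.exe", "AC6094297CD882B8626466CDEB64F19F",
     "27C7FFD8367AAA73155FBB287A7DF1F157F2D0C3323DBB176D02B36FF616FCA5"),
    (TMP + r"\h\iexplore.exe", "ABC6379205DE2618851C4FCBF72112EB",
     "22E7528E56DFFAA26CFE722994655686C90824B13EB51184ABFE44D4E95D473F"),
    (TMP + r"\h\explorer.exe", "ABC6379205DE2618851C4FCBF72112EB",
     "22E7528E56DFFAA26CFE722994655686C90824B13EB51184ABFE44D4E95D473F"),
    (TMP + r"\nircmdc.exe", "9CB3A38088807F54E7F89AC30E09C030",
     "71579B7BB651004F9C2E3F8D62511F610443C7E8225001865415A4620BD04219"),
    (TMP + r"\pev.exe", "3C33B26F2F7FA61D882515F2D6078691",
     "908FDB876715F0A77014A37396D9E964FA6359D98099929BAB4086E66D72BB9F"),
    (TMP + r"\rkill.bat", "62590E28772FCA41D8548515D7CF2EB8",
     "F41F623E6299E454594540AA5531915A8BD32CBB277EAB92A2A9CC9E25FE49BB"),
    (TMP + r"\proxycheck.exe", "43FEE8A7DA368EAAF5019443382D450D",
     "77E590CA7680C7C35A895FCD870EDB4CBD4C2A920D01739C21331D9FF874A9A6"),
    (TMP + r"\nircmd.exe", "AC6094297CD882B8626466CDEB64F19F",
     "27C7FFD8367AAA73155FBB287A7DF1F157F2D0C3323DBB176D02B36FF616FCA5"),
]

# Image names Windows itself ships, and the directories it ships them in
# (my allow-list, deliberately exact-match so C:\Windows\Temp is not trusted).
# A file with one of these names anywhere else is a masquerade candidate
# (ATT&CK T1036.005, match legitimate name or location).
SYSTEM_IMAGE_NAMES = {
    "iexplore.exe", "explorer.exe", "winlogon.exe", "userinit.exe",
    "svchost.exe", "conhost.exe", "cmd.exe", "runonce.exe", "grpconv.exe",
}
TRUSTED_DIRS = {
    r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
}


def renamed_copies(rows):
    """Return {sha256: [paths]} for every hash seen under more than one
    file name, i.e. the same bytes dropped twice under different names."""
    by_hash = defaultdict(list)
    for path, _md5, sha256 in rows:
        by_hash[sha256.upper()].append(path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def masquerades(rows):
    """Return paths whose file name is a Windows image name but whose
    directory is not one Windows ships that image in."""
    hits = []
    for path, _md5, _sha256 in rows:
        p = PureWindowsPath(path)
        if p.name.lower() in SYSTEM_IMAGE_NAMES and str(p.parent).lower() not in TRUSTED_DIRS:
            hits.append(path)
    return hits


def triage(rows):
    """One summary an analyst can paste into case notes."""
    return {"renamed_copies": renamed_copies(rows), "masquerades": masquerades(rows)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(DROPPED), indent=2))
```

On this report the grouping yields three hash groups and four masquerading paths (two iexplore.exe, one explorer.exe, one winlogon.exe). The same two checks apply unchanged to a process list: feed it (image path, hash) pairs and the renamed-tool pattern surfaces before anyone has to read command lines.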
HTTP(S) requests: 1
TCP/UDP connections: 14
DNS requests: 4
Threats: 0

HTTP requests

GET, HTTP 200, 92.122.76.122:80, http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl (country: unknown; reputation: whitelisted; PID, process, type and size not recorded in the original)

Connections

PID 4 (System): 192.168.100.255:137, whitelisted
(PID/process not listed in the original): 51.124.78.146:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, country NL, whitelisted
(PID/process not listed in the original): 92.122.76.122:80, www.microsoft.com, AKAMAI-AS, country DE, whitelisted
PID 3888 (svchost.exe): 239.255.255.250:1900, whitelisted
PID 4324 (svchost.exe): 51.104.136.2:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, country IE, whitelisted
PID 4 (System): 192.168.100.255:138, whitelisted
PID 5388 (svchost.exe): 51.104.136.2:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, country IE, whitelisted

DNS requests

settings-win.data.microsoft.com: 51.124.78.146, 51.104.136.2 (whitelisted)
www.microsoft.com: 92.122.76.122 (whitelisted)
google.com: 142.250.186.174 (whitelisted)

Threats

No threats detected
No debug info