File name: alien.skin.plugins.x86-x64-patch.rar

Full analysis: https://app.any.run/tasks/d1aa453d-e785-4f55-941a-d992b7d083ff
Verdict: Malicious activity
Analysis date: December 29, 2022, 20:55:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 2FB83C549354DF91A9B78797F127F3B0
SHA1: D339C6D1C78B41500A5F9C43F9CD060017F8599F
SHA256: C3FD16E0B07C0D1B31F2034FA62BC3E22D113ACE0EBBEFB052FEFB377F0DE8C2
SSDEEP: 6144:vXp4j3RtICVOQgc54hX0wm1R/m7AR1+iGy01IpdmPh3D6vJeOthvU/K:vXp4jhtIC/gc00n/mC1qz1BPZIIyhvUS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • alien.skin.plugins.x86-x64-patch.exe (PID: 3580)
    • Application was dropped or rewritten from another process
      • alien.skin.plugins.x86-x64-patch.exe (PID: 3580)
      • alien.skin.plugins.x86-x64-patch.exe (PID: 3352)
    • Loads dropped or rewritten executable
      • alien.skin.plugins.x86-x64-patch.exe (PID: 3580)
  • SUSPICIOUS
    • Drops a file with too old compile date
      • alien.skin.plugins.x86-x64-patch.exe (PID: 3580)
    • Executable content was dropped or overwritten
      • alien.skin.plugins.x86-x64-patch.exe (PID: 3580)
  • INFO
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 856)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 856)
    • Checks supported languages
      • alien.skin.plugins.x86-x64-patch.exe (PID: 3580)
    • Reads the computer name
      • alien.skin.plugins.x86-x64-patch.exe (PID: 3580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive in the full report; edges recovered from the graph labels and the parent-process column below)

winrar.exe --drop and start--> alien.skin.plugins.x86-x64-patch.exe (no specs)
winrar.exe --drop and start--> alien.skin.plugins.x86-x64-patch.exe

Process information

PID: 856
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\alien.skin.plugins.x86-x64-patch.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3352
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa856.32215\alien.skin.plugins.x86-x64-patch.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa856.32215\alien.skin.plugins.x86-x64-patch.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch was refused, which is consistent with the second, HIGH-integrity instance below being the one that actually ran)
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa856.32215\alien.skin.plugins.x86-x64-patch.exe
c:\windows\system32\ntdll.dll

PID: 3580
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa856.32215\alien.skin.plugins.x86-x64-patch.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa856.32215\alien.skin.plugins.x86-x64-patch.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa856.32215\alien.skin.plugins.x86-x64-patch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\dup2patcher.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events: 2 370
Read events: 2 334
Write events: 36
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
856 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
856 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
856 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | LanguageList | en-US
856 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
856 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
856 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\alien.skin.plugins.x86-x64-patch.rar
856 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
856 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
856 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
856 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
Executable files: 6
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3580 | alien.skin.plugins.x86-x64-patch.exe | C:\Users\admin\AppData\Local\Temp\bassmod.dll | executable
    MD5: 780D14604D49E3C634200C523DEF8351
    SHA256: 844EB66A10B848D3A71A8C63C35F0A01550A46D2FF8503E2CA8947978B03B4D2
856 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa856.32215\alien.skin.plugins.x86-x64-patch.exe | executable
    MD5: 58A92B4897294E492CA4B1DA15717B5A
    SHA256: 55A1D2F415D00BEBC76B6D4A7D0088DAA58BFE3703BFE047A66E9FA4A5F9FDD4
3580 | alien.skin.plugins.x86-x64-patch.exe | C:\Users\admin\AppData\Local\Temp\dup2patcher.dll | executable
    MD5: C2BC47FDC2AD7F45CDD3065B59CBD111
    SHA256: EEDEE2CF4F79DE919AA51A87B72A10C4C04E3B49BA1400119496E0602BA9D522
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info