File name:

41.AD100 T300 SBB MVP Incode Outcode Calculator.rar

Full analysis: https://app.any.run/tasks/0f004998-2ab3-4f9e-9709-ee28b5109205
Verdict: Malicious activity
Analysis date: May 21, 2025, 18:56:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
themida
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

2CCBC70DDC56DF575CA8A9A7351876A0

SHA1:

BB7EC10A389A5EE467982B4F80BAB7F4960D39EC

SHA256:

CE8A6ABD9A971D7E0B3D1E905AB5CE5BB2148C59E7C31940E2B210E4787735C5

SSDEEP:

49152:GH3jjaevJyvfwMhUHDznFufg8ikVKVpPwIK47x8+Jhow+t/dqNEV3BFUtz2GXhQP:GXjjDvJyYMh2DzAfVikVKDhtN8+7ow2V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6300)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6300)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6300)

    • Process checks whether UAC notifications are on

      • PatchAD100_VM.exe (PID: 6272)
      • PatchAD100_VM.exe (PID: 1040)
      • PatchAD100_VM.exe (PID: 5124)
      • PatchAD100_VM.exe (PID: 4208)

    • Reads the software policy settings

      • slui.exe (PID: 3268)
      • slui.exe (PID: 1660)

    • Themida protector has been detected

      • PatchAD100_VM.exe (PID: 6272)
      • PatchAD100_VM.exe (PID: 5124)
      • PatchAD100_VM.exe (PID: 1040)
      • PatchAD100_VM.exe (PID: 4208)

    • Checks supported languages

      • PatchAD100_VM.exe (PID: 1040)
      • PatchAD100_VM.exe (PID: 6272)
      • PatchAD100_VM.exe (PID: 5124)
      • PatchAD100_VM.exe (PID: 4208)

    • Manual execution by a user

      • PatchAD100_VM.exe (PID: 1040)
      • PatchAD100_VM.exe (PID: 5228)
      • PatchAD100_VM.exe (PID: 5124)
      • PatchAD100_VM.exe (PID: 4208)
      • PatchAD100_VM.exe (PID: 6488)

    • Checks proxy server information

      • slui.exe (PID: 1660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

FileVersion: RAR v4
CompressedSize: 477047
UncompressedSize: 482816
OperatingSystem: Win32
ModifyDate: 2010:01:12 21:26:14
PackingMethod: Normal
ArchivedFileName: .unlock
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
11
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe patchad100_vm.exe no specs patchad100_vm.exe slui.exe patchad100_vm.exe patchad100_vm.exe no specs patchad100_vm.exe patchad100_vm.exe no specs patchad100_vm.exe

Process information

PID
CMD
Path
Indicators
Parent process
1040"C:\Users\admin\Desktop\PatchAD100_VM.exe" C:\Users\admin\Desktop\PatchAD100_VM.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\patchad100_vm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
1660C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3268"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4208"C:\Users\admin\Desktop\PatchAD100_VM.exe" C:\Users\admin\Desktop\PatchAD100_VM.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\patchad100_vm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
5008"C:\Users\admin\AppData\Local\Temp\Rar$EXa6300.10269\PatchAD100_VM.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa6300.10269\PatchAD100_VM.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6300.10269\patchad100_vm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
5124"C:\Users\admin\Desktop\PatchAD100_VM.exe" C:\Users\admin\Desktop\PatchAD100_VM.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\patchad100_vm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
5228"C:\Users\admin\Desktop\PatchAD100_VM.exe" C:\Users\admin\Desktop\PatchAD100_VM.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\patchad100_vm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6272"C:\Users\admin\AppData\Local\Temp\Rar$EXa6300.10269\PatchAD100_VM.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa6300.10269\PatchAD100_VM.exe
WinRAR.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6300.10269\patchad100_vm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
6300"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\41.AD100 T300 SBB MVP Incode Outcode Calculator.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
6488"C:\Users\admin\Desktop\PatchAD100_VM.exe" C:\Users\admin\Desktop\PatchAD100_VM.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\patchad100_vm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
3 849
Read events
3 789
Write events
31
Delete events
29

Modification events

(PID) Process:(6300) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(6300) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(6300) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(6300) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\41.AD100 T300 SBB MVP Incode Outcode Calculator.rar
(PID) Process:(6300) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6300) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6300) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6300) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6272) PatchAD100_VM.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WLkt
Operation:writeName:CheckIN
Value:
1
(PID) Process:(6272) PatchAD100_VM.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WLkt
Operation:delete keyName:(default)
Value:
Executable files
5
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6300WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa6300.10269\PatchAD100_VM.exeexecutable
MD5:A2ED20B7358273BB92A7E143B93A85A6
SHA256:024469AD597B64F8BF52E6A8D2A4501363436EF8EC968F21C0B6352751270BED
6300WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa6300.10269\.unlockexecutable
MD5:0A5C5223FDF0A3D2E609DEDE1FA11FF1
SHA256:55F9EA19C73813B565DA6397996F5C2A67D86AE78FB1783351639887440CBA66
6300WinRAR.exeC:\Users\admin\AppData\Local\Temp\41.AD100 T300 SBB MVP Incode Outcode Calculator\.unlockexecutable
MD5:0A5C5223FDF0A3D2E609DEDE1FA11FF1
SHA256:55F9EA19C73813B565DA6397996F5C2A67D86AE78FB1783351639887440CBA66
6300WinRAR.exeC:\Users\admin\Desktop\PatchAD100_VM.exeexecutable
MD5:A2ED20B7358273BB92A7E143B93A85A6
SHA256:024469AD597B64F8BF52E6A8D2A4501363436EF8EC968F21C0B6352751270BED
6300WinRAR.exeC:\Users\admin\AppData\Local\Temp\41.AD100 T300 SBB MVP Incode Outcode Calculator\PatchAD100_VM.exeexecutable
MD5:A2ED20B7358273BB92A7E143B93A85A6
SHA256:024469AD597B64F8BF52E6A8D2A4501363436EF8EC968F21C0B6352751270BED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
24
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.155:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6036
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6036
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.155:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.132:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.155
  • 23.48.23.159
  • 23.48.23.162
  • 23.48.23.156
  • 23.48.23.164
  • 23.48.23.160
  • 23.48.23.158
  • 23.48.23.161
  • 23.48.23.157
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.134
  • 20.190.160.130
  • 40.126.32.138
  • 20.190.160.17
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.74
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
41.AD100 T300 SBB MVP Incode Outcode Calculator.rar