File name:

RARBG_DO_NOT_MIRROR.exe

Full analysis: https://app.any.run/tasks/7b9acda2-d13c-4fa1-8fe6-4de363ebc668
Verdict: No threats detected
Analysis date: July 21, 2019, 21:44:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text
MD5:

D5A5D8421B2BD35EA6AB81F9D77EFB3F

SHA1:

76C0ABCF8F77A17ED4B3D3CA0CE4B26B3E99C87C

SHA256:

D0F72BDB78B2770AE165F360DC729C992DAA42E6126F76818D87C9EEF4A1CCCD

SSDEEP:

3:hMCLK4FcqhPQCEidKPWk9LR0FIReWnvn:hp6ox4WmiFIR1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes application which crashes

      • csrstub.exe (PID: 3544)
      • csrstub.exe (PID: 2236)

  • INFO

    • Manual execution by user

      • ntvdm.exe (PID: 2468)
      • csrstub.exe (PID: 3544)
      • wermgr.exe (PID: 3128)
      • csrstub.exe (PID: 2236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
7
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ntvdm.exe no specs ntvdm.exe no specs csrstub.exe ntvdm.exe no specs wermgr.exe no specs csrstub.exe ntvdm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2236csrstub.exe 67634196 -P "C:\Users\admin\Desktop\RARBG_DO_NOT_MIRROR.exe" C:\Windows\system32\csrstub.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
allows lua to launch 16-bit applications
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\csrstub.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntvdm.exe
2328"C:\Windows\system32\ntvdm.exe" -i3 C:\Windows\system32\ntvdm.execsrstub.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
NTVDM.EXE
Exit code:
255
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2436"C:\Windows\system32\ntvdm.exe" -i4 C:\Windows\system32\ntvdm.execsrstub.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
NTVDM.EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
2468"C:\Windows\system32\ntvdm.exe" -i2 C:\Windows\system32\ntvdm.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
255
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3128"C:\Windows\system32\wermgr.exe" "-outproc" "292" "3748" C:\Windows\system32\wermgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wermgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
3544csrstub.exe 67634196 -P "C:\Users\admin\Desktop\RARBG_DO_NOT_MIRROR.exe" C:\Windows\system32\csrstub.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
allows lua to launch 16-bit applications
Exit code:
255
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\csrstub.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntvdm.exe
c:\windows\system32\apphelp.dll
3648"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
35
Read events
35
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3648ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsF54D.tmp
MD5:
SHA256:
3648ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsF54E.tmp
MD5:
SHA256:
2468ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs1307.tmp
MD5:
SHA256:
2468ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs1308.tmp
MD5:
SHA256:
2328ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs3E1E.tmp
MD5:
SHA256:
2328ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs3E2E.tmp
MD5:
SHA256:
2436ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsAB30.tmp
MD5:
SHA256:
2436ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsAB31.tmp
MD5:
SHA256:
3128wermgr.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_RARBG_DO_NOT_MIR_c5cafcd8c122e258aaeb40161072f24f38d2cc_cab_0c36a11e\Report.werbinary
MD5:
SHA256:
3128wermgr.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_RARBG_DO_NOT_MIR_c5cafcd8c122e258aaeb40161072f24f38d2cc_cab_0c36a11e\appcompat.txtxml
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
RARBG_DO_NOT_MIRROR.exe