File name: Paradox RAT v4.2.3 Cracked.rar

Full analysis: https://app.any.run/tasks/252ebe96-d32b-45b9-ad55-33bec9563ebd
Verdict: Malicious activity
Analysis date: March 12, 2023, 15:36:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: BDF1AB7F055F70776B2476332B2508A2
SHA1: B2F070AB9D8312BB6599D6030998AA6E451359A6
SHA256: D5033F8715CE5BD5DB3FF90B383770AFF79136DB5DC14D74CBB99BAD59095E68
SSDEEP: 49152:lYDO0rza7ydsctw1wZ2xL8fCET+VfzHVRY:a6CMyKct8wZ2OfCikfY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
      • Updater.exe (PID: 3008)
      • arawerser.exe (PID: 3112)
    • Drops the executable file immediately after the start

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
    • Connects to unusual port

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
    • Reads the Internet Settings

      • Updater.exe (PID: 3008)
      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
    • Executable content was dropped or overwritten

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2672)
    • Checks supported languages

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
      • Updater.exe (PID: 3008)
      • arawerser.exe (PID: 3112)
    • Reads the computer name

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
      • Updater.exe (PID: 3008)
      • arawerser.exe (PID: 3112)
    • Reads the machine GUID from the registry

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
      • Updater.exe (PID: 3008)
      • arawerser.exe (PID: 3112)
    • Reads Environment values

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
      • Updater.exe (PID: 3008)
      • arawerser.exe (PID: 3112)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2672)
    • Creates files in the program directory

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
    • The process checks LSA protection

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
      • Updater.exe (PID: 3008)
      • arawerser.exe (PID: 3112)
    • Creates files or folders in the user directory

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
      • arawerser.exe (PID: 3112)
    • Manual execution by a user

      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
      • Updater.exe (PID: 3008)
      • arawerser.exe (PID: 3112)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2672)
      • Paradox RAT 4.2.3 Cracked.exe (PID: 188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: Paradox RAT v4.2.3 Cracked\Database.txt
PackingMethod: Normal
ModifyDate: 2013:11:22 19:59:54
OperatingSystem: Win32
UncompressedSize: -
CompressedSize: 89
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start winrar.exe paradox rat 4.2.3 cracked.exe updater.exe arawerser.exe

Process information

PID: 188
CMD: "C:\Users\admin\Desktop\Paradox RAT v4.2.3 Cracked\Paradox RAT 4.2.3 Cracked.exe"
Path: C:\Users\admin\Desktop\Paradox RAT v4.2.3 Cracked\Paradox RAT 4.2.3 Cracked.exe
Parent process: explorer.exe
User: admin
Company: Paradox Coding
Integrity Level: MEDIUM
Description: Paradox RAT 4.0
Exit code: 0
Version: 4.0.8.0
Modules (Images):
  • c:\users\admin\desktop\paradox rat v4.2.3 cracked\paradox rat 4.2.3 cracked.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\imm32.dll

PID: 2672
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Paradox RAT v4.2.3 Cracked.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\comdlg32.dll

PID: 3008
CMD: "C:\Users\admin\Desktop\Paradox RAT v4.2.3 Cracked\Updater.exe"
Path: C:\Users\admin\Desktop\Paradox RAT v4.2.3 Cracked\Updater.exe
Parent process: explorer.exe
User: admin
Company: Paradox Coding Inc
Integrity Level: MEDIUM
Description: Paradox Update Installer
Exit code: 0
Version: 1.0.0.0
Modules (Images):
  • c:\windows\system32\ntdll.dll
  • c:\users\admin\desktop\paradox rat v4.2.3 cracked\updater.exe
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3112
CMD: "C:\Users\admin\Desktop\Paradox RAT v4.2.3 Cracked\arawerser.exe"
Path: C:\Users\admin\Desktop\Paradox RAT v4.2.3 Cracked\arawerser.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description:
Exit code: 0
Version: 1.0.0.0
Modules (Images):
  • c:\users\admin\desktop\paradox rat v4.2.3 cracked\arawerser.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 12 974
Read events: 12 882
Write events: 86
Delete events: 6

Modification events

Process: (2672) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (188) Paradox RAT 4.2.3 Cracked.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

Process: (188) Paradox RAT 4.2.3 Cracked.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 0E0000000C000000000000000B00000001000000020000000D00000007000000060000000A0000000900000008000000030000000500000004000000FFFFFFFF
Executable files: 6
Suspicious files: 32
Text files: 1 998
Unknown types: 0

Dropped files

PID: 2672
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2672.41227\Paradox RAT v4.2.3 Cracked\Settings.ini
Type: ini
MD5:
SHA256:

PID: 188
Process: Paradox RAT 4.2.3 Cracked.exe
Filename: C:\Users\admin\Desktop\Paradox RAT v4.2.3 Cracked\arawerser.exe
Type: executable
MD5:
SHA256:

PID: 188
Process: Paradox RAT 4.2.3 Cracked.exe
Filename: C:\ProgramData\DYA_CABFHNOWBPPHTAFRR\1.0.0\Data\updates.dat
Type: binary
MD5: C4DD250A4FFFBA7F74CE24CB3A17520B
SHA256: 5FA173893BDB515B6A18ECBA2DE838EE7F4DDBF4EB2FD50E9B46353736612296

PID: 3112
Process: arawerser.exe
Filename: C:\Users\admin\Desktop\0.txt
Type: binary
MD5: CFCD208495D565EF66E7DFF9F98764DA
SHA256: 5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9

PID: 188
Process: Paradox RAT 4.2.3 Cracked.exe
Filename: C:\Users\admin\AppData\Roaming\DYA_CABFHNOWBPPHTAFRR\1.0.0\Data\dya.dat
Type: binary
MD5: 4C74BAF7B3F144027E8E72F09037A1AD
SHA256: 2A8232561DCC2C0E555145D9DD5273A1B058C29498BD874EFB297C2F9075D1BE

PID: 188
Process: Paradox RAT 4.2.3 Cracked.exe
Filename: C:\ProgramData\DYA_CABFHNOWBPPHTAFRR\1.0.0:$SS_DESCRIPTOR_SBXNV9VVGV1BFLVHNF1HJ2B3MFLBJTV1KBXV36JFSPF7VB4VP4GV
Type: binary
MD5: D84987E02C6BCB22A99923A9036BAA82
SHA256: 1B366175BF7779558F9BE9F75392704523955292E1A9212BBC62ECA000783622

PID: 3112
Process: arawerser.exe
Filename: C:\Users\admin\Desktop\Paradox RAT v4.2.3 Cracked\Logs.txt
Type: text
MD5: 81051BCC2CF1BEDF378224B0A93E2877
SHA256: 7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6

PID: 3112
Process: arawerser.exe
Filename: C:\Users\admin\Desktop\1.txt
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 3112
Process: arawerser.exe
Filename: C:\Users\admin\Desktop\3.txt
Type: binary
MD5: ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA256:

PID: 188
Process: Paradox RAT 4.2.3 Cracked.exe
Filename: C:\ProgramData:$SS_DESCRIPTOR_SBXNV9VVGV1BFLVHNF1HJ2B3MFLBJTV1KBXV36JFSPF7VB4VP4GV
Type: binary
MD5: 8D45B315B1BBFBA59A613575FACB3044
SHA256: A00C54685419AE5BA1B509B37CA8C2FB420CA4FB9EE16519BB5DD4A96110D355
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 7
DNS requests: 4
Threats: 6

HTTP requests

PID: 3008
Process: Updater.exe
Method: GET
HTTP Code: 301
IP: 162.125.66.15:80
URL: http://dl.dropbox.com/u/23639317/Paradox/Version.txt
CN: DE
Reputation: shared

PID: 188
Process: Paradox RAT 4.2.3 Cracked.exe
Method: GET
HTTP Code: 301
IP: 162.125.66.15:80
URL: http://dl.dropbox.com/u/23639317/Paradox/MOTD.txt
CN: DE
Reputation: shared

PID: 188
Process: Paradox RAT 4.2.3 Cracked.exe
Method: GET
HTTP Code: 301
IP: 162.125.66.15:80
URL: http://dl.dropbox.com/u/23639317/Paradox/Version.txt
CN: DE
Reputation: shared

Connections

PID: 188
Process: Paradox RAT 4.2.3 Cracked.exe
IP: 94.73.33.36:81
Domain: vpslogin1.no-ip.info
ASN: Xtra Telecom S.A.
CN: ES
Reputation: malicious

PID: 3008
Process: Updater.exe
IP: 162.125.66.15:80
Domain: dl.dropbox.com
ASN: DROPBOX
CN: DE
Reputation: malicious

PID: 3008
Process: Updater.exe
IP: 162.125.66.15:443
Domain: dl.dropbox.com
ASN: DROPBOX
CN: DE
Reputation: malicious

PID: 188
Process: Paradox RAT 4.2.3 Cracked.exe
IP: 162.125.66.15:80
Domain: dl.dropbox.com
ASN: DROPBOX
CN: DE
Reputation: malicious

PID: 188
Process: Paradox RAT 4.2.3 Cracked.exe
IP: 162.125.66.15:443
Domain: dl.dropbox.com
ASN: DROPBOX
CN: DE
Reputation: malicious

DNS requests

Domain: vpslogin1.no-ip.info
IP: 94.73.33.36
Reputation: malicious

Domain: dl.dropbox.com
IP: 162.125.66.15
Reputation: shared

Threats

Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain
5 ETPRO signatures available at the full report
No debug info