File name: q3 hook_[unknowncheats.me]_.rar

Full analysis: https://app.any.run/tasks/54691186-0172-4449-abd2-8de06dcb8a8e
Verdict: Malicious activity
Analysis date: January 18, 2020, 12:26:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: E4846958829B6A86B52AF1EB04946A02
SHA1: A78FE115613226C2CE4E1566B86E40DA4458AA58
SHA256: DAB215D74D9A89A5AB3E7C862F58FB079396D87C0495A8D39F837CEC41844CAF
SSDEEP: 1536:AT8s5JUG+E/3M2qGW+31zwRq4hX/084bz80ME1ddnkO/4dAWh1gxazYf/oW:Aw8UB882tW+F8RPhPvYoqbnhuvwfAW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Q3 Hook.exe (PID: 2416)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3476)
      • explorer.exe (PID: 352)
      • SOUNDMAN.EXE (PID: 436)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library
      • SOUNDMAN.EXE (PID: 436)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD
  .rar | RAR compressed archive (v-4.x) (58.3)
  .rar | RAR compressed archive (gen) (41.6)

EXIF (ZIP)
  CompressedSize: 22089
  UncompressedSize: 26624
  OperatingSystem: Win32
  ModifyDate: 2004:02:05 01:46:00
  PackingMethod: Normal
  ArchivedFileName: Q3 Hook.exe
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph: winrar.exe, explorer.exe, searchprotocolhost.exe, q3 hook.exe, soundman.exe, rundll32.exe (each marked "no specs"; edge labels: start, drop and start). The interactive graph is in the full report.

Process information

Columns in the original table: PID, CMD, Path, Indicators, Parent process.

PID 2752 (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\q3 hook_[unknowncheats.me]_.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 352 (parent: not shown)
  CMD: C:\Windows\Explorer.EXE
  Path: C:\Windows\explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3476 (parent: SearchIndexer.exe)
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 2416 (parent: explorer.exe)
  CMD: "C:\Users\admin\Desktop\New folder\Q3 Hook.exe"
  Path: C:\Users\admin\Desktop\New folder\Q3 Hook.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 436 (parent: Q3 Hook.exe)
  CMD: -game cstrike
  Path: C:\Windows\SOUNDMAN.EXE
  User: admin
  Company: Realtek Semiconductor Corp.
  Integrity Level: MEDIUM
  Description: Realtek Sound Manager
  Version: 6, 0, 0, 5

PID 2456 (parent: SOUNDMAN.EXE)
  CMD: rundll32.exe shell32.dll,Control_RunDLL alsndmgr.cpl,,104
  Path: C:\Windows\system32\rundll32.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 4 335
Read events: 4 109
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 2
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

Columns in the original table: PID, Process, Filename, Type, MD5, SHA256.

PID 2752, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa2752.42779\Q3 Hook.exe
  Type: (blank)  MD5: (blank)  SHA256: (blank)

PID 2752, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa2752.42779\Q3 Hook.dll
  Type: (blank)  MD5: (blank)  SHA256: (blank)

PID 2752, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa2752.42779\save.cfg
  Type: (blank)  MD5: (blank)  SHA256: (blank)

PID 2752, WinRAR.exe
  File: C:\Users\admin\AppData\Local\Temp\Rar$DRa2752.42779\menu.txt
  Type: (blank)  MD5: (blank)  SHA256: (blank)

PID 2416, Q3 Hook.exe
  File: C:\Users\admin\Desktop\New folder\Q3 Hook.ini
  Type: text
  MD5: BBD684C31D0B44A8BFA0EA7F0A81BFBB
  SHA256: AE5DB3B186DDA4029494C2C9949DAE26A2A99E7435FA367B5C8029BED49A7374

PID 352, explorer.exe
  File: C:\Users\admin\Desktop\New folder\menu.txt
  Type: text
  MD5: 06A72A7F9C1A3D752D27EB8E2BE5478B
  SHA256: FDF6C32E9E8602426B8146D2F2EAFF30CD4FDA724CA9BDC41BFFB1B8586FCB7A

PID 352, explorer.exe
  File: C:\Users\admin\Desktop\New folder\save.cfg
  Type: text
  MD5: 4C433DFE2D7DA604AF6DB8367F311919
  SHA256: C5FD9B5DD41315916151D286567A8FE23F5E78CC78A7C6255EFFC7876C9F6BFF

PID 352, explorer.exe
  File: C:\Users\admin\Desktop\New folder\Q3 Hook.dll
  Type: executable
  MD5: 6BF9385A0E4FD6E95E913C33121C4D7D
  SHA256: 4F3F4247F30C289B666CE77E96EEA809D84D0AF0ECCAD7ADA8A0211E49D4F14B

PID 352, explorer.exe
  File: C:\Users\admin\Desktop\New folder\Q3 Hook.exe
  Type: executable
  MD5: E0E79DE72893C35758750AD08F66CBEB
  SHA256: DE8013614D6C10E360F9F21688307FF4BA39717B4469DD057C48E7142096D679
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info