General Info

File name

server.zip

Full analysis
https://app.any.run/tasks/fe090c76-5c09-4a62-8ede-21243519a141
Verdict
Malicious activity
Analysis date
9/11/2019, 11:06:52
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

Indicators:
No indicators

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

eed7cf8da4c94fda0fc0020e6f960758

SHA1

8f42c462e845be2443d249024706b259b73df3b9

SHA256

e524fd1489a3403729a0c6e4884c567c83fd089d2e24f732738c7068fc2c7ae5

SSDEEP

196608:lvQ/jrtZBhZ99pJ2XFDWNVwApisJVHZt9fRmP:Ve/tZR99pOoNGH2fTmP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS
Application was dropped or rewritten from another process
  • server.exe (PID: 2352)
Loads dropped or rewritten executable
  • SearchProtocolHost.exe (PID: 752)

Note on the second signature: SearchProtocolHost.exe is the Windows Search indexer, running as SYSTEM, and its module list below also contains ieframe.dll, notepad.exe and hhctrl.ocx, loaded only to read the string resources behind the MuiCache type names written in the registry section ("HTML Document", "Text Document", "Compiled HTML Help file"). The dropped binaries appear in that list for the same reason: indexing a new file reads its version and shell properties, which maps the file as a resource-only data image without running its code (the WinRAR process shows the same pattern with xlicons.exe, accicons.exe, hh.exe and vlc.exe loaded for their icons). Treat this signature as a sandbox artifact unless an execution indicator from PID 752 (a child process, an injected thread, or network activity) backs it; none is recorded in this report.

SUSPICIOUS
No suspicious indicators.

INFO
Manual execution by user
  • server.exe (PID: 2352)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.zip
|   ZIP compressed archive (36.3%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:07:01 09:54:21
ZipCRC:
0x00000000
ZipCompressedSize:
2
ZipUncompressedSize:
null
ZipFileName:
server/

Processes

Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes shown in the graph: winrar.exe, searchprotocolhost.exe, server.exe (no specs flagged for any of them).

Process information

PID
752
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\version.dll
c:\users\admin\desktop\server\xnzymp3.exe
c:\users\admin\desktop\server\xnzybs.dll
c:\windows\system32\ieframe.dll
c:\program files\common files\microsoft shared\office14\msoshext.dll
c:\users\admin\desktop\server\web\client.exe
c:\users\admin\desktop\server\usercj.dll
c:\windows\system32\notepad.exe
c:\users\admin\desktop\server\upload.dll
c:\users\admin\desktop\server\server.exe
c:\users\admin\desktop\server\server.dll
c:\users\admin\desktop\server\printtext.dll
c:\users\admin\desktop\server\lame_enc.dll
c:\users\admin\desktop\server\addtools\ranhan.exe
c:\users\admin\desktop\server\addtools\clientime.exe
c:\windows\system32\hhctrl.ocx

PID
3708
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\server.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\xlicons.exe
c:\windows\system32\hhctrl.ocx
c:\windows\hh.exe
c:\windows\installer\{90140000-003d-0000-0000-0000000ff1ce}\accicons.exe
c:\program files\videolan\vlc\vlc.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\actxprxy.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2352
CMD
"C:\Users\admin\Desktop\server\server.exe"
Path
C:\Users\admin\Desktop\server\server.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
西南资源网 (Southwest Resource Network)
Description
专用网络打字比赛-服务端 (Private-network typing contest, server side)
Version
6.3.6.0
Modules
Image
c:\users\admin\desktop\server\server.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\program files\common files\system\ole db\oledb32.dll
c:\windows\system32\bcrypt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\system\ole db\oledb32r.dll
c:\windows\system32\comsvcs.dll
c:\windows\system32\atl.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\msjetoledb40.dll
c:\windows\system32\msjet40.dll
c:\windows\system32\mswstr10.dll
c:\windows\system32\msjter40.dll
c:\windows\system32\msjint40.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mswdat10.dll
c:\program files\common files\system\msadc\msadce.dll
c:\program files\common files\system\msadc\msadcer.dll

Registry activity

Total events
997
Read events
941
Write events
56
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
752
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
010000000000000044F51A5F8068D501
752
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
752
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
@C:\Windows\System32\ieframe.dll,-912
HTML Document
752
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF
010000000000000092C1D0618068D501
752
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
@C:\Windows\system32\notepad.exe,-469
Text Document
752
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
@C:\Windows\System32\hhctrl.ocx,-452
Compiled HTML Help file
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\server.zip
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
@C:\Windows\System32\hhctrl.ocx,-452
Compiled HTML Help file
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
0
43003A005C00500072006F006700720061006D002000460069006C00650073005C00570069006E005200410052005C00570069006E005200410052002E00650078006500000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070000000
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
MRUListEx
00000000FFFFFFFF
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
0700000001000000000000000200000006000000030000000500000004000000FFFFFFFF
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\Shell
SniffedFolderType
Generic
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
1
570069006E005200410052002E006500780065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004001000081000000730300003A02000000000000000000000000000000000000000000000000000000000000000000000100000000000000
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
1
570069006E005200410052002E0065007800650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003D0100006B000000070300000E0200004001000081000000730300003A02000000000000000000000000000000000000000000000000000000000000000000000100000000000000
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
MRUListEx
0100000000000000FFFFFFFF
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
4
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
1
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616193
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
16
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A000000EE00000030F125B7EF471A10A5F102608C9EEBAC0E0000006900000030F125B7EF471A10A5F102608C9EEBAC040000006900000030F125B7EF471A10A5F102608C9EEBAC0C00000046000000
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
3708
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\103\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ArcName
0
C:\Users\admin\AppData\Local\Temp\server.zip
3708
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\Desktop

Files activity

Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3708
WinRAR.exe
C:\Users\admin\Desktop\server\XnzyMp3.exe
––
MD5: 89f432e97630bb34520ddea583cbc09e
SHA256: eac7c731cfe04f92c3793bbbcaf0df4b5793f32134c7cc8c6089c3f0277a33b3
3708
WinRAR.exe
C:\Users\admin\Desktop\server\printtext.dll
––
MD5: 85ad96f48b3afba67aef4a5ece46c46f
SHA256: 1b1f0f3dee1c0032b49079dc605a022df2d1901d59cf6d34d2dc5bc2af73b0a7
3708
WinRAR.exe
C:\Users\admin\Desktop\server\Web\index.htm
––
MD5: 83ad77c71a002907494cdfcfe1528dd2
SHA256: bbe97f401b625a8d184b2ccbc0120f2cb85180ac36c9d238ddcf7a88d32a56d6
3708
WinRAR.exe
C:\Users\admin\Desktop\server\¦¦-+-¦+¦.xls
––
MD5: 8882bcdcb19b89b2d434a60b4c434269
SHA256: b909a9a149bb2ce5f4d735d72dd7c075ed4bcbfb6011debc8f61611512b42d80
3708
WinRAR.exe
C:\Users\admin\Desktop\server\usercj.dll
––
MD5: e90b95cfc34797ac6779451cab50d0b3
SHA256: 1d2c6d7dd5220cf4806592aab6bffcb1d709836082c94aadce07373d50f70a11
3708
WinRAR.exe
C:\Users\admin\Desktop\server\Web\client.ini
––
MD5: 276882c92ea461ce3db4e749ec9be2cb
SHA256: 2f18c54e3905e538e7abd8d3f332787200ecddd5fe8c9afc156037fe12acdad7
3708
WinRAR.exe
C:\Users\admin\Desktop\server\Web\client.exe
––
MD5: d598627723c18b29f2c6e6a9fba6f3ef
SHA256: 937a938812d727bc0662b88a326b8c4a799fb1207d44e99a6faea1c58ea6b0a4
3708
WinRAR.exe
C:\Users\admin\Desktop\server\Web\index.files\colorschememapping.xml
––
MD5: 6b7a472a22fbdbff4b2b08ddb4f43735
SHA256: 65f3cdbc4390c81b94fa960b7362917443fc1e6a51e3f81e4cb4c4dfa09da4be
3708
WinRAR.exe
C:\Users\admin\Desktop\server\Web\index.files\filelist.xml
––
MD5: a5d243ec2f295af37cbf2af124b9a9d5
SHA256: 3b3edc6abbe49874b4270f21fce0fbfaa4e740b6e6b43f894888e2935ed3f1b8
3708
WinRAR.exe
C:\Users\admin\Desktop\server\Web\index.files\themedata.thmx
––
MD5: a3f07dbe5165153a077ef17fd71dda36
SHA256: 6d7bf9f89e7b24d0f648766e752520140a2052c27c09aee9e0a41e382fe22390
3708
WinRAR.exe
C:\Users\admin\Desktop\server\usercj.dcd
––
MD5: 3ca159f6bd957b6a237d66e9e6810d09
SHA256: b57f321df3ddd02838d9fd9c3d0ef70994128c899850f671488f62c276a7a5bf
3708
WinRAR.exe
C:\Users\admin\Desktop\server\Upload.dll
––
MD5: 9ef77b83a1e9048f245ff10f91f80958
SHA256: 9b9564743608555bab1f3ed81110695ab9a06aa435892f266cc1f4bfb638a1a6
3708
WinRAR.exe
C:\Users\admin\Desktop\server\user\+t¦+¦++¬-++÷-+--¦+¦=¦-+-.txt
––
MD5: 5b26d826c844122fc4a7cbae9171de79
SHA256: 5abad4b864ba9bd1f3d84ad1a2a29c302412106e62152e5d36098eb7d3d385b5
3708
WinRAR.exe
C:\Users\admin\Desktop\server\user\¦=¦º+¦.txt
––
MD5: ca96a30e835e1850eb178f6671904706
SHA256: 8ef469c447f55e8547dd68a0a2771a824c0b9f69d93459b9a94c38f0c1b0baae
3708
WinRAR.exe
C:\Users\admin\Desktop\server\user\+++++·+n¦-¦G¦-.txt
––
MD5: 7269222e9a9081e0ec648de3b8e656a0
SHA256: 827759b23654a3e5078c89a72129567f3f503258d47b7c8da395782ed052c298
3708
WinRAR.exe
C:\Users\admin\Desktop\server\server.exe
––
MD5: e53d352c48208ca66078183614aad6c7
SHA256: 238de92bbac682c2cf6fb83834f815eb08b43bca122e4b797e4450246e69b5e1
3708
WinRAR.exe
C:\Users\admin\Desktop\server\Temp.wav
––
MD5: a539ebd5da61daab8a2d21e7f3b5ee58
SHA256: 991cd2a53281fab26a26b23f2b3d7a020e277b83978ea36796679e0952ae7575
3708
WinRAR.exe
C:\Users\admin\Desktop\server\server.dll
––
MD5: 7380ff678b1ad9e79d8fce7837b2b43e
SHA256: f9afba55cb827425ad7d6f2a425b5bd5bac0c9b30116beb488b80c26f445bf28
3708
WinRAR.exe
C:\Users\admin\Desktop\server\server.ini
––
MD5: 900273a58fadcbad1f708c8c4130096e
SHA256: cd2a971a94a81aff2a13e52cee5011b19651c85ced79692158278951f5344487
3708
WinRAR.exe
C:\Users\admin\Desktop\server\lame_enc.dll
––
MD5: e814a58a8c7200fc293403a3f1c43e6a
SHA256: 170ae18d8e599c1d811789ac6daed67649051022b0029d9b6d2e5525ec3bda52
3708
WinRAR.exe
C:\Users\admin\Desktop\server\xnzybs.dll
––
MD5: 9569b92591733039e89a02fdc99a0f18
SHA256: 86cd254f32c380de2ea3d866a136c0f381836b3e8dd5a85b6eec052cb59adfe9
3708
WinRAR.exe
C:\Users\admin\Desktop\server\help.chm
––
MD5: 31667e290776c2a7edf6c88ae5d58797
SHA256: 0ada45268614187b2e3f9daa9fff146a80e777d9108a2bc0627e9eaf0baf6e61
3708
WinRAR.exe
C:\Users\admin\Desktop\server\limit.mdb
––
MD5: 45e7eb2306ba19e9b7f23dfd3d36cdd1
SHA256: 6c1eb5bec369f8ef00aecfc8987360be7f1e3105267f9b1d76f921cbe4482362
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\-(¦¦\P1.mp3
––
MD5: e2131f7a6585b50475726818ce629f1a
SHA256: 7a4fa34a54abec469598e92eb9de0546b8d9d3f80c0cadc4f8adce6cb3002d1e
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\-(¦¦\P1.TXT
––
MD5: d9a37197eef0f04154472eff5f62269f
SHA256: 14c3923852f96d006e31375b0c657b2eb176e91ab17c5a9ebdf5d764ba67898f
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\++++¦ñ+¯-¦+˜.txt
––
MD5: 026d5f782c65edc729fe7bba018b7736
SHA256: b0bc386dfa047e140e7240dd920e64cacc41b4f0b97ee1a2c3c6fff494327893
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\¦ú++1500++-1.txt
––
MD5: c79296c77084b7939ec2736c043964ba
SHA256: 84a6dbbce56c2cd8836918b3a285c4d5a3a3e5073bf44ae9d9a6b01343f87fad
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\¦ú++1500++-2.txt
––
MD5: d3f4ddd38e8ece8331861e1d237a9f66
SHA256: e3ee342ba6dca61b8e8f257336a73b169d33aee629403154e322fcf4b430563f
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+++G\-++¦+++G.txt
––
MD5: 45c65e2b0141495d4bb0c9b053790c8a
SHA256: 0069ab1203b570cb910ea3bbba0a442c1e43a1de546052aa168c85d618e24554
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+++G\¦¦+¦+++G.txt
––
MD5: 634e507e81644df2dcd4f4e40ab55354
SHA256: 6e4f1adb57d9573661b18088138d690c01b3091c73d5362a0d75be6df9d6b598
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\¦++--+.txt
––
MD5: 4d892987966fbb7648060941b1ef7dbf
SHA256: 1839a6b330634467e14d47b8718a9e0110027dcbac46b5c6fd89a7b8ee14496e
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-86¦µ-++¦+=-d.txt
––
MD5: abd97704804a3a858d6230ffd93be6f6
SHA256: 59f7576e2e92a8118da15623217086dd170b3258080c8c38aa2c74644185e3ae
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦--++¦+=-d.txt
––
MD5: 95bc788f77e2af4b11dbe6774fab0b1b
SHA256: 35a0deec992ebfa2985bb71dddba4fcac13ab89278e32c9de48c69d67e65f9e1
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-¦¦+¦+=-d.txt
––
MD5: 720cf82d51a02b9225a877372764f84e
SHA256: f879ec1cf60910b34f233e4287ed4ced35716993408a11c956f2edf290bff75b
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-+²+¦+=-d.txt
––
MD5: 17524920bcc6cf7c102ce2658775d5d8
SHA256: 9104c718c02d35e78ca609e63b2ca3d370080d61caa40c39cf28553c90c83e92
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-86¦µ+++·+·+¦.txt
––
MD5: ac654775a4d6a08d348cef2d68129a91
SHA256: 125a0557cd04b0140d38ef66f0f929b2e037830482acc8b5f3808d5bfbdd88df
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-+·¦º--¦=.txt
––
MD5: c15f42a2f27ea615d38574d06970cace
SHA256: 41d8f6c594e8c142af5545f7078f15ee74fbf2f6480df0f867f6b2f0c5634b84
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-86¦µ+=-d+++˜.txt
––
MD5: 3e6ab0991d4606cfd7989a73af1267ff
SHA256: e2635b6376b0b7febb41db99d83be9a07649309a947f7c8491d31f9975a61194
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\¦ú++¦¦++-S+d\+s¦-\+s¦-86¦µ+²+¦+=-d.txt
––
MD5: b90d18038f29d723e8ab9b01d294bdc2
SHA256: e49e8145acb8fab6f4a3af60e22d587cb016b6003f95b3559a9dea475fb695a3
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\RanHan.exe
––
MD5: 5ac93680b91970e44376e6a0a4d845d8
SHA256: 75aaab72b5b1afa86b932a5d2036511a82fcacd1a2f91f80b3bb1bd9778d355f
3708
WinRAR.exe
C:\Users\admin\Desktop\server\addtools\ClientIme.exe
––
MD5: 1c6dc05afa3120df2ff7285d0728fed5
SHA256: b4ec8e9a15a30b86bfb1577cd45c99a55cfc252d72999529d658e1fcef1e299e
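
The static block above describes only the archive's first entry (the `server/` directory, 2 bytes compressed, no UTF-8 name flag), and the dropped-file list contains names such as `¦¦-+-¦+¦.xls` that the sandbox could not render. That mojibake is what a ZIP name stored in a legacy code page looks like when the general-purpose bit 11 (UTF-8 names) is clear and the bytes are decoded as cp437, which is what Python's `zipfile` and many viewers do by default. The script below is an added example, not part of the ANY.RUN report or of the archive's own software. It hand-builds a constructed ZIP with GBK-encoded names (GBK is an assumption, suggested by the Chinese version-info strings of server.exe; the real archive's code page is not recorded on the page), then triages it without extracting anything: it recovers the original names by reversing the cp437 decode, and flags PE payloads by their `MZ` magic so a PE hidden behind a document extension is caught. The file names and contents inside are constructed and do not correspond to the real files.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
# MS-DOS date/time for 2019-07-01 09:54:20, matching the report's ZipModifyDate
DOS_DATE = ((2019 - 1980) << 9) | (7 << 5) | 1
DOS_TIME = (9 << 11) | (54 << 5) | (20 // 2)

# Constructed sample archive (names and contents are made up, not the real files).
# A fake PE header is enough for the MZ check; real payloads are not needed here.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_ENTRIES = [
    ("server/", b""),                                   # directory entry, like the report's first entry
    ("server/server.exe", FAKE_PE),                     # PE with an honest extension
    ("server/打字比赛.xls", FAKE_PE),                   # PE hidden behind a spreadsheet extension
    ("server/user/选手名单.txt", "name,score\n".encode("gbk")),
]


def build_legacy_zip(entries, encoding="gbk"):
    """Write a stored (method 0) ZIP whose names are raw bytes in `encoding`
    with general-purpose bit 11 clear, the way legacy non-Unicode archivers do."""
    body, central = bytearray(), bytearray()
    for name, data in entries:
        raw = name.encode(encoding)
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = len(body)
        # local file header: sig, version needed, flags, method, time, date, crc, csize, usize, namelen, extralen
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, 0, 0, DOS_TIME, DOS_DATE,
                            crc, len(data), len(data), len(raw), 0) + raw + data
        ext_attr = 0x10 if name.endswith("/") else 0    # MS-DOS directory attribute
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, 0,
                               DOS_TIME, DOS_DATE, crc, len(data), len(data),
                               len(raw), 0, 0, 0, 0, ext_attr, offset) + raw
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def raw_names(blob):
    """What zipfile reports before any fix: non-UTF-8 names decoded as cp437 (the mojibake)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def real_name(info, legacy_encoding="gbk"):
    """Undo the cp437 decode. cp437 maps all 256 byte values, so the round trip is lossless."""
    if info.flag_bits & 0x800:           # bit 11 set: the name really is UTF-8
        return info.filename
    return info.filename.encode("cp437").decode(legacy_encoding, errors="replace")


def triage_zip(blob, legacy_encoding="gbk"):
    """List entries without extracting them; classify by content, not extension.
    Returns one (decoded name, kind, extension_mismatch) tuple per entry."""
    pe_exts = (".exe", ".dll", ".ocx", ".sys", ".scr", ".cpl")
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = real_name(info, legacy_encoding)
            if info.is_dir():
                findings.append((name, "directory", False))
                continue
            with zf.open(info) as fh:
                magic = fh.read(2)           # only the first two bytes; nothing touches disk
            is_pe = magic == b"MZ"
            mismatch = is_pe and not name.lower().endswith(pe_exts)
            findings.append((name, "pe" if is_pe else "data", mismatch))
    return findings


if __name__ == "__main__":
    blob = build_legacy_zip(SAMPLE_ENTRIES)
    for raw, fixed in zip(raw_names(blob), triage_zip(blob)):
        print(f"{raw!r:40} -> {fixed}")
```

On Python 3.11 and later, `zipfile.ZipFile(path, metadata_encoding="gbk")` performs the same name decode directly; the cp437 round trip above works on older versions and on listings copied from other tools. Because the classification reads only the first two bytes of each entry through `zipfile`, an archive can be triaged on an analysis host without writing any of its payloads to disk.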

Find more information about the static content and download it in the full report.

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.