BAT/RiskWare.HackTool.WinActivator.H (file analysis)

BAT/RiskWare.HackTool.WinActivator.H is classified as dangerous by many security vendors. When this detection is active on a machine, you may notice unwanted processes in the Task Manager process list. In that case it is advised to scan the computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows a complete scan and cleanup of your PC during the trial period.
6-day free trial available.

What can BAT/RiskWare.HackTool.WinActivator.H do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Guard page usage detected – possible anti-debugging
  • Dynamic (imported) function loading detected
  • Reads data out of its own binary image
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • Authenticode signature is invalid
  • A scripting utility was executed
  • A ping command was executed with the -n argument possibly to delay analysis
  • Uses Windows utilities for basic functionality
  • Collects and encrypts information about the computer likely to send to C2 server
  • Creates a hidden or system file
  • A script or command line contains a long continuous string indicative of obfuscation
  • Attempts to execute suspicious powershell command arguments

How to identify BAT/RiskWare.HackTool.WinActivator.H?

File Info:

name: 1805DB094813CF397EC2.mlw
path: /opt/CAPEv2/storage/binaries/7099af33451a9e339f82bdd5b480a2981fcd48281f1be447b5387281f5e871b8
crc32: 90F752E8
md5: 1805db094813cf397ec2fa77ffc25fe7
sha1: 518df0ea389db416243f3ed454cb1b0564ddf153
sha256: 7099af33451a9e339f82bdd5b480a2981fcd48281f1be447b5387281f5e871b8
sha512: c97187a4fc0a87b3a7fd5444abc482511dfc05565914ed810c809ee320ce77a478eca7918a8c9ff05ca66f2a9ac9e0f5074ee8319bc8587d3d9952848f3ec3ee
ssdeep: 3072:VfY/TU9fE9PEtunboyeFfFgl5Jr4WpwCEEm5rT:ZYa6VTeFfFgbJrjpwBFT
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1EAC302087AF0C2B7F97346720D3B5B166BF5AA1138B44F8F23406A9D7D21793990E761
sha3_384: 2c4c7c5c8ad9ac42090f5a826667ef714607d66529e4ff869dcd5c7c6be94a6e729c1e5315e5632499132d212139cdfd
ep_bytes: 558bec81ecf40300005356576a205f33
timestamp: 2021-09-25 21:56:47

Version Info:

0: [No Data]

BAT/RiskWare.HackTool.WinActivator.H is also known as (vendor: detection name):

Cynet: Malicious (score: 100)
Sophos: Generic ML PUA (PUA)
SentinelOne: Static AI – Suspicious PE

How to remove BAT/RiskWare.HackTool.WinActivator.H?

BAT/RiskWare.HackTool.WinActivator.H removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all detected items.
  • Open the “Tools” tab – press “Reset Browser Settings”.
  • Select the proper browser and options – click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.