File name: PC.zip

Full analysis: https://app.any.run/tasks/ec005845-afe7-4694-9058-7dcf3ad2a2ad
Verdict: Malicious activity
Analysis date: April 11, 2020, 09:52:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: F44F64756354566A215944FE2640A21E
SHA1: 5CD7DE1BD7216831D02A375B1F3A52F16FC834B6
SHA256: 09FF88A1DA882E07C2DE50F67D2F459EA1168DFEBF5DDCBE1AF6E85A2BD37D0F
SSDEEP: 49152:EI/WucgyiXl3ZwJjafYZXNyWhCPKhxJrvFNM:ECcgy82jDNyWhCPKfJzTM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • ViewPlayCap.exe (PID: 3504)
      • ViewPlayCap.exe (PID: 1524)
      • ViewPlayCap.exe (PID: 3160)
      • ViewPlayCap.exe (PID: 3900)
      • ViewPlayCap.exe (PID: 1852)
    • Loads dropped or rewritten executable
      • ViewPlayCap.exe (PID: 3900)
      • ViewPlayCap.exe (PID: 1852)
      • WerFault.exe (PID: 2632)
    • Actions look like stealing of personal data
      • WinRAR.exe (PID: 3568)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3568)
      • ViewPlayCap.exe (PID: 3504)
    • Application launched itself
      • ViewPlayCap.exe (PID: 1524)
    • Creates files in the user directory
      • ViewPlayCap.exe (PID: 3504)
    • Creates files in the program directory
      • ViewPlayCap.exe (PID: 3504)
      • ViewPlayCap.exe (PID: 3900)
    • Reads Internet Explorer settings
      • ViewPlayCap.exe (PID: 1524)
      • ViewPlayCap.exe (PID: 3160)
  • INFO
    • Manual execution by user
      • explorer.exe (PID: 3984)
      • ViewPlayCap.exe (PID: 3900)
      • ViewPlayCap.exe (PID: 1852)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2013:05:02 14:50:18
ZipCRC: 0x224752e7
ZipCompressedSize: 2333257
ZipUncompressedSize: 2428234
ZipFileName: ViewPlayCap.exe
No data.
Total processes: 49
Monitored processes: 8
Malicious processes: 7
Suspicious processes: 0


Process information

PID | CMD | Path | Indicators | Parent process
PID: 1524
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.10861\ViewPlayCap.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.10861\ViewPlayCap.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\rar$exa3568.10861\viewplaycap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1852
CMD: "C:\Program Files\ViewPlayCap\ViewPlayCap.exe"
Path: C:\Program Files\ViewPlayCap\ViewPlayCap.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: ViewPlayCap
Exit code: 3221225477 (0xC0000005)
Version: 3, 0, 0, 0
Modules (Images):
c:\program files\viewplaycap\viewplaycap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2632
CMD: C:\Windows\system32\WerFault.exe -u -p 1852 -s 744
Path: C:\Windows\system32\WerFault.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3160
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.13527\ViewPlayCap.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.13527\ViewPlayCap.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 255
Modules (Images):
c:\users\admin\appdata\local\temp\rar$exa3568.13527\viewplaycap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3504
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.10861\ViewPlayCap.exe" -el -s2 "-dC:\Program Files\ViewPlayCap" "-p" "-sp"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.10861\ViewPlayCap.exe
Parent process: ViewPlayCap.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\rar$exa3568.10861\viewplaycap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3568
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PC.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3900
CMD: "C:\Program Files\ViewPlayCap\ViewPlayCap.exe"
Path: C:\Program Files\ViewPlayCap\ViewPlayCap.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: ViewPlayCap
Exit code: 0
Version: 3, 0, 0, 0
Modules (Images):
c:\program files\viewplaycap\viewplaycap.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3984
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 1 257
Read events: 1 208
Write events: 48
Delete events: 1

Modification events

(PID) Process: (3568) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3568) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3568) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3568) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\PC.zip

(PID) Process: (3568) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3568) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3568) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3568) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3568) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3568) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 6
Suspicious files: 1
Text files: 19
Unknown types: 3

Dropped files

PID | Process | Filename | Type
3504 | ViewPlayCap.exe | C:\Users\admin\Desktop\ViewPlayCap.lnk | lnk
MD5:
SHA256:
3504 | ViewPlayCap.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ViewPlayCap.lnk | lnk
MD5:
SHA256:
3504 | ViewPlayCap.exe | C:\Program Files\ViewPlayCap\ViewPlayCap.exe | executable
MD5: 969EFC4F3304909E5DD6173432B1F5C5
SHA256: 24D7D197FE1BBE7584DA4EB488213647147DAE3EC7E313ECB59B8B2F1E419C81
3504 | ViewPlayCap.exe | C:\Program Files\ViewPlayCap\SMIUtility.dll | executable
MD5: AEA0D6ACC43D8915A7887D91F690813B
SHA256: 1EE6C041276CD5B1A3E14B2A833982DC6F9197694E0F1CD3F55453655427AD40
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.10861\ViewPlayCap.exe | executable
MD5: BCDD8DA242AC5BE6D2A7D86A13BE812F
SHA256: 85309B4A5739A95743A0DB87A17A9458F14D84AB2CCE2EE46FFD0C63C6E1DE7F
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3568.13527\ViewPlayCap.exe | executable
MD5: BCDD8DA242AC5BE6D2A7D86A13BE812F
SHA256: 85309B4A5739A95743A0DB87A17A9458F14D84AB2CCE2EE46FFD0C63C6E1DE7F
3504 | ViewPlayCap.exe | C:\Program Files\ViewPlayCap\d3dx9_31.dll | executable
MD5: 797E24743937D67D69F28F2CF5052EE8
SHA256: E2065619FE6EB0034833B1DC0369DEB4A6EDC3110E38A1132EEAFCF430C578A5
2632 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\ViewPlayCap.exe.1852.dmp | dmp
MD5:
SHA256:
2632 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_ViewPlayCap.exe_7d88865a1a8d81e35ce871f5608af6c4bab618f_0ae0a3e0\Report.wer | binary
MD5:
SHA256:
3900 | ViewPlayCap.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\ViewPlayCap\ViewPlayCap.ini | ini
MD5:
SHA256:
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Process | Message
ViewPlayCap.exe | g_pSM370Pool->m_pSM370[0] is NULL
ViewPlayCap.exe | SMI_GetVIDPIDByIdx:CheckSMInterfacePointer failed!idx=0
ViewPlayCap.exe | No Video Input Device
ViewPlayCap.exe | g_pSM370Pool->m_pSM370[0] is NULL
ViewPlayCap.exe | SMI_GetVIDPIDByIdx:CheckSMInterfacePointer failed!idx=0
ViewPlayCap.exe | No Video Input Device