File name:

kf151.zip

Full analysis: https://app.any.run/tasks/2c43b10f-add7-4ad2-845a-29601799a583
Verdict: Malicious activity
Analysis date: November 28, 2019, 14:56:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

9248012B83991E3FE6B6B424A9A3BB23

SHA1:

7FA4177A4B1E5DCC9D24762D374483D9CFDE7C18

SHA256:

121064CC16E06CA58B2FF58FC8E868C8175107D424CD7F19A23D992849E482AE

SSDEEP:

6144:OQ8DTO+JLWnXJU2jD5h+fSzcRJmiCN0UEcJ3Dm22:OQ8DTNLWnXNJKRJmjNscJ3y22

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • findkey.exe (PID: 2040)
      • xpkey.exe (PID: 3968)
      • keyfinder.exe (PID: 3332)
      • keyfinder.exe (PID: 2480)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1940)
      • keyfinder.exe (PID: 2480)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2006:08:06 19:54:03
ZipCRC: 0x7a553444
ZipCompressedSize: 266712
ZipUncompressedSize: 272357
ZipFileName: keyfinder.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start winrar.exe keyfinder.exe no specs keyfinder.exe findkey.exe no specs xpkey.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1940"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\kf151.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2040"C:\Users\admin\AppData\Local\Temp\RarSFX0\findkey.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\findkey.exekeyfinder.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\findkey.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2480"C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.49779\keyfinder.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.49779\keyfinder.exe
WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa1940.49779\keyfinder.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3332"C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.49779\keyfinder.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1940.49779\keyfinder.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa1940.49779\keyfinder.exe
c:\systemroot\system32\ntdll.dll
3968"C:\Users\admin\AppData\Local\Temp\RarSFX0\xpkey.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\xpkey.exefindkey.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\xpkey.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crtdll.dll
c:\windows\system32\apphelp.dll
Total events
1 168
Read events
1 137
Write events
31
Delete events
0

Modification events

(PID) Process:(1940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1940) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\kf151.zip
(PID) Process:(1940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1940) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
4
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2480keyfinder.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\xpkey.exeexecutable
MD5:F5393A2616FDACD43D46B302CC723E84
SHA256:CB603DA8A9CB1C8BBF922175D30E8F51DB867FA5DA3A4DDC3637805B7A6CCAE2
1940WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1940.49779\keyfinder.exeexecutable
MD5:042F13CB1818A8B9FE026A250C4EEF93
SHA256:47AB0544C45E7E745B2459018B4CA5AA1631602CD6977A2A0CE73A2F5F454831
3968xpkey.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\xpkey.txttext
MD5:4EF283E7931D2FF21AC766BDC7EA4700
SHA256:7273F70BBB22BE4418DC8AE35F4525A3335307522790C4FC7383E95BEF19C9ED
2480keyfinder.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\officekey.exeexecutable
MD5:BA47986812381F64938D22FC55D2C6E9
SHA256:5B4FEC2EC25E488C8C377A7FE3AD90CF1AFFDA5A053A6A44EEA13CA6B98CAD9C
2480keyfinder.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\findkey.exeexecutable
MD5:D1EEE936774BC595DE3BBC9666723646
SHA256:F8D3C74B6843436688DCE8E6F8AD44D9EB9B179B1E04AAC3F831CA2B663FC04F
2480keyfinder.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\chgxp.vbstext
MD5:DDD5148D88DB8298FA44A83ACE8B540F
SHA256:00A3B8A2E8E04522FFD6955639A8F706B8955A4640744C53D05DF517BBF147DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
kf151.zip