analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

processhacker-2.39-bin.zip

Full analysis: https://app.any.run/tasks/b55296ad-85f7-4f63-a9ea-138a57dcc28b
Verdict: Malicious activity
Analysis date: April 25, 2019, 09:04:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B444CF14642CE9B8D75E079166A5DF0B

SHA1:

8E8F8423D163D922242B8B7D85427664F77EDC97

SHA256:

2AFB5303E191DDE688C5626C3EE545E32E52F09DA3B35B20F5E0D29A418432F5

SSDEEP:

98304:jDqt5TrOmlLB/7rTOqcXfOzJR1qioDLK2EbhQ:3sTrHlB73OqX4ioDfshQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3900)
      • ProcessHacker.exe (PID: 2344)
      • DllHost.exe (PID: 3224)
      • DllHost.exe (PID: 2232)
      • explorer.exe (PID: 2036)
      • SearchProtocolHost.exe (PID: 3868)

    • Application was dropped or rewritten from another process

      • ProcessHacker.exe (PID: 2344)

    • Changes settings of System certificates

      • ProcessHacker.exe (PID: 2344)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1352)
      • explorer.exe (PID: 2036)

    • Adds / modifies Windows certificates

      • ProcessHacker.exe (PID: 2344)

    • Creates files in the user directory

      • explorer.exe (PID: 2036)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 2036)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2696)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 2696)

    • Reads settings of System Certificates

      • ProcessHacker.exe (PID: 2344)

    • Modifies the open verb of a shell class

      • chrome.exe (PID: 2696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2016:03:29 12:18:04
ZipCRC: 0x34beb5ab
ZipCompressedSize: 7294
ZipUncompressedSize: 25995
ZipFileName: CHANGELOG.txt
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
84
Monitored processes
33
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs processhacker.exe Copy/Move/Rename/Delete/Link Object no specs Copy/Move/Rename/Delete/Link Object no specs explorer.exe searchprotocolhost.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1352"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\processhacker-2.39-bin.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3900"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2344"C:\Users\admin\Desktop\processhacker-2.39-bin\x86\ProcessHacker.exe" C:\Users\admin\Desktop\processhacker-2.39-bin\x86\ProcessHacker.exe
explorer.exe
User:
admin
Company:
wj32
Integrity Level:
HIGH
Description:
Process Hacker
Version:
2.39.0.124
2232C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3224C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2036C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3868"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2696"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
3240"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6bcf0f18,0x6bcf0f28,0x6bcf0f34C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
3616"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2136 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
Total events
16 626
Read events
15 240
Write events
0
Delete events
0

Modification events

No data
Executable files
34
Suspicious files
137
Text files
193
Unknown types
19

Dropped files

PID
Process
Filename
Type
1352WinRAR.exeC:\Users\admin\Desktop\processhacker-2.39-bin\x64\plugins\ExtendedServices.dllexecutable
MD5:4858BDB7731BF0B46B247A1F01F4A282
SHA256:5AE7C0972FD4E4C4AE14C0103602CA854377FEFCBCCD86FA68CFC5A6D1F99F60
1352WinRAR.exeC:\Users\admin\Desktop\processhacker-2.39-bin\x64\plugins\Updater.dllexecutable
MD5:6976B57C6391F54DBD2828A45CA81100
SHA256:0C11CDC3765FFB53BA9707B6F99EC17AE4F7334578A935BA7BCBBC9C7BDEED2E
1352WinRAR.exeC:\Users\admin\Desktop\processhacker-2.39-bin\x64\plugins\ExtendedNotifications.dllexecutable
MD5:BE4DC4D2D1D05001AB0BB2BB8659BFAD
SHA256:61E8CD8DE80A5C0D7CED280FE04AD8387A846A7BF2EE51BCBBA96B971C7C1795
1352WinRAR.exeC:\Users\admin\Desktop\processhacker-2.39-bin\x64\plugins\NetworkTools.dllexecutable
MD5:D6BED1D6FDBED480E32FDD2DD4C13352
SHA256:476AA6AF14DD0B268786E32543B9A6917A298D4D90E1015DAC6FB2B522CF5D2E
1352WinRAR.exeC:\Users\admin\Desktop\processhacker-2.39-bin\README.txttext
MD5:72AC5A8DD6491E525B9783C9BC439FE6
SHA256:0C4F051675A690EA4DB6AB2EB81FDCED6990E2538AD21DC4610AA5925253A090
1352WinRAR.exeC:\Users\admin\Desktop\processhacker-2.39-bin\x64\plugins\SbieSupport.dllexecutable
MD5:37CBFA73883E7E361D3FA67C16D0F003
SHA256:57C56F7B312DC1F759E6AD039AAC3F36CE5130D259EB9FAAD77239083398308B
1352WinRAR.exeC:\Users\admin\Desktop\processhacker-2.39-bin\COPYRIGHT.txttext
MD5:39B07060A5C6199730219E29C747C061
SHA256:319CD301CF40BE03C00CD086560D4E810E0F6D0DBFDC2D28D6AF3522C027CF49
1352WinRAR.exeC:\Users\admin\Desktop\processhacker-2.39-bin\x64\kprocesshacker.sysexecutable
MD5:1B5C3C458E31BEDE55145D0644E88D75
SHA256:70211A3F90376BBC61F49C22A63075D1D4DDD53F0AEFA976216C46E6BA39A9F4
1352WinRAR.exeC:\Users\admin\Desktop\processhacker-2.39-bin\x64\peview.exeexecutable
MD5:DDE1F44789CD50C1F034042D337DEAE3
SHA256:4259E53D48A3FED947F561FF04C7F94446BEDD64C87F52400B2CB47A77666AAA
1352WinRAR.exeC:\Users\admin\Desktop\processhacker-2.39-bin\LICENSE.txttext
MD5:EB59E0A5D01D0A5B02DA0C9E7786969F
SHA256:C38E811F6F83428921D0CECD998A44B717149B577B4C1A63B66064F03C34E4E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
69
DNS requests
52
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2696
chrome.exe
GET
200
74.125.173.74:80
http://r5---sn-c0q7lnse.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.183.107.236&mm=28&mn=sn-c0q7lnse&ms=nvh&mt=1556183127&mv=m&pl=24&shardbypass=yes
US
crx
842 Kb
whitelisted
2696
chrome.exe
GET
302
172.217.22.78:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
506 b
whitelisted
2696
chrome.exe
GET
200
205.185.216.10:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.6 Kb
whitelisted
2696
chrome.exe
GET
200
52.85.182.165:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2696
chrome.exe
172.217.22.78:80
redirector.gvt1.com
Google Inc.
US
whitelisted
2696
chrome.exe
172.217.23.131:443
www.gstatic.com
Google Inc.
US
whitelisted
2696
chrome.exe
172.217.23.173:443
accounts.google.com
Google Inc.
US
whitelisted
2696
chrome.exe
216.58.205.227:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2696
chrome.exe
172.217.16.131:443
www.google.com.ua
Google Inc.
US
whitelisted
2696
chrome.exe
172.217.22.14:443
clients1.google.com
Google Inc.
US
whitelisted
2696
chrome.exe
74.125.173.74:80
r5---sn-c0q7lnse.gvt1.com
Google Inc.
US
whitelisted
2696
chrome.exe
216.58.207.78:443
consent.google.com
Google Inc.
US
whitelisted
2696
chrome.exe
52.85.182.165:80
x.ss2.us
Amazon.com, Inc.
US
whitelisted
2696
chrome.exe
52.17.170.122:443
wetransfer.com
Amazon.com, Inc.
IE
unknown

DNS requests

Domain
IP
Reputation
wj32.org
  • 162.243.25.33
whitelisted
clientservices.googleapis.com
  • 216.58.205.227
whitelisted
www.google.com.ua
  • 172.217.16.131
whitelisted
accounts.google.com
  • 172.217.23.173
shared
clients1.google.com
  • 172.217.22.14
whitelisted
ssl.gstatic.com
  • 216.58.205.227
whitelisted
www.gstatic.com
  • 172.217.23.131
whitelisted
apis.google.com
  • 172.217.22.14
whitelisted
clients2.google.com
  • 172.217.22.14
whitelisted
redirector.gvt1.com
  • 172.217.22.78
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
processhacker-2.39-bin.zip