File name: MSICALFILE7_2023-06-28_09_02_20.zip

Full analysis: https://app.any.run/tasks/09dad8c1-8d20-43f0-b143-247adb602723
Verdict: Malicious activity
Analysis date: June 28, 2023, 15:31:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract
MD5: 66F1A88E1202569B7FBC5800816F2D14
SHA1: A311752E99E6F7274DB13BC21FD0C75CF561BDBB
SHA256: 3634C77138B64D454D3550040BA008901235736AD009174026F51E7954787547
SSDEEP: 49152:f7LWz6kXJ8Fu6b2qmD8MmOnN8Oxayfb6waW+yK71Ad0sfwfPiQGAtVLFVneFmmFT:fWzRqurD8MbOiV+L80eUP+u+FmmFWa3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • kmd172_en.exe (PID: 2116)
      • kmd172_en.exe (PID: 2496)
      • Setup.exe (PID: 3284)
      • IKernel.exe (PID: 3400)
      • IKernel.exe (PID: 4048)
      • IKernel.exe (PID: 3280)
    • Loads dropped or rewritten executable

      • Setup.exe (PID: 3284)
      • IKernel.exe (PID: 4048)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • kmd172_en.exe (PID: 2496)
      • Setup.exe (PID: 3284)
      • IKernel.exe (PID: 4048)
      • setup.exe (PID: 4044)
      • cd_install_291.exe (PID: 3952)
      • kazaa_336.exe (PID: 2408)
      • DelFinMediaViewer29j.exe (PID: 3040)
      • SaveNowInst.exe (PID: 2140)
    • Application launched itself

      • IKernel.exe (PID: 4048)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2472)
    • Uses RUNDLL32.EXE to load library

      • kazaa_336.exe (PID: 2408)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3076)
    • The process checks LSA protection

      • dllhost.exe (PID: 3712)
      • Setup.exe (PID: 3284)
      • IKernel.exe (PID: 4048)
    • Manual execution by a user

      • kmd172_en.exe (PID: 2116)
      • kmd172_en.exe (PID: 2496)
    • Checks supported languages

      • kmd172_en.exe (PID: 2496)
      • Setup.exe (PID: 3284)
      • IKernel.exe (PID: 4048)
      • IKernel.exe (PID: 3400)
      • IKernel.exe (PID: 3280)
    • Create files in a temporary directory

      • kmd172_en.exe (PID: 2496)
      • Setup.exe (PID: 3284)
      • IKernel.exe (PID: 4048)
    • Reads the computer name

      • Setup.exe (PID: 3284)
      • IKernel.exe (PID: 3400)
      • IKernel.exe (PID: 4048)
      • IKernel.exe (PID: 3280)
    • Creates files in the program directory

      • Setup.exe (PID: 3284)
      • IKernel.exe (PID: 4048)
    • Reads the machine GUID from the registry

      • Setup.exe (PID: 3284)
      • IKernel.exe (PID: 4048)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Device/HarddiskVolume7/Hydroconsult/Program Files/Kazaa/My Shared Folder/kmd172_en.exe
ZipUncompressedSize: 3876511
ZipCompressedSize: 3684379
ZipCRC: 0xb10d16dd
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0801
ZipRequiredVersion: 45
All screenshots are available in the full report
Total processes: 66
Monitored processes: 25
Malicious processes: 7
Suspicious processes: 2

Behavior graph

Processes shown in the graph (entries marked "no specs" in the graph are flagged as such): winrar.exe, kmd172_en.exe (no specs), kmd172_en.exe, setup.exe, ikernel.exe (no specs), ikernel.exe, ikernel.exe (no specs), explorer.exe (no specs), ctfmon.exe (no specs), Thumbnail Cache Out of Proc Server (no specs), vssvc.exe (no specs), SPPSurrogate (no specs), cd_install_291.exe, cduninst.exe (no specs), rundll32.exe (no specs), rundll32.exe (no specs), setup.exe, delfinmediaviewer29j.exe, savenowinst.exe, webinstall.exe (no specs), kazaa_336.exe, savenow.exe (no specs), rundll32.exe (no specs), kazaa.exe (no specs), pgmonitr.exe (no specs)

Process information

PID: 372
CMD: "C:\Users\admin\AppData\Local\Temp\QWa03948\cduninst.exe" 253
Path: C:\Users\admin\AppData\Local\Temp\QWa03948\cduninst.exe
Parent process: cd_install_291.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 1068
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1404
CMD: "C:\Program Files\SaveNow\SaveNow.exe"
Path: C:\Program Files\SaveNow\SaveNow.exe
Parent process: SaveNowInst.exe
User: admin
Company: WhenU.com, Inc.
Integrity Level: HIGH
Description: SaveNow
Exit code: 0
Version: 1, 6, 0, 1

PID: 1612
CMD: C:\Windows\System32\ctfmon.exe
Path: C:\Windows\System32\ctfmon.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CTF Loader
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

PID: 1824
CMD: C:\Windows\\Temp\Adware\WebInstall.exe /i
Path: C:\Windows\Temp\Adware\WebInstall.exe
Parent process: IKernel.exe
User: admin
Integrity Level: HIGH
Description: Web Install
Exit code: 0
Version: 1.0.0.41

PID: 1908
CMD: rundll32.exe C:\Users\admin\AppData\Local\Temp\QWa03948\cd_clint.dll,ServiceRunDll q_253
Path: C:\Users\admin\AppData\Local\Temp\QWa03948\RUNDLL32.EXE
Parent process: cduninst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Run a DLL as an App
Exit code: 3221225794
Version: 4.10.1998

PID: 2116
CMD: "C:\Users\admin\Desktop\Device\HarddiskVolume7\Hydroconsult\Program Files\Kazaa\My Shared Folder\kmd172_en.exe"
Path: C:\Users\admin\Desktop\Device\HarddiskVolume7\Hydroconsult\Program Files\Kazaa\My Shared Folder\kmd172_en.exe
Parent process: explorer.exe
User: admin
Company: Sharman Networks Ltd
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.7.2
Modules (images):
c:\users\admin\desktop\device\harddiskvolume7\hydroconsult\program files\kazaa\my shared folder\kmd172_en.exe
c:\windows\system32\ntdll.dll

PID: 2140
CMD: C:\Windows\\Temp\Adware\SaveNowInst.exe http://app.whenu.com/Offers?url=ZNST0102
Path: C:\Windows\Temp\Adware\SaveNowInst.exe
Parent process: IKernel.exe
User: admin
Company: WhenU.com, Inc.
Integrity Level: HIGH
Description: SaveNow Setup
Exit code: 0
Version: 1, 6, 0, 2

PID: 2408
CMD: C:\Windows\\Temp\Adware\kazaa_336.exe
Path: C:\Windows\Temp\Adware\kazaa_336.exe
Parent process: IKernel.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2472
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 5 058
Read events: 4 864
Write events: 194
Delete events: 0

Modification events

(PID) Process: (1068) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:

(PID) Process: (3076) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3076) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3076) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3076) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3076) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3076) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3076) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3076) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1068) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation: write
Name: MRUList
Value: a
Executable files: 109
Suspicious files: 91
Text files: 89
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2496 | kmd172_en.exe | C:\Users\admin\AppData\Local\Temp\plf310B.tmp | text
MD5: 9EFCC61A0BAA38A6D7C67A05A97C7B87
SHA256: 7CCB3A50CA08C66A220E4DA614CBABA1D05157359EDD174223C788B86D929EDF
3076 | WinRAR.exe | C:\Users\admin\Desktop\manifest.json | text
MD5: 75F6F4985EC0F6A54CFAB94EB9DC49B3
SHA256: 55CA6A74DAAF9C7970BC396CC86EBD0F3CF154433F10167ABDAC1B057F193B14
2496 | kmd172_en.exe | C:\Users\admin\AppData\Local\Temp\ext310C.tmp | text
MD5: 9EFCC61A0BAA38A6D7C67A05A97C7B87
SHA256: 7CCB3A50CA08C66A220E4DA614CBABA1D05157359EDD174223C788B86D929EDF
2496 | kmd172_en.exe | C:\Users\admin\AppData\Local\Temp\pft313C.tmp\pftw1.pkg | compressed
MD5: 1FB635809DA280DBE19E21243A16811F
SHA256: 48BD184C657A53D4F8EEC8B77E0FC7DE934A9C17ABAB09E1E0EC6D3B48D4E179
3076 | WinRAR.exe | C:\Users\admin\Desktop\Device\HarddiskVolume7\Hydroconsult\Program Files\Kazaa\My Shared Folder\kmd172_en.exe | executable
MD5: 57280C91136E4D9213DBEA2DF76BE252
SHA256: D30AFDECF03C5672803636D3EAC36C3136916051BDE36B2F63DACDEE42C86C2D
2496 | kmd172_en.exe | C:\Users\admin\AppData\Local\Temp\pft313C.tmp\Disk1\data1.hdr | binary
MD5: 5D1FA87C2C4027EE6D72BA82199D027F
SHA256: 177DE914B92E520099D23B1F017D791E5A317E2F48579BEEEF3EB70306BC7F88
2496 | kmd172_en.exe | C:\Users\admin\AppData\Local\Temp\pft313C.tmp\Disk1\Copy of Setup.exe | executable
MD5: 1AEB989E361AF85F5099DE3DA25457F4
SHA256: AB9E0291A763EFC32E84E7117F9A0FBC99B681C96DF0BB27A66433A726667E5C
2496 | kmd172_en.exe | C:\Users\admin\AppData\Local\Temp\pft313C.tmp\Disk1\data2.cab | compressed
MD5: 07857DB0D0D9D67C5C08E179A11BAE06
SHA256: 7819A91667E4557427424B8DB71A45A17B470B53FDFB9164266C17D3F63CFC0F
2496 | kmd172_en.exe | C:\Users\admin\AppData\Local\Temp\pft313C.tmp\Disk1\layout.bin | binary
MD5: 52AC2910EFFDBFC1DCB24566621B0DD1
SHA256: 2F6C3E9AEEF07BE318D5347600F4D36C27C359B6C09DA056EC89D7A2BF7EA37C
2496 | kmd172_en.exe | C:\Users\admin\AppData\Local\Temp\pft313C.tmp\Disk1\setup.inx | binary
MD5: 3F3794E23A71B49E5E2ABD943AA95498
SHA256: 8AA778A9C847EB800B84818FA4958A17701C587B4FFED16C67D516A83F1AEAF3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 9
DNS requests: 7
Threats: 0

HTTP requests

Method | HTTP Code | IP | URL | CN | Reputation
HEAD | 200 | 18.205.187.81:80 | http://18.205.187.81:80/ | US | unknown
HEAD | 400 | 23.56.201.214:80 | http://23.56.201.214:80/ | GB | suspicious

(PID, Process, Type and Size columns are not populated in this report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 23.56.201.214:80 | www.intel.com | AKAMAI-AS | GB | suspicious
820 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1076 | svchost.exe | 224.0.0.252:5355 | | | | unknown
| | 18.205.187.81:80 | www.brilliantdigital.com | AMAZON-AES | US | unknown

DNS requests

Domain | IP | Reputation
adserv.internetfuel.com | | unknown
ad2.brilliantdigital.com | | unknown
www.brilliantdigital.com | 18.205.187.81 | unknown
www.intel.com | 23.56.201.214 | whitelisted
upgrade.new.tech | | unknown
upgrade.newdotnet.net | | malicious

Threats

No threats detected
No debug info