File name:

Win9x.zip

Full analysis: https://app.any.run/tasks/811b4d20-470e-411c-8cc1-8db77fe2c4b4
Verdict: Malicious activity
Analysis date: March 10, 2024, 23:26:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract, compression method=deflate
MD5:

E5FCF4C5B90E585AC6084BBE1377D03D

SHA1:

47355CC3AAF20F4951EDAE89E11E2D088EDC678E

SHA256:

3B34AD22B264B89548E713B6737A35294F49920586DD66DE7585C86D288AF7C6

SSDEEP:

49152:7yn7wqjrbqPoZEZfZyAD6Ja1uNgjFt80zirh0udJKFOoxTqobr2oSzX2akMT6zP6:g7NruPoZEZfg6a66JdJK9vSb2abT6DU5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3656)
      • AlZip.exe (PID: 2504)

    • Creates a writable file in the system directory

      • AlZip.exe (PID: 2504)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3656)
      • AlZip.exe (PID: 2504)

    • Executable content was dropped or overwritten

      • AlZip.exe (PID: 2504)

    • Starts a Microsoft application from unusual location

      • CIH.exe (PID: 3036)

  • INFO

    • Manual execution by a user

      • Smash.exe (PID: 3500)
      • Prizm.exe (PID: 1644)
      • AlZip.exe (PID: 2504)
      • AlZip.exe (PID: 2780)
      • CIH.exe (PID: 3036)
      • FlashKiller.exe (PID: 3780)
      • FlashKiller.exe (PID: 908)
      • Smash.exe (PID: 3392)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3656)

    • Checks supported languages

      • Prizm.exe (PID: 1644)
      • AlZip.exe (PID: 2504)
      • AlZip.exe (PID: 2780)

    • Creates files or folders in the user directory

      • AlZip.exe (PID: 2504)

    • Reads the computer name

      • AlZip.exe (PID: 2504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 45
ZipBitFlag: 0x0800
ZipCompression: Deflated
ZipModifyDate: 2024:03:10 21:40:24
ZipCRC: 0x00000000
ZipCompressedSize: 2
ZipUncompressedSize: -
ZipFileName: Win9x/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
64
Monitored processes
9
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe smash.exe no specs prizm.exe no specs alzip.exe alzip.exe no specs cih.exe no specs flashkiller.exe flashkiller.exe smash.exe

Process information

PID
CMD
Path
Indicators
Parent process
908"C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Trojan.Win9x.FlashKiller\FlashKiller.exe" C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Trojan.Win9x.FlashKiller\FlashKiller.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\win9x\win9x\trojan.win9x.flashkiller\flashkiller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
1644"C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.Prizm\Prizm.exe" C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.Prizm\Prizm.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1986719548
Modules
Images
c:\users\admin\appdata\local\temp\win9x\win9x\virus.win9x.prizm\prizm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
2504"C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.CIH (Infected AlZip program)\AlZip.exe" C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.CIH (Infected AlZip program)\AlZip.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\win9x\win9x\virus.win9x.cih (infected alzip program)\alzip.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2780"C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.CIH (Infected AlZip program)\AlZip.exe" C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.CIH (Infected AlZip program)\AlZip.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\win9x\win9x\virus.win9x.cih (infected alzip program)\alzip.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3036"C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.CIH\CIH.exe" C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.CIH\CIH.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Arp Command
Exit code:
3221225595
Version:
3.51
Modules
Images
c:\users\admin\appdata\local\temp\win9x\win9x\virus.win9x.cih\cih.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
3392"C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.Smash\Smash.exe" C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.Smash\Smash.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\win9x\win9x\virus.win9x.smash\smash.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
3500"C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.Smash\Smash.exe" C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.Smash\Smash.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\win9x\win9x\virus.win9x.smash\smash.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
3656"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Win9x.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3780"C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Trojan.Win9x.FlashKiller\FlashKiller.exe" C:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Trojan.Win9x.FlashKiller\FlashKiller.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\win9x\win9x\trojan.win9x.flashkiller\flashkiller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
Total events
4 457
Read events
4 440
Write events
17
Delete events
0

Modification events

(PID) Process:(3656) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3656) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3656) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3656) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3656) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3656) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3656) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Win9x.zip
(PID) Process:(3656) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3656) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3656) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
15
Suspicious files
2
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
2504AlZip.exe
MD5:
SHA256:
3656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.Shoerec\Shoerec.exeexecutable
MD5:F257A5F19F616F63785052CB3B316927
SHA256:A7FC7287EFA7BFC2362399975C785F9E60F028E48A0F5BDE316243DA4EB6C797
3656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.CIH (Infected AlZip program)\AlZip.exeexecutable
MD5:7BC322D95951DFE16E8CF47EE586E909
SHA256:6BF4879E15B5E25B35144FE4E136705AFB501B21F78EB1CACF45618A1452D272
2504AlZip.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\AlZip\Uninstal.$Aexecutable
MD5:06AFCB032515F959E965F7E8AA8360E9
SHA256:EFC5421F9FCF4185DF86EAC260B674B46413A09E92E847A49AAE8E954397D028
2504AlZip.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\AlZip\AlZipSFX.$Aexecutable
MD5:58F6EAB018E76839C7851F01064E5E0F
SHA256:1F7D05473E0EEA270EF38F5E4748CE2177D9C0A72D546FCB0C0B5C1804BA561F
2504AlZip.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\AlZip\AzShlExt.$Aexecutable
MD5:2616568A7A67D61573E5AF32E4AB6F65
SHA256:E105B5EACEF1703D0B7CB0A739A2B6251795A9EA3675ED40D91194624BB9D65B
3656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.Prizm\Prizm.exeexecutable
MD5:FEEF71C9299C0B6F7313074260FAE590
SHA256:96D2EAFF43D5807EE8C55E6AC9A8D32855198DC3BF83327766E53E4E7A88FF53
2504AlZip.exeC:\Users\admin\Desktop\¾ËÁý.lnkbinary
MD5:BCE4B7F65F6F8E069427F7838AC016D0
SHA256:F666877F75CE4C8CB6DD3FF002F2BF2010FB4A52E779E410F10C9091F18004D6
3656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Win9x\Win9x\Virus.Win9x.Smash\Smash.exeexecutable
MD5:628CA226D18EA3DF1C4B02882329B044
SHA256:5F7D233D25994AC890720A89DB315D2FE66C6F512A919BA74F27F28DB629A309
2504AlZip.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\AlZip\Alzip.$Aexecutable
MD5:DC9230367FD6678E9C06C99FBBD1B0E6
SHA256:94ADFA6C8E091E3485F9C6C6704E4E950306DCCAEAAF1BDD4DE34A1C99BB4C9C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
3792
WerFault.exe
104.208.16.93:443
watson.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
3872
WerFault.exe
104.208.16.93:443
watson.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
watson.microsoft.com
  • 104.208.16.93
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Win9x.zip