File name: 2244.zip
Full analysis: https://app.any.run/tasks/97b4179c-2c05-4b27-8d70-5ba0ea0c2249
Verdict: Malicious activity
Analysis date: June 17, 2024, 07:08:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 705FAEF7EA7739B6803CF6D86E5456B2
SHA1: B16DDA656EE23BE405ED8B153E0DC6DCECE6AD97
SHA256: 40F758387BA5A5D7D79CAE07E15DA4F5C725A5DE08D4E7E63330EF392A5E7D18
SSDEEP: 98304:zg7surMjdp/6WrBz/IYQqrAxbopw8kkRaeVcjOL5Rt2HTglljVMKyPXzpP6nxgjK:bpNKiF8So6t3aQJUJeVbBh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3980)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3980)
  • INFO

    • Manual execution by a user

      • POWERPNT.EXE (PID: 764)
      • POWERPNT.EXE (PID: 1136)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:06:17 15:01:32
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: ##!!SetUp_2244_Pa$sW0rd$!!/

These fields are read from the archive's first local file header only. Here that header is the top-level directory entry (the name ends in "/"), which is why the CRC is zero and both sizes are empty; they say nothing about the files stored under it. "ZipCompression: None" (method 0, store) agrees with the "compression method=store" file info above: the archive was built without compression, so its contents are byte-for-byte visible to any scanner that looks inside.
No data.
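The EXIF block above shows the header fields for one entry only. The following is an added Python example, not part of the ANY.RUN report or its tooling: it recovers the same fields (required version, bit flag, method, CRC, sizes, name) for every entry of a ZIP and flags what an analyst wants to know before extracting anything, namely the password bit, the compression method, executable file names, path traversal in entry names, and local headers that disagree with the central directory. The archive it parses is constructed in memory with the entry names taken from this report and dummy contents; it is a stand-in, not 2244.zip itself.

```python
"""Static triage of a ZIP container, one row per entry.

Added example, not ANY.RUN's code. The sample archive is built in memory
with entry names copied from the report; its contents are dummy bytes."""
import io
import struct
import zipfile

# Local file header, 30 bytes: signature, version needed, flags, method,
# mod time, mod date, crc32, compressed size, uncompressed size,
# name length, extra length.
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_SIG = b"PK\x03\x04"
PE_EXT = (".exe", ".dll", ".scr", ".cpl", ".sys", ".ocx")
TOP = "##!!SetUp_2244_Pa$sW0rd$!!/"      # folder name from the report


def build_sample_zip() -> bytes:
    """Constructed stand-in for 2244.zip: stored (method 0), directory entry
    first, then a PPTX, a DLL and PassCode.txt, all with dummy content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(TOP, b"")                                    # directory entry
        zf.writestr(TOP + "hogg.pptx", b"PK\x03\x04" + b"\x00" * 64)
        zf.writestr(TOP + "Qt5Core.dll", b"MZ" + b"\x00" * 64)
        zf.writestr(TOP + "PassCode.txt", b"dummy text\n")
    return buf.getvalue()


def triage_zip(data: bytes) -> list:
    """The central directory drives the walk (so archives that use data
    descriptors still parse); the local header at header_offset is decoded
    by hand so its fields can be checked against the central record, a
    mismatch being a sign of a doctored archive."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            sig, ver, flag, method, _mt, _md, crc, csize, usize, _nl, _xl = \
                struct.unpack_from(LOCAL_FMT, data, zi.header_offset)
            if sig != LOCAL_SIG:
                raise ValueError(f"bad local header for {zi.filename!r}")
            name = zi.filename
            parts = name.replace("\\", "/").split("/")
            rows.append({
                "name": name,
                "required_version": ver,
                "flags": flag,
                "encrypted": bool(flag & 0x1),    # bit 0: password-protected entry
                "method": method,                  # 0 = store, 8 = deflate
                "crc": crc,
                "sizes": (csize, usize),
                "is_dir": name.endswith("/"),
                "executable": name.lower().endswith(PE_EXT),
                "path_traversal": name.startswith(("/", "\\")) or ".." in parts
                                  or ":" in parts[0],
                # bit 3 set means sizes/CRC live in a trailing data descriptor
                "crc_mismatch": crc != zi.CRC and not (flag & 0x8),
            })
    return rows


def summarize(rows: list) -> dict:
    """Archive-level verdict inputs derived from the per-entry rows."""
    return {
        "entries": len(rows),
        "encrypted_entries": sum(r["encrypted"] for r in rows),
        "all_stored": all(r["method"] == 0 for r in rows),
        "executables": [r["name"] for r in rows if r["executable"]],
        "suspicious_paths": [r["name"] for r in rows if r["path_traversal"]],
        "header_mismatches": [r["name"] for r in rows if r["crc_mismatch"]],
    }


if __name__ == "__main__":
    rows = triage_zip(build_sample_zip())
    for r in rows:
        print(f"{r['name']:<45} ver={r['required_version']} flags={r['flags']:#06x} "
              f"method={r['method']} crc={r['crc']:#010x} dir={r['is_dir']}")
    print(summarize(rows))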
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

The only process flagged as malicious is WinRAR.exe, which unpacked the archive. No process other than WinRAR and the two PowerPoint instances was monitored, none of the dropped executables appears as a running process, both POWERPNT.EXE instances were started manually on hogg.pptx and exited with code 0, and no HTTP or DNS traffic was recorded. The verdict therefore rests on the "drops executable files" signature alone; the behaviour of the unpacked content was not observed in this run.

Behavior graph

start
  • winrar.exe
  • powerpnt.exe (no specs)
  • powerpnt.exe (no specs)

Process information

PID: 764
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\Desktop\##!!SetUp_2244_Pa$sW0rd$!!\hogg.pptx"
Path: C:\Program Files\microsoft office\Office14\POWERPNT.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Exit code:
0
Version:
14.0.6009.1000
Modules
Images
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1136
CMD: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\Desktop\##!!SetUp_2244_Pa$sW0rd$!!\hogg.pptx"
Path: C:\Program Files\microsoft office\Office14\POWERPNT.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Exit code:
0
Version:
14.0.6009.1000
Modules
Images
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3980
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\2244.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 8 803
Read events: 8 685
Write events: 103
Delete events: 15

Modification events

All by PID 3980 (WinRAR.exe); every operation is a registry write.

Key                                                          Name          Value
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes           ShellExtBMP   (empty)
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes           ShellExtIcon  (empty)
HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E       LanguageList  en-US
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory                 3             C:\Users\admin\Desktop\phacker.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory                 2             C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory                 1             C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory                 0             C:\Users\admin\AppData\Local\Temp\2244.zip
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  name          120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  size          80
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  type          120

These are WinRAR's own interface settings, not changes made by the sample. ArcHistory is the archiver's recently-opened list, with value 0 the most recent: entry 0 is the analysed archive in %TEMP%, while entries 1-3 (curl-8.5.0_1-win32-mingw.zip, Win7-KB3191566-x86.zip, phacker.zip) are archives opened earlier on this guest image; none of them appears among the sample's dropped files, so they are environment artefacts rather than indicators of this sample.
Executable files: 33
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

All dropped by PID 3980 (WinRAR.exe) under C:\Users\admin\Desktop\##!!SetUp_2244_Pa$sW0rd$!!\. Only a subset of the dropped files is listed on this summary page (33 executable files were counted above; 6 are shown here).

amphipod.tiff  (type not given)
  MD5: -  SHA256: -
PassCode.txt  (type not given)
  MD5: -  SHA256: -
updater\manager\ks_tyres.ini  text
  MD5: 47F6571C7884DA6C743551AC724186D4  SHA256: 894D3C57598ECB22C769CC3EA8219859A95E22740E72394A474012EA2119B3D9
Qt5Core.dll  executable
  MD5: 1CCC90E7AAC237B45A75292BC9145CB9  SHA256: 2E33FE29145A2F13DCB56635EB292F6C25C116E1E14FA081EB728EE04071AE25
msvcp140.dll  executable
  MD5: 1BA6D1CF0508775096F9E121A24E5863  SHA256: 74892D9B4028C05DEBAF0B9B5D9DC6D22F7956FA7D7EEE00C681318C26792823
hogg.pptx  binary
  MD5: 4A1BB50A70821601F854CB93681F57A1  SHA256: 4DB21E4665018A3E6CD03EC1B65F42A1C6C8F8046B3F451A1E025A2013E8203F
msvcp140_1.dll  executable
  MD5: 69D96E09A54FBC5CF92A0E084AB33856  SHA256: A3A1199DE32BBBC8318EC33E2E1CE556247D012851E4B367FE853A51E74CE4EE
vcruntime140_1.dll  executable
  MD5: CF0A1C4776FFE23ADA5E570FC36E39FE  SHA256: 6FD366A691ED68430BCD0A3DE3D8D19A0CB2102952BFC140BBEF4354ED082C47
Qt5Network.dll  executable
  MD5: C24C89879410889DF656E3A961C59BCC  SHA256: 739BEDCFC8EB860927EB2057474BE5B39518AAAA6703F9F85307A432FA1F236E
steam_api64.dll  executable
  MD5: 6B4AB6E60364C55F18A56A39021B74A6  SHA256: 1DB3FD414039D3E5815A5721925DD2E0A3A9F2549603C6CAB7C49B84966A1AF3
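The "Drops the executable file immediately after the start" signature, the password-style folder name and the PassCode.txt sitting next to the DLLs can all be re-derived from the dropped-files table. The following is an added Python example, not ANY.RUN's signature engine: the event rows are copied from the table above (hashes omitted, types as listed), while the archiver list, the executable-count threshold and the lure keyword list are assumptions chosen for the example.

```python
"""Behavioural triage of per-process file-write events.

Added example, not ANY.RUN's code. Rows come from this report's Dropped
files table; ARCHIVERS, the threshold and LURE_RE are assumptions."""
import re
from collections import defaultdict
from ntpath import basename, dirname          # Windows path handling, runs anywhere

ARCHIVERS = {"winrar.exe", "7z.exe", "7zg.exe", "7zfm.exe"}            # assumption
LEET = str.maketrans({"$": "s", "0": "o", "@": "a", "3": "e", "1": "i"})
LURE_RE = re.compile(r"passw(or)?d|passcode|pwd|serial|keygen|crack", re.I)

TOP = r"C:\Users\admin\Desktop\##!!SetUp_2244_Pa$sW0rd$!!"
# (pid, process, path, type-as-listed) copied from the report; "" = no type given
DROPS = [
    (3980, "WinRAR.exe", TOP + r"\amphipod.tiff", ""),
    (3980, "WinRAR.exe", TOP + r"\PassCode.txt", ""),
    (3980, "WinRAR.exe", TOP + r"\updater\manager\ks_tyres.ini", "text"),
    (3980, "WinRAR.exe", TOP + r"\Qt5Core.dll", "executable"),
    (3980, "WinRAR.exe", TOP + r"\msvcp140.dll", "executable"),
    (3980, "WinRAR.exe", TOP + r"\hogg.pptx", "binary"),
    (3980, "WinRAR.exe", TOP + r"\msvcp140_1.dll", "executable"),
    (3980, "WinRAR.exe", TOP + r"\vcruntime140_1.dll", "executable"),
    (3980, "WinRAR.exe", TOP + r"\Qt5Network.dll", "executable"),
    (3980, "WinRAR.exe", TOP + r"\steam_api64.dll", "executable"),
]


def normalize(name: str) -> str:
    """Undo common leetspeak and decoration so Pa$sW0rd$ reads as password."""
    return re.sub(r"[#!\-\s]", "", name.translate(LEET)).lower()


def is_lure_name(name: str) -> bool:
    return LURE_RE.search(normalize(name)) is not None


def triage_drops(events, pe_threshold: int = 3) -> list:
    """One finding per dropping process, listing the signatures it trips."""
    per_proc = defaultdict(list)
    for pid, proc, path, ftype in events:
        per_proc[(pid, proc)].append((path, ftype))
    findings = []
    for (pid, proc), rows in sorted(per_proc.items()):
        pe = [p for p, t in rows if t == "executable"]
        dirs = {dirname(p) for p, _ in rows}
        hit = []
        # the report's MALICIOUS signature: an archiver writing several PE files
        if proc.lower() in ARCHIVERS and len(pe) >= pe_threshold:
            hit.append("archiver dropped executable files")
        # the destination folder itself advertises a password
        if any(is_lure_name(basename(d)) for d in dirs):
            hit.append("password-lure folder name")
        # a passcode/readme-style non-executable placed beside executables
        if pe and any(is_lure_name(basename(p)) for p, t in rows if t != "executable"):
            hit.append("passcode/readme file beside executables")
        findings.append({"pid": pid, "process": proc, "pe_drops": len(pe),
                         "dirs": sorted(dirs), "signatures": hit})
    return findings


if __name__ == "__main__":
    for finding in triage_drops(DROPS):
        print(finding)
```

The per-process grouping is what keeps the rule usable outside a sandbox: on an endpoint the same three checks run over file-create telemetry keyed by process id, and the archiver allow-list is the only part that needs tuning per environment.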
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      Destination           Domain  ASN  CN  Reputation
4     System       192.168.100.255:138   -       -    -   whitelisted
4     System       192.168.100.255:137   -       -    -   whitelisted
1088  svchost.exe  224.0.0.252:5355      -       -    -   unknown

None of these belongs to the monitored processes. Ports 137 and 138 to the subnet broadcast address are the guest's own NetBIOS name-service and datagram traffic, and 224.0.0.252:5355 is the LLMNR multicast group; all three are background Windows name-resolution noise, not activity of the sample.

DNS requests

No data

Threats

No threats detected
No debug info