download:

Shoot-the-blacks.zip

Full analysis: https://app.any.run/tasks/df80a17b-fc2f-4058-937a-b16f4f7b8e28
Verdict: Malicious activity
Analysis date: May 29, 2020, 23:28:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

C8B9A1BA6D850068A506D590E5F5CE18

SHA1:

9AABC1BC45BD711E98204C6144CC5D0996E6E117

SHA256:

468F4B48F6F1DADC34912BF2FD2EDD202A2EC20F27F7A282CB458A7F572036C8

SSDEEP:

24576:btj/eMJWSpzgWwNZYq31zMudvU0+6GMv1JDXIUZdqqNwT4IwHSyZI9I6CD:x5kSpUgqlzldvU0+6GMv1JDXIUzqqNwO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • Area Alby.exe (PID: 3848)

    • Application was dropped or rewritten from another process

      • Area Alby.exe (PID: 3848)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Area Alby.exe (PID: 3848)
      • WinRAR.exe (PID: 2020)

    • Starts CMD.EXE for commands execution

      • uninstal.exe (PID: 4032)

  • INFO

    • Manual execution by user

      • Area Alby.exe (PID: 3848)
      • uninstal.exe (PID: 3712)
      • uninstal.exe (PID: 4032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:11:18 08:25:20
ZipCRC: 0x3c3c53ff
ZipCompressedSize: 133174
ZipUncompressedSize: 277770
ZipFileName: Shoot the blacks/Area Alby.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe area alby.exe uninstal.exe no specs uninstal.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2020"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Shoot-the-blacks.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2648cmd /c C:\Delapp.batC:\Windows\system32\cmd.exeuninstal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3712"C:\Users\admin\Desktop\Shoot the blacks\uninstal.exe" C:\Users\admin\Desktop\Shoot the blacks\uninstal.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\shoot the blacks\uninstal.exe
c:\systemroot\system32\ntdll.dll
3848"C:\Users\admin\Desktop\Shoot the blacks\Area Alby.exe" C:\Users\admin\Desktop\Shoot the blacks\Area Alby.exe
explorer.exe
User:
admin
Company:
Europress Software
Integrity Level:
MEDIUM
Description:
The Games Factory Stand Alone Game
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\shoot the blacks\area alby.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\shoot the blacks\cncs32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
4032"C:\Users\admin\Desktop\Shoot the blacks\uninstal.exe" C:\Users\admin\Desktop\Shoot the blacks\uninstal.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\desktop\shoot the blacks\uninstal.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
338
Read events
329
Write events
9
Delete events
0

Modification events

(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2020) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2020) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E
Operation:writeName:@C:\Windows\system32\NetworkExplorer.dll,-1
Value:
Network
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Shoot-the-blacks.zip
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2020) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
2
Suspicious files
0
Text files
1
Unknown types
10

Dropped files

PID
Process
Filename
Type
2020WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2020.24574\Shoot the blacks\cncs32.dll
MD5:
SHA256:
2020WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2020.24574\Shoot the blacks\uninstal.bin
MD5:
SHA256:
2020WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2020.24574\Shoot the blacks\uninstal.exe
MD5:
SHA256:
3848Area Alby.exeC:\Users\admin\AppData\Local\Temp\gfcC841.midrmi
MD5:
SHA256:
3848Area Alby.exeC:\Users\admin\AppData\Local\Temp\gfcDA32.midrmi
MD5:
SHA256:
3848Area Alby.exeC:\Users\admin\AppData\Local\Temp\gfc97EA.GOXexecutable
MD5:
SHA256:
3848Area Alby.exeC:\Users\admin\AppData\Local\Temp\gfc9867.midmid
MD5:
SHA256:
3848Area Alby.exeC:\Users\admin\AppData\Local\Temp\gfc7E52.midrmi
MD5:
SHA256:
2020WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2020.24574\Shoot the blacks\Area Alby.exeexecutable
MD5:
SHA256:
2020WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2020.24574\Shoot the blacks\Area Alby.gamgam
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Shoot-the-blacks.zip