File name: probablymalware.zip

Full analysis: https://app.any.run/tasks/ebfe2fa3-eaf9-4d71-ad08-15123ee333bd
Verdict: Malicious activity
Analysis date: October 25, 2023, 17:17:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: A7890CBD06163D3E7E65BEE9A4659BE2
SHA1: A2A51DF81132598655F2DF9A59E416798A7A28DB
SHA256: 47E9E34DBD5EF11BD6B1382F2EA62BA65DA1EE2690241C437D69564054A35571
SSDEEP: 98304:bvWlIkwgvQZrtqn+t5q0B2j5KnxVeONYw1YZTkPpd1tyNKMdItNx6fBze/FjMJb2:3tso

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • DownloadHelperTray.exe (PID: 2860)
    • Actions looks like stealing of personal data
      • DownloadHelperTray.exe (PID: 2860)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 3820)
    • Reads settings of System Certificates
      • DownloadHelperTray.exe (PID: 2860)
    • Reads the Internet Settings
      • DownloadHelperTray.exe (PID: 2860)
  • INFO
    • Checks supported languages
      • DownloadHelperTray.exe (PID: 2860)
    • Reads the computer name
      • DownloadHelperTray.exe (PID: 2860)
    • Reads Environment values
      • DownloadHelperTray.exe (PID: 2860)
    • Reads the machine GUID from the registry
      • DownloadHelperTray.exe (PID: 2860)
    • Manual execution by a user
      • DownloadHelperTray.exe (PID: 2860)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3820)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2022:12:07 18:34:18
ZipCRC: 0x202b9cf6
ZipCompressedSize: 895667
ZipUncompressedSize: 2609152
ZipFileName: BouncyCastle.Crypto.dll
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph, in start order: winrar.exe (no specs), searchprotocolhost.exe (no specs), downloadhelpertray.exe, wisptis.exe (no specs), wisptis.exe

Process information

PID: 1840
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\System32\wisptis.exe
Parent process: DownloadHelperTray.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Pen and Touch Input Component
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
PID: 2132
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2860
CMD: "C:\Users\admin\Desktop\DownloadHelperTray.exe"
Path: C:\Users\admin\Desktop\DownloadHelperTray.exe
Parent process: explorer.exe
User: admin
Company: DownloadHelperTray
Integrity Level: MEDIUM
Description: DownloadHelperTray
Exit code: 0
Version: 1.0.3.0
Modules (images):
c:\users\admin\desktop\downloadhelpertray.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3568
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\System32\wisptis.exe
Parent process: DownloadHelperTray.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Pen and Touch Input Component
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 3820
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\probablymalware.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
Total events: 5 298
Read events: 5 255
Write events: 43
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(3820) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E | write | LanguageList | en-US
(3820) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(3820) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3820) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\phacker.zip
(3820) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(3820) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(3820) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(3820) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(2132) SearchProtocolHost.exe | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\178\52C64B7E | write | LanguageList | en-US
(3820) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 7
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3820.26362\BouncyCastle.Crypto.dll | executable
  MD5: F0B3E112CE4807A28E2B5D66A840ED7F
  SHA256: 333903C7D22A27098E45FC64B77A264AA220605CFBD3E329C200D7E4B42C881C
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3820.26362\Newtonsoft.Json.dll | executable
  MD5: 081D9558BBB7ADCE142DA153B2D5577A
  SHA256: B624949DF8B0E3A6153FDFB730A7C6F4990B6592EE0D922E1788433D276610F3
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3820.26362\x64\SQLite.Interop.dll | executable
  MD5: 56A504A34D2CFBFC7EAA2B68E34AF8AD
  SHA256: 9309FB2A3F326D0F2CC3F2AB837CFD02E4F8CB6B923B3B2BE265591FD38F4961
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3820.26362\System.Security.Cryptography.ProtectedData.dll | executable
  MD5: 503A90BDEDA2E75F57A424A712669BA6
  SHA256: 4360154B86D0E3A6B3C82BBA3684A2A01F1B5D7864A97F7AC1A9FFCD63408C65
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3820.26362\DownloadHelperTray.exe | executable
  MD5: BCBD3121C98C1A2708A7E0F0F1A52446
  SHA256: 11B04456EABE1CBF65017632E88B57B01E280E79BA50B38114571456711850DF
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3820.26362\Config.txt | text
  MD5: E13C37C043A9B03772917CBFE9B5FFB4
  SHA256: F179730073BC288AA220677DCF243FFF7AAEAF5EA3B580E0137A2A3C51192324
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3820.26362\c.db | binary
  MD5: 67993A4DAFE5E21B16DB8705DDAB3BB6
  SHA256: 694304BF3A3C28A7492D8EA50B0B82A8E377528CE6F66CC2B7EB7EA43EC96843
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3820.26362\System.Data.SQLite.dll | executable
  MD5: 55C797383DBBBFE93C0FE3215B99B8EC
  SHA256: 5FAC5A9E9B8BBDAD6CF661DBF3187E395914CD7139E34B725906EFBB60122C0D
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3820.26362\x86\SQLite.Interop.dll | executable
  MD5: 8BE215ABF1F36AA3D23555A671E7E3BE
  SHA256: 83F332EA9535814F18BE4EE768682ECC7720794AEDC30659EB165E46257A7CAE
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2656 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2860 | DownloadHelperTray.exe | 18.196.39.211:443 | saedion.com | AMAZON-02 | DE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
saedion.com | 18.196.39.211, 35.156.11.55 | unknown

Threats

No threats detected
No debug info