analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DESKTOP-5KIJTKK_2022-08-12_17_45_28.zip

Full analysis: https://app.any.run/tasks/4b5c6db3-08d4-4c5b-ba67-72028e0666d5
Verdict: Malicious activity
Analysis date: August 12, 2022, 15:46:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract
MD5:

E3AAA9E59FBD37F56CCDB0122A405CD0

SHA1:

2D005A24F344290B7474F4EB8AE08B60F2BA7FBA

SHA256:

48A8DE40382B0B22115422A2C3A65F672EE1A6380FD8CC3F0131E0993FCAD167

SSDEEP:

96:N7z4baWKQ2G3oC8n4E/XX4qdSdmjmibKX/jHKkrktyDIWJsLGn:N7z4mQdUn4pFamiOOkJD3eLE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AddHostLauncherToRun.exe (PID: 2180)
      • AddHostLauncherToRun.exe (PID: 1268)
    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2520)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2520)
      • AddHostLauncherToRun.exe (PID: 1268)
    • Reads the computer name

      • WinRAR.exe (PID: 2520)
      • AddHostLauncherToRun.exe (PID: 1268)
    • Creates a directory in Program Files

      • WinRAR.exe (PID: 2520)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2520)
    • Creates files in the program directory

      • WinRAR.exe (PID: 2520)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2520)
  • INFO

    • Manual execution by user

      • AddHostLauncherToRun.exe (PID: 2180)
      • AddHostLauncherToRun.exe (PID: 1268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Device/HarddiskVolume3/Program Files/WindowsApps/AD2F1837.HPSystemEventUtility_1.3.2.0_x64__v10z8vjag6ke6/SystemEventUtility/AddHostLauncherToRun.exe
ZipUncompressedSize: 11264
ZipCompressedSize: 4344
ZipCRC: 0x696cb767
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0801
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe addhostlaunchertorun.exe no specs addhostlaunchertorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
2520"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DESKTOP-5KIJTKK_2022-08-12_17_45_28.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
2180"C:\Users\admin\Desktop\Device\HarddiskVolume3\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.3.2.0_x64__v10z8vjag6ke6\SystemEventUtility\AddHostLauncherToRun.exe" C:\Users\admin\Desktop\Device\HarddiskVolume3\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.3.2.0_x64__v10z8vjag6ke6\SystemEventUtility\AddHostLauncherToRun.exeExplorer.EXE
User:
admin
Company:
HP Inc.
Integrity Level:
MEDIUM
Description:
AddHostLauncherToRun
Exit code:
3221226540
Version:
1.2.7.0
1268"C:\Users\admin\Desktop\Device\HarddiskVolume3\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.3.2.0_x64__v10z8vjag6ke6\SystemEventUtility\AddHostLauncherToRun.exe" C:\Users\admin\Desktop\Device\HarddiskVolume3\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.3.2.0_x64__v10z8vjag6ke6\SystemEventUtility\AddHostLauncherToRun.exe
Explorer.EXE
User:
admin
Company:
HP Inc.
Integrity Level:
HIGH
Description:
AddHostLauncherToRun
Version:
1.2.7.0
Total events
996
Read events
985
Write events
11
Delete events
0

Modification events

(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2520) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\DESKTOP-5KIJTKK_2022-08-12_17_45_28.zip
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2520) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2520WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2520.32584\Device\HarddiskVolume3\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.3.2.0_x64__v10z8vjag6ke6\SystemEventUtility\AddHostLauncherToRun.exeexecutable
MD5:752EAA22C0131624DDA5FEBF499B7246
SHA256:E581C6FA6EBB6F010A965EFE6579DC3174C4D1DC16B2C73E641A8F45ED8A8AE6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2344
WerFault.exe
20.189.173.20:443
watson.microsoft.com
Microsoft Corporation
US
suspicious

DNS requests

Domain
IP
Reputation
watson.microsoft.com
  • 20.189.173.20
whitelisted

Threats

No threats detected
No debug info