File name: HxDPortableSetup.zip

Full analysis: https://app.any.run/tasks/2e4d79f7-191f-4d04-8cca-a46379cb451d
Verdict: Malicious activity
Analysis date: February 26, 2024, 16:22:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 6409DD18A6B77140260943A37CCB7C67
SHA1: E0FD241E42ABC772CE42B5429E1DA592C618E0F9
SHA256: 55BD984F097C4C1F6091CE30625B89970F74827EA9275AC9BA5D9DD42C0C38F2
SSDEEP: 98304:taOMOgYQSaSKJIPvWs5m1JL/UYp5dl9EXn:8OMWQOKe9ucYrdliX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3668)
      • HxDPortableSetup.exe (PID: 3348)
      • HxDPortableSetup.tmp (PID: 3692)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • HxDPortableSetup.tmp (PID: 3692)
    • Executable content was dropped or overwritten

      • HxDPortableSetup.exe (PID: 3348)
      • HxDPortableSetup.tmp (PID: 3692)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3668)
    • Application launched itself

      • HxD32.exe (PID: 3216)
    • Start notepad (likely ransomware note)

      • HxDPortableSetup.tmp (PID: 3692)
  • INFO

    • Reads the computer name

      • HxDPortableSetup.tmp (PID: 3692)
      • HxD32.exe (PID: 3216)
      • HxD32.exe (PID: 2120)
    • Checks supported languages

      • HxDPortableSetup.exe (PID: 3348)
      • HxDPortableSetup.tmp (PID: 3692)
      • HxD32.exe (PID: 3216)
      • HxD32.exe (PID: 3660)
      • HxD32.exe (PID: 2120)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3668)
    • Create files in a temporary directory

      • HxDPortableSetup.exe (PID: 3348)
    • Reads the machine GUID from the registry

      • HxDPortableSetup.tmp (PID: 3692)
    • Manual execution by a user

      • HxD32.exe (PID: 2120)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2021:02:10 22:29:54
ZipCRC: 0x8acc95ed
ZipCompressedSize: 3347928
ZipUncompressedSize: 3444995
ZipFileName: HxDPortableSetup.exe
No data.
Total processes: 44
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winrar.exe, hxdportablesetup.exe, hxdportablesetup.tmp, hxd32.exe (no specs), hxd32.exe (no specs), notepad.exe (no specs), hxd32.exe (no specs)

Process information

PID: 2120
CMD: "C:\Users\admin\Desktop\HxD\HxD32.exe"
Path: C:\Users\admin\Desktop\HxD\HxD32.exe
Parent process: explorer.exe
User: admin
Company: Maël Hörz
Integrity Level: MEDIUM
Description: HxD Hex Editor
Exit code: 0
Version: 2.5.0.0
Loaded modules (images):
c:\users\admin\desktop\hxd\hxd32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3216
CMD: "C:\Users\admin\Desktop\HxD\HxD32.exe" /chooselang:enu /createdefaultconfig:normal
Path: C:\Users\admin\Desktop\HxD\HxD32.exe
Parent process: HxDPortableSetup.tmp
User: admin
Company: Maël Hörz
Integrity Level: MEDIUM
Description: HxD Hex Editor
Exit code: 0
Version: 2.5.0.0
Loaded modules (images):
c:\users\admin\desktop\hxd\hxd32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3348
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3668.2527\HxDPortableSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3668.2527\HxDPortableSetup.exe
Parent process: WinRAR.exe
User: admin
Company: Maël Hörz
Integrity Level: MEDIUM
Description: HxD Hex Editor Portable Setup
Exit code: 0
Version: 2.5
Loaded modules (images):
c:\users\admin\appdata\local\temp\rar$exa3668.2527\hxdportablesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3660
CMD: C:\Users\admin\Desktop\HxD\HxD32.exe /chooselang
Path: C:\Users\admin\Desktop\HxD\HxD32.exe
Parent process: HxD32.exe
User: admin
Company: Maël Hörz
Integrity Level: MEDIUM
Description: HxD Hex Editor
Exit code: 0
Version: 2.5.0.0
Loaded modules (images):
c:\users\admin\desktop\hxd\hxd32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3668
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HxDPortableSetup.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Loaded modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3692
CMD: "C:\Users\admin\AppData\Local\Temp\is-AF95Q.tmp\HxDPortableSetup.tmp" /SL5="$130140,2973524,121344,C:\Users\admin\AppData\Local\Temp\Rar$EXa3668.2527\HxDPortableSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-AF95Q.tmp\HxDPortableSetup.tmp
Parent process: HxDPortableSetup.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Loaded modules (images):
c:\users\admin\appdata\local\temp\is-af95q.tmp\hxdportablesetup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3932
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\HxD\readme.txt
Path: C:\Windows\System32\notepad.exe
Parent process: HxDPortableSetup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 5 175
Read events: 5 145
Write events: 24
Delete events: 6

Modification events

(PID) Process: (3668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID) Process: (3668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID) Process: (3668) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID) Process: (3668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process: (3668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (3668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process: (3668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\HxDPortableSetup.zip
(PID) Process: (3668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (3668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (3668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 6
Suspicious files: 0
Text files: 8
Unknown types: 0

Dropped files

PID 3348 | HxDPortableSetup.exe | C:\Users\admin\AppData\Local\Temp\is-AF95Q.tmp\HxDPortableSetup.tmp | executable
MD5: 34ACC2BDB45A9C436181426828C4CB49
SHA256: 9C81817ACD4982632D8C7F1DF3898FCA1477577738184265D735F49FC5480F07
PID 3692 | HxDPortableSetup.tmp | C:\Users\admin\Desktop\HxD\HxD32.exe | executable
MD5: 804F06B24FBA7BA4E1122FAF2B119A2B
SHA256: 1FC927CB6747C105D1A66E4792F166B857A9E42BC1B58A08A6698C2D05E62087
PID 3692 | HxDPortableSetup.tmp | C:\Users\admin\Desktop\HxD\HxD64.exe | executable
MD5: 14FCA45F383B3DE689D38F45C283F71F
SHA256: 9D460040A454DEEB3FE69300FE6B9017350E1EFCB1F52F7F14A4702D96CB45CA
PID 3668 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3668.2527\HxDPortableSetup.exe | executable
MD5: 565554EA03B1EF7812E66F13262DE601
SHA256: 7EED3FBB271A7DB6D061106A0E20A5A193388F800812266CDBB7526E469820A8
PID 3692 | HxDPortableSetup.tmp | C:\Users\admin\Desktop\HxD\is-4R3DG.tmp | executable
MD5: 804F06B24FBA7BA4E1122FAF2B119A2B
SHA256: 1FC927CB6747C105D1A66E4792F166B857A9E42BC1B58A08A6698C2D05E62087
PID 3692 | HxDPortableSetup.tmp | C:\Users\admin\Desktop\HxD\is-ELRMS.tmp | executable
MD5: 14FCA45F383B3DE689D38F45C283F71F
SHA256: 9D460040A454DEEB3FE69300FE6B9017350E1EFCB1F52F7F14A4702D96CB45CA
PID 3692 | HxDPortableSetup.tmp | C:\Users\admin\Desktop\HxD\changelog.txt | text
MD5: E5884E3283664012C3F2DAADE3B4FC8B
SHA256: 176FE3F6276CE5E2DED4A23F63F7216114B44D9844E01F33ED1F5A862C653010
PID 3692 | HxDPortableSetup.tmp | C:\Users\admin\Desktop\HxD\license.txt | text
MD5: 4E93FBC8DB2A3BF7CC8336DE7B75169F
SHA256: DD616207E21510E9F8F3F2A220DA037DC2C8BED8D90927A2C00C01A6AFF104CF
PID 3216 | HxD32.exe | C:\Users\admin\Desktop\HxD\Settings\HxD Hex Editor.ini | text
MD5: 15EDB87984CEF113E5BA210D95F627E9
SHA256: D4C743595A9924F2FA8C01C9CAE66B6B5C4AC5B5E28513966E03A292073A18A0
PID 3660 | HxD32.exe | C:\Users\admin\Desktop\HxD\Settings\HxD Hex Editor.lang | text
MD5: 392B810F865591AA5EC210E849AE769F
SHA256: 78B33626B46709EBE04EDD99EA813ED291183BEBB025EA5E4783CA2260811943
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 4 | System | 192.168.100.255:138 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID 4 | System | 192.168.100.255:137 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID 1080 | svchost.exe | 224.0.0.252:5355 | Domain: - | ASN: - | CN: - | Reputation: unknown

DNS requests

No data

Threats

No threats detected
No debug info