File name:

PCToaster.bin.zip

Full analysis: https://app.any.run/tasks/335d842a-ad3a-42dd-92ca-810086fafeac
Verdict: Malicious activity
Analysis date: July 12, 2020, 14:25:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

777B743BF77996D93708078516BCBFB0

SHA1:

D4B84EF7349E01DD89DFF3B3C1EC611ADF159C66

SHA256:

598ADEE81BAA3D9A1E22F56037A64758E0BEF6C1D1AF7FEFDCA031DF8EA11C37

SSDEEP:

1536:0C5bWsBUBfMHMPJVlo8LSy0IwzIoAblEZB6rxw:0AUV0uO7BA5EZEW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PCToaster.exe (PID: 4020)
      • PCToaster.exe (PID: 3412)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2060)

    • Executes JAVA applets

      • PCToaster.exe (PID: 3412)

    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 1184)

    • Uses TASKKILL.EXE to kill process

      • javaw.exe (PID: 1184)

    • Executed via COM

      • vdsldr.exe (PID: 2348)

    • Executed as Windows Service

      • vds.exe (PID: 888)

    • Low-level read access rights to disk partition

      • vds.exe (PID: 888)

  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2328)
      • PCToaster.exe (PID: 3412)
      • PCToaster.exe (PID: 4020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2020:05:15 12:24:12
ZipCRC: 0xbb833465
ZipCompressedSize: 62375
ZipUncompressedSize: 421699
ZipFileName: PCToaster.bin
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
115
Monitored processes
38
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe explorer.exe no specs pctoaster.exe no specs pctoaster.exe javaw.exe no specs attrib.exe no specs diskpart.exe no specs vdsldr.exe no specs vds.exe no specs takeown.exe no specs takeown.exe no specs taskkill.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs mountvol.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
328takeown /f V:\Recovery /rC:\Windows\system32\takeown.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\takeown.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
532mountvol C: /dC:\Windows\system32\mountvol.exejavaw.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\system32\mountvol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
660mountvol S: /dC:\Windows\system32\mountvol.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Mount Volume Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mountvol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
888C:\Windows\System32\vds.exeC:\Windows\System32\vds.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vds.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
916mountvol R: /dC:\Windows\system32\mountvol.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Mount Volume Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mountvol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1064mountvol V: /dC:\Windows\system32\mountvol.exejavaw.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\system32\mountvol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1184"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\PCToaster.exe"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exePCToaster.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
HIGH
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1420mountvol F: /dC:\Windows\system32\mountvol.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Mount Volume Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mountvol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1672mountvol U: /dC:\Windows\system32\mountvol.exejavaw.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\windows\system32\mountvol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1976mountvol I: /dC:\Windows\system32\mountvol.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Mount Volume Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\mountvol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
Total events
386
Read events
364
Write events
22
Delete events
0

Modification events

(PID) Process:(2060) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2060) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2060) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2060) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E
Operation:writeName:@C:\Windows\system32\NetworkExplorer.dll,-1
Value:
Network
(PID) Process:(2060) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\PCToaster.bin.zip
(PID) Process:(2060) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2060) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2060) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2060) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2060) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1184javaw.exeC:\Users\admin\Desktop\scr.txttext
MD5:AD1869D6F0B2B809394605D3E73EEB74
SHA256:7E9CDE40095F2A877375CB30FECD4F64CF328E3AB11BAED5242F73CBB94BD394
2060WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2060.40203\PCToaster.binexecutable
MD5:04251A49A240DBF60975AC262FC6AEB7
SHA256:85A58AA96DCCD94316A34608BA996656A22C8158D5156B6E454D9D69E6FF38C3
1184javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PCToaster.bin.zip