File name: Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.7z

Full analysis: https://app.any.run/tasks/e1558d37-5d61-4c75-9fef-2ccfbccde8d6
Verdict: Malicious activity
Analysis date: April 23, 2025, 20:58:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
arch-exec
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 48E9C90AD1F4AA711676A780376979BD
SHA1: 5B497C19243B6C17BA485A69E340E788D2D959E2
SHA256: 662C89EF2BD06E047DBD80B13191B9AB65946B484B8910EE084A126B36F2E03F
SSDEEP: 1536:F8sHMZR7nmrn2cn8tUMiSP4t2gaxOQpBdK:FNHC7Yh8tUMfP4t2BOQpBdK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 372)
    • UAC/LUA settings modification

      • kasper_zaebal.exe (PID: 984)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe (PID: 1028)
    • Executable content was dropped or overwritten

      • Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe (PID: 1028)
    • Starts itself from another location

      • Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe (PID: 1028)
    • Executing commands from a ".bat" file

      • Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe (PID: 1028)
    • There is functionality for taking screenshot (YARA)

      • kasper_zaebal.exe (PID: 984)
  • INFO

    • Creates files in the program directory

      • Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe (PID: 1028)
      • cmd.exe (PID: 988)
    • Manual execution by a user

      • Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe (PID: 1028)
    • Checks supported languages

      • Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe (PID: 1028)
      • kasper_zaebal.exe (PID: 984)
    • Reads the computer name

      • Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe (PID: 1028)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2012:06:30 17:14:36+00:00
ArchivedFileName: Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start
  • winrar.exe
  • trojan-ransom.win32.xblocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe
  • cmd.exe (no specs)
  • kasper_zaebal.exe (no specs)

Process information

PID: 372
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 984
CMD: -wait
Path: C:\ProgramData\Media\kasper_zaebal.exe
Parent process: Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\programdata\media\kasper_zaebal.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 988
CMD: C:\Windows\system32\cmd.exe /c C:\ProgramData\Media\rdb.bat
Path: C:\Windows\System32\cmd.exe
Parent process: Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1028
CMD: "C:\Users\admin\Desktop\Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe"
Path: C:\Users\admin\Desktop\Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\trojan-ransom.win32.xblocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events: 2 679
Read events: 2 653
Write events: 26
Delete events: 0

Modification events

(PID) Process: (372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (372) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.7z

(PID) Process: (372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (372) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 2
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 1028
Process: Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe
Filename: C:\ProgramData\Media\rdb.bat
Type: text
MD5: C6F7299BE3ECBB88ACFDE79C4DC2B63C
SHA256: A22D2D0A98CEC8C7EFCCEA543DC7D770577B5A966735DEFFA2F1BCE9ECFBAD5D

PID: 372
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb372.19979\Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe
Type: executable
MD5: 38930E6419D77714A2D5DF44837DE15B
SHA256: 88AAFEBE0D9478C476B723E26A98D004DC812E9F3A77ECF2B147146C7D913E83

PID: 1028
Process: Trojan-Ransom.Win32.XBlocker.apv-88aafebe0d9478c476b723e26a98d004dc812e9f3a77ecf2b147146c7d913e83.exe
Filename: C:\ProgramData\Media\kasper_zaebal.exe
Type: executable
MD5: 38930E6419D77714A2D5DF44837DE15B
SHA256: 88AAFEBE0D9478C476B723E26A98D004DC812E9F3A77ECF2B147146C7D913E83

PID: 988
Process: cmd.exe
Filename: C:\ProgramData\Media\kasper_zaebal.exe:Zone.Identifier
Type: text
MD5: 38DE427224A5082A04FE82E2BD4EA9EC
SHA256: 12F99F53144294750FE8713D580EDA286F4BD95CD9C840DB8AB957DEF8040028
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 224.0.0.252:5355 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | whitelisted

DNS requests

Domain: google.com
IP: 142.250.74.206
Reputation: whitelisted

Threats

No threats detected
No debug info