File name: 1 NOTIFICACION DEMANDA.REV

Full analysis: https://app.any.run/tasks/f5af65a9-5678-4289-a389-583a5c97936b
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: January 18, 2024, 18:00:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: hijackloader, loader
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 294C11B20AB53ED4B6E02BF2584D4FE4
SHA1: 5DEA82FF0B8DF8B923E8C03F2ACA1D0A3877C367
SHA256: 717D495A0FA09889ABEB7EB44F5395EE7CFC22A79EC6020D3452110C293F53C4
SSDEEP: 98304:8tPbKhQ/DD0BWhA6cCOKvt3YLyNdSIe3QzlLDHHE6fV2ZTpwwk3r28bRlVbWZyoP:+st

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • HIJACKLOADER has been detected (YARA)

      • 1 NOTIFICACION DEMANDA ..exe (PID: 2584)
      • 1 NOTIFICACION DEMANDA ..exe (PID: 1904)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 124)
    • Reads the computer name

      • 1 NOTIFICACION DEMANDA ..exe (PID: 2448)
      • vlc.exe (PID: 2636)
      • 1 NOTIFICACION DEMANDA ..exe (PID: 2584)
      • 1 NOTIFICACION DEMANDA ..exe (PID: 1904)
    • Checks supported languages

      • 1 NOTIFICACION DEMANDA ..exe (PID: 2448)
      • 1 NOTIFICACION DEMANDA ..exe (PID: 2584)
      • vlc.exe (PID: 2636)
      • 1 NOTIFICACION DEMANDA ..exe (PID: 1904)
    • Manual execution by a user

      • vlc.exe (PID: 2636)
      • 1 NOTIFICACION DEMANDA ..exe (PID: 2448)
      • 1 NOTIFICACION DEMANDA ..exe (PID: 2584)
      • 1 NOTIFICACION DEMANDA ..exe (PID: 1904)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 124)
    • Creates files in the program directory

      • 1 NOTIFICACION DEMANDA ..exe (PID: 2448)
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
Total processes: 43
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes (the interactive graph is only in the full report): start, winrar.exe, 1 notificacion demanda ..exe, vlc.exe, 1 notificacion demanda ..exe (#HIJACKLOADER, no specs), 1 notificacion demanda ..exe (#HIJACKLOADER, no specs)

Process information

PID: 124
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1 NOTIFICACION DEMANDA.REV.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (loaded images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1904
CMD: "C:\Users\admin\Desktop\1 NOTIFICACION DEMANDA\1 NOTIFICACION DEMANDA ..exe"
Path: C:\Users\admin\Desktop\1 NOTIFICACION DEMANDA\1 NOTIFICACION DEMANDA ..exe
Parent process: explorer.exe
User: admin
Company: IObit
Integrity Level: MEDIUM
Description: IObit RttHlp
Exit code: 0
Version: 11.0.0.0
Modules (loaded images):
c:\users\admin\desktop\1 notificacion demanda\1 notificacion demanda ..exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\1 notificacion demanda\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2448
CMD: "C:\Users\admin\Desktop\1 NOTIFICACION DEMANDA\1 NOTIFICACION DEMANDA ..exe"
Path: C:\Users\admin\Desktop\1 NOTIFICACION DEMANDA\1 NOTIFICACION DEMANDA ..exe
Parent process: explorer.exe
User: admin
Company: IObit
Integrity Level: MEDIUM
Description: IObit RttHlp
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 11.0.0.0
Modules (loaded images):
c:\users\admin\desktop\1 notificacion demanda\1 notificacion demanda ..exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\1 notificacion demanda\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2584
CMD: "C:\Users\admin\Desktop\1 NOTIFICACION DEMANDA\1 NOTIFICACION DEMANDA ..exe"
Path: C:\Users\admin\Desktop\1 NOTIFICACION DEMANDA\1 NOTIFICACION DEMANDA ..exe
Parent process: explorer.exe
User: admin
Company: IObit
Integrity Level: MEDIUM
Description: IObit RttHlp
Exit code: 0
Version: 11.0.0.0
Modules (loaded images):
c:\users\admin\desktop\1 notificacion demanda\1 notificacion demanda ..exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\1 notificacion demanda\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2636
CMD: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\Desktop\1 NOTIFICACION DEMANDA\breakage.ogg"
Path: C:\Program Files\VideoLAN\VLC\vlc.exe
Parent process: explorer.exe
User: admin
Company: VideoLAN
Integrity Level: MEDIUM
Description: VLC media player
Exit code: 3221225547 (0xC000004B, STATUS_THREAD_IS_TERMINATING)
Version: 3.0.11
Modules (loaded images):
c:\program files\videolan\vlc\vlc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\videolan\vlc\libvlc.dll
c:\program files\videolan\vlc\libvlccore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 2,204
Read events: 2,183
Write events: 21
Delete events: 0

Modification events

PID 124 WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID 124 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
PID 124 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\phacker.zip
PID 124 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
PID 124 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
PID 124 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 124 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 124 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 124 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 124 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0
Executable files: 5
Suspicious files: 4
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2636 | vlc.exe | (no filename recorded) | (no type recorded)
  MD5: (none)
  SHA256: (none)
124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.45449\1 NOTIFICACION DEMANDA\1 NOTIFICACION DEMANDA ..exe | executable
  MD5: A2D70FBAB5181A509369D96B682FC641
  SHA256: 8AED681AD8D660257C10D2F0E85AE673184055A341901643F27AFC38E5EF8473
2636 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock | text
  MD5: DC05B58C6FDAC6477793464489A7B3AA
  SHA256: 22638A34123D9D524655D46E83F834DAABE7EA0D5FEF5C6CCDB9E9CF7BB9A8B7
124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.45449\1 NOTIFICACION DEMANDA\vcl120.bpl | binary
  MD5: C594D746FF6C99D140B5E8DA97F12FD4
  SHA256: 572EDB7D630E9B03F93BD15135D2CA360176C1232051293663EC5B75C2428AEC
2636 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini | text
  MD5: 494A5065A3EFE199DBDBB4DBEDCDA53A
  SHA256: BF7FB51210F3F290CFB8E486042A11C767F778213A8CAE7F9FEA5057920FC276
2636 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Hp2636 | text
  MD5: 494A5065A3EFE199DBDBB4DBEDCDA53A
  SHA256: BF7FB51210F3F290CFB8E486042A11C767F778213A8CAE7F9FEA5057920FC276
2636 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\ml.xspf.tmp2636 | xml
  MD5: 781602441469750C3219C8C38B515ED4
  SHA256: 81970DBE581373D14FBD451AC4B3F96E5F69B79645F1EE1CA715CFF3AF0BF20D
124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.45449\1 NOTIFICACION DEMANDA\breakage.ogg | binary
  MD5: 25CEB30A246B5E35393C3014A8458610
  SHA256: 23DF8661729E5CD150BC5821F3A3D57D918332C4E34CCA70EEC6495FCB5582D1
124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.45449\1 NOTIFICACION DEMANDA\Register.dll | executable
  MD5: DD001E7A2F751F6C9E8C40E23307D102
  SHA256: E2B66236119BFEA1571F423A721B1C4495B2363A0AF83B8EC2EA728B4FDD7D7A
2448 | 1 NOTIFICACION DEMANDA ..exe | C:\ProgramData\IObit\IObitRtt\DBRtt.ept | binary
  MD5: 0D99B7BFB41127C45BD72117CD1D6E62
  SHA256: 483BC8BB54BA240AE356B16A67A1892EBC4BC764DB6422C7E862FF90607E1E77
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

All three connections are Windows name-resolution background traffic (NetBIOS on UDP 137/138 to the local broadcast address and LLMNR multicast to 224.0.0.252:5355) from System and svchost.exe, not network activity of the analysed sample.

DNS requests

No data

Threats

No threats detected
Process | Message

vlc.exe | main libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=i686-w64-mingw32' '--with-breakpad=https://win.crashes.videolan.org' 'host_alias=i686-w64-mingw32' 'PKG_CONFIG_LIBDIR=/home/jenkins/workspace/vlc-release/windows/vlc-release-win32-x86/contrib/i686-w64-mingw32/lib/pkgconfig'
vlc.exe | main libvlc debug: using multimedia timers as clock source
vlc.exe | main libvlc debug: Copyright © 1996-2020 the VideoLAN team
vlc.exe | main libvlc debug: VLC media player - 3.0.11 Vetinari
vlc.exe | main libvlc debug: searching plug-in modules
vlc.exe | main libvlc debug: min period: 1 ms, max period: 1000000 ms
vlc.exe | main libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat
vlc.exe | main libvlc debug: revision 3.0.11-0-gdc0c5ced72
vlc.exe | main libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins'
vlc.exe | main libvlc debug: opening config file (C:\Users\admin\AppData\Roaming\vlc\vlcrc)