File name: ProgramData.7z

Full analysis: https://app.any.run/tasks/a279da30-3e3a-41b0-b6c1-0bb085d95b38
Verdict: Malicious activity
Analysis date: November 16, 2023, 07:22:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 1E9A83BD60EB77B49244C19C714EBAEA
SHA1: 96610674CC3E0330AC35DC817C5151B2ECD5E967
SHA256: 74241E33BA01B5E81FB50C8405028A91E5F725E7B70B0C2C32E77904F9FEF316
SSDEEP: 12288:UywOjGwVUJ0ImgzU+JxJXU+/Ne42FjSftwaSRDer:UytGAUJfmgz/JxJXUk042FjmtwaSRDm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • cmd.exe (PID: 3988)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 3220)
    • Get information on the list of running processes
      • cmd.exe (PID: 3988)
    • Runs PING.EXE to delay simulation
      • cmd.exe (PID: 3988)
    • Using 'findstr.exe' to search for text patterns in files and output
      • cmd.exe (PID: 3988)
  • INFO
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3220)
    • Checks supported languages
      • Agghosts.exe (PID: 3732)
      • Agghosts.exe (PID: 4088)
    • Creates files in the program directory
      • cmd.exe (PID: 3988)
      • WinRAR.exe (PID: 3220)
    • Manual execution by a user
      • cmd.exe (PID: 3988)
      • explorer.exe (PID: 3572)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Graph nodes: start, winrar.exe, explorer.exe, cmd.exe, agghosts.exe, ping.exe, tasklist.exe, findstr.exe, agghosts.exe, ping.exe, findstr.exe, tasklist.exe

Process information

(Each entry lists PID, CMD, Path and Parent process, followed by the process details and the loaded modules; the Indicators column did not survive extraction.)
PID 3220 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ProgramData.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID 3572 | CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID 3684 | CMD: findstr /i "Agghosts.exe"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID 3716 | CMD: tasklist
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 3732 | CMD: C:\ProgramData\Agghosts.exe
Path: C:\ProgramData\Agghosts.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Description: ppcef render
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\programdata\agghosts.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\programdata\libcef.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID 3792 | CMD: ping 127.0.0.1 -n 1
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID 3972 | CMD: tasklist
Path: C:\Windows\System32\tasklist.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Lists the current running tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 3976 | CMD: findstr /i "Agghosts.exe"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID 3988 | CMD: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\cba.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 3992 | CMD: ping 127.0.0.1 -n 1
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
Total events: 1 540
Read events: 1 510
Write events: 30
Delete events: 0

Modification events

(PID) Process: (3220) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

(PID) Process: (3220) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3220) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3220) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3220) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

(PID) Process: (3220) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80

(PID) Process: (3220) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120

(PID) Process: (3220) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime | Value: 100

(PID) Process: (3220) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\ProgramData

(PID) Process: (3220) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write | Name: Placement | Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 5
Suspicious files: 5
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3220 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ProgramData\Agghosts.exe | executable
  MD5: 201BD1EC28614133F06D6B5EEAF391DB
  SHA256: 3586A2C0C8A78902DF81212FADDB166C0117E942E53CF5C392895013FC542335
3220 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ProgramData\cba.bat | text
  MD5: FC22F14D2EF42789A388972E5E0CE6AF
  SHA256: DC9EF4EBB8F84192D15D3C4DF26717AABC72AE2E5276BD034946F208DF897F00
3220 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ProgramData\l.dll | binary
  MD5: 8515D0F8C1DB6FACC42DA907FA924BC6
  SHA256: 3084ED8A4177BCE83400CDEA260654B5E7BDE85B7E49E98E1803E1E23D7A834E
3220 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ProgramData\_3 | binary
  MD5: EC212A83FCF8FB168433C5DA564CDE4C
  SHA256: 62EC2C1D311C57B642415A23CD9BEC080AF369CD33752B76D73A882DA710AD91
3220 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ProgramData\vcruntime140.dll | executable
  MD5: 1B171F9A428C44ACF85F89989007C328
  SHA256: 9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C
3220 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\ProgramData\ntuser.pol | binary
  MD5: 06009C3252889EA87A48E0B789721896
  SHA256: F24CC4F66C2CDF94AFA3E886D3356F4CA193CD1A4062B080B56044FA1E5470A0
3220 | WinRAR.exe | C:\ProgramData\_3 | binary
  MD5: EC212A83FCF8FB168433C5DA564CDE4C
  SHA256: 62EC2C1D311C57B642415A23CD9BEC080AF369CD33752B76D73A882DA710AD91
3220 | WinRAR.exe | C:\ProgramData\a.ini | text
  MD5: 82BEF32153657DC25DC439A3B500A614
  SHA256: D14214E95C9D1EA850E508DFE27928494F2155A7597E4EA0BAD9F70690ABB397
3220 | WinRAR.exe | C:\ProgramData\dx.vbs | text
  MD5: 3CC3551AC6E274DD34D36DDD0EE80A8F
  SHA256: F504ED272933AA3F54FEC780B17FEC18F5D948A554AC22B05AE20615298DCDA4
3220 | WinRAR.exe | C:\ProgramData\Agghosts.exe | executable
  MD5: 201BD1EC28614133F06D6B5EEAF391DB
  SHA256: 3586A2C0C8A78902DF81212FADDB166C0117E942E53CF5C392895013FC542335
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info