File name: WinPCS - newLIM Installer 2022.zip

Full analysis: https://app.any.run/tasks/876eb7e6-6284-4da8-872c-d55823438eb2
Verdict: Malicious activity
Analysis date: June 12, 2024, 14:07:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 18C2F8DBB811068FBBEE56D7AE99BEFA
SHA1: 0956375BEBB48BCE16CA9CDA0EB6E2465956E397
SHA256: 7665D939756926BDAB2E91BCCC05FBB8C4BE280F7025D933DFDF8A318B303B37
SSDEEP: 98304:lZ04wMi+RjLmJaoQsWlXdfpaF9/nRCmHXQOzS9iuIgSBuOAX03fFRh651Zo3nzVD:w0hE39hD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
• MALICIOUS
  • Drops the executable file immediately after the start
    • WinPCS_newLIM_Installer.exe (PID: 2108)
    • WinRAR.exe (PID: 3976)
• SUSPICIOUS
  • Reads security settings of Internet Explorer
    • WinRAR.exe (PID: 3976)
  • Executable content was dropped or overwritten
    • WinPCS_newLIM_Installer.exe (PID: 2108)
  • Connects to unusual port
    • WinPCS_newLIM_Installer.exe (PID: 2108)
• INFO
  • Executable content was dropped or overwritten
    • WinRAR.exe (PID: 3976)
  • Checks supported languages
    • WinPCS_newLIM_Installer.exe (PID: 2108)
    • wmpnscfg.exe (PID: 2036)
  • Creates files in a temporary directory
    • WinPCS_newLIM_Installer.exe (PID: 2108)
  • Reads the computer name
    • wmpnscfg.exe (PID: 2036)
  • Manual execution by a user
    • wmpnscfg.exe (PID: 2036)
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:03:06 15:07:32
ZipCRC: 0x20111902
ZipCompressedSize: 10005
ZipUncompressedSize: 19462
ZipFileName: WinPCS - newLIM Installer 2022/COMPLANC39S.TTF
Total processes: 38
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes as labelled in the graph: start, winrar.exe, winpcs_newlim_installer.exe (no specs), winpcs_newlim_installer.exe, wmpnscfg.exe (no specs)

Process information

PID: 2036
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

PID: 2108
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.7671\WinPCS - newLIM Installer 2022\WinPCS_newLIM_Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.7671\WinPCS - newLIM Installer 2022\WinPCS_newLIM_Installer.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: HIGH
Modules (Images):
  c:\users\admin\appdata\local\temp\rar$exa3976.7671\winpcs - newlim installer 2022\winpcs_newlim_installer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ws2_32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\nsi.dll
  c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
  c:\windows\system32\user32.dll

PID: 3976
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\WinPCS - newLIM Installer 2022.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (Images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 4016
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.7671\WinPCS - newLIM Installer 2022\WinPCS_newLIM_Installer.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.7671\WinPCS - newLIM Installer 2022\WinPCS_newLIM_Installer.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
  c:\users\admin\appdata\local\temp\rar$exa3976.7671\winpcs - newlim installer 2022\winpcs_newlim_installer.exe
  c:\windows\system32\ntdll.dll
Total events: 4 838
Read events: 4 818
Write events: 20
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
3976 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
3976 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
3976 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
3976 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
3976 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3976 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
3976 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\WinPCS - newLIM Installer 2022.zip
3976 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
3976 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
3976 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
Executable files: 6
Suspicious files: 2
Text files: 3
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.7671\WinPCS - newLIM Installer 2022\WinPCS_newLIM_Installer.exe | executable
  MD5: 8947F3DEF625529D7DE498B4BC736104 | SHA256: 1DC7893488F18FB485E6BD05E2D2F336A3F3404E1F585CC2F0A3A2F847E62F40
2108 | WinPCS_newLIM_Installer.exe | C:\WinPCS\newLIM\system32\CLIENT.INI | binary
  MD5: 1A497242BF4B791F70456421BE922BB3 | SHA256: 4956CB0468E34147F315231C8518FBC2D7A04EA82E2421E39143C389E59C3710
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.7671\WinPCS - newLIM Installer 2022\debug.txt | text
  MD5: 0214F08366385350E5850FAE64354C21 | SHA256: FE1A7C66B76647B1974B55616CD69947A85CAFD47AD40D32D96773EBFD128E31
2108 | WinPCS_newLIM_Installer.exe | C:\WinPCS\newLIM\system32\ANCHORC.DLL | executable
  MD5: C4A08F0BA7690E69C7D714C06E5A1419 | SHA256: A696DB3AD151EA430D198A9E1FAC31532C5B43E09B58A1149E42A267D286D926
2108 | WinPCS_newLIM_Installer.exe | C:\WinPCS\newLIM\system32\WINPCS.INI | dii
  MD5: ADCDCA1B09BEC7F2B1F6E7F1BA4B8DEE | SHA256: 18A9D50F9B4A9A2201453BE4567BA5196083BEA8C2BD6624E82C524D2D119BCF
2108 | WinPCS_newLIM_Installer.exe | C:\WinPCS\newLIM\COMPLANC39S.TTF | pi2
  MD5: E7F7AA1AAB7387378D53630D13992D13 | SHA256: 8C681C55DA0246873E06E21BD0C010420BEE8E3D62BBEDBCC71C7F0DA9E3BF05
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3976.7671\WinPCS - newLIM Installer 2022\COMPLANC39S.TTF | pi2
  MD5: E7F7AA1AAB7387378D53630D13992D13 | SHA256: 8C681C55DA0246873E06E21BD0C010420BEE8E3D62BBEDBCC71C7F0DA9E3BF05
2108 | WinPCS_newLIM_Installer.exe | C:\WinPCS\newLIM\setup\ZLIB1.DLL | executable
  MD5: 0B26256FBB02D79CA078EF1475076C76 | SHA256: 3B2B4A3633322A8679A52BEE771A4B5D7EAACA7879527310C433FA2754B8C0CF
2108 | WinPCS_newLIM_Installer.exe | C:\WinPCS\newLIM\setup\CWULIB.DLL | executable
  MD5: AFA5FA6AD9C3B1D1AC321672ED8E4312 | SHA256: 0BA6A387CC48158E3AA1ED35EE9DB54350DF228B2822A65D72C078111A1F3EDD
2108 | WinPCS_newLIM_Installer.exe | C:\WinPCS\newLIM\setup\NEXUS31.DLL | executable
  MD5: 0FA165B966AED358098D5BBB78B7DA45 | SHA256: 95BE87EAF84FE57742868709B2D37528688CB147DBB16C46BD506A4B9DB16DE6
HTTP(S) requests: 0
TCP/UDP connections: 46
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2108 | WinPCS_newLIM_Installer.exe | 192.168.1.180:16380 | - | - | - | unknown
2108 | WinPCS_newLIM_Installer.exe | 20.119.244.213:5166 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests: No data

Threats: No threats detected

Debug info: none