File name: Panel for all emulators Latest.zip

Full analysis: https://app.any.run/tasks/fd88e839-e713-4664-8347-c0d3f4e0d7da
Verdict: Malicious activity
Analysis date: May 21, 2022, 05:24:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 477B2BA80DF9F81FAE21F6A986F3CB2A
SHA1: 2EE58B4F77C58CB9395C6F3F8C30E11EC6AC1D32
SHA256: 85B1ECBD025F9ACB2C1DD74A3761522D476AF09527FCEB4CC890CA5E44D9DD1A
SSDEEP: 24576:bdcW3g4Kw6kAEGBrKbEI/bsRyYcK27K6a7KA1r1RQ7BKTS18/znWkVTqduJQ:b9Q48HEArKbEI/9Yk7K62Ku1RQ7gS182

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2492)
    • Application was dropped or rewritten from another process

      • Runtime Broker.exe (PID: 708)
      • Runtime Broker.exe (PID: 3280)
      • Runtime Broker.exe (PID: 2036)
      • Runtime Broker.exe (PID: 2656)
    • Loads dropped or rewritten executable

      • Runtime Broker.exe (PID: 3280)
      • Runtime Broker.exe (PID: 2036)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2492)
      • Runtime Broker.exe (PID: 3280)
      • cmd.exe (PID: 188)
      • cmd.exe (PID: 1260)
      • Runtime Broker.exe (PID: 2036)
      • cmd.exe (PID: 2772)
      • cmd.exe (PID: 3004)
    • Reads the computer name

      • WinRAR.exe (PID: 2492)
      • Runtime Broker.exe (PID: 3280)
      • Runtime Broker.exe (PID: 2036)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2492)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2492)
    • Starts CMD.EXE for commands execution

      • Runtime Broker.exe (PID: 3280)
      • cmd.exe (PID: 188)
      • Runtime Broker.exe (PID: 2036)
      • cmd.exe (PID: 2772)
    • Application launched itself

      • cmd.exe (PID: 188)
      • cmd.exe (PID: 2772)
  • INFO

    • Checks supported languages

      • NOTEPAD.EXE (PID: 336)
      • timeout.exe (PID: 2376)
      • timeout.exe (PID: 3060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipFileName: Panel for all emulators Latest/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2022:05:21 10:53:02
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
All screenshots are available in the full report
Total processes: 54
Monitored processes: 12
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process chain shown in the graph: winrar.exe drops and starts runtime broker.exe (twice, each instance relaunched once), which starts cmd.exe, which starts cmd.exe and timeout.exe; winrar.exe also starts notepad.exe.

Process information

PID 2492 | Parent process: Explorer.EXE
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Panel for all emulators Latest.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.91.0

PID 336 | Parent process: WinRAR.exe
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2492.33157\KEY.txt
Path: C:\Windows\system32\NOTEPAD.EXE
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Notepad | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 708 | Parent process: WinRAR.exe
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.33869\Panel for all emulators Latest\Runtime Broker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.33869\Panel for all emulators Latest\Runtime Broker.exe
User: admin | Integrity Level: MEDIUM | Description: No_Thing_Else_Cheats | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | Version: 1.0.0.0

PID 3280 | Parent process: WinRAR.exe
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.33869\Panel for all emulators Latest\Runtime Broker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.33869\Panel for all emulators Latest\Runtime Broker.exe
User: admin | Integrity Level: HIGH | Description: No_Thing_Else_Cheats | Exit code: 0 | Version: 1.0.0.0

PID 188 | Parent process: Runtime Broker.exe
CMD: "cmd.exe" /c start cmd /C "color b && title Error && echo Not initialized Check if KeyAuthApp.init() does exist && timeout /t 5"
Path: C:\Windows\system32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1260 | Parent process: cmd.exe
CMD: cmd /C "color b && title Error && echo Not initialized Check if KeyAuthApp.init() does exist && timeout /t 5"
Path: C:\Windows\system32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2376 | Parent process: cmd.exe
CMD: timeout /t 5
Path: C:\Windows\system32\timeout.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: timeout - pauses command processing | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2656 | Parent process: WinRAR.exe
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.35955\Panel for all emulators Latest\Runtime Broker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.35955\Panel for all emulators Latest\Runtime Broker.exe
User: admin | Integrity Level: MEDIUM | Description: No_Thing_Else_Cheats | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | Version: 1.0.0.0

PID 2036 | Parent process: WinRAR.exe
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.35955\Panel for all emulators Latest\Runtime Broker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.35955\Panel for all emulators Latest\Runtime Broker.exe
User: admin | Integrity Level: HIGH | Description: No_Thing_Else_Cheats | Exit code: 0 | Version: 1.0.0.0

PID 2772 | Parent process: Runtime Broker.exe
CMD: "cmd.exe" /c start cmd /C "color b && title Error && echo Not initialized Check if KeyAuthApp.init() does exist && timeout /t 5"
Path: C:\Windows\system32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Note: both MEDIUM-integrity instances of Runtime Broker.exe (PIDs 708 and 2656) exit with 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) and are each followed by a HIGH-integrity instance of the same binary (PIDs 3280 and 2036), which is consistent with the program requesting elevation and the prompt being accepted in the interactive session; all child cmd.exe and timeout.exe processes therefore also run at HIGH integrity.
Total events: 1 658
Read events: 1 639
Write events: 19
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(2492) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
(2492) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
(2492) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | en-US
(2492) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(2492) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(2492) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Panel for all emulators Latest.zip
(2492) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(2492) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(2492) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
(2492) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
Executable files: 10
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2492.33157\KEY.txt | text
    MD5: 6B907539A6EF037527EE603D89EF5A13 | SHA256: F756B29222A8E5710A17DAEC2C858BAA4306CCA0E853697004B8A482F310F9E5
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.33869\Panel for all emulators Latest\KEY.txt | text
    MD5: 6B907539A6EF037527EE603D89EF5A13 | SHA256: F756B29222A8E5710A17DAEC2C858BAA4306CCA0E853697004B8A482F310F9E5
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.33869\Panel for all emulators Latest\Memory.dll | executable
    MD5: 8C7A3DB56C91E79D73D229836EF3D2D8 | SHA256: 89F07A0440959C3B9D99C30539AA16F5FADEF4D60E75C81F7C18A7104F2D91CB
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.35955\Panel for all emulators Latest\KEY.txt | text
    MD5: 6B907539A6EF037527EE603D89EF5A13 | SHA256: F756B29222A8E5710A17DAEC2C858BAA4306CCA0E853697004B8A482F310F9E5
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.33869\Panel for all emulators Latest\Runtime Broker.exe | executable
    MD5: 703F838EF0AD94A536922AFC6C3C2237 | SHA256: 714F584839554E62A08896A26B39901507429C0B4090D8EE5C1B2D3D7020BC91
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.35955\Panel for all emulators Latest\discord-rpc.dll | executable
    MD5: 5882C37B79BAE47A0D090006564EDB22 | SHA256: 5CC2E504800CF4ED2F4781364F661EA22349658DDC391B5D54195E573109D87B
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.33869\Panel for all emulators Latest\discord-rpc.dll | executable
    MD5: 5882C37B79BAE47A0D090006564EDB22 | SHA256: 5CC2E504800CF4ED2F4781364F661EA22349658DDC391B5D54195E573109D87B
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.35955\Panel for all emulators Latest\MetroFramework.dll | executable
    MD5: 44538B311E9EC2BCF0A6452702628D99 | SHA256: BAF326F52D39155D722465947F4CC67E6E90CFD0F89954EAB959568E9BC342AA
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.35955\Panel for all emulators Latest\Runtime Broker.exe | executable
    MD5: 703F838EF0AD94A536922AFC6C3C2237 | SHA256: 714F584839554E62A08896A26B39901507429C0B4090D8EE5C1B2D3D7020BC91
2492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2492.35955\Panel for all emulators Latest\Memory.dll | executable
    MD5: 8C7A3DB56C91E79D73D229836EF3D2D8 | SHA256: 89F07A0440959C3B9D99C30539AA16F5FADEF4D60E75C81F7C18A7104F2D91CB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections: No data

DNS requests: No data

Threats: No threats detected

No debug info