analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

new_cheat_aw.zip

Full analysis: https://app.any.run/tasks/23dea735-92f0-4d0c-b380-36582d93f05f
Verdict: Malicious activity
Analysis date: August 08, 2020, 10:56:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

CAF6E99409AC49EE7F08136921AF20D7

SHA1:

EA3E83FF3D5DC9D952051656EAB41A96B9B2B7E5

SHA256:

89D06EFFB3EA2AF6141A35FBE6EF995D919CD32B70EC93662F7FE6AA000ABB55

SSDEEP:

3072:MYDyqsNxCH7amfzVU4Ou5iKPdiBD3OHDhdpjR+Z8mCjE3Yh0CZtS5gpkRjDGiTo:MYGqs075r0xJ3iP3+ZNhtGS5gOdGgo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3700)
      • explorer.exe (PID: 1704)
      • svchost.exe (PID: 876)
  • SUSPICIOUS

    • Executed via COM

      • DllHost.exe (PID: 3724)
    • Creates files in the user directory

      • explorer.exe (PID: 1704)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:09:13 14:13:23
ZipCRC: 0xa2553ee2
ZipCompressedSize: 172354
ZipUncompressedSize: 453376
ZipFileName: new_cheat_aw.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs svchost.exe explorer.exe no specs searchprotocolhost.exe no specs PhotoViewer.dll no specs

Process information

PID
CMD
Path
Indicators
Parent process
2252"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\new_cheat_aw.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
876C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1704C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3700"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3724C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 461
Read events
1 409
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
0
Unknown types
4

Dropped files

PID
Process
Filename
Type
2252WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2252.3184\new_cheat_aw.exe
MD5:
SHA256:
1704explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:1929F633FC251A1A47089C1A6172ACA6
SHA256:7E8B3D1AC80A3B7ED8AD91061DCF870DD238FF5897D5FF115CEB3E38C7F6085E
1704explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\drspain.jpg (2).lnklnk
MD5:162A958BC4500836BD53655B19BB15E8
SHA256:F4455C1C4631387D164426B1AABD6691232FBD19D91FBECAEED741373562FC9C
1704explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\minactivities.jpg.lnklnk
MD5:580356E6C4D2BB8E11EF9E4C288FE0B0
SHA256:8E67382047166D480C8CF9AD4C111BA0CF6BD081BF9A23C73FC7D7B614B4B5AD
876svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:80E2D81AB1E2627402AE0E47844D88E3
SHA256:12991737C711E790770A5EEA7F2CA8B71F8DDB4461524C01377EF253BD93EFCC
1704explorer.exeC:\Users\admin\Desktop\new_cheat_aw.exeexecutable
MD5:B26592DC7C58887DA7D00360AEF67380
SHA256:3426F85C98FC4AE183418E9EA4ACE10FF570C1E60FABB89C4925763C162D230E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info