File name:

stas_min.zip

Full analysis: https://app.any.run/tasks/3a44d9b3-e613-4741-801b-2ab8935d8854
Verdict: Malicious activity
Analysis date: December 18, 2018, 07:35:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

573E3A714B9B777FD199035EF5A74A5B

SHA1:

136039B94B170446BF8C18F179D42AD65845925D

SHA256:

91EFB740412679033186A27DB5C15500A2D3AC1B762D67EF2674929FF0C68B6A

SSDEEP:

98304:/e5zlnNRIn7LLhvmzN4zEEs+coUZQu/1iAq:25pA7X5mdhnIAq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • RouterScan.exe (PID: 2224)
      • SearchProtocolHost.exe (PID: 416)

    • Application was dropped or rewritten from another process

      • RouterScan.exe (PID: 2224)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3044)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0008
ZipCompression: Deflated
ZipModifyDate: 2016:06:07 09:27:12
ZipCRC: 0x247d0c65
ZipCompressedSize: 1123
ZipUncompressedSize: 2857
ZipFileName: auth_basic.txt
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs routerscan.exe

Process information

PID
CMD
Path
Indicators
Parent process
416"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2224"C:\Users\admin\Desktop\RouterScan.exe" C:\Users\admin\Desktop\RouterScan.exe
explorer.exe
User:
admin
Company:
Stas'M Corp.
Integrity Level:
MEDIUM
Description:
Router Scan by Stas'M
Exit code:
0
Version:
2.5.7.0
Modules
Images
c:\users\admin\desktop\routerscan.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3044"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\stas_min.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
464
Read events
434
Write events
30
Delete events
0

Modification events

(PID) Process:(3044) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3044) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3044) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3044) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\stas_min.zip
(PID) Process:(3044) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3044) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3044) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3044) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3044) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3044) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
Operation:writeName:size
Value:
80
Executable files
5
Suspicious files
0
Text files
20
Unknown types
0

Dropped files

PID
Process
Filename
Type
3044WinRAR.exeC:\Users\admin\Desktop\RouterScan.exeexecutable
MD5:
SHA256:
3044WinRAR.exeC:\Users\admin\Desktop\librouter.dllexecutable
MD5:
SHA256:
3044WinRAR.exeC:\Users\admin\Desktop\ports.txttext
MD5:
SHA256:
2224RouterScan.exeC:\Users\admin\Desktop\RouterScan.logtext
MD5:
SHA256:
3044WinRAR.exeC:\Users\admin\Desktop\auth_form.txttext
MD5:
SHA256:
3044WinRAR.exeC:\Users\admin\Desktop\ports2.txttext
MD5:
SHA256:
3044WinRAR.exeC:\Users\admin\Desktop\auth_basic.txttext
MD5:
SHA256:
3044WinRAR.exeC:\Users\admin\Desktop\msvcr100.dllexecutable
MD5:BF38660A9125935658CFA3E53FDC7D65
SHA256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
3044WinRAR.exeC:\Users\admin\Desktop\ssleay32.dllexecutable
MD5:C3692FC84603DB4331F508E157646318
SHA256:D48936E817D62076D37A843A3B820E1BCCBEFF7E3D8FDED1FCD0508A9924029A
3044WinRAR.exeC:\Users\admin\Desktop\config.initext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2224
RouterScan.exe
GET
200
134.0.119.34:80
http://3wifi.stascorp.com/3wifi.php?a=hash&check=8uYuB7bHJED1hUbyAhQwhhMQuRuqI9RN
RU
text
111 b
suspicious
2224
RouterScan.exe
POST
200
134.0.119.34:80
http://3wifi.stascorp.com/3wifi.php?a=apikeys
RU
text
214 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2224
RouterScan.exe
134.0.119.34:80
3wifi.stascorp.com
Domain names registrar REG.RU, Ltd
RU
suspicious

DNS requests

Domain
IP
Reputation
3wifi.stascorp.com
  • 134.0.119.34
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
stas_min.zip