File name:

blizzard.zip

Full analysis: https://app.any.run/tasks/49f0f1f5-839e-4921-99ef-58fc5790d906
Verdict: Malicious activity
Threats:

Netwire is an advanced RAT — malware that takes control of infected PCs and lets its operators perform various actions on them. Unlike many RATs, it can target every major operating system, including Windows, Linux, and macOS.

Analysis date: December 18, 2018, 07:35:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
netwire
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

F25ADCC08984E7CA606C3C99003C6645

SHA1:

09DAACFEBD06EC949042A6FF22471BCDAAD44B53

SHA256:

92CF206C24884C67651100BADFEAD0E0A23B56C92B9C47AD400239BF1F1CB2D1

SSDEEP:

196608:JIXg/KZedlxTWzeApbdvLNSn8hD1pYN+q++vgwn4Dgn69P5QBRK:CQ/IedPWzeQdLNSksE+Y040n2uBU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • blizzard checker .exe (PID: 3960)
      • blizzard checker .exe (PID: 2052)
      • blizzard.exe (PID: 3996)
      • blizzard.exe (PID: 2984)
      • svchost.exe (PID: 2092)
      • svchost.exe (PID: 3000)
      • blizzard checker.exe (PID: 1704)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1708)
      • blizzard checker.exe (PID: 1704)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 3000)
    • NETWIRE was detected

      • svchost.exe (PID: 3000)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3160)
      • blizzard checker .exe (PID: 2052)
      • blizzard.exe (PID: 2984)
    • Creates executable files which already exist in Windows

      • blizzard.exe (PID: 2984)
    • Creates files in the user directory

      • blizzard.exe (PID: 2984)
      • svchost.exe (PID: 3000)
    • Application launched itself

      • blizzard checker .exe (PID: 3960)
      • svchost.exe (PID: 2092)
    • Connects to unusual port

      • svchost.exe (PID: 3000)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2018:12:18 08:47:29
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: blizzard/
No data.
Total processes: 38
Monitored processes: 9
Malicious processes: 8
Suspicious processes: 0

Behavior graph

[Graph not reproduced. Nodes: winrar.exe, blizzard checker .exe (no specs), searchprotocolhost.exe (no specs), blizzard checker .exe, blizzard.exe (no specs), blizzard checker.exe (no specs), blizzard.exe, svchost.exe (no specs), svchost.exe (#NETWIRE); edges are labelled "start" and "drop and start".]

Process information

PID: 1704
CMD: "C:\Users\admin\AppData\Local\Temp\blizzard checker.exe" 0
Path: C:\Users\admin\AppData\Local\Temp\blizzard checker.exe
Parent process: blizzard checker .exe
User: admin
Integrity Level: MEDIUM
Description: Wpf checker test
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\blizzard checker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 1708
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2052
CMD: "C:\Users\admin\Desktop\blizzard\blizzard checker .exe"
Path: C:\Users\admin\Desktop\blizzard\blizzard checker .exe
Parent process: blizzard checker .exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\blizzard\blizzard checker .exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 2092
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\MMC\svchost.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\MMC\svchost.exe
Parent process: blizzard.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\microsoft\mmc\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID: 2984
CMD: "C:\Users\admin\AppData\Local\Temp\blizzard.exe" 0
Path: C:\Users\admin\AppData\Local\Temp\blizzard.exe
Parent process: blizzard.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\blizzard.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\gdi32.dll

PID: 3000
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\MMC\svchost.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\MMC\svchost.exe
Parent process: svchost.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\microsoft\mmc\svchost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID: 3160
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\blizzard.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 3960
CMD: "C:\Users\admin\Desktop\blizzard\blizzard checker .exe"
Path: C:\Users\admin\Desktop\blizzard\blizzard checker .exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\blizzard\blizzard checker .exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

PID: 3996
CMD: "C:\Users\admin\AppData\Local\Temp\blizzard.exe" 0
Path: C:\Users\admin\AppData\Local\Temp\blizzard.exe
Parent process: blizzard checker .exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\blizzard.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

Total events: 1 109
Read events: 1 093
Write events: 16
Delete events: 0

Modification events

Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (3160) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\blizzard.zip

Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (3160) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (1708) SearchProtocolHost.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (1708) SearchProtocolHost.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: @C:\Windows\system32\notepad.exe,-469
Value: Text Document

Executable files: 12
Suspicious files: 1
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3160.8589\blizzard\bad_Bad[09_14_05].txt | text
3160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3160.8589\blizzard\blizzard checker .exe | executable
2052 | blizzard checker .exe | C:\Users\admin\AppData\Local\Temp\blizzard checker.exe | executable
2052 | blizzard checker .exe | C:\Users\admin\AppData\Local\Temp\blizzard.exe | executable
2984 | blizzard.exe | C:\Users\admin\AppData\Roaming\Microsoft\MMC\svchost.exe | executable
3000 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\MMC\Settings.ini | binary
3160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3160.8589\blizzard\battle.net[09_22_39].txt | text
3160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3160.8589\blizzard\battle.net[09_14_05].txt | text
3160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3160.8589\blizzard\bad_Bad[08_07_49].txt | text
3160 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3160.8589\blizzard\bad_Bad[09_22_39].txt | text

HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 4

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3000 | svchost.exe | 37.228.134.84:8999 | playhardgopro.life | Mike Kaldig | DE | suspicious

DNS requests

Domain | IP | Reputation
playhardgopro.life | 37.228.134.84 | malicious

Threats

PID | Process | Class | Message
3000 | svchost.exe | A Network Trojan was detected | SC SPYWARE Spyware Weecnaw Win32
3000 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT
3000 | svchost.exe | A Network Trojan was detected | SC SPYWARE Spyware Weecnaw Win32
3000 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Netwire.RAT

No debug info