File name: WPJCleanUp.zip

Full analysis: https://app.any.run/tasks/b61a29d1-4590-4320-b3b8-734ec6045cc2
Verdict: Malicious activity
Analysis date: June 04, 2024, 08:19:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 3ABAB4CFE759DE84F19D0FF8A8540B20
SHA1: F6DF6BADC1D2CF27515559C91C11AF8354C3FBFE
SHA256: 97E5046D40053BFB96151597ED3FF21276914CB11FE2E5BCC6AC0F9C7AC71642
SSDEEP: 49152:lSuQyzgkzbgwfy/dyhThTfyPMbITco90VJB9bgwfy/dyhThTfyPMbITqUln/eKMa:XdgQyFyrTPxo6VX9gQyFyrTPwGzRZfT+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3980)
  • SUSPICIOUS
    • Executing commands from ".cmd" file
      • WinRAR.exe (PID: 3980)
    • Starts CMD.EXE for commands execution
      • WinRAR.exe (PID: 3980)
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 820)
    • Reads security settings of Internet Explorer
      • WinRAR.exe (PID: 3980)
    • Application launched itself
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 820)
  • INFO
    • Checks operating system version
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 820)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3980)
    • Manual execution by a user
      • explorer.exe (PID: 1424)
      • WINWORD.EXE (PID: 2044)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:04:10 13:19:22
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: WPJCleanUp/v1709/
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 0

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 820
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa3980.7802\WPJCleanUp.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1064
CMD: C:\Windows\system32\cmd.exe /c ver
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1424
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 2044
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\schoolscable.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (Images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll

PID: 3980
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\WPJCleanUp.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 4016
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa3980.49998\WPJCleanUp.cmd" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 4044
CMD: C:\Windows\system32\cmd.exe /c ver
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

Total events: 9 674
Read events: 9 165
Write events: 195
Delete events: 314

Modification events

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\WPJCleanUp.zip

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3980) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Executable files: 13
Suspicious files: 7
Text files: 6
Unknown types: 0

Dropped files

PID: 2044
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRC62B.tmp.cvr
Type:
MD5:
SHA256:

PID: 3980
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa3980.49998\WPJCleanUp.cmd
Type: text
MD5: 606ACAF64D1DA5AA33AF8732A14AAA5A
SHA256: 343FE54D4E5D0B91A0B5AED57AA9733375DBAE479D7400F769394D8435822153

PID: 3980
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3980.1437\WPJCleanUp\v1803\CleanupWPJ_AMD64.exe
Type: executable
MD5: 358651D770BA438605A43A307F37B3B4
SHA256: 646900B6FF39F9A62280CAA7C699DC1A473F3242EF8C2F8551B7FF4C2DA6463D

PID: 3980
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3980.1437\WPJCleanUp\v1709\PsExec.exe
Type: executable
MD5: A7F7A0F74C8B48F1699858B3B6C11EDA
SHA256: 3B08535B4ADD194F5661E1131C8E81AF373CA322CF669674CF1272095E5CAB95

PID: 3980
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3980.1437\WPJCleanUp\v1709\CleanupWPJ_AMD64.exe
Type: executable
MD5: 3F1B91308035E6F16D7C06D73AA8DA65
SHA256: 159F8DCC695D98B447600E3054A19D475562A2966655D7193730BA27B4B9F4BD

PID: 3980
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3980.1437\WPJCleanUp\v1809\CleanupWPJ_X86.exe
Type: executable
MD5: FC3927858EBFD6C5167BCF4CEA555540
SHA256: B5C96610F6877704218B761DF29A12DB166ED668EFB95AEDBC137585F69E3CCF

PID: 3980
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3980.1437\WPJCleanUp\v1803\PsExec.exe
Type: executable
MD5: A7F7A0F74C8B48F1699858B3B6C11EDA
SHA256: 3B08535B4ADD194F5661E1131C8E81AF373CA322CF669674CF1272095E5CAB95

PID: 3980
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3980.1437\WPJCleanUp\v1803\cleanup.cmd
Type: text
MD5: 043083618BAA65A3D09A8A7FD6C0F23A
SHA256: 1A989F9DD27C799F62834F5343B1461B12FFA57EF14423604ED457468BBE37F2

PID: 3980
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3980.1437\WPJCleanUp\v1809\CleanupWPJ_AMD64.exe
Type: executable
MD5: BA5253B2A31C5DD09507D038776D609E
SHA256: C973AFE1F219D46BA9C0E95024835B85E1D1E2AB85F908545B3A0EDFFC4101A4

PID: 3980
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3980.1437\WPJCleanUp\v1803\CleanupWPJ_X86.exe
Type: executable
MD5: 2BB081025D6F256A91D466F5BE52B07B
SHA256: 32FC0093FB38A6014998DB9AC56DC5D613491A72ADCA97493BCDB140E815ED8F
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | unknown
4 | System | 192.168.100.255:138 | | | | unknown
| | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info