File name: PC.Building.Simulator.2.v1.0-v1.6.Plus.9.Trainer-FLiNG.zip

Full analysis: https://app.any.run/tasks/55428cb0-da0a-4ac9-ba2a-2dad7a67d46b
Verdict: Malicious activity
Threats: HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: November 18, 2023, 12:37:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: hijackloader, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B9E04C48E4527E9C49FF0BEB781021A2
SHA1: 567553606859693BDBF2646C758753C21B5B4CAE
SHA256: 9E95222B65E9828DB3C08EA768860F08770EE862992545B4053CCE0E687F2CF3
SSDEEP: 49152:QkV1cpzWo5uZBbyNg4W8T5dNOw52r1cJtwrPa4zBOrtefLkXIjnh8c+wiAmgU5RX:fDchWTjOy4FT4w21OtqPtzBBjnhUGU59

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • HIJACKLOADER has been detected (YARA)

      • FnlingTR.477.884354.exe (PID: 3604)
      • FnlingTR.477.884354.exe (PID: 2056)
  • SUSPICIOUS

    • Checks Windows Trust Settings

      • FnlingTR.477.884354.exe (PID: 3604)
      • FnlingTR.477.884354.exe (PID: 2056)
    • Reads the Internet Settings

      • FnlingTR.477.884354.exe (PID: 3604)
      • FnlingTR.477.884354.exe (PID: 2056)
    • Reads security settings of Internet Explorer

      • FnlingTR.477.884354.exe (PID: 3604)
      • FnlingTR.477.884354.exe (PID: 2056)
    • Reads settings of System Certificates

      • FnlingTR.477.884354.exe (PID: 3604)
      • FnlingTR.477.884354.exe (PID: 2056)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3440)
    • Checks proxy server information

      • FnlingTR.477.884354.exe (PID: 3604)
      • FnlingTR.477.884354.exe (PID: 2056)
    • Checks supported languages

      • FnlingTR.477.884354.exe (PID: 3604)
      • wmpnscfg.exe (PID: 3768)
      • FnlingTR.477.884354.exe (PID: 2056)
    • Reads the computer name

      • FnlingTR.477.884354.exe (PID: 3604)
      • wmpnscfg.exe (PID: 3768)
      • FnlingTR.477.884354.exe (PID: 2056)
    • Reads the machine GUID from the registry

      • FnlingTR.477.884354.exe (PID: 3604)
      • wmpnscfg.exe (PID: 3768)
      • FnlingTR.477.884354.exe (PID: 2056)
    • Manual execution by a user

      • WinRAR.exe (PID: 3492)
      • wmpnscfg.exe (PID: 3768)
      • FnlingTR.477.884354.exe (PID: 2056)
    • Creates files or folders in the user directory

      • FnlingTR.477.884354.exe (PID: 3604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:11:17 18:57:54
ZipCRC: 0xae3806f1
ZipCompressedSize: 930814
ZipUncompressedSize: 1581568
ZipFileName: PC Building Simulator 2 v1.0-v1.6 Plus 9 Trainer.exe
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process chain (from start):
  • winrar.exe (no specs)
  • winrar.exe (no specs)
  • fnlingtr.477.884354.exe (#HIJACKLOADER)
  • wmpnscfg.exe (no specs)
  • fnlingtr.477.884354.exe (#HIJACKLOADER)

Process information

PID: 2056
CMD: "C:\Users\admin\Desktop\FnlingTR.477.884354.exe"
Path: C:\Users\admin\Desktop\FnlingTR.477.884354.exe
Parent process: explorer.exe
User: admin
Company: Viewpoint Corporation
Integrity Level: MEDIUM
Description: Viewpoint Media Player MtsAxInstaller
Exit code: 3221225477
Version: 3, 0, 13, 200
Modules
Images
c:\users\admin\desktop\fnlingtr.477.884354.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3440
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PC.Building.Simulator.2.v1.0-v1.6.Plus.9.Trainer-FLiNG.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3492
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\FnlingTR.477.884354.tar.gz"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3604
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3492.13892\FnlingTR.477.884354.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3492.13892\FnlingTR.477.884354.exe
Parent process: WinRAR.exe
User: admin
Company: Viewpoint Corporation
Integrity Level: MEDIUM
Description: Viewpoint Media Player MtsAxInstaller
Exit code: 3221225477
Version: 3, 0, 13, 200
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3492.13892\fnlingtr.477.884354.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3768
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events: 9 538
Read events: 9 419
Write events: 116
Delete events: 3

Modification events

(PID) Process: (3440) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID) Process: (3440) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process: (3440) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (3440) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process: (3440) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (3440) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (3440) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID) Process: (3440) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID) Process: (3440) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (3440) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Executable files: 2
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3492.13892\FnlingTR.477.884354.exe | (type not reported)
  MD5: (not reported)
  SHA256: (not reported)
3492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3492.20810\FnlingTR.477.884354.exe | (type not reported)
  MD5: (not reported)
  SHA256: (not reported)
3604 | FnlingTR.477.884354.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
  MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
  SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
3440 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3440.6264\PC Building Simulator 2 v1.0-v1.6 Plus 9 Trainer.exe | executable
  MD5: AC432710BE3034102B6E8C410CEF68D0
  SHA256: 6D24667F79A928F9C78E96CA0050113590D21DBD0180BE145B88CD9F0E6855BB
3440 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3440.6716\PC Building Simulator 2 v1.0-v1.6 Plus 9 Trainer.exe | executable
  MD5: AC432710BE3034102B6E8C410CEF68D0
  SHA256: 6D24667F79A928F9C78E96CA0050113590D21DBD0180BE145B88CD9F0E6855BB
3604 | FnlingTR.477.884354.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 2D2DA3B623BDC108A31FEFBB4D19134D
  SHA256: F2CCBF3D8EADA2EAD41337735323CB048FB52EAFA942E7DD629B0EA42165B97D
3604 | FnlingTR.477.884354.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\mailing-lists[2].txt | text
  MD5: 63D8439240B7774F44AC0697790F49BB
  SHA256: D80753DF3937F00B468740620C62DF57C44FE24E42ED840A564016A7842DEB1D
3604 | FnlingTR.477.884354.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
  MD5: 5120FF36D8245A91962751CB0B3B05C1
  SHA256: 2CFCD8E990AD9E3B21FEA5C511B2724A176CBC08A784E694BA30AE140B8448AC
3604 | FnlingTR.477.884354.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\mailing-lists[1].txt | text
  MD5: 6003309B86E546B79FB4AB80DB7DA45F
  SHA256: 2540834BABCAD71A1717C55503B709ACBB2D9911B1810982E6491C2FE6784C63
3604 | FnlingTR.477.884354.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
  MD5: C8955B6EAC97A077AC4AC915DF66D0DB
  SHA256: BC3EAE5DF16DB7EC36FD092AFD753B94AF4C2BD0AC60793FA28134E91BD25D33
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 15
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3604 | FnlingTR.477.884354.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | unknown | binary | 1.47 Kb | unknown
(same process) | GET | 200 | 67.27.157.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e1cf7d31d43684f4 | unknown | compressed | 4.66 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3604 | FnlingTR.477.884354.exe | 104.18.39.207:443 | docutils.sourceforge.io | CLOUDFLARENET | - | unknown
3604 | FnlingTR.477.884354.exe | 67.27.157.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | unknown
3604 | FnlingTR.477.884354.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3604 | FnlingTR.477.884354.exe | 162.19.58.159:443 | i.ibb.co | OVH SAS | FR | unknown
3604 | FnlingTR.477.884354.exe | 146.75.116.193:443 | i.imgur.com | FASTLY | US | unknown
2056 | FnlingTR.477.884354.exe | 104.18.39.207:443 | docutils.sourceforge.io | CLOUDFLARENET | - | unknown

DNS requests

Domain | IP(s) | Reputation
docutils.sourceforge.io
  • 104.18.39.207
  • 172.64.148.49
unknown
ctldl.windowsupdate.com
  • 67.27.157.254
  • 67.27.235.126
  • 67.26.137.254
  • 67.26.139.254
  • 67.27.234.126
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
i.ibb.co
  • 162.19.58.159
  • 162.19.58.157
  • 162.19.58.158
  • 162.19.58.156
  • 162.19.58.160
  • 162.19.58.161
shared
i.imgur.com
  • 146.75.116.193
  • 146.75.120.193
shared

Threats

No threats detected
No debug info