File name:

fgdfgd.zip

Full analysis: https://app.any.run/tasks/e9206164-354b-4daa-bc93-6a18a87d8e63
Verdict: Malicious activity
Analysis date: November 23, 2023, 08:19:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

D6F1439E833A3D442DEDE6B442E53718

SHA1:

D269AB71B70242FD6904EBC5960AC1E5244B56C2

SHA256:

B7705940D5D3E933CA7367ED37CAB08277CBA05C86E23E451F2FA33EA9DBEB06

SSDEEP:

49152:4EFZU9OJOXinbIaMV4lwksVZPr1hjw3d86dx4JDxhzUhegqXBJ5LNOChhgkwTZUd:EKvnvC1L15wN86ahzUhe7r0CbgkwTJR0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3428)
  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 3124)
      • msoobe.exe (PID: 3920)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3124)
      • msoobe.exe (PID: 3920)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3124)
      • msoobe.exe (PID: 3920)
      • winver.exe (PID: 2932)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3428)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 3124)
    • Process checks computer location settings

      • msoobe.exe (PID: 3920)
    • Reads Environment values

      • msoobe.exe (PID: 3920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:11:23 12:16:22
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: fdf - копия/
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in graph: winrar.exe, winver.exe, wmpnscfg.exe, msoobe.exe (details in the full report)

Process information

PID: 2932
CMD: "C:\Windows\system32\winver.exe"
Path: C:\Windows\System32\winver.exe
Indicators: -
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Version Reporter Applet
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 3124
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Indicators: -
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
PID: 3428
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\fgdfgd.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: -
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3920
CMD: "C:\Users\admin\Desktop\msoobe.exe"
Path: C:\Users\admin\Desktop\msoobe.exe
Indicators: -
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
MSOOBE EXE
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\desktop\msoobe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
Total events: 1 034
Read events: 1 012
Write events: 19
Delete events: 3

Modification events

Process: (3428) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (3124) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{B3A380BD-512A-4A65-86AF-0D3223AB95A6}\{728BE687-1F81-4BF3-BBAA-739BDF1A7BD8}
Operation: delete key
Name: (default)
Value: -

Process: (3124) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{B3A380BD-512A-4A65-86AF-0D3223AB95A6}
Operation: delete key
Name: (default)
Value: -
Executable files: 11
Suspicious files: 0
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.10084\fdf - копия\msoobe.exe | executable
MD5: 0E3E8D1E32496874F58D38EEE53EFC12
SHA256: 56798C20411F29D047593C2B8A8F742F3066A8D8D435C737BE31AC0A0064D42A

3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.10084\fdf - копия\ru-RU\audit.exe.mui | executable
MD5: 63A3927EAD62B4286665B236125F0E5E
SHA256: D244C0FB1AE9995FABE865F83C3AE18688A92F8359CC0EA9E0051F556227B320

3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.10084\fdf - копия\msoobeui.dll | executable
MD5: 12781DEF12CF5A6C82F29F1B01732D62
SHA256: 28C41968FF0308C13C75C672000A8FDE7F9154D6114D76EC4258910446AB2945

3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.10084\fdf - копия\ru-RU\OOBE_HELP_Change_Computer_Name.rtf | text
MD5: F7B4FC13BF7D0DC14AAAC46DEC8CD1C4
SHA256: 77A77F48A3396478A5BE41638D4D0740E0830D68B1B9AF974BD4E55C4D4F6B90

3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.10084\fdf - копия\ru-RU\OOBE_HELP_What_is_HomeGroup.rtf | text
MD5: 52E265A58BF391F03018C9EA279B5332
SHA256: 1F41C79F63C2CA57935D94E8EEACB6AB7E71DD435A12C24105311088EBFFA139

3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.10084\fdf - копия\ru-RU\HELP_What_is_Activation.rtf | text
MD5: F03DFAB1916F3B67014CCAC83DAAD353
SHA256: 0142925DBF44431A5DC0A85517062EB1F53D9291B95389F041D6E44679988288

3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.10084\fdf - копия\ru-RU\msoobeui.dll.mui | executable
MD5: C6F28E71987B294488345FD83E048E71
SHA256: C91FBE7A2FBE0C77246D8E605D7C65BAC15CA883A41DCF48990BA98ECBE74AD7

3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.10084\fdf - копия\ru-RU\privacy.rtf | text
MD5: 68A6F3FB53E4A7909E8BB3CCD4349294
SHA256: 720E8EBD0A8E8BAA2F59D586862A7C64FDE499377C1D45BEA7EE402318446D2B

3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.10084\fdf - копия\ru-RU\pnpibs.dll.mui | executable
MD5: AC4302C5A47A3D78E1F897E44145AE95
SHA256: 3E33FED2C59FFA6395A39049B4A1BCE67017957B98B9885CA3AD5662176089E3

3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.10084\fdf - копия\ru-RU\OOBE_HELP_Opt_in_Details.rtf | text
MD5: EA4EA96C8283A88B8A33879135D06A9B
SHA256: 015755D585CCE45A7347B4FC2C815A7AAA051DCF9046064AFE9AB9C0F3CDBEC6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests
Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
868 | svchost.exe | 95.101.148.135:80 | armmf.adobe.com | Akamai International B.V. | NL | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
armmf.adobe.com | 95.101.148.135 | whitelisted

Threats

No threats detected
No debug info