File name:

x64__x32__installer.zip

Full analysis: https://app.any.run/tasks/792c7a12-1ba1-4cec-abed-4c5e2b6754f8
Verdict: Malicious activity
Analysis date: May 01, 2024, 18:17:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

8C311968FB83ADC9052F4BE272504A26

SHA1:

01E9324892FF2F4286BB0B52B0249E950BBAF7DF

SHA256:

BCBEB2A22072A7CFD302AA31B78A556722AA7D52D7B136ADEACEC711F481821C

SSDEEP:

98304:7g7eIXMCeqCMvgdUeq7RDG1w3ECKGUah4EEdaIdQEqwJQbkYku3bj3SR38CKTdA5:G/ajAxXTGZSrnCL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 676)

  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 4000)
      • taskmgr.exe (PID: 2124)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 4000)

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 820)

    • Reads the Internet Settings

      • taskmgr.exe (PID: 2124)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 676)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 820)
      • msiexec.exe (PID: 676)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 820)

    • Checks supported languages

      • msiexec.exe (PID: 676)
      • msiexec.exe (PID: 2484)

    • Reads the computer name

      • msiexec.exe (PID: 676)
      • msiexec.exe (PID: 2484)

    • Manual execution by a user

      • taskmgr.exe (PID: 2124)
      • msiexec.exe (PID: 2656)

    • Reads security settings of Internet Explorer

      • taskmgr.exe (PID: 2124)

    • Application launched itself

      • msiexec.exe (PID: 676)

    • Create files in a temporary directory

      • msiexec.exe (PID: 2656)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 2484)
      • msiexec.exe (PID: 676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:05:01 17:32:46
ZipCRC: 0x682aa699
ZipCompressedSize: 4174
ZipUncompressedSize: 980346
ZipFileName: password.jpg
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
8
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs PhotoViewer.dll no specs winrar.exe taskmgr.exe no specs taskmgr.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
676C:\Windows\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
820"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa4000.26146\x64__x32___setup.zipC:\Program Files\WinRAR\WinRAR.exe
WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1244"C:\Windows\system32\taskmgr.exe" /1C:\Windows\System32\taskmgr.exe
taskmgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2124"C:\Windows\system32\taskmgr.exe" /4C:\Windows\System32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2484C:\Windows\system32\MsiExec.exe -Embedding 0ED4715EB6D086AD57560329635124E9C:\Windows\System32\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2656"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\setup\setup.msi" C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4000"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\x64__x32__installer.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
4044C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
13 278
Read events
13 206
Write events
72
Delete events
0

Modification events

(PID) Process:(4000) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(4000) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(4000) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4000) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(4000) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(4000) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(4000) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\x64__x32__installer.zip
(PID) Process:(4000) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4000) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4000) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
14
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\setup.msi
MD5:
SHA256:
676msiexec.exeC:\Windows\Installer\10f86b.msi
MD5:
SHA256:
820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\iasnap\iasnap.dllexecutable
MD5:9159148D50715F59A725A977967898B7
SHA256:7C1DFB2B669A3346DB1C72AA240AA0C8C11AE874F295957A4AE5225AEA5CE338
820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\iasnap\mprddm.dllexecutable
MD5:AA6C7B6257F5C9175979A36A29B66BE7
SHA256:6B7AAB5FC92181204E2FA92058C3D1A321377827580164C47973930F3D8335AC
4000WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa4000.25810\password.jpgimage
MD5:338E61371ABE6DCE32235FA39A40387E
SHA256:267A7F2AE4BDDD8A5CF05E734ED92EFC1CFC0E05199060F8DFFE16349CC2665C
820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\winmde\winmde.dllexecutable
MD5:2F6EEC666FCF2A5A81DDD5D7C3CB69A1
SHA256:4256747504369F6D70E0051D1966952BF96E1AD178F9FFE6ECF369B9C3A088EC
820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\srhelper\srhelper.dllexecutable
MD5:EF1C527CD3F8FD9DED04B9AC0E4F7C9E
SHA256:1A7B3DC6503FEC4A080DAE7AE59B4A2BEB2766326D148653C5E3DC3E05113415
820WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb820.27231\winmde\MMDevAPI.dllexecutable
MD5:8123FCED22F5424445BAA833E790ABE8
SHA256:0A5E682042A3DAD4BF67AB9A0E3542683A12B75C727EC4972820CF15E5CF59C2
676msiexec.exeC:\Windows\Installer\MSIF985.tmpexecutable
MD5:B158D8D605571EA47A238DF5AB43DFAA
SHA256:CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
676msiexec.exeC:\Windows\Installer\MSIF9D4.tmpexecutable
MD5:B158D8D605571EA47A238DF5AB43DFAA
SHA256:CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
x64__x32__installer.zip