File name: KingMail_v1.1_Crack.zip

Full analysis: https://app.any.run/tasks/8025f185-6865-401e-9252-dce6a0d4ef6e
Verdict: Malicious activity
Analysis date: June 15, 2024, 16:11:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: FD80BA58E946F39E59E3B1B0A6CB1FD7
SHA1: 2635602C21D834C7316E9A283B6E5318CCD67AF2
SHA256: BE1B793D6CEA78BDF91384963CDCB7B009FF61D87E1CCEC17239BE2EA5B85E0F
SSDEEP: 98304:huc2ffTDx1/fQ9LgSQizOZs0FhD2wRouuUM57dWhOuL4mRIzUS9UHskAAWcjM3Qz:I7RF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3976)
      • KingMail 1.1.exe (PID: 2072)
      • sanctam.exe (PID: 1120)
      • mscomponentBrowserFontwin.exe (PID: 1432)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 748)
  • SUSPICIOUS

    • Reads the Internet Settings

      • KingMail 1.1.exe (PID: 2072)
      • sanctam.exe (PID: 1120)
      • wscript.exe (PID: 748)
    • Reads security settings of Internet Explorer

      • KingMail 1.1.exe (PID: 2072)
      • sanctam.exe (PID: 1120)
    • Executable content was dropped or overwritten

      • KingMail 1.1.exe (PID: 2072)
      • sanctam.exe (PID: 1120)
      • mscomponentBrowserFontwin.exe (PID: 1432)
    • Starts CMD.EXE for command execution

      • wscript.exe (PID: 748)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 748)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 748)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3976)
    • Checks supported languages

      • KingMail 1.1.exe (PID: 2072)
      • sanctam.exe (PID: 1120)
      • mscomponentBrowserFontwin.exe (PID: 1432)
    • Creates files in a temporary directory

      • KingMail 1.1.exe (PID: 2072)
    • Manual execution by a user

      • KingMail 1.1.exe (PID: 2072)
    • Reads the computer name

      • KingMail 1.1.exe (PID: 2072)
      • sanctam.exe (PID: 1120)
      • mscomponentBrowserFontwin.exe (PID: 1432)
    • Reads the machine GUID from the registry

      • mscomponentBrowserFontwin.exe (PID: 1432)
    • Reads Environment values

      • mscomponentBrowserFontwin.exe (PID: 1432)
    • Reads product name

      • mscomponentBrowserFontwin.exe (PID: 1432)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:06:15 08:42:18
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: KingMail v1.1 Crack/
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph: start, winrar.exe, kingmail 1.1.exe, sanctam.exe, wscript.exe (no specs), cmd.exe (no specs), mscomponentbrowserfontwin.exe

Process information

PID: 748
CMD: "C:\Windows\System32\WScript.exe" "C:\fontsavesperf\IqDu.vbe"
Path: C:\Windows\System32\wscript.exe
Parent process: sanctam.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
  c:\windows\system32\wscript.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 1120
CMD: "C:\Users\admin\AppData\Local\Temp\sanctam.exe"
Path: C:\Users\admin\AppData\Local\Temp\sanctam.exe
Parent process: KingMail 1.1.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\appdata\local\temp\sanctam.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 1432
CMD: "C:\fontsavesperf/mscomponentBrowserFontwin.exe"
Path: C:\fontsavesperf\mscomponentBrowserFontwin.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3762504530
Version: 16.10.31418.88
Modules (images):
  c:\fontsavesperf\mscomponentbrowserfontwin.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 1872
CMD: C:\Windows\system32\cmd.exe /c ""C:\fontsavesperf\HronhTxGy0bMjeIAkJVetpPpU3.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 3762504530
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  c:\windows\system32\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 2072
CMD: "C:\Users\admin\Desktop\KingMail v1.1 Crack\KingMail 1.1.exe"
Path: C:\Users\admin\Desktop\KingMail v1.1 Crack\KingMail 1.1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\desktop\kingmail v1.1 crack\kingmail 1.1.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\shell32.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 3976
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\KingMail_v1.1_Crack.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll
Total events: 7 530
Read events: 7 486
Write events: 44
Delete events: 0

Modification events

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\KingMail_v1.1_Crack.zip

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3976) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 8
Suspicious files: 2
Text files: 19
Unknown types: 0

Dropped files

PID: 3976 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.25141\KingMail v1.1 Crack\Jint.dll
MD5: 734C5CE8F9B104D8AD3C7B494E96F9B9
SHA256: ED618668AE9E7C02C7C2B7332DD09079168CCA96432A051044683C996337001C

PID: 3976 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.25141\KingMail v1.1 Crack\Leaf.xNet.dll
MD5: 2C607159E31C1E091697E74EFA5CFEBE
SHA256: 056900C587B7E574CCD154A83FE299BADA653347C3862076B0EF6035039C0BEC

PID: 3976 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.25141\KingMail v1.1 Crack\KingMail 1.1.exe
MD5: A8F954748047B339C19DF2711E0DB074
SHA256: 0EEBDE0EAF8BDA36E4F80AC3987586555C60D309C4E3CBFED3C83B107DC6B264

PID: 3976 | Process: WinRAR.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.25141\KingMail v1.1 Crack\proxies.txt
MD5: 8AF14DABEF638E7AF592C48FF7C43E98
SHA256: 45B3A8CA7BFC14DB0410E5A697F1BAB75424D65671BA43CEC66FD91A93F2100E

PID: 3976 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.25141\KingMail v1.1 Crack\keywords.txt
MD5: 8C80A98C3AEAFEC0694A8469B6D25EB0
SHA256: 071698FA0CFD1E20759F7EC6F18BC6F21AE62B6332262C1EA6E9DEAA0BABEA59

PID: 3976 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.25141\KingMail v1.1 Crack\Results\Hotmail__Hotmail_Valids_US\[email protected]
MD5: 2165B73C775F14A749D17CE379A83D0C
SHA256: 68370B4D760FB73A6D01B3E6A514EFE6D6B84EC6AD9E39EF58BCB15D8C591EDC

PID: 3976 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.25141\KingMail v1.1 Crack\Results\Hotmail__Hotmail_Valids_US\[email protected]
MD5: D7EF8479DE5AAC6FAAAF6CCDE873FF7A
SHA256: CCAD4A9A7825C92ACDB9BB03EE3D3193B499EC1FBD6703BAE3218AFC9084739C

PID: 3976 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.25141\KingMail v1.1 Crack\Results\Hotmail__Hotmail_Valids_US\[email protected]
MD5: 4FF87011D349B359DAA2AEE7AD29E47E
SHA256: 10AC6ED69FF933C875F0641177E09B4178094950802540637384E930D2E849A2

PID: 3976 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.25141\KingMail v1.1 Crack\Results\Hotmail__Hotmail_Valids_US\[email protected]
MD5: 29B9AA58A20D5A5734188239B83D59F7
SHA256: 9A2F83349C82F6C1ED5BD98862E9F8CCB415CB1FBEF224BE28C2059A5C022174

PID: 3976 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.25141\KingMail v1.1 Crack\Results\Hotmail__Hotmail_Valids_US\[email protected]
MD5: E3FC61BAD09D34C0285CF42AFB2CF8BB
SHA256: 9A2BB25264DBDEBA322BBF30FE0E89E909FE3351A56BFD4A4FE21151C7FE5F77
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info