File name: Debug.zip
Full analysis: https://app.any.run/tasks/ca23558c-5419-4e76-8dc2-e05d52c9fd22
Verdict: Malicious activity
Analysis date: March 22, 2019, 00:42:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: FF5029CC1281128BC5B7E165247C7634
SHA1: B036CE234F04CA3048A044C32C29F7674AB6A962
SHA256: DC0E18A9AF2C0869E80A86F2F8DF93B385F27D7081A3EDC476FC8859405D33B3
SSDEEP: 6144:tSr9WkagPTUO1XEXrVGOxzCsvjhTpGrqec0Ey3YNdYescwu:/kagpXIrVDljhTpG+6Ey3kYU7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • FixUrShitDiscord.exe (PID: 2656)
      • FixUrShitDiscord.exe (PID: 2800)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3592)
  • SUSPICIOUS
    • No suspicious indicators.
  • INFO
    • Application was crashed
      • FixUrShitDiscord.exe (PID: 2800)
      • FixUrShitDiscord.exe (PID: 2656)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: FixUrShitDiscord.exe
ZipUncompressedSize: 15360
ZipCompressedSize: 6628
ZipCRC: 0x23d99e06
ZipModifyDate: 2018:10:20 10:45:03
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
Total processes: 41
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> winrar.exe, searchprotocolhost.exe, fixurshitdiscord.exe, notepad.exe, fixurshitdiscord.exe

Process information

PID: 1604
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Debug.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3592
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 2800
CMD: "C:\Users\admin\Desktop\FixUrShitDiscord.exe"
Path: C:\Users\admin\Desktop\FixUrShitDiscord.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: FixUrShitDiscord
Exit code: 3762504530 (0xE0434352, the unhandled .NET exception code)
Version: 1.0.0.0

PID: 1520
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\combo.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2656
CMD: "C:\Users\admin\Desktop\FixUrShitDiscord.exe"
Path: C:\Users\admin\Desktop\FixUrShitDiscord.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: FixUrShitDiscord
Version: 1.0.0.0
Total events: 556
Read events: 495
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID: 1604
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1604.39756\FixUrShitDiscord.exe
MD5:
SHA256:

PID: 1604
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1604.39756\Newtonsoft.Json.dll
MD5:
SHA256:

PID: 1604
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1604.39756\Newtonsoft.Json.xml
MD5:
SHA256:

PID: 2656
Process: FixUrShitDiscord.exe
Filename: C:\Users\admin\Desktop\Cumsies.txt
Type: html
MD5: 86D929370FB245906151E74DF6B63273
SHA256: 409FA23CCD731D8392E2CB8A9125532B84165CCFDD0195BDACE42960B39D720C

PID: 1520
Process: NOTEPAD.EXE
Filename: C:\Users\admin\Desktop\combo.txt
Type: text
MD5: 583D2DE601295B6B9850B561096EEBC2
SHA256: 94A2C24C45B770FEA88501A8F2D9D1469E83A38944B82D28674B5329326BCCDB

PID: 2800
Process: FixUrShitDiscord.exe
Filename: C:\Users\admin\Desktop\Cumsies.txt
Type: html
MD5: 86D929370FB245906151E74DF6B63273
SHA256: 409FA23CCD731D8392E2CB8A9125532B84165CCFDD0195BDACE42960B39D720C
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process               IP                   Domain           ASN             CN   Reputation
2800  FixUrShitDiscord.exe  104.28.5.69:443      proxyscrape.com  Cloudflare Inc  US   shared
2800  FixUrShitDiscord.exe  104.27.189.178:443   proxyscra.pe     Cloudflare Inc  US   shared
2656  FixUrShitDiscord.exe  104.27.189.178:443   proxyscra.pe     Cloudflare Inc  US   shared
2656  FixUrShitDiscord.exe  104.28.5.69:443      proxyscrape.com  Cloudflare Inc  US   shared

DNS requests

Domain           IP                              Reputation
proxyscra.pe     104.27.189.178, 104.27.188.178  malicious
proxyscrape.com  104.28.5.69, 104.28.4.69        suspicious

Threats

No threats detected
No debug info