File name:

M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ.rar

Full analysis: https://app.any.run/tasks/0c2c59d4-bcf9-492f-a311-a0dc4deb2e3c
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: February 16, 2024, 10:10:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
hijackloader
loader
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 00CBC3DC359DA5EE581B72428D8A5A7F
SHA1: A58724DEDC44B00F0CAB4F35845A13F25EC22973
SHA256: E0CF17018498CD633BFB5C220448F067A177378B63B06A5947BF94EFA86E0C6C
SSDEEP: 98304:fsy8pWNVkGKumN+xUAyXp6SXh2cJmK4f1K6cNQ2D4VihFIz052N6H92iISkNZz+s:zTYINvmec4t7nESsfS/fb7v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • HIJACKLOADER has been detected (YARA)

      • Full-SetUp.exe (PID: 3848)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1432)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1432)
    • Manual execution by a user

      • Full-SetUp.exe (PID: 3428)
      • Full-SetUp.exe (PID: 4000)
      • Full-SetUp.exe (PID: 2832)
      • Full-SetUp.exe (PID: 3848)
    • Checks supported languages

      • Full-SetUp.exe (PID: 3428)
      • Full-SetUp.exe (PID: 4000)
      • Full-SetUp.exe (PID: 2832)
      • Full-SetUp.exe (PID: 3848)
    • Reads the computer name

      • Full-SetUp.exe (PID: 3848)
      • Full-SetUp.exe (PID: 3428)
      • Full-SetUp.exe (PID: 4000)
      • Full-SetUp.exe (PID: 2832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start winrar.exe #HIJACKLOADER full-setup.exe full-setup.exe full-setup.exe full-setup.exe

Process information

PID: 1432
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 2832
CMD: "C:\Users\admin\Desktop\Full-SetUp.exe"
Path: C:\Users\admin\Desktop\Full-SetUp.exe
Parent process: explorer.exe
User: admin
Company: VMware, Inc.
Integrity Level: MEDIUM
Description: VMware RVM Setup Service
Exit code: 0
Version: 10.0.12 build-4448491
Modules (images):
c:\users\admin\desktop\full-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID: 3428
CMD: "C:\Users\admin\Desktop\Full-SetUp.exe"
Path: C:\Users\admin\Desktop\Full-SetUp.exe
Parent process: explorer.exe
User: admin
Company: VMware, Inc.
Integrity Level: MEDIUM
Description: VMware RVM Setup Service
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 10.0.12 build-4448491
Modules (images):
c:\users\admin\desktop\full-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID: 3848
CMD: "C:\Users\admin\Desktop\Full-SetUp.exe"
Path: C:\Users\admin\Desktop\Full-SetUp.exe
Parent process: explorer.exe
User: admin
Company: VMware, Inc.
Integrity Level: MEDIUM
Description: VMware RVM Setup Service
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 10.0.12 build-4448491
Modules (images):
c:\users\admin\desktop\full-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID: 4000
CMD: "C:\Users\admin\Desktop\Full-SetUp.exe"
Path: C:\Users\admin\Desktop\Full-SetUp.exe
Parent process: explorer.exe
User: admin
Company: VMware, Inc.
Integrity Level: MEDIUM
Description: VMware RVM Setup Service
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Version: 10.0.12 build-4448491
Modules (images):
c:\users\admin\desktop\full-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
Total events: 3 839
Read events: 3 796
Write events: 29
Delete events: 14

Modification events

(PID) Process: (1432) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1432) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1432) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1432) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (1432) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (1432) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1432) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1432) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ.rar

(PID) Process: (1432) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1432) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80
Executable files: 32
Suspicious files: 1
Text files: 0
Unknown types: 1

Dropped files

PID: 1432  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ\slavocrat.dxf
Type:
MD5:
SHA256:

PID: 1432  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ\plugins\access\libfilesystem_plugin.dll
Type: executable
MD5: 8FAC15D2A2DA66ABDF345AFA45AC5E3B
SHA256: 66EF741A9282B420B09B940FBDBF666CD1625A8DA18DAAECE036FCC4E1A74D38

PID: 1432  Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\slavocrat.dxf
Type:
MD5:
SHA256:

PID: 1432  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ\plugins\audio_output\libdirectsound_plugin.dll
Type: executable
MD5: 077990F957556E8A72A37F0EE09A2083
SHA256: 412F9EC13DA17B2F2269567B8397B587352070CE77A641AE40B7A243E26C57EF

PID: 1432  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ\iconv.dll
Type: executable
MD5: 862DFC9BF209A46D6F4874614A6631CC
SHA256: 84538F1AACEBF9DAAD9FDB856611AB3D98A6D71C9EC79A8250EEE694D2652A8B

PID: 1432  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ\plugins\access\libimem_plugin.dll
Type: executable
MD5: B0770C82314E94AFD0D793774D66290B
SHA256: A5C2F2030E2CB70837D35E434D9793CAFA04132E1823430EBCFBD4D985899637

PID: 1432  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ\vmtools.dll
Type: executable
MD5: BF75203528099AE68816F209F568B966
SHA256: A3D340480FC015CD7C548FCCAD9218222C37178AF95727B612D768D8E4B24964

PID: 1432  Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\libvlccore.dll
Type: executable
MD5: E25413BB41C2F239FFDD3569F76E74B0
SHA256: 9126D9ABF91585456000FFFD9336478E91B9EA07ED2A25806A4E2E0437F96D29

PID: 1432  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ\plugins\video_output\libdirect3d9_plugin.dll
Type: executable
MD5: F910AEE501D6FE100096DCDF9BD4B525
SHA256: 77A79184B2C81DA3B98D501632FC8E5C8AF6D078DD29414AE693906F51C343AA

PID: 1432  Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\M@in_File_Setup_3232_ṔḁṨṨẄṏṛḒ\plugins\video_output\libdrawable_plugin.dll
Type: executable
MD5: DEFB6D6C7BFBDDAFD3D48D47A69D47A8
SHA256: AA8CDD685BE3FFECB848DD4264061536D562B784C473C3AD1ABC1FC3527AC1F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info