File name: virus-files.zip

Full analysis: https://app.any.run/tasks/51de476a-80eb-4456-a607-430f536ca4f8
Verdict: Malicious activity
Analysis date: August 09, 2023, 08:14:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 0C11768D49CD22EBEE5B6AD3D7FEBCD6
SHA1: BB463DA43458F7708AAEA4931579503B067090D7
SHA256: E231CC1FB99FCCA6BAE8DF59470F82136CB97B9F9C96A75D8CF7AB2AD4E222A0
SSDEEP: 393216:owy0YNUtmKdreI8t7pMRRdusbu6SxpQ0uCsmTAwG3z4:5y0w8d/8/CRhbu6Sxy0uH4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 2740)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3060)
      • powershell.exe (PID: 2680)
      • powershell.exe (PID: 2972)
    • Changes powershell execution policy (Bypass)

      • Amigodainapasik.exe (PID: 2744)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Amigodainapasik.exe (PID: 1828)
      • explorer.exe (PID: 1404)
    • Starts CMD.EXE for commands execution

      • Amigodainapasik.exe (PID: 2744)
    • Application launched itself

      • Amigodainapasik.exe (PID: 2744)
    • Uses powercfg.exe to modify the power settings

      • Amigodainapasik.exe (PID: 2744)
    • Starts POWERSHELL.EXE for commands execution

      • Amigodainapasik.exe (PID: 2744)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3504)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 7za.exe
ZipUncompressedSize: 791040
ZipCompressedSize: 429498
ZipCRC: 0xb6df338d
ZipModifyDate: 2021:11:03 08:41:44
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 84
Monitored processes: 30
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start winrar.exe explorer.exe searchprotocolhost.exe no specs amigodainapasik.exe CMSTPLUA no specs amigodainapasik.exe no specs cmd.exe no specs amigodainapasik.exe no specs amigodainapasik.exe no specs amigodainapasik.exe no specs everything.exe no specs taskmgr.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powershell.exe no specs powercfg.exe no specs powershell.exe no specs powershell.exe no specs

Process information

PID: 940
CMD: powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
Path: C:\Windows\System32\powercfg.exe
Parent process: Amigodainapasik.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 996
CMD: "C:\Users\admin\AppData\Local\{D3F1A24A-4570-94FC-C72A-8CAE679319B4}\Amigodainapasik.exe" -e ul2
Path: C:\Users\admin\AppData\Local\{D3F1A24A-4570-94FC-C72A-8CAE679319B4}\Amigodainapasik.exe
Parent process: Amigodainapasik.exe
User: admin
Integrity Level: HIGH
Exit code: 0
PID: 1164
CMD: cmd.exe /c DC.exe /D
Path: C:\Windows\System32\cmd.exe
Parent process: Amigodainapasik.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 1404
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1412
CMD: "C:\Users\admin\AppData\Local\{D3F1A24A-4570-94FC-C72A-8CAE679319B4}\Amigodainapasik.exe" -e watch -pid 2744 -!
Path: C:\Users\admin\AppData\Local\{D3F1A24A-4570-94FC-C72A-8CAE679319B4}\Amigodainapasik.exe
Parent process: Amigodainapasik.exe
User: admin
Integrity Level: HIGH
Exit code: 0
PID: 1520
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\System32\taskmgr.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1532
CMD: powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
Path: C:\Windows\System32\powercfg.exe
Parent process: Amigodainapasik.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1572
CMD: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
Path: C:\Windows\System32\powercfg.exe
Parent process: Amigodainapasik.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1828
CMD: "C:\Users\admin\Desktop\123\Amigodainapasik.exe"
Path: C:\Users\admin\Desktop\123\Amigodainapasik.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
PID: 1932
CMD: powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
Path: C:\Windows\System32\powercfg.exe
Parent process: Amigodainapasik.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Total events: 4 679
Read events: 4 617
Write events: 60
Delete events: 2

Modification events

PID: 1404, Process: explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000F6D6788197A75D498472ACE88906AC8D000000000200000000001066000000010000200000009E878810DB7ADAA62BFF5B2995C9135391587830D7B78763BAF891A8E326C1D2000000000E8000000002000020000000708BCEE11BAED4DDD5A3536C5255C2A3EF209C73E80BF0C5975934919F66066C3000000061005E5889DC4149BCED257BF4BA4C21CB59685E22EC16EF02A95B0CEABEBA93FBB032CCA687E18A4BDEBA6F726F319C40000000F064E3528192B7C6D193DF6C50758DA37C0621234E8F51940EC6686BA8A09CA3B94552BD897D898E633AF8A1B24303E938BA186E293CEDBB46D515585CB43CE0

PID: 3504, Process: WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

PID: 3504, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

PID: 3504, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

PID: 3504, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

PID: 3504, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

PID: 3504, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

PID: 3504, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

PID: 3504, Process: WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

PID: 1404, Process: explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation: write
Name: MRUList
Value: a

Executable files: 18
Suspicious files: 20
Text files: 4
Unknown types: 0

Dropped files

PID: 3504, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3504.37753\Everything.db
MD5:
SHA256:

PID: 1404, Process: explorer.exe
Filename: C:\Users\admin\Desktop\123\Everything.db
MD5:
SHA256:

PID: 3504, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3504.37753\7za.exe
Type: executable
MD5: B93EB0A48C91A53BDA6A1A074A4B431E
SHA256: AB15A9B27EE2D69A8BC8C8D1F5F40F28CD568F5CBB28D36ED938110203F8D142

PID: 3504, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3504.37753\Everything.ini
Type: text
MD5: AA3A3920373062703D7875A4DB7FC17E
SHA256: 5482D861779F3B99D8E400269D46BA35FFD50B229444059B5CDB2481ADFB50B2

PID: 3504, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3504.37753\Amigodainapasik.exe
Type: executable
MD5: 0DA0F742CF3BD80919716FBD03299189
SHA256: 8F8CE3E99D843A4BEB1D3D961A7CAB27E75E32490132464E448BDBCD97DDCFD5

PID: 3504, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3504.37753\Everything32.dll
Type: executable
MD5: 3B03324537327811BBBAFF4AAFA4D75B
SHA256: 8CAE8A9740D466E17F16481E68DE9CBD58265863C3924D66596048EDFD87E880

PID: 3504, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3504.37753\Everything2.ini.an8uxv2w
Type: binary
MD5: 20D9A5C42F39966C76F4A0616A429F2C
SHA256: DE5C9C79750515BE2FDB0D7121F9325EF705BFA0AC665E8DC1BBB7277EC5722C

PID: 1828, Process: Amigodainapasik.exe
Filename: C:\Users\admin\AppData\Local\{D3F1A24A-4570-94FC-C72A-8CAE679319B4}\Everything.db
MD5:
SHA256:

PID: 3504, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3504.37753\sdel64.exe
Type: executable
MD5: E2114B1627889B250C7FD0425BA1BD54
SHA256: 5434DFDB731238EDCB07A8C3A83594791536DDA7A63C29F19BE7BB1D59AEDD60

PID: 3504, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3504.37753\Everything64.dll.an8uxv2w
Type: binary
MD5: FCD36B7EF26DA345F52B33D1C3F7E3FC
SHA256: B52EBD19240268E747B7F919A6D41F72DF46CCC3E82D329BB7C3324C3709F839

HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                     Reputation
2640  svchost.exe  239.255.255.250:1900   whitelisted
4     System       192.168.100.255:137    whitelisted
4     System       192.168.100.255:138    whitelisted
1088  svchost.exe  224.0.0.252:5355       unknown

(Domain, ASN and CN columns are empty for all four connections.)

DNS requests

No data

Threats

No threats detected
No debug info