File name: TreeSizeFree-Portable.zip

Full analysis: https://app.any.run/tasks/9f9f12b5-0342-4e6e-98e2-e374fc6f8625
Verdict: Malicious activity
Analysis date: February 23, 2024, 09:48:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 3A61963C7291F89F6A2A0C43092C2AEC
SHA1: 29E8CEE1101FCECD9A086E96A08DEA8FB48AC67D
SHA256: E876B1135EFEDAA814842BCD7AA61F65AEEC5EDCAD53DB77E39778196266FB0D
SSDEEP: 196608:om/KkUcMvckaq42PR3t+QmzhTYwuS/2xA0aP53Et:p/aTvcQl5/mzhEwka0aRE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3652)
  • SUSPICIOUS

    • Reads the Internet Settings

      • hh.exe (PID: 3464)
      • hh.exe (PID: 4000)
    • Reads Internet Explorer settings

      • hh.exe (PID: 3464)
      • hh.exe (PID: 4000)
    • Reads Microsoft Outlook installation path

      • hh.exe (PID: 3464)
      • hh.exe (PID: 4000)
  • INFO

    • Manual execution by a user

      • hh.exe (PID: 3464)
      • hh.exe (PID: 4000)
    • Create files in a temporary directory

      • hh.exe (PID: 3464)
      • hh.exe (PID: 4000)
    • Reads the machine GUID from the registry

      • hh.exe (PID: 3464)
      • hh.exe (PID: 4000)
    • Reads security settings of Internet Explorer

      • hh.exe (PID: 3464)
      • hh.exe (PID: 4000)
    • Checks proxy server information

      • hh.exe (PID: 3464)
      • hh.exe (PID: 4000)
    • Creates files or folders in the user directory

      • hh.exe (PID: 3464)
      • hh.exe (PID: 4000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0002
ZipCompression: Deflated
ZipModifyDate: 2023:11:06 13:50:46
ZipCRC: 0xbbd71042
ZipCompressedSize: 16281338
ZipUncompressedSize: 48110272
ZipFileName: TreeSizeFree.exe
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> winrar.exe (no specs), hh.exe (no specs), hh.exe (no specs)

Process information

PID: 3464
CMD: "C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\TreeSizeFree_DE.chm
Path: C:\Windows\hh.exe
Indicators: none
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® HTML Help Executable
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\hh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll

PID: 3652
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: none
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 4000
CMD: "C:\Windows\hh.exe" C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\TreeSizeFree.chm
Path: C:\Windows\hh.exe
Indicators: none
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® HTML Help Executable
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\hh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\hhctrl.ocx
c:\windows\system32\user32.dll
Total events: 6 378
Read events: 6 336
Write events: 38
Delete events: 4

Modification events

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtBMP | Value: (empty)

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtIcon | Value: (empty)

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable.zip

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120
Executable files: 0
Suspicious files: 6
Text files: 24
Unknown types: 3

Dropped files

PID: 3652 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\TreeSizeFree.exe
Type: (not listed)
MD5: (not listed)
SHA256: (not listed)

PID: 3652 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\LicenseFiles\SynPDF\License.txt
Type: text
MD5: 21733EA78792989242F5B2335EE98930
SHA256: D11F2A48EC689B6087601AD447A2B27B00DE49ED18A6E960F19524C7C164C099

PID: 3652 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\LicenseFiles\GLScene\LICENSE
Type: text
MD5: 55A288862EC4D1FD20F996344D511A1F
SHA256: 2684DE17300E0A434686F1EC7F8AF6045207A4B457A3FE04B2B9CE655E7C5D50

PID: 3652 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\TreeSizeFree_DE.chm
Type: chm
MD5: 02DE6A3EF0D59BCE1E0DF3EEE216F829
SHA256: CDD3FF2C88E78E933F004178A5996CE89D3DB54B3E05468A57F17BDB09965DF5

PID: 3652 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\LicenseFiles\Jedi Component Library\License.txt
Type: text
MD5: 119094B8F3DB0B669B39C70F95199A54
SHA256: 5E8AD5B75CB6FFE779D84BFA19836E92E7B26CC50500AEE939A9E7C97E9417AD

PID: 3652 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\LicenseFiles\PasOpenCL\License.txt
Type: text
MD5: D195221EFF7F43570C622E530DFB54C1
SHA256: BFF8769453EEF48260BF36B8DD3096E4B416359FF5FC2A9FBF433D04F505E596

PID: 3652 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\LicenseFiles\Spring4D\License.txt
Type: text
MD5: 3CD65C5DF51A3989AF566559988AED3A
SHA256: 16867DA3DE1576EFA706D6AFBD123B3746C3103EB2A13664E2F26CFF2754D894

PID: 3652 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\LicenseFiles\Virtual TreeView\License.txt
Type: text
MD5: 779779A7229289E71CED3F290A644F71
SHA256: 6283D1E7EF5C6F6BACFA23C6FB73A0FBFF4E1BBD77EF1410590F47532E38DBD7

PID: 3652 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\LicenseFiles\Windows Ribbon Framework for Delphi\License.txt
Type: text
MD5: 8F311CAE53D392494AAEF34CE9D7296F
SHA256: 9137CF1DC1B99DEFB98C79E504C00D542110A035F1D848B9D99B6A6E65DE1F0C

PID: 3652 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\TreeSizeFree-Portable\License.freeware.DE.txt
Type: text
MD5: 04B5944C970EE3094DD70D6339768630
SHA256: EA2BCBADF06B009984D92FCB27F3742C36D160DDC82EE8205E049FD6F0D45640
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                     Domain   ASN   CN   Reputation
1080  svchost.exe  224.0.0.252:5355       -        -     -    unknown
4     System       192.168.100.255:138    -        -     -    whitelisted
4     System       192.168.100.255:137    -        -     -    whitelisted

DNS requests

No data

Threats

No threats detected
No debug info