File name: MyDockFinder.v1.10.4.zip

Full analysis: https://app.any.run/tasks/ad17a342-f05b-4c72-8b12-3e10419fed51
Verdict: Malicious activity
Analysis date: February 21, 2025, 13:46:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: AB38EB6EF2CEC6CE70B18F2476BD7DD3
SHA1: 1909EB5AF6446251FE473C83843E0DD8018F5C48
SHA256: EF2FDC3CFEF1ECEA02274849E9CC2219A23932836A0E55F057E5A7C677716683
SSDEEP: 786432:dMbwNwzEEct0qudhqudBqCjJR4qTO9QldqOD2:WbgjE7dzdBqAJR4qTO9QTrD2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 4764)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 4764)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4764)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 3688)
      • rundll32.exe (PID: 3076)
      • rundll32.exe (PID: 4536)
      • rundll32.exe (PID: 3364)
      • rundll32.exe (PID: 5496)
      • rundll32.exe (PID: 2076)
      • rundll32.exe (PID: 4160)
      • notepad.exe (PID: 1200)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 4764)
    • Manual execution by a user

      • notepad.exe (PID: 3688)
      • rundll32.exe (PID: 4536)
      • rundll32.exe (PID: 3076)
      • rundll32.exe (PID: 3364)
      • rundll32.exe (PID: 5496)
      • rundll32.exe (PID: 2076)
      • rundll32.exe (PID: 4160)
      • notepad.exe (PID: 1200)
    • Local mutex for internet shortcut management

      • rundll32.exe (PID: 3076)
      • rundll32.exe (PID: 4536)
      • rundll32.exe (PID: 3364)
      • rundll32.exe (PID: 5496)
      • rundll32.exe (PID: 2076)
      • rundll32.exe (PID: 4160)
      • WinRAR.exe (PID: 4764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP, first local file header):

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:01:29 06:24:30
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: MyDockFinder.v1.10.4/
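The ZIP fields above come from the archive's first local file header, which for this sample is the top-level directory entry MyDockFinder.v1.10.4/ (hence CRC 0 and no sizes: a leading directory entry says nothing about the payload). The parser below is an added example, not ANY.RUN's or ExifTool's code. It builds a constructed stored archive whose first entry is that directory, using the report's file name and timestamp, and decodes each local header into the same field names; the second entry and its content are invented.

```python
"""Decode ZIP local file headers into the fields shown above.
Added example; the sample archive is constructed, not the analysed file."""
import struct
import zlib

LOCAL_FILE_HEADER_SIG = b"PK\x03\x04"
LOCAL_FILE_HEADER_FMT = "<4sHHHHHIIIHH"  # signature + 26 bytes of fixed fields = 30 bytes
COMPRESSION_NAMES = {0: "None", 8: "Deflate", 12: "BZIP2", 14: "LZMA", 93: "Zstandard"}


def encode_dos_datetime(year, month, day, hour, minute, second):
    """Pack a timestamp into the 16-bit DOS date and time words ZIP uses (2 s resolution)."""
    dos_date = ((year - 1980) << 9) | (month << 5) | day
    dos_time = (hour << 11) | (minute << 5) | (second // 2)
    return dos_date, dos_time


def decode_dos_datetime(dos_date, dos_time):
    """Inverse of encode_dos_datetime, formatted like ZipModifyDate in the report."""
    year = ((dos_date >> 9) & 0x7F) + 1980
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = (dos_time >> 11) & 0x1F
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    return f"{year:04d}:{month:02d}:{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def build_local_file_header(name, mtime, *, version=10, flags=0, method=0, data=b""):
    """Emit one stored (method 0) entry: local header, file name, then the raw data."""
    dos_date, dos_time = encode_dos_datetime(*mtime)
    name_b = name.encode("utf-8")
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = struct.pack(LOCAL_FILE_HEADER_FMT, LOCAL_FILE_HEADER_SIG, version, flags,
                         method, dos_time, dos_date, crc, len(data), len(data), len(name_b), 0)
    return header + name_b + data


def parse_local_file_header(blob):
    """Decode the local file header at offset 0 of blob. File-type tools summarise
    only this first entry unless told to walk the whole archive."""
    if len(blob) < 30 or blob[:4] != LOCAL_FILE_HEADER_SIG:
        raise ValueError("no ZIP local file header at offset 0")
    (_, version, flags, method, dos_time, dos_date, crc, csize, usize,
     name_len, extra_len) = struct.unpack(LOCAL_FILE_HEADER_FMT, blob[:30])
    name = blob[30:30 + name_len].decode("utf-8", errors="replace")
    return {
        "ZipRequiredVersion": version,  # 10 -> "at least v1.0 to extract"
        "ZipRequiredVersionText": f"{version // 10}.{version % 10}",
        "ZipBitFlag": flags,
        "ZipCompression": COMPRESSION_NAMES.get(method, f"unknown ({method})"),
        "ZipModifyDate": decode_dos_datetime(dos_date, dos_time),
        "ZipCRC": crc,
        "ZipCompressedSize": csize,
        "ZipUncompressedSize": usize,
        "ZipFileName": name,
        "IsDirectoryEntry": name.endswith("/"),
        "NextEntryOffset": 30 + name_len + extra_len + csize,  # valid for stored entries
    }


# Constructed sample mirroring the reported layout: a stored directory entry first
# (CRC and sizes are legitimately zero), then a stored file with invented content.
STAMP = (2025, 1, 29, 6, 24, 30)
SAMPLE_ZIP = (
    build_local_file_header("MyDockFinder.v1.10.4/", STAMP)
    + build_local_file_header("MyDockFinder.v1.10.4/HOW TO RUN GAME!!.txt", STAMP, data=b"hello")
)


def walk_entries(blob=SAMPLE_ZIP):
    """Return every local-header summary in order, stopping at the first non-header bytes."""
    entries, offset = [], 0
    while blob[offset:offset + 4] == LOCAL_FILE_HEADER_SIG:
        info = parse_local_file_header(blob[offset:])
        entries.append(info)
        offset += info["NextEntryOffset"]
    return entries


if __name__ == "__main__":
    for entry in walk_entries():
        print({k: v for k, v in entry.items() if k != "NextEntryOffset"})
```

Run against a real archive with `walk_entries(open(path, "rb").read())`; entries written with a data descriptor (bit flag 0x8) report zero sizes in the local header, so for those the central directory, not this header, is authoritative.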
All screenshots are available in the full report
Total processes: 117
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process tree as rendered: start -> winrar.exe; notepad.exe, six rundll32.exe instances and a second notepad.exe are shown with "no specs" (no signature hits of their own).

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process.
PID: 1200
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\config.ini
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2076
CMD: "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\18.png
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows host process (Rundll32)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3076
CMD: "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l
(ieframe.dll,OpenURL is the shell open handler for Internet Shortcut .url files; %l is the long-file-name placeholder from that handler's registered command, captured here unexpanded.)
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows host process (Rundll32)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3364
CMD: "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\16.png
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows host process (Rundll32)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3688
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" "C:\Users\admin\Desktop\HOW TO RUN GAME!!.txt"
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Notepad
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 4160
CMD: "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\28.png
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows host process (Rundll32)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 4536
CMD: "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\13n.png
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows host process (Rundll32)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 4764
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\MyDockFinder.v1.10.4.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Loaded modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5496
CMD: "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\minute.png
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows host process (Rundll32)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
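Every rundll32.exe instance above has explorer.exe as its parent and loads a Windows-shipped DLL: PhotoViewer.dll,ImageView_Fullscreen opens a .png from the desktop and ieframe.dll,OpenURL is the Internet Shortcut handler, which is why the only hits are INFO-level ("Manual execution by a user", "Local mutex for internet shortcut management"). The triage script below is an added example, not ANY.RUN's logic: it parses those command lines, accepts the known viewer handlers when the parent is Explorer, and flags a DLL loaded from outside Windows or Program Files. The six report events are copied from the table; the PID 9999 event is constructed and does not appear in the report.

```python
"""Triage rundll32.exe command lines. Added example; the PID 9999 event is
constructed and hypothetical, the others are the report's own command lines."""
import re
from pathlib import PureWindowsPath

RUNDLL_RE = re.compile(
    r'rundll32\.exe"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[A-Za-z0-9_@#]+)\s*(?P<args>.*)$',
    re.IGNORECASE,
)

# DLL/export pairs Explorer launches when a user double-clicks an ordinary file type.
KNOWN_VIEWER_HANDLERS = {
    ("photoviewer.dll", "imageview_fullscreen"): "Windows Photo Viewer opening an image",
    ("ieframe.dll", "openurl"): "Internet Shortcut (.url) handler",
}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

EVENTS = [
    {"pid": 2076, "parent": "explorer.exe", "cmd": r'"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\18.png'},
    {"pid": 3076, "parent": "explorer.exe", "cmd": r'"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l'},
    {"pid": 3364, "parent": "explorer.exe", "cmd": r'"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\16.png'},
    {"pid": 4160, "parent": "explorer.exe", "cmd": r'"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\28.png'},
    {"pid": 4536, "parent": "explorer.exe", "cmd": r'"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\13n.png'},
    {"pid": 5496, "parent": "explorer.exe", "cmd": r'"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Desktop\minute.png'},
    # Constructed outlier: DLL in a user-writable folder, spawned by the archiver, not Explorer.
    {"pid": 9999, "parent": "WinRAR.exe", "cmd": r'"C:\WINDOWS\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\update.dll,Run'},
]


def triage_rundll32(event):
    """Classify one rundll32 event as expected / review / suspicious, with the reason."""
    m = RUNDLL_RE.search(event["cmd"])
    if not m:
        return {"pid": event["pid"], "dll": "", "export": "", "args": "",
                "verdict": "review", "reason": "could not parse DLL,export from command line"}
    dll_path = m.group("dll").strip().lower()
    dll_name = PureWindowsPath(dll_path).name
    export = m.group("export").lower()
    parent = event["parent"].lower()
    reasons = []
    if (dll_name, export) in KNOWN_VIEWER_HANDLERS and parent == "explorer.exe":
        verdict = "expected"
        reasons.append(KNOWN_VIEWER_HANDLERS[(dll_name, export)] + ", launched from Explorer")
    else:
        verdict = "review"
        if not dll_path.startswith(TRUSTED_DIRS):
            verdict = "suspicious"
            reasons.append("DLL outside Windows/Program Files")
        if parent != "explorer.exe":
            reasons.append(f"parent is {event['parent']}, not Explorer")
        if not reasons:
            reasons.append("unlisted DLL/export pair")
    return {
        "pid": event["pid"], "dll": dll_name, "export": export,
        "args": m.group("args").strip(),  # may be a literal '%l' placeholder as captured
        "verdict": verdict, "reason": "; ".join(reasons),
    }


def triage_all(events=EVENTS):
    return [triage_rundll32(e) for e in events]


if __name__ == "__main__":
    for r in triage_all():
        print(f'{r["pid"]:>5} {r["verdict"]:<10} {r["dll"]}!{r["export"]} {r["args"]} -> {r["reason"]}')
```

The allowlist is deliberately keyed on the DLL base name, the export and the parent together; a PhotoViewer.dll invocation from a script host or from the archiver itself drops to "review" even though the DLL is trusted.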
Total events: 4 944
Read events: 4 915
Write events: 29
Delete events: 0

Modification events

PID 4764 (WinRAR.exe), Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
  Operation: write, Name: 3, Value: C:\Users\admin\Desktop\preferences.zip
PID 4764 (WinRAR.exe), Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
  Operation: write, Name: 2, Value: C:\Users\admin\Desktop\chromium_ext.zip
PID 4764 (WinRAR.exe), Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
  Operation: write, Name: 1, Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
PID 4764 (WinRAR.exe), Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
  Operation: write, Name: 0, Value: C:\Users\admin\Desktop\MyDockFinder.v1.10.4.zip
PID 4764 (WinRAR.exe), Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
  Operation: write, Name: name, Value: 120
PID 4764 (WinRAR.exe), Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
  Operation: write, Name: size, Value: 80
PID 4764 (WinRAR.exe), Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
  Operation: write, Name: type, Value: 120
PID 4764 (WinRAR.exe), Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
  Operation: write, Name: mtime, Value: 100
PID 4764 (WinRAR.exe), Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
  Operation: write, Name: DefScanner, Value: Windows Defender
ArcHistory is WinRAR's recent-archives list, rewritten in full on each open: entry 0 is this sample, while entries 1 to 3 name archives opened earlier in this sandbox image and are environment residue, not files from this sample.
PID 4536 (rundll32.exe), Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write, Name: CachePrefix, Value:

Executable files: 258
Suspicious files: 61
Text files: 17
Unknown types: 0

Dropped files

All ten listed files were written by PID 4764 (WinRAR.exe) under C:\Users\admin\AppData\Local\Temp\Rar$VR4764.42780\MyDockFinder.v1.10.4.zip\MyDockFinder.v1.10.4\MyDockFinder.v1.10.4\dll\x64\ and are typed "executable":

msvcp140_2_app.dll
  MD5: 0306AD8C5FFD199F20EE8C34645C99C6
  SHA256: C51F0DBBBD342C0E495D531A4C4E86B0F70F09912BF6007958DB4528D2F4D40E
msvcp140_2.dll
  MD5: DDC38BB34DE28E1F42B6DEA9770D4D65
  SHA256: 89E2E9A163165E20C540F9ADEA081E927DDFE4A556547B0F45F11586D4CCE165
Microsoft.Graphics.Canvas.dll
  MD5: 4FA3917224642623174DCF7F081D9AE3
  SHA256: 532358E45807395426DD70D46DBAFA28B58CCE23A740AE8A4C8915C1BEF4D3CA
Microsoft.Graphics.Canvas.winmd
  MD5: AA105D26DE44D1BE8E483EB85DC24284
  SHA256: D01F38C5F5607DDB5300083CB049540B5D902C381FF864E910372880E46E7F56
msvcp140.dll
  MD5: CFDF6EAF5328FECBDEC268B7F9E21F3A
  SHA256: 9057D39B36B6C7D054865EE2BF9CDE7A490FE3B01EC4E82514687E24F576269F
msvcp140_atomic_wait.dll
  MD5: 333727166AF151E95B05CB54550342CD
  SHA256: FBF41E4B53F51BBF73FEE37B6120103FEA6B7D5AE29916F8EF50C50CFDEDEEAD
concrt140.dll
  MD5: 8FC1C2F2EBB7E46DF30ECD772622B0BC
  SHA256: E2E4609C569C69F7B1686F6D0E81CE62187AC5DF05E0247954500053B3C3DE3F
mfcm140.dll
  MD5: 58B613899800EB4B690984E1C78BD31F
  SHA256: 9B53E19B5F96DE66CD3992169009146AD08F2F042CC0AED4191E1F0B1068891F
mfcm140u.dll
  MD5: 76D7D08147A8F109A69C7A9871D3BED7
  SHA256: 99328025DD44FBF310280E83CB0F17AA0D0420446A08768A8910D70B6D8C94F7
msvcp140_1_app.dll
  MD5: 17DE759913138D59757CE32CC8F2DCC6
  SHA256: F7664C1CECC9C98B5D472D95CC0EA0015EE0B2F7E1D739B9447023304B61A8F9
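The dropped files are x64 DLLs WinRAR extracted into its temporary folder when the archive was viewed, and their names are Visual C++ runtime (msvcp140, concrt140, mfcm140) and Win2D (Microsoft.Graphics.Canvas) file names, which is what triggers "Process drops legitimate windows executable". The practical check is whether a local copy of the archive contains the same binaries the sandbox hashed. The script below is an added example, not ANY.RUN's tooling: REPORTED_DROPPED carries the MD5/SHA-256 pairs from the table above keyed by path relative to the extracted MyDockFinder.v1.10.4 folder, and demo() runs the same comparison over constructed files (good.dll, tampered.dll, extra.dll and absent.dll are invented names) whose expected hashes are those of the byte string "hello".

```python
"""Compare an extracted copy of the archive with the dropped-file hashes reported above.
Added example; REPORTED_DROPPED is copied from the report, demo() uses constructed files."""
import hashlib
import tempfile
from pathlib import Path

REPORTED_DROPPED = {  # archive-relative path: (MD5, SHA256), from the report
    r"dll\x64\msvcp140_2_app.dll": ("0306AD8C5FFD199F20EE8C34645C99C6", "C51F0DBBBD342C0E495D531A4C4E86B0F70F09912BF6007958DB4528D2F4D40E"),
    r"dll\x64\msvcp140_2.dll": ("DDC38BB34DE28E1F42B6DEA9770D4D65", "89E2E9A163165E20C540F9ADEA081E927DDFE4A556547B0F45F11586D4CCE165"),
    r"dll\x64\Microsoft.Graphics.Canvas.dll": ("4FA3917224642623174DCF7F081D9AE3", "532358E45807395426DD70D46DBAFA28B58CCE23A740AE8A4C8915C1BEF4D3CA"),
    r"dll\x64\Microsoft.Graphics.Canvas.winmd": ("AA105D26DE44D1BE8E483EB85DC24284", "D01F38C5F5607DDB5300083CB049540B5D902C381FF864E910372880E46E7F56"),
    r"dll\x64\msvcp140.dll": ("CFDF6EAF5328FECBDEC268B7F9E21F3A", "9057D39B36B6C7D054865EE2BF9CDE7A490FE3B01EC4E82514687E24F576269F"),
    r"dll\x64\msvcp140_atomic_wait.dll": ("333727166AF151E95B05CB54550342CD", "FBF41E4B53F51BBF73FEE37B6120103FEA6B7D5AE29916F8EF50C50CFDEDEEAD"),
    r"dll\x64\concrt140.dll": ("8FC1C2F2EBB7E46DF30ECD772622B0BC", "E2E4609C569C69F7B1686F6D0E81CE62187AC5DF05E0247954500053B3C3DE3F"),
    r"dll\x64\mfcm140.dll": ("58B613899800EB4B690984E1C78BD31F", "9B53E19B5F96DE66CD3992169009146AD08F2F042CC0AED4191E1F0B1068891F"),
    r"dll\x64\mfcm140u.dll": ("76D7D08147A8F109A69C7A9871D3BED7", "99328025DD44FBF310280E83CB0F17AA0D0420446A08768A8910D70B6D8C94F7"),
    r"dll\x64\msvcp140_1_app.dll": ("17DE759913138D59757CE32CC8F2DCC6", "F7664C1CECC9C98B5D472D95CC0EA0015EE0B2F7E1D739B9447023304B61A8F9"),
}


def hash_file(path, chunk=1 << 20):
    """Stream MD5 and SHA-256 together so large DLLs are read once and never fully buffered."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest().upper(), sha.hexdigest().upper()


def verify_extract(root, expected):
    """Walk root and bucket every file as match / mismatch / unlisted; list expected files not found."""
    root = Path(root)
    result = {"match": [], "mismatch": [], "missing": [], "unlisted": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix().replace("/", "\\")  # normalise to report-style paths
        seen.add(rel)
        if rel not in expected:
            result["unlisted"].append(rel)
            continue
        want = tuple(h.upper() for h in expected[rel])
        result["match" if hash_file(p) == want else "mismatch"].append(rel)
    result["missing"] = sorted(set(expected) - seen)
    return result


# MD5 and SHA-256 of the byte string b"hello", used by the constructed demo below.
HELLO_HASHES = ("5D41402ABC4B2A76B9719D911017C592",
                "2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824")


def demo():
    """Constructed extract: one intact file, one tampered, one unlisted, one expected but absent."""
    root = Path(tempfile.mkdtemp())
    (root / "dll" / "x64").mkdir(parents=True)
    (root / "dll" / "x64" / "good.dll").write_bytes(b"hello")
    (root / "dll" / "x64" / "tampered.dll").write_bytes(b"hello, patched")
    (root / "dll" / "x64" / "extra.dll").write_bytes(b"not in the report")
    expected = {
        r"dll\x64\good.dll": HELLO_HASHES,
        r"dll\x64\tampered.dll": HELLO_HASHES,
        r"dll\x64\absent.dll": HELLO_HASHES,
    }
    return verify_extract(root, expected)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(verify_extract(sys.argv[1], REPORTED_DROPPED))  # path to extracted MyDockFinder.v1.10.4
    else:
        print(demo())
```

A "mismatch" on a runtime DLL name is the interesting outcome: same file name as the sandbox saw, different bytes. "unlisted" only means the report's dropped-file table did not include that path, not that the file is clean.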
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 16
DNS requests: 7
Threats: 0

HTTP requests

PID   Process              Method  HTTP code  IP                   URL                                                                   CN       Reputation
5156  svchost.exe          GET     200        95.101.149.131:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl    unknown  whitelisted
4712  MoUsoCoreWorker.exe  GET     200        95.101.149.131:80    http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl    unknown  whitelisted
5156  svchost.exe          GET     200        2.19.11.120:80       http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
4712  MoUsoCoreWorker.exe  GET     200        2.19.11.120:80       http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
-     -                    POST    204        2.16.204.156:443     https://www.bing.com/threshold/xls.aspx                               unknown  whitelisted
(Type and Size were empty for every row in the report.)
None of these PIDs belongs to WinRAR.exe or to the processes it spawned: the CRL fetches are Windows certificate-revocation checks from svchost.exe and the Update Session Orchestrator worker (MoUsoCoreWorker.exe), and the Bing POST is search/telemetry traffic from the OS image, so this table records sandbox background activity rather than anything the archive initiated.

Connections

PID   Process              IP                    Domain                           ASN                          CN   Reputation
-     -                    51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE   whitelisted
4     System               192.168.100.255:137   -                                -                            -    whitelisted
4     System               192.168.100.255:138   -                                -                            -    whitelisted
5156  svchost.exe          2.19.11.120:80        crl.microsoft.com                Elisa Oyj                    NL   whitelisted
4712  MoUsoCoreWorker.exe  2.19.11.120:80        crl.microsoft.com                Elisa Oyj                    NL   whitelisted
5156  svchost.exe          95.101.149.131:80     www.microsoft.com                Akamai International B.V.    NL   whitelisted
4712  MoUsoCoreWorker.exe  95.101.149.131:80     www.microsoft.com                Akamai International B.V.    NL   whitelisted
-     -                    40.127.240.158:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE   whitelisted
5064  SearchApp.exe        2.23.227.208:443      www.bing.com                     Ooredoo Q.S.C.               QA   whitelisted
(The 192.168.100.255 entries on UDP 137/138 are NetBIOS broadcasts from the System process on the sandbox LAN.)

DNS requests

Domain -> resolved IPs (reputation)
settings-win.data.microsoft.com -> 51.104.136.2, 40.127.240.158 (whitelisted)
google.com -> 142.250.186.142 (whitelisted)
crl.microsoft.com -> 2.19.11.120, 2.19.11.105 (whitelisted)
www.microsoft.com -> 95.101.149.131 (whitelisted)
www.bing.com -> 2.23.227.208, 2.23.227.215 (whitelisted)
self.events.data.microsoft.com -> 52.182.143.210 (whitelisted)

Threats

No threats detected
No debug info