File name:

McQuay-Duct-Sizer-1.zip

Full analysis: https://app.any.run/tasks/b18b6312-a609-425f-9ee5-f008fde088b0
Verdict: Malicious activity
Analysis date: October 05, 2023, 13:31:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

EFD3AA0B70DB1BF976124AE317661622

SHA1:

91898D7FF90AD4DBEABE4D5FC05179245E4C32D5

SHA256:

EF5C20DF7D7F2539C049D74431BE29FA9E3C1679DFB71F9BEA0C2E9E996315AA

SSDEEP:

6144:/todgyzO63vYmLMZ7NA12fxkMdydtpFaevT9M/EEFg7c10sdTv5SteKhp8p:/taOGYEoO2RwFae41ftv5SkcWp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DuctSizer.exe (PID: 3088)
      • DuctSizer.exe (PID: 2744)

    • Creates a writable file the system directory

      • printfilterpipelinesvc.exe (PID: 1904)
      • DuctSizer.exe (PID: 2744)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3264)

    • Checks supported languages

      • DuctSizer.exe (PID: 3088)
      • DuctSizer.exe (PID: 2744)
      • ONENOTE.EXE (PID: 2444)

    • Create files in a temporary directory

      • DuctSizer.exe (PID: 3088)
      • DuctSizer.exe (PID: 2744)
      • ONENOTE.EXE (PID: 2444)

    • Reads the machine GUID from the registry

      • DuctSizer.exe (PID: 2744)
      • DuctSizer.exe (PID: 3088)
      • ONENOTE.EXE (PID: 2444)

    • Reads the computer name

      • DuctSizer.exe (PID: 2744)
      • ONENOTE.EXE (PID: 2444)

    • Reads Microsoft Office registry keys

      • ONENOTE.EXE (PID: 2444)

    • Manual execution by a user

      • DuctSizer.exe (PID: 2744)

    • Creates files or folders in the user directory

      • printfilterpipelinesvc.exe (PID: 1904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:10:28 09:28:24
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: McQuay Duct Sizer/McQuay Duct Sizer/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
5
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start winrar.exe no specs ductsizer.exe no specs ductsizer.exe no specs printfilterpipelinesvc.exe no specs onenote.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1904C:\Windows\system32\printfilterpipelinesvc.exe -EmbeddingC:\Windows\System32\printfilterpipelinesvc.exesvchost.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Print Filter Pipeline Host
Exit code:
0
Version:
6.1.7601.24537 (win7sp1_ldr_escrow.191114-1547)
Modules
Images
c:\windows\system32\printfilterpipelinesvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
2444/insertdoc "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{74C2FA6D-4D19-4C0C-8C93-9C37F56F01C1}.xps" 133409866234520000C:\Program Files\Microsoft Office\Office14\ONENOTE.EXEprintfilterpipelinesvc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneNote
Exit code:
0
Version:
14.0.6022.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft office\office14\onenote.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
2744"C:\Users\admin\Desktop\McQuay Duct Sizer\McQuay Duct Sizer\DuctSizer.exe" C:\Users\admin\Desktop\McQuay Duct Sizer\McQuay Duct Sizer\DuctSizer.exeexplorer.exe
User:
admin
Company:
NaSoft, contact Nafziger@nonline.net
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.00
Modules
Images
c:\users\admin\desktop\mcquay duct sizer\mcquay duct sizer\ductsizer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
3088"C:\Users\admin\Downloads\McQuay-Duct-Sizer-1\McQuay Duct Sizer\McQuay Duct Sizer\DuctSizer.exe" C:\Users\admin\Downloads\McQuay-Duct-Sizer-1\McQuay Duct Sizer\McQuay Duct Sizer\DuctSizer.exeWinRAR.exe
User:
admin
Company:
NaSoft, contact Nafziger@nonline.net
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.00
Modules
Images
c:\users\admin\downloads\mcquay-duct-sizer-1\mcquay duct sizer\mcquay duct sizer\ductsizer.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
3264"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\McQuay-Duct-Sizer-1.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
Total events
2 071
Read events
2 012
Write events
59
Delete events
0

Modification events

(PID) Process:(3264) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3264) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3264) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3264) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3264) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3264) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3264) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3264) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3264) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3264) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
Operation:writeName:size
Value:
80
Executable files
4
Suspicious files
7
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
1904printfilterpipelinesvc.exeC:\Windows\system32\spool\PRINTERS\PPblniny2ona109n0r46yhbv_bc.TMP
MD5:
SHA256:
1904printfilterpipelinesvc.exeC:\Windows\system32\spool\PRINTERS\PPdybu0mp6nbompnfe2dybp8hab.TMP
MD5:
SHA256:
1904printfilterpipelinesvc.exeC:\Windows\system32\spool\PRINTERS\PP68i_0x_934curd0s2oi70e_jd.TMP
MD5:
SHA256:
2444ONENOTE.EXEC:\Users\admin\AppData\Local\Temp\CVR9B5B.tmp.cvr
MD5:
SHA256:
2744DuctSizer.exeC:\Windows\system32\spool\PRINTERS\00002.SPLbinary
MD5:A7B9721BE86C696CD6E4F35EEAE9E98E
SHA256:7ECE2A35229B6F241B78E1FD24FC8F1DAF5505E7936D5D262D8E5AEE5D7F4D7C
1904printfilterpipelinesvc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{74C2FA6D-4D19-4C0C-8C93-9C37F56F01C1}.xpsbinary
MD5:A7B9721BE86C696CD6E4F35EEAE9E98E
SHA256:7ECE2A35229B6F241B78E1FD24FC8F1DAF5505E7936D5D262D8E5AEE5D7F4D7C
3264WinRAR.exeC:\Users\admin\Downloads\McQuay-Duct-Sizer-1\McQuay Duct Sizer\McQuay Duct Sizer\MCQUAY.DLLimage
MD5:12181C9D00D05E0F663128ED584EFB8A
SHA256:B1156A248E3747829903941F77E000D521D11D4B38AC1899069B3F0247E2FEE1
3088DuctSizer.exeC:\Users\admin\AppData\Local\Temp\~DFE4150985CAB2A2E2.TMPbinary
MD5:E23DB4D89A55F4B8A72CF4946CE9DA9B
SHA256:98741F95AD86ADF0065AFAD79AE4715926CBDE929DB0713AB215477216A4FAB7
3264WinRAR.exeC:\Users\admin\Downloads\McQuay-Duct-Sizer-1\McQuay Duct Sizer\McQuay Duct Sizer\DT_DUCT.DLLbinary
MD5:CB33E875A22231DF940F8004EDD92D24
SHA256:279A7572825673311AF37D7B225DF3037EF6F34AB6F17B335E2D94FEF92BE701
3264WinRAR.exeC:\Users\admin\Downloads\McQuay-Duct-Sizer-1\McQuay Duct Sizer\McQuay Duct Sizer\www.hvacsimplified.in.txttext
MD5:6B7DE6DD93D117867930DCFC74048C3A
SHA256:050FFF513746EA39CE28519B0C5A2F7F5A5F702A9848DF28DC180E0652D26A35
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2656
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
McQuay-Duct-Sizer-1.zip