File name:

pay express.rar

Full analysis: https://app.any.run/tasks/4613e37d-6354-4bb8-bb41-ae2b57c792a2
Verdict: Malicious activity
Analysis date: December 12, 2023, 08:51:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

0FDC7FA7E78178CB5DE0422D89AB8158

SHA1:

9101EFBF2EBDC4D6F6BFCC3D8124CE96FD6A01F8

SHA256:

EFF51F22FE7D96D1869115D671E0E487D52DFF83D26C78702F6ED960355F43EC

SSDEEP:

98304:RjjAl8j3ajG6XOOUVIbE9S2i+v5/1Pd+Lt+YnFXVnhRXJeIRVbYFg9yFsaR8Ee4e:wy2aTls8S7QZbShTt32jRGsR2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)

    • Create files in the Startup directory

      • setup.exe (PID: 3680)

    • Creates a writable file in the system directory

      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 1344)
      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)

    • The process drops C-runtime libraries

      • setup.exe (PID: 3680)

    • Searches for installed software

      • Setup1.exe (PID: 1276)

  • INFO

    • Manual execution by a user

      • setup.exe (PID: 3892)
      • WinRAR.exe (PID: 1344)
      • setup.exe (PID: 3680)
      • WinRAR.exe (PID: 3564)
      • payeXpress.exe (PID: 3600)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1344)

    • Checks supported languages

      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)
      • payeXpress.exe (PID: 3600)

    • Create files in a temporary directory

      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)
      • payeXpress.exe (PID: 3600)

    • Reads the computer name

      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)

    • Creates files or folders in the user directory

      • setup.exe (PID: 3680)
      • Setup1.exe (PID: 1276)

    • Reads the machine GUID from the registry

      • Setup1.exe (PID: 1276)
      • payeXpress.exe (PID: 3600)

    • Reads mouse settings

      • Setup1.exe (PID: 1276)
      • payeXpress.exe (PID: 3600)

    • Creates files in the program directory

      • Setup1.exe (PID: 1276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 2849555
UncompressedSize: 3325952
OperatingSystem: Win32
ModifyDate: 2009:10:12 11:31:38
PackingMethod: Normal
ArchivedFileName: pay express\ADC launching presentation - 11102009.ppt
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe no specs setup.exe no specs setup.exe setup1.exe no specs winrar.exe no specs payexpress.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1276Setup1.exe "C:\Users\admin\Desktop\pay express\" "C:\WINDOWS\ST6UNST.000" "C:\WINDOWS\st6unst.exe"C:\Windows\Setup1.exesetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual Basic 6.0 Setup Toolkit
Exit code:
0
Version:
6.00.8171
Modules
Images
c:\windows\setup1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1344"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\pay express.rar" C:\Users\admin\Desktop\C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1556"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\pay express.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3564"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\pay express\payeXpress.CAB"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3600"C:\Users\admin\Desktop\pay express\Support\payeXpress.exe" C:\Users\admin\Desktop\pay express\Support\payeXpress.exeexplorer.exe
User:
admin
Company:
NSGB
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\pay express\support\payexpress.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\pay express\support\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3680"C:\Users\admin\Desktop\pay express\setup.exe" C:\Users\admin\Desktop\pay express\setup.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Setup Bootstrap for Visual Basic Setup Toolkit
Exit code:
0
Version:
6.00.8169
Modules
Images
c:\users\admin\desktop\pay express\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
3892"C:\Users\admin\Desktop\pay express\setup.exe" C:\Users\admin\Desktop\pay express\setup.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Setup Bootstrap for Visual Basic Setup Toolkit
Exit code:
3221226540
Version:
6.00.8169
Modules
Images
c:\users\admin\desktop\pay express\setup.exe
c:\windows\system32\ntdll.dll
Total events
3 275
Read events
3 226
Write events
34
Delete events
15

Modification events

(PID) Process:(1556) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(1556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(1556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(1556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1344) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
Executable files
81
Suspicious files
16
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
1344WinRAR.exeC:\Users\admin\Desktop\pay express\ADC launching presentation - 11102009.pptdocument
MD5:B972D9B12282339BA067090BA4C0D32C
SHA256:282FFED1D7FA319122221C048DD12D18B33142AD6CDF77DA0DD4D2A5993060D2
1344WinRAR.exeC:\Users\admin\Desktop\pay express\Support\asycfilt.dllexecutable
MD5:F4FB024A16ACBA4AAA40C8A8855AEDE5
SHA256:6C666D3847E1BF6903BC3ACD2DE4302ED551A8B34FE71EF7FCC3F250C9468057
1344WinRAR.exeC:\Users\admin\Desktop\pay express\KIT KAT\AGTD.NSGtext
MD5:AFA181E170A8D9D4E610027E33D71FF1
SHA256:7C0AD9B85791AE56E6A5E8C5C32983D0427D84298B1B597134946E0CF16AC112
1344WinRAR.exeC:\Users\admin\Desktop\pay express\NSGB - Payroll Project - Test Kick Off presentation - V9.pptdocument
MD5:CE9F1A3C3DAEF57D5565943FD29D409C
SHA256:E89665983605F46778A979C126A7A0B6D981C003E14444FD7280C6685D7B8BE2
1344WinRAR.exeC:\Users\admin\Desktop\pay express\PayeXpress User Guide v7.pptdocument
MD5:787A9C657BDF62D6C61C91942ABFFF3B
SHA256:138997675065DD4B3F68111DB71DFCDD9F09A2A1F465ACA59321917E85DDF419
1344WinRAR.exeC:\Users\admin\Desktop\pay express\SETUP.LSTini
MD5:BBD714ACB8489E11C476C3F77D68D04C
SHA256:D38CB0FB223BE1BEFDBFB29E2CC9EAEC3935A3AC42AA02193F7CC1A5FB85301E
1344WinRAR.exeC:\Users\admin\Desktop\pay express\payeXpress.CABcompressed
MD5:C4939A75F45C8F09DDD6C711C5D4CCE7
SHA256:EBAD21E4C2467AE2FFE77B27AC6BF9A8E9F0D855EEE8FADB7A5D6340F716382D
1344WinRAR.exeC:\Users\admin\Desktop\pay express\Support\DAO350.DLLexecutable
MD5:8888BDBD4E118D915D40A11748282BCA
SHA256:A4B20735BE317A924D2E36707BAAF911FBAE890CA53C5044FB506F15D33BCB6D
1344WinRAR.exeC:\Users\admin\Desktop\pay express\setup.exeexecutable
MD5:35561A7ACB299A7278E8706FD6E01AA0
SHA256:978123C86B1CBC981770FBD8BDFC58EF4030F8D9B3ADF06B71B928CC0394C073
1344WinRAR.exeC:\Users\admin\Desktop\pay express\NSGB - Payroll Commercial Center.pptdocument
MD5:E2D216632D26B83F84C3CA5E80D1D85E
SHA256:313BD2F3180531D726F35422EB3290B292CA6882161181AF7F887E60BBAB0BD8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
2588
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
setup.exe
Close
setup.exe
Ending BRC
setup.exe
Close
setup.exe
Ending BRC
setup.exe
Close
setup.exe
Ending BRC
setup.exe
Close
setup.exe
Ending BRC
setup.exe
About to check for ProcAddress Call
setup.exe
Close
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
pay express.rar