File name: FreeCell.zip
Full analysis: https://app.any.run/tasks/f698804f-b846-4e5a-9a0b-b05309dd8c1b
Verdict: Malicious activity
Analysis date: November 20, 2023, 01:08:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 5EA414074AD3D6961CA7AF07FBD9AF1A
SHA1: 7A698733C0CCCF47490CCC6E9C4041213B954B30
SHA256: F2D4F157AF7B9DEC60FF8A57F22FE1FB6599F2B4BBBCF48FD692207BF201ECC6
SSDEEP: 98304:5vI8oIhGLaMnjJ/1bLzbFxzVobgtDAONsH0NdB3qOG+JPB56vPbHW/cCiP9Ap701:hPgjv7eyK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • The DLL Hijacking

      • FreeCell.exe (PID: 3708)
      • FreeCell.exe (PID: 3940)
      • FreeCell.exe (PID: 3792)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3428)
  • INFO

    • Checks supported languages

      • FreeCell.exe (PID: 3940)
      • FreeCell.exe (PID: 3792)
      • FreeCell.exe (PID: 3708)
    • Reads the computer name

      • FreeCell.exe (PID: 3940)
      • FreeCell.exe (PID: 3792)
      • FreeCell.exe (PID: 3708)
    • Manual execution by a user

      • FreeCell.exe (PID: 3940)
      • rundll32.exe (PID: 3604)
      • FreeCell.exe (PID: 3708)
      • FreeCell.exe (PID: 3792)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:11:20 03:55:44
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: FreeCell/
All screenshots are available in the full report
Total processes: 41
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph: winrar.exe, rundll32.exe, freecell.exe, freecell.exe, freecell.exe

Process information

PID: 3428
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FreeCell.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3604
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\FreeCell\en-US\FreeCell.exe.mui
Path: C:\Windows\System32\rundll32.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 3708
CMD: "C:\Users\admin\Desktop\FreeCell\FreeCell.exe"
Path: C:\Users\admin\Desktop\FreeCell\FreeCell.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Executable for FreeCell Game
Exit code: 5
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\users\admin\desktop\freecell\freecell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
PID: 3792
CMD: "C:\Users\admin\Desktop\FreeCell\FreeCell.exe" C:\Users\admin\Desktop\FreeCell\FreeCell.exe.mui
Path: C:\Users\admin\Desktop\FreeCell\FreeCell.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Executable for FreeCell Game
Exit code: 5
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\users\admin\desktop\freecell\freecell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
PID: 3940
CMD: "C:\Users\admin\Desktop\FreeCell\FreeCell.exe"
Path: C:\Users\admin\Desktop\FreeCell\FreeCell.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Executable for FreeCell Game
Exit code: 5
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\users\admin\desktop\freecell\freecell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
Total events: 1 031
Read events: 1 009
Write events: 22
Delete events: 0

Modification events

Process: (3428) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

Process: (3428) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files: 38
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 3428 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\bg-BG\FreeCell.exe.mui
MD5: 861DAB614335DE037A8EE0705E369A86
SHA256: F7A9B7B99C2537917D6415EA8FB13146F395E81D151AAFAF32C14212DFC48789

PID: 3428 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\de-DE\FreeCell.exe.mui
MD5: ABCA8B8269FB97FB019CBE63C42A9271
SHA256: A6573D7C2E809980322CF00741418E8250028D0203B3E8B4A12AF36AE90A9FD6

PID: 3428 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\he-IL\FreeCell.exe.mui
MD5: D20577C41C5AD68AD3DFC3150A7F1B0E
SHA256: 79435EEF6FCB03EBCB13F645EB3B4FCE50A03216A2D104DFA1C188BF5482D1F5

PID: 3428 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\CardGames.dll
MD5: 40DF43CA1A8752CAA135E27DCC6645B3
SHA256: 5197C87179D8C149C828B2132C8CAFFB79D8A4469FBE3964120391237A4AC68F

PID: 3428 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\hr-HR\FreeCell.exe.mui
MD5: 598A8D99FEC37702B5065C86F26F77D5
SHA256: 322AA641200E38E7A897A2174F9FA7085987EF887E556FC007DD8EB79009E69F

PID: 3428 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\FreeCell.exe
MD5: 7A4782D702C76F9EDD932CB01EC555D8
SHA256: DE0E33F6870738EF4B8A9133AF565584BFDC3C131008FE5C307909DC94524E4A

PID: 3428 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\da-DK\FreeCell.exe.mui
MD5: 3585FAD68E9BBC7E92E1766139862F9E
SHA256: F07A8BCDA8D40B7EF10FE4509807ECACA7B5ECA1B39A9D875325864A76365518

PID: 3428 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\hu-HU\FreeCell.exe.mui
MD5: D5BD51DFA087EBF5974D53DE3DAD7D3F
SHA256: C4984D8D2116704D9FAAC6A19E64561CA65A00F50FA6CA409C2C6F7F133B3022

PID: 3428 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\cs-CZ\FreeCell.exe.mui
MD5: 8C299601376029DA214E1312EDF61F90
SHA256: 40559359CED0FBF18C514EC27F383B80889D8ADD75F3566F359B247834692BF5

PID: 3428 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\el-GR\FreeCell.exe.mui
MD5: D39B55CACC42774102B99ED20FE743DF
SHA256: 929EF49983947A5E7265DB3769FE0348DE981FB61C51736CD9969F6AE8F8CD22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP:port               Reputation
4     System       192.168.100.255:137   whitelisted
2588  svchost.exe  239.255.255.250:1900  whitelisted
4     System       192.168.100.255:138   whitelisted
1080  svchost.exe  224.0.0.252:5355      unknown

(The Domain, ASN and CN columns were empty for all four connections.)

DNS requests

No data

Threats

No threats detected
No debug info