File name: FreeCell.zip

Full analysis: https://app.any.run/tasks/f698804f-b846-4e5a-9a0b-b05309dd8c1b
Verdict: Malicious activity
Analysis date: November 20, 2023, 01:08:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 5EA414074AD3D6961CA7AF07FBD9AF1A
SHA1: 7A698733C0CCCF47490CCC6E9C4041213B954B30
SHA256: F2D4F157AF7B9DEC60FF8A57F22FE1FB6599F2B4BBBCF48FD692207BF201ECC6
SSDEEP: 98304:5vI8oIhGLaMnjJ/1bLzbFxzVobgtDAONsH0NdB3qOG+JPB56vPbHW/cCiP9Ap701:hPgjv7eyK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • The DLL Hijacking

      • FreeCell.exe (PID: 3940)
      • FreeCell.exe (PID: 3792)
      • FreeCell.exe (PID: 3708)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3428)
  • INFO

    • Checks supported languages

      • FreeCell.exe (PID: 3940)
      • FreeCell.exe (PID: 3792)
      • FreeCell.exe (PID: 3708)
    • Manual execution by a user

      • rundll32.exe (PID: 3604)
      • FreeCell.exe (PID: 3940)
      • FreeCell.exe (PID: 3792)
      • FreeCell.exe (PID: 3708)
    • Reads the computer name

      • FreeCell.exe (PID: 3940)
      • FreeCell.exe (PID: 3792)
      • FreeCell.exe (PID: 3708)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:11:20 03:55:44
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: FreeCell/
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 5
Malicious processes: 4
Suspicious processes: 0

Behavior graph


Process information

PID | CMD | Path | Indicators | Parent process
3428 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FreeCell.zip" | C:\Program Files\WinRAR\WinRAR.exe | - | explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3604 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\FreeCell\en-US\FreeCell.exe.mui | C:\Windows\System32\rundll32.exe | - | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
3708 | "C:\Users\admin\Desktop\FreeCell\FreeCell.exe" | C:\Users\admin\Desktop\FreeCell\FreeCell.exe | - | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Executable for FreeCell Game
Exit code: 5
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\desktop\freecell\freecell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
3792 | "C:\Users\admin\Desktop\FreeCell\FreeCell.exe" C:\Users\admin\Desktop\FreeCell\FreeCell.exe.mui | C:\Users\admin\Desktop\FreeCell\FreeCell.exe | - | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Executable for FreeCell Game
Exit code: 5
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\desktop\freecell\freecell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
3940 | "C:\Users\admin\Desktop\FreeCell\FreeCell.exe" | C:\Users\admin\Desktop\FreeCell\FreeCell.exe | - | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Executable for FreeCell Game
Exit code: 5
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\desktop\freecell\freecell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
Total events: 1 031
Read events: 1 009
Write events: 22
Delete events: 0

Modification events

(PID) Process: (3428) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write | Name: LanguageList
Value: en-US
(PID) Process: (3428) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process: (3428) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (3428) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process: (3428) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name
Value: 120
(PID) Process: (3428) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size
Value: 80
(PID) Process: (3428) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type
Value: 120
(PID) Process: (3428) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime
Value: 100
(PID) Process: (3428) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write | Name: Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process: (3428) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write | Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files: 38
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\cs-CZ\FreeCell.exe.mui | executable
MD5:8C299601376029DA214E1312EDF61F90
SHA256:40559359CED0FBF18C514EC27F383B80889D8ADD75F3566F359B247834692BF5
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\FreeCellMCE.png | image
MD5:755C928148B13D1E2DF8C1739A872AFC
SHA256:5B3836CBDAA75AE229691DE3AE29ACF38859D761B74E62A8FE77C8FAA243717D
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\da-DK\FreeCell.exe.mui | executable
MD5:3585FAD68E9BBC7E92E1766139862F9E
SHA256:F07A8BCDA8D40B7EF10FE4509807ECACA7B5ECA1B39A9D875325864A76365518
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\el-GR\FreeCell.exe.mui | executable
MD5:D39B55CACC42774102B99ED20FE743DF
SHA256:929EF49983947A5E7265DB3769FE0348DE981FB61C51736CD9969F6AE8F8CD22
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\de-DE\FreeCell.exe.mui | executable
MD5:ABCA8B8269FB97FB019CBE63C42A9271
SHA256:A6573D7C2E809980322CF00741418E8250028D0203B3E8B4A12AF36AE90A9FD6
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\CardGames.dll | executable
MD5:40DF43CA1A8752CAA135E27DCC6645B3
SHA256:5197C87179D8C149C828B2132C8CAFFB79D8A4469FBE3964120391237A4AC68F
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\fi-FI\FreeCell.exe.mui | executable
MD5:04BBFF51DFFEDBE6E695DB2EF8DBAFA9
SHA256:59B63C3BC2B1E0AEEFB5017A27D9CBDCC96885EA640B012F199A078DC4854323
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\es-ES\FreeCell.exe.mui | executable
MD5:5F139C27385A950549122BEDBCE2CD20
SHA256:53C884B63195764726A360BE38DF6BE3B18C3E29C1A02501698A5824FB7ADAC6
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\et-EE\FreeCell.exe.mui | executable
MD5:9C499F2CF89C645411E40001C6D19376
SHA256:0123574E6B1C639B1409053CD683A34572237692C9FEFB613DB5CB139BA1034D
3428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3428.47971\FreeCell\FreeCell.exe | executable
MD5:7A4782D702C76F9EDD932CB01EC555D8
SHA256:DE0E33F6870738EF4B8A9133AF565584BFDC3C131008FE5C307909DC94524E4A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info