File name:

processhacker-2.38-bin.zip

Full analysis: https://app.any.run/tasks/077ccdb2-1e87-41db-88df-53f3a85c50df
Verdict: Malicious activity
Analysis date: January 07, 2021, 01:57:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

8DD71039BB7FB960DDF187F11F089601

SHA1:

F9AE9036E657393599D3282DDDDA4CCBB33AE11B

SHA256:

FFF36E5C17D0F6D1AB54A776FC7193AD908619FCC2EB221391A64E4EF43B93FE

SSDEEP:

98304:ReQHM/E8ZmmKNHtvp2sDhkVt9CN4NIk++OqazMeobBU5:dMrgNF3hESzk++9az

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • ProcessHacker.exe (PID: 1140)
    • Application was dropped or rewritten from another process

      • ProcessHacker.exe (PID: 1140)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3880)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3880)
  • INFO

    • Reads settings of System Certificates

      • ProcessHacker.exe (PID: 1140)
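The two MALICIOUS indicators above are generic: they fire whenever a process executes, or loads, an image that a different process wrote to disk shortly before, which is exactly what WinRAR extracting the archive and launching ProcessHacker.exe does. The following is an added example of that correlation (it is not ANY.RUN's signature engine and not Process Hacker code) run over a constructed event stream that mirrors this report's process tree. PIDs and paths are the report's; the event schema is an assumption loosely following Sysmon EID 1 (process create), EID 7 (image load) and EID 11 (file create) fields; the third indicator, executing from a WinRAR Rar$EX scratch directory, is mine and does not appear in the report.

```python
import re
from collections import defaultdict

# Paths and PIDs are the report's; the event schema is an assumption (loosely
# Sysmon EID 1 process_create, EID 7 image_load, EID 11 file_create).
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
TEMP = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108"

# Constructed event stream mirroring the report: WinRAR extracts the archive,
# then launches the x86 build; the x64 files are dropped but never executed
# (the sandbox is 32-bit Windows 7).
EVENTS = [
    {"type": "process_create", "pid": 3880, "image": WINRAR, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "pid": 3880, "target": TEMP + r"\CHANGELOG.txt"},
    {"type": "file_create", "pid": 3880, "target": TEMP + r"\x64\kprocesshacker.sys"},
    {"type": "file_create", "pid": 3880, "target": TEMP + r"\x64\ProcessHacker.exe"},
    {"type": "file_create", "pid": 3880, "target": TEMP + r"\x86\ProcessHacker.exe"},
    {"type": "process_create", "pid": 1140, "image": TEMP + r"\x86\ProcessHacker.exe", "parent_image": WINRAR},
    {"type": "image_load", "pid": 1140, "image": TEMP + r"\x86\ProcessHacker.exe"},
    {"type": "image_load", "pid": 1140, "image": r"C:\Windows\System32\ntdll.dll"},
]

EXECUTABLE_RE = re.compile(r"\.(exe|dll|sys)$", re.IGNORECASE)
# WinRAR's per-extraction scratch directory, as seen in the report's paths.
WINRAR_TEMP_RE = re.compile(r"\\Rar\$EX[a-z]\d+\.\d+\\", re.IGNORECASE)

DROPPED_EXEC = "Executable content was dropped or overwritten"             # report, SUSPICIOUS
DROPPED_APP = "Application was dropped or rewritten from another process"  # report, MALICIOUS
LOADS_DROPPED = "Loads dropped or rewritten executable"                    # report, MALICIOUS
WINRAR_SCRATCH = "Executed from a WinRAR Rar$EX scratch directory"         # added here, not in the report


def evaluate(events):
    """Replay events in order; return {pid: set of indicator names}, attributed
    to the process that triggered each indicator, as the report does."""
    written = {}                      # lowercased path -> pid that wrote it
    hits = defaultdict(set)
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            path = ev["target"].lower()
            written[path] = ev["pid"]
            if EXECUTABLE_RE.search(path):
                hits[ev["pid"]].add(DROPPED_EXEC)
        elif kind == "process_create":
            image = ev["image"].lower()
            # Writer and executor differ: WinRAR wrote the file, the new process runs it.
            if image in written and written[image] != ev["pid"]:
                hits[ev["pid"]].add(DROPPED_APP)
            if WINRAR_TEMP_RE.search(image):
                hits[ev["pid"]].add(WINRAR_SCRATCH)
        elif kind == "image_load":
            image = ev["image"].lower()
            if image in written:
                hits[ev["pid"]].add(LOADS_DROPPED)
    return dict(hits)


def verdict(hits):
    """Same severity mapping as the report: any MALICIOUS indicator decides the verdict."""
    malicious = {DROPPED_APP, LOADS_DROPPED}
    if any(names & malicious for names in hits.values()):
        return "Malicious activity"
    return "No malicious indicators"


if __name__ == "__main__":
    result = evaluate(EVENTS)
    for pid, names in sorted(result.items()):
        for name in sorted(names):
            print(f"PID {pid}: {name}")
    print("Verdict:", verdict(result))
```

Replaying the stream reproduces the report's attribution: the SUSPICIOUS indicator lands on WinRAR.exe (PID 3880) and both MALICIOUS indicators on ProcessHacker.exe (PID 1140). Dropping the same files without running any of them leaves only the SUSPICIOUS indicator, which is why the x64 build and kprocesshacker.sys contribute nothing to the verdict here. Because every extract-and-run of an archive produces this pattern, it says nothing about whether the extracted binary is the wj32 release or a replaced one; that question is answered by the hashes, not by these signatures.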
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2016:02:26 12:55:19
ZipCRC: 0x14e22da9
ZipCompressedSize: 7134
ZipUncompressedSize: 25227
ZipFileName: CHANGELOG.txt (ExifTool reads only the first local entry, so the fields above describe CHANGELOG.txt, not the whole archive)
No data.
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

WinRAR.exe (PID 3880) --drop and start--> ProcessHacker.exe (PID 1140)

Process information

PID: 1140
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x86\ProcessHacker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x86\ProcessHacker.exe
Indicators: Loads dropped or rewritten executable; Application was dropped or rewritten from another process; Reads settings of System Certificates
Parent process: WinRAR.exe
User:
admin
Company:
wj32
Integrity Level:
MEDIUM
Description:
Process Hacker
Exit code:
0
Version:
2.38.0.343
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3880.108\x86\processhacker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3880
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\processhacker-2.38-bin.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: Executable content was dropped or overwritten; Drops a file that was compiled in debug mode
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
908
Read events
885
Write events
23
Delete events
0

Modification events

PID 3880, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

PID 3880, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

PID 3880, WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

PID 3880, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\processhacker-2.38-bin.zip

PID 3880, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

PID 3880, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

PID 3880, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

PID 3880, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

PID 3880, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

PID 3880, WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files
30
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

All entries below were written by WinRAR.exe (PID 3880) during extraction; the table lists 10 of the 34 dropped files (30 executable, 4 text).

C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x64\plugins\ExtendedNotifications.dll (executable)
MD5: 4743EB2C478096E257674F45D7FBDCDB
SHA256: 1BDA47190276D04DF5BFD1CE6AA8D1F1C37E0CC93772E0ACE0400D2F3AABBCD2

C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x64\plugins\ExtendedTools.dll (executable)
MD5: 9DD086AC1A99ADD8E2E2E879BDD318CD
SHA256: 0214CB8F2AFC2A2321ACA631BE85F18CFC3B29884D3E4599E4C38474373FAC28

C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x64\plugins\HardwareDevices.dll (executable)
MD5: CC2F65A5FE5D71A4CFA14F9E8950428B
SHA256: 97D62F37D3E69EAF2227E63794112BB8B33458B7418852FF24069EE38B3EC7ED

C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\CHANGELOG.txt (text)
MD5: 9B81C67D5FB83EFAEE48D233E3231F73
SHA256: 6778C0AD507F1A6F7D31D09431534DAA84F95C21EDABF1CBAFB7AD4CFC3530A3

C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x64\peview.exe (executable)
MD5: 92A9E70B57AAA4F9E6637B47364691A8
SHA256: 7FDE6A7DBD3CB16B59CBFAC84FD4E061315F3983EE15592DAED2D7479A1824D5

C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x64\kprocesshacker.sys (executable)
MD5: BBBC9A6CC488CFB0F6C6934B193891EB
SHA256: C725919E6357126D512C638F993CF572112F323DA359645E4088F789EB4C7B8C

C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x64\plugins\SbieSupport.dll (executable)
MD5: 801C143256826532E93495F766B92F72
SHA256: 04751F35839D74CC661EF192E89F7AED2C4D27B011C2425DA8DFF30A023D562D

C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x64\plugins\NetworkTools.dll (executable)
MD5: 30FE94DFFCDABB0EF660520DCA934E17
SHA256: 3C68ABC00E359B530BCA5831A879DA54DA4F70372E15737120234470E4EBF56E

C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x64\plugins\UserNotes.dll (executable)
MD5: 40A12F4C43ACA65AF42B5366A45B0D88
SHA256: 67A21DFEB9B93E18368298FA2EDE59E8EB6CC32900052401E16A4E5A53B12EE6

C:\Users\admin\AppData\Local\Temp\Rar$EXa3880.108\x64\plugins\WindowExplorer.dll (executable)
MD5: 0B8451A10BABA8D643EAFFEF792B15B3
SHA256: C81EDCF76EF299FB7A185616B5E36132F377AA4090F151361E68402547697E28
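The hash list at the top of the report, the EXIF fields and the dropped-file hashes above can all be re-derived offline from the archive itself, which is the check to run before trusting any copy of processhacker-2.38-bin.zip against this analysis. The script below is an added example (not ANY.RUN's tooling and not Process Hacker code): it walks the zip's central directory, reports the same per-member fields ExifTool shows for the first entry (required version, compression, DOS modify date, CRC, sizes) for every member, hashes each member and compares the result with the SHA256 values copied from the dropped-files table. The archive built by build_sample_zip() is a constructed two-member stand-in so the script runs without the real file; pass the real zip as the first argument to check it.

```python
import hashlib
import io
import sys
import zipfile

# Copied from the report: SHA256 of processhacker-2.38-bin.zip.
REPORT_ARCHIVE_SHA256 = "fff36e5c17d0f6d1ab54a776fc7193ad908619fcc2eb221391a64e4ef43b93fe"

# Copied from the report's "Dropped files" table, re-keyed by archive path
# (sandbox path with the Rar$EXa3880.108 extraction directory stripped, '/' separators).
REPORT_MEMBERS = {
    "CHANGELOG.txt": "6778c0ad507f1a6f7d31d09431534daa84f95c21edabf1cbafb7ad4cfc3530a3",
    "x64/kprocesshacker.sys": "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c",
    "x64/peview.exe": "7fde6a7dbd3cb16b59cbfac84fd4e061315f3983ee15592daed2d7479a1824d5",
    "x64/plugins/ExtendedNotifications.dll": "1bda47190276d04df5bfd1ce6aa8d1f1c37e0cc93772e0ace0400d2f3aabbcd2",
    "x64/plugins/ExtendedTools.dll": "0214cb8f2afc2a2321aca631be85f18cfc3b29884d3e4599e4c38474373fac28",
    "x64/plugins/HardwareDevices.dll": "97d62f37d3e69eaf2227e63794112bb8b33458b7418852ff24069ee38b3ec7ed",
    "x64/plugins/NetworkTools.dll": "3c68abc00e359b530bca5831a879da54da4f70372e15737120234470e4ebf56e",
    "x64/plugins/SbieSupport.dll": "04751f35839d74cc661ef192e89f7aed2c4d27b011c2425da8dff30a023d562d",
    "x64/plugins/UserNotes.dll": "67a21dfeb9b93e18368298fa2ede59e8eb6cc32900052401e16a4e5a53b12ee6",
    "x64/plugins/WindowExplorer.dll": "c81edcf76ef299fb7a185616b5e36132f377aa4090f151361e68402547697e28",
}

EXECUTABLE_EXT = (".exe", ".dll", ".sys")
TEXT_EXT = (".txt",)

# Constructed stand-in members (not the real files) so the script runs offline.
SAMPLE_CHANGELOG = b"constructed sample changelog line, not the real CHANGELOG.txt\n" * 20
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + b"constructed stub, not a real PE image\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_zip() -> bytes:
    """Two-member stand-in for processhacker-2.38-bin.zip, deflated like the original."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in (("CHANGELOG.txt", SAMPLE_CHANGELOG),
                              ("x86/ProcessHacker.exe", SAMPLE_EXE)):
            # DOS timestamps have 2-second resolution, hence the even seconds.
            info = zipfile.ZipInfo(name, date_time=(2016, 2, 26, 12, 55, 18))
            zf.writestr(info, payload, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def inspect_archive(data: bytes) -> dict:
    """Walk the central directory: the EXIF-style fields per member plus a content hash."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            y, mo, d, h, mi, s = info.date_time
            members.append({
                "name": info.filename,
                "required_version": info.extract_version,                  # ZipRequiredVersion
                "compression": ("Deflated" if info.compress_type == zipfile.ZIP_DEFLATED
                                else f"method {info.compress_type}"),       # ZipCompression
                "modify_date": f"{y:04d}:{mo:02d}:{d:02d} {h:02d}:{mi:02d}:{s:02d}",  # ZipModifyDate
                "crc": f"0x{info.CRC:08x}",                                 # ZipCRC
                "compressed_size": info.compress_size,                      # ZipCompressedSize
                "uncompressed_size": info.file_size,                        # ZipUncompressedSize
                "sha256": sha256_hex(zf.read(info)),
            })
    names = [m["name"].lower() for m in members]
    return {
        "archive_sha256": sha256_hex(data),
        "members": members,
        "executable_count": sum(n.endswith(EXECUTABLE_EXT) for n in names),
        "text_count": sum(n.endswith(TEXT_EXT) for n in names),
    }


def compare_with_report(inspected: dict, expected: dict) -> dict:
    """Match member hashes against the report. 'mismatched' (same path, different
    content) is the case that matters when deciding whether a copy is the one analysed."""
    found = {m["name"]: m["sha256"] for m in inspected["members"]}
    result = {"matched": [], "mismatched": [], "missing": [], "unlisted": []}
    for name, digest in expected.items():
        if name not in found:
            result["missing"].append(name)
        elif found[name] == digest:
            result["matched"].append(name)
        else:
            result["mismatched"].append(name)
    result["unlisted"] = sorted(set(found) - set(expected))
    return result


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    report = inspect_archive(data)
    print("archive SHA256 matches report:", report["archive_sha256"] == REPORT_ARCHIVE_SHA256)
    print("executables:", report["executable_count"], "text:", report["text_count"])
    for m in report["members"]:
        print(m["name"], m["modify_date"], m["crc"], m["compressed_size"], m["uncompressed_size"])
    print(compare_with_report(report, REPORT_MEMBERS))
```

On the constructed stand-in every comparison fails, as it should: CHANGELOG.txt is present with a different hash ("mismatched"), the nine x64 files are "missing", and the x86 binary is "unlisted" because the report's table does not show it. On the real archive a copy that is the one analysed gives 10 matches and 24 unlisted members (the table covers only part of the 34 dropped files); any entry under "mismatched" means the member differs from what the sandbox ran, regardless of what the archive-level hash says about the download as a whole.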
Download the PCAP, analyze network streams, HTTP content and more in the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests

Connections

PID: 1140
Process: ProcessHacker.exe
IP: 162.243.25.33:443
Domain: wj32.org
ASN: Digital Ocean, Inc.
CN: US
Reputation: suspicious (the DNS table below rates the same host as whitelisted)

DNS requests

wj32.org resolved to 162.243.25.33 (reputation: whitelisted)

Threats

No threats detected
No debug info