File name:	0046f06d419e3a965c3e115a64ec32c78e35004e344798d3f23d8f5248309284.zip
Full analysis:	https://app.any.run/tasks/b721f80a-64f6-4429-ba95-923128b2b9d4
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	March 25, 2025, 02:23:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec socelars stealer evasion
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	282A74BBEB5432FE3E22870D23F2F7E6
SHA1:	0D6EDACCB4A6891E8E31745EC8306FFE7D0AAC7C
SHA256:	0046F06D419E3A965C3E115A64EC32C78E35004E344798D3F23D8F5248309284
SSDEEP:	24576:WUO7EFA4ifaQmT3/VNS/s1N52N1+r4Tqg5kYhZxNFCNnhCDU/2yFHl+Hmv6CCFa8:WUO7EFA4ifaQmT3dNS/s1N5qAr4Tqg5v

ZipRequiredVersion:	51
ZipBitFlag:	0x0003
ZipCompression:	Unknown (99)
ZipModifyDate:	2021:11:24 08:30:00
ZipCRC:	0xefdd9505
ZipCompressedSize:	739669
ZipUncompressedSize:	1452544
ZipFileName:	4dadde2cc75cc00a99017299ecfe878299c6c6742ce3abbb198cb440b6b3ce4f.exe


(PID) Process:	(2384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(2384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(2384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(2384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\0046f06d419e3a965c3e115a64ec32c78e35004e344798d3f23d8f5248309284.zip
(PID) Process:	(2384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2384) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3272) dllhost.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(4920) WerFault.exe	Key:	\REGISTRY\A\{c3204979-a12e-089a-7b6d-1d9c3846789c}\Root\InventoryApplicationFile
Operation:	write	Name:	WritePermissionsCheck
Value: 1

PID	Process	Filename		Type
4920	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_4dadde2cc75cc00a_81d56ca9dd83760f6bcf0e947d4b996636e356_92609870_96e7d7ee-05e9-488e-a393-5802dc563763\Report.wer		—
		MD5:—	SHA256:—
4920	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF05.tmp.dmp		binary
		MD5:9B8EA85163C0904F625A4B7FB19AA69E	SHA256:243AB3A828AAEC130B860B3ECC52E21628F23E2A1780F39A1C1DD67B80B72A3C
4920	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0BC.tmp.WERInternalMetadata.xml		binary
		MD5:01819BDAC211012BA2935890D920BDAD	SHA256:3662F308FE8CE14DAB9CFF960B309646B81956C30FC35851047ECB2DD666F9C6
4920	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\4dadde2cc75cc00a99017299ecfe878299c6c6742ce3abbb198cb440b6b3ce4f.exe.4696.dmp		binary
		MD5:27D9C735B7B3F30442A2EA9F4F94A45B	SHA256:DF6AD3535638CDCFDF130C4D5B0A20DA1D476C33B09B538FE69DAD5C61BF0FDE
4920	WerFault.exe	C:\Windows\appcompat\Programs\Amcache.hve		binary
		MD5:44B114884D7C76BD1DDAF8477F4A15D4	SHA256:30E2D54FE49B0FB232B78F8576A7F327BE312FE416F56685C2DE0025D3676364
4920	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0FB.tmp.xml		xml
		MD5:607E6CFAAFBC49B71CAD7CC1ABAEC566	SHA256:2FAE5E608AD159A0D940473F2B46F7F6EB3AF4546BDFA8BE2351ECA0BBC16254

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4696	4dadde2cc75cc00a99017299ecfe878299c6c6742ce3abbb198cb440b6b3ce4f.exe	172.67.74.161:443	iplogger.org	CLOUDFLARENET	US	whitelisted
2152	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2268	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	216.58.206.78	whitelisted
www.cncode.pw	—	unknown
iplogger.org	172.67.74.161 104.26.2.46 104.26.3.46	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.pw domain - Likely Hostile
4696	4dadde2cc75cc00a99017299ecfe878299c6c6742ce3abbb198cb440b6b3ce4f.exe	Potential Corporate Privacy Violation	ET INFO IP Check Domain (iplogger .org in TLS SNI)
2196	svchost.exe	Potential Corporate Privacy Violation	ET INFO IP Check Domain (iplogger .org in DNS Lookup)
2196	svchost.exe	Potentially Bad Traffic	ET ADWARE_PUP Socelars Related Domain in DNS Lookup

General Info

0046f06d419e3a965c3e115a64ec32c78e35004e344798d3f23d8f5248309284.zip

282A74BBEB5432FE3E22870D23F2F7E6

0D6EDACCB4A6891E8E31745EC8306FFE7D0AAC7C

0046F06D419E3A965C3E115A64EC32C78E35004E344798D3F23D8F5248309284

24576:WUO7EFA4ifaQmT3/VNS/s1N52N1+r4Tqg5kYhZxNFCNnhCDU/2yFHl+Hmv6CCFa8:WUO7EFA4ifaQmT3dNS/s1N5qAr4Tqg5v

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Known privilege escalation attack

SOCELARS mutex has been found

SOCELARS has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executes application which crashes

Potential Corporate Privacy Violation

Checks for external IP

INFO

Checks supported languages

Manual execution by a user

Reads the computer name

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings