| File name: | Questions.zip |
| Full analysis: | https://app.any.run/tasks/b9d2eaac-e556-46a8-939f-2b27f4896b09 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 31, 2025, 11:16:30 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | D1DA2FDA80913BAD71ED8B9BF406816E |
| SHA1: | D0F4B42AB83A66498FEE39C07DC4ABD6E4E39443 |
| SHA256: | 024BACA9DE9E2C4ADEBF16CFACD3962B8CE84AF3EC8FD609B7EFC96BD004FD26 |
| SSDEEP: | 48:9pyHpDGUbyiG+2fUyMPmowQ+ZNjspAvoD+8gn19Py/Pmov:gpCFC2rZNjRgD+Nn194 |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 5324)
SUSPICIOUS
Downloads file from URI via Powershell
- powershell.exe (PID: 7376)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 5096)
Executable content was dropped or overwritten
- python-3.12.3-amd64.exe (PID: 4272)
- python-3.12.3-amd64.exe (PID: 2392)
- powershell.exe (PID: 7376)
- python-3.12.3-amd64.exe (PID: 7924)
Searches for installed software
- python-3.12.3-amd64.exe (PID: 2392)
- dllhost.exe (PID: 7860)
Reads security settings of Internet Explorer
- python-3.12.3-amd64.exe (PID: 2392)
Starts itself from another location
- python-3.12.3-amd64.exe (PID: 2392)
Executes as Windows Service
- VSSVC.exe (PID: 8000)
Process drops legitimate windows executable
- python-3.12.3-amd64.exe (PID: 2392)
- python-3.12.3-amd64.exe (PID: 7924)
- msiexec.exe (PID: 5540)
The process drops C-runtime libraries
- python-3.12.3-amd64.exe (PID: 2392)
- python-3.12.3-amd64.exe (PID: 7924)
- msiexec.exe (PID: 5540)
Process drops python dynamic module
- msiexec.exe (PID: 5540)
There is functionality for taking screenshot (YARA)
- python-3.12.3-amd64.exe (PID: 2392)
INFO
Disables trace logs
- powershell.exe (PID: 7376)
Checks proxy server information
- powershell.exe (PID: 7376)
Manual execution by a user
- cmd.exe (PID: 5096)
Checks supported languages
- python-3.12.3-amd64.exe (PID: 4272)
- python-3.12.3-amd64.exe (PID: 2392)
- python-3.12.3-amd64.exe (PID: 7924)
The sample compiled with english language support
- powershell.exe (PID: 7376)
- python-3.12.3-amd64.exe (PID: 4272)
- python-3.12.3-amd64.exe (PID: 2392)
- python-3.12.3-amd64.exe (PID: 7924)
- msiexec.exe (PID: 5540)
Create files in a temporary directory
- python-3.12.3-amd64.exe (PID: 4272)
- python-3.12.3-amd64.exe (PID: 2392)
Reads the computer name
- python-3.12.3-amd64.exe (PID: 2392)
- python-3.12.3-amd64.exe (PID: 7924)
Process checks computer location settings
- python-3.12.3-amd64.exe (PID: 2392)
Manages system restore points
- SrTasks.exe (PID: 7828)
Executable content was dropped or overwritten
- msiexec.exe (PID: 5540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0008 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2025:05:21 13:29:52 |
| ZipCRC: | 0x02d1ca5a |
| ZipCompressedSize: | 560 |
| ZipUncompressedSize: | 3135 |
| ZipFileName: | Questions.py |
Total processes
142
Monitored processes
13
Malicious processes
3
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2392 | "C:\Users\admin\AppData\Local\Temp\{FC05893D-081A-4928-B73B-607A6EB34BA9}\.cr\python-3.12.3-amd64.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\python_install\python-3.12.3-amd64.exe" -burn.filehandle.attached=556 -burn.filehandle.self=568 /quiet InstallAllUsers=1 PrependPath=1 Include_pip=1 | C:\Users\admin\AppData\Local\Temp\{FC05893D-081A-4928-B73B-607A6EB34BA9}\.cr\python-3.12.3-amd64.exe | python-3.12.3-amd64.exe | ||||||||||||
User: admin Company: Python Software Foundation Integrity Level: MEDIUM Description: Python 3.12.3 (64-bit) Version: 3.12.3150.0 Modules
| |||||||||||||||
| 2568 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4272 | python-3.12.3-amd64.exe /quiet InstallAllUsers=1 PrependPath=1 Include_pip=1 | C:\Users\admin\AppData\Local\Temp\python_install\python-3.12.3-amd64.exe | cmd.exe | ||||||||||||
User: admin Company: Python Software Foundation Integrity Level: MEDIUM Description: Python 3.12.3 (64-bit) Version: 3.12.3150.0 Modules
| |||||||||||||||
| 5096 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Python_And_Pip_Installer.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5324 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Questions.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 5540 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6072 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7376 | powershell -Command "Invoke-WebRequest -Uri 'https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe' -OutFile 'python-3.12.3-amd64.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7452 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7828 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | dllhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
28 409
Read events
25 089
Write events
3 265
Delete events
55
Modification events
| (PID) Process: | (5324) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (5324) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (5324) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (5324) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (5324) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (5324) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Questions.zip | |||
| (PID) Process: | (5324) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (5324) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (5324) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (5324) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
75
Suspicious files
134
Text files
1 443
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7860 | dllhost.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 2392 | python-3.12.3-amd64.exe | C:\Users\admin\AppData\Local\Temp\{03E766A0-B0FF-4D66-8097-4C53613248FF}\lib_AllUsers | — | |
MD5:— | SHA256:— | |||
| 2392 | python-3.12.3-amd64.exe | C:\Users\admin\AppData\Local\Temp\{03E766A0-B0FF-4D66-8097-4C53613248FF}\test_AllUsers | — | |
MD5:— | SHA256:— | |||
| 2392 | python-3.12.3-amd64.exe | C:\Users\admin\AppData\Local\Temp\{03E766A0-B0FF-4D66-8097-4C53613248FF}\doc_AllUsers | — | |
MD5:— | SHA256:— | |||
| 7376 | powershell.exe | C:\Users\admin\AppData\Local\Temp\python_install\python-3.12.3-amd64.exe | executable | |
MD5:C86949710E0471A065DB970290819489 | SHA256:EDFC6C84DC47EEBD4FAE9167E96FF5D9C27F8ABAA779EE1DEAB9C3D964D0DE3C | |||
| 7376 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_znvl54y2.xrm.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2392 | python-3.12.3-amd64.exe | C:\Users\admin\AppData\Local\Temp\{03E766A0-B0FF-4D66-8097-4C53613248FF}\.be\python-3.12.3-amd64.exe | executable | |
MD5:D6958B9B90D2667936691080102ECC18 | SHA256:EBEE7043423BC83B3E8C8DDE159E660CF15B376E248C3F8385B5076B85083614 | |||
| 2392 | python-3.12.3-amd64.exe | C:\Users\admin\AppData\Local\Temp\{03E766A0-B0FF-4D66-8097-4C53613248FF}\.ba\Default.wxl | xml | |
MD5:411D2DC96FFF95E6BE82A9BBE882AF7B | SHA256:1529FAD8A804911B2854233DADBA6E36CEBA35EDCE6AA1838818142CB3936384 | |||
| 7376 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_00p4jrgi.tav.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7376 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:8AA61BF74240F7FB2899BAB5E6E14B5D | SHA256:A623A1A276BC8653BB0FB30DC1428EA5CF8C41697182E879560D994640D2286A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
24
DNS requests
10
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7868 | RUXIMICS.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
7636 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
— | — | GET | 200 | 151.101.192.223:443 | https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe | US | executable | 25.4 Mb | whitelisted |
7868 | RUXIMICS.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 868 b | whitelisted |
7636 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 868 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted |
5540 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | DE | binary | 727 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted |
5540 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D | DE | binary | 727 b | whitelisted |
5540 | msiexec.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | DE | binary | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
7868 | RUXIMICS.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7636 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
7636 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
7868 | RUXIMICS.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
7636 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
7868 | RUXIMICS.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.python.org |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Packed Executable Download |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO Request for EXE via Powershell |