File name: Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528.zip

Full analysis: https://app.any.run/tasks/3a5e5884-9dcf-4b7e-8ed9-0c683a0b39af
Verdict: Malicious activity
Analysis date: June 16, 2024, 11:57:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: autoit
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: D73BFE55D427745F4561E914AD658CD8
SHA1: 68FA8F0E5F5643BE59FEDEFE27D41BB301C2C103
SHA256: 04E9ADDC341CF9D8C14B9E092353F208FA70975FCA32BAFD86A95BB430EFF4F7
SSDEEP: 98304:lDiMaMVTfOYdbJ50GcqlbwaqfWhxgW5uUNZ0y3U96x/vOpcO5K4+OXdghIbvCer/:TK3QCGWmM3EUA1u34KbsAZIr4BpTjtJH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3976)
  • SUSPICIOUS
    • Reads the Internet Settings
      • info.exe (PID: 1024)
    • Reads security settings of Internet Explorer
      • info.exe (PID: 1024)
    • Potential Corporate Privacy Violation
      • info.exe (PID: 1024)
    • Starts CMD.EXE for commands execution
      • 0.scr (PID: 372)
  • INFO
    • Reads mouse settings
      • info.exe (PID: 1024)
      • 0.scr (PID: 372)
    • Checks supported languages
      • info.exe (PID: 1024)
      • 0.scr (PID: 372)
      • wmpnscfg.exe (PID: 1664)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3976)
    • Manual execution by a user
      • info.exe (PID: 1024)
      • 0.scr (PID: 372)
      • wmpnscfg.exe (PID: 1664)
    • Reads the computer name
      • info.exe (PID: 1024)
      • wmpnscfg.exe (PID: 1664)
    • Checks proxy server information
      • info.exe (PID: 1024)
    • Reads the machine GUID from the registry
      • info.exe (PID: 1024)
    • Creates files or folders in the user directory
      • info.exe (PID: 1024)
    • Create files in a temporary directory
      • info.exe (PID: 1024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:05:18 12:28:06
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528/
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes shown in the graph (from the start node): winrar.exe, info.exe, 0.scr (no specs), cmd.exe (no specs), PhotoViewer.dll (no specs), wmpnscfg.exe (no specs)

Process information

PID: 372
CMD: "C:\Users\admin\Desktop\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\0.scr" /S
Path: C:\Users\admin\Desktop\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\0.scr
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
  • c:\users\admin\desktop\cospuri 503 shinanoazur lane cospuri 503 shinanoazur lane c528\0.scr
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\wsock32.dll
  • c:\windows\system32\ws2_32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\nsi.dll
  • c:\windows\system32\version.dll

PID: 1024
CMD: "C:\Users\admin\Desktop\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\info.exe"
Path: C:\Users\admin\Desktop\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\info.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
  • c:\users\admin\desktop\cospuri 503 shinanoazur lane cospuri 503 shinanoazur lane c528\info.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\wsock32.dll
  • c:\windows\system32\ws2_32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\nsi.dll
  • c:\windows\system32\version.dll

PID: 1184
CMD: C:\Windows\system32\cmd.exe /c 1.jpg
Path: C:\Windows\System32\cmd.exe
Parent process: 0.scr
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\winbrand.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 1664
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 2312
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\dllhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 3976
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (Images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll
Total events: 4 893
Read events: 4 852
Write events: 35
Delete events: 6

Modification events

(PID) Process | Key | Operation | Name | Value
(3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | 
(3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | 
(3976) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
(3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
(3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528.zip
(3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(3976) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
Executable files: 3
Suspicious files: 0
Text files: 35
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.40415\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\0.scr | executable | 6CBBF6FD42173A836D36E97B0439E8F9 | 28FD6817E73D063F2AEB8990DDEC202B45457B18A7FA92963399FB388DB51D6A
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.40415\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\10__c5288becb84a7dd0.jpg | image | 058D26FAE3F4CAFED2489BFECB76AABB | C755E5931AB09CBB8D6D3DCD36B6E8EBA945D21130F507710AFBD5A1750762FE
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.40415\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\11__c5288becb84a7dd0.jpg | image | 05E18D9D5C0BCFC9F179F15FBED43B91 | 138C60D46931887C0E11F9106A9574D44131AE61AD370065E78F3E37A1C40690
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.40415\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\17__c5288becb84a7dd0.jpg | image | 3039D3ED64CB0D27743DC6E919CF19D3 | 97EA335DAA8201246796C80695F87423091389B94F5B50E9EF6D4BC1375ADA59
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.40415\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\13__c5288becb84a7dd0.jpg | image | DAE540A04B55137045FA2E4CB9D1EF92 | BCFDAA12CD29B0A5C31789382B1AC42DDA074EC5C95DA1E265ADF1D161964F9C
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.40415\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\15__c5288becb84a7dd0.jpg | image | 484BBAE2D2FC3E8735EE5CD37C78A30C | 2D0B60F1132BC11BB610F8B31831061B75784E181E6662F03A2FE44E408FDBCF
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.40415\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\16__c5288becb84a7dd0.jpg | image | D08FA39721733997DE7DB26A069E517D | 5AACCDB369711882E697BBE105528C0DB9DEBB89AD43E11914B9E1772E7FFA65
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.40415\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\14__c5288becb84a7dd0.jpg | image | B9872FA19F308E47405A6534B0FCCAFF | 8C3047E1E95C982D6AF0E9CA6422B5A079239E78145D3D92C417249DFD5F5D13
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.40415\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\23__c5288becb84a7dd0.jpg | image | 953957B39E2FFFBBEE897E292EECFF0A | 60F077662FD344AADF011EE60848BDF2909E1F890908AA8AD2E630A9D1F6E599
3976 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3976.40415\Cospuri 503 Shinanoazur Lane Cospuri 503 Shinanoazur Lane c528\22__c5288becb84a7dd0.jpg | image | 3D5B3CBB6AE4415AB0E5F4450B847BF2 | A64F65B1EF623B86D58316555657A46A88D712BF55DCE7ACEE22D6E3CA479F92
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 5
DNS requests: 1
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1024 | info.exe | GET |  | 77.81.120.23:80 | http://forum.helenheaven.xyz/c.7z | unknown |  |  | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
 |  | 224.0.0.252:5355 |  |  |  | unknown
1088 | svchost.exe | 224.0.0.252:5355 |  |  |  | unknown
1024 | info.exe | 77.81.120.23:80 | forum.helenheaven.xyz | KnownSRV Ltd. | NL | unknown

DNS requests

Domain | IP | Reputation
forum.helenheaven.xyz | 77.81.120.23 | unknown

Threats

PID | Process | Class | Message
1024 | info.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
1 ETPRO signatures available at the full report
No debug info