File name: New_Taskbar_Themes.zip

Full analysis: https://app.any.run/tasks/88a79401-dffb-4b07-9196-c7cd81ab3597
Verdict: Malicious activity
Analysis date: March 13, 2024, 07:16:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: BB50612F3D321A2CD1A169F82F9C4794
SHA1: D3E0DC907BCFD83A5CC8809276635C8AFD35000E
SHA256: 08DFBBA2E0EFE15B835B78EFC1D87FCBF464045F73B52D54CF5F1143527EB9AF
SSDEEP: 98304:wQTk2VKP3UY33jS13EvWp4mi5wsANceWqYdnhF7R1LJSGIHKtyiRePzjsdUNPcWT:SvBhDVRfEYQHbF78qYYNeEoUL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 4800)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3352)
    • Changes powershell execution policy (Bypass)

      • [Setup] New_Taskbar_Themes.exe (PID: 4764)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3352)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 532)
    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 532)
    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 532)
    • Starts POWERSHELL.EXE for commands execution

      • [Setup] New_Taskbar_Themes.exe (PID: 4764)
    • Reads security settings of Internet Explorer

      • [Setup] New_Taskbar_Themes.exe (PID: 4764)
    • Executes application which crashes

      • [Setup] New_Taskbar_Themes.exe (PID: 4764)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 532)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 532)
    • Manual execution by a user

      • WinRAR.exe (PID: 532)
      • [Setup] New_Taskbar_Themes.exe (PID: 4764)
    • Checks supported languages

      • [Setup] New_Taskbar_Themes.exe (PID: 4764)
    • Reads the computer name

      • [Setup] New_Taskbar_Themes.exe (PID: 4764)
    • Reads the machine GUID from the registry

      • [Setup] New_Taskbar_Themes.exe (PID: 4764)
    • Creates files or folders in the user directory

      • [Setup] New_Taskbar_Themes.exe (PID: 4764)
      • WerFault.exe (PID: 3780)
    • Checks proxy server information

      • slui.exe (PID: 6668)
    • Reads the software policy settings

      • slui.exe (PID: 6668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:03:11 01:53:40
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: wallpapers/
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes in graph: start, winrar.exe (no specs), winrar.exe, [setup] new_taskbar_themes.exe, powershell.exe (no specs), conhost.exe (no specs), werfault.exe (no specs), slui.exe

Process information

PID: 532
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\New_Taskbar_Themes.zip" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2044
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3352
CMD: "powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(Get-CimInstance -ClassName Win32_VideoController).Caption;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: [Setup] New_Taskbar_Themes.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 3780
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 4764 -s 2640
Path: C:\Windows\System32\WerFault.exe
Parent process: [Setup] New_Taskbar_Themes.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\oleaut32.dll
PID: 4764
CMD: "C:\Users\admin\Desktop\[Setup] New_Taskbar_Themes.exe"
Path: C:\Users\admin\Desktop\[Setup] New_Taskbar_Themes.exe
Parent process: explorer.exe
User:
admin
Company:
YL Computing
Integrity Level:
MEDIUM
Description:
imDesktop
Exit code:
1
Version:
1.3.2.0
Modules
Images
c:\users\admin\desktop\[setup] new_taskbar_themes.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 4800
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\New_Taskbar_Themes.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6668
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
Total events: 15 076
Read events: 15 028
Write events: 47
Delete events: 1

Modification events

(PID) Process: (4800) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: -

(PID) Process: (4800) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: -

(PID) Process: (4800) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (4800) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\New_Taskbar_Themes.zip

(PID) Process: (4800) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4800) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4800) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (4800) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (4800) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

(PID) Process: (4800) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files: 9
Suspicious files: 2
Text files: 24
Unknown types: 0

Dropped files

PID: 532 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\MahDefault | Type: -
MD5: -
SHA256: -

PID: 532 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\Microsoft.WindowsAPICodePack.Shell.dll | Type: executable
MD5: 18A46202A1636B985208E2183D756617
SHA256: 513D386FC084AD355D1A8668D8B4E43CC3B21F135AC3EABBC6B96ADEB3EE9E84

PID: 532 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\[Setup] New_Taskbar_Themes.exe | Type: executable
MD5: 79B862F83A5BFA3FB5011CABF9D47A63
SHA256: 3CA1410D20BFD9CD35C8F9B21D2958C6973E608CAEDD726A01199CDF747B3CD7

PID: 532 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\lang\Chinese(Simplified).png | Type: image
MD5: 18BD6697BC44BCFAA606AEC883FDF1C4
SHA256: 3705C17E9A6CF982234898D0269B94427FB3B1978BECE5CF4F3A6C3BF518DA70

PID: 532 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\System.Windows.Interactivity.dll | Type: executable
MD5: E991D47605BC04629AF29939AC2CC9B5
SHA256: EDA12487C479FF31202A3C60F88F1F0E2BF7392919099315D0D951683F14609C

PID: 532 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\lang\English.xml | Type: xml
MD5: 2091E6D656AE235A0E7977B0D5A51CE3
SHA256: C3CC0E93F9FFF36858CA43188BFD6B67B39EE207B373C8A1601B973B2F07395A

PID: 532 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\lang\Polish.png | Type: image
MD5: 464A2897BC125872878D68AEF0EF18BF
SHA256: 5400F9D9FF3272227E66A840AEB52A8489393B04E32BD7E03C1BFE6A9A832A6B

PID: 532 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\lang\English.png | Type: image
MD5: 00214D9E4E6155A04E3997D121641C98
SHA256: 1037BB804C8DA171FB1869872BCD24AA1F0C96AD8CE783861DFF91D3174D12A7

PID: 532 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\lang\English.txt | Type: text
MD5: D254032F2A0D3F9AAE2C571CDD523AD6
SHA256: 4C975E729E7CEEFE1896F03809C579FB228154BBD6A54F9DDEFBA0767FB91C4C

PID: 532 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\lang\Portuguese (Brazil).png | Type: image
MD5: E1E15CEBB26738F77B3EF7BF363E158A
SHA256: B9DFB69AD9869011ACF3D3E3E3EAF1F0956D1C5FFFDDE879AE7D57CE5B083441
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 32
DNS requests: 13
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4828 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
1280 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2568 | svchost.exe | 40.126.32.140:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
2568 | svchost.exe | 40.126.32.76:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5272 | SearchApp.exe | 23.62.98.169:443 | www.bing.com | Akamai International B.V. | NL | unknown
6228 | SIHClient.exe | 20.114.59.183:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
6228 | SIHClient.exe | 13.95.31.18:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1072 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2568 | svchost.exe | 40.126.32.72:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
6568 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 23.62.98.169
  • 23.62.98.216
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
login.live.com
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.4
  • 20.190.159.71
  • 20.190.159.2
  • 20.190.159.23
  • 20.190.159.68
  • 40.126.31.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted
time.windows.com
  • 51.145.123.29
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted

Threats

No threats detected
No debug info