File name: jZipsetup.zip

Full analysis: https://app.any.run/tasks/22b9c18e-3c0c-41f9-8632-db1dd25265b8
Verdict: Malicious activity
Analysis date: February 19, 2024, 10:07:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5: 59BA8C61EAFD8670423CCA9B11C00167
SHA1: CFFAB685CB82E348E9F69FD2A49240D6FE280DE7
SHA256: 0B7FB095E02A02CCD6F2884E999DCE8203407A24F8C6A93BDECC9D1A2CDA2B88
SSDEEP: 49152:4CQn0OqQYhEmxJnOULx243gyPmrNo6cW/N1zwAHqRyEtMv5QnY+j+poItij2UDNX:4CwIQhBe2EgyPmrNNcW/NDKfBIsSYX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • jZipSetup-bf.exe (PID: 3660)
      • jZipSetup-bf.exe (PID: 3500)
      • Uninstall.exe (PID: 1428)
      • Au_.exe (PID: 2416)
      • Au_.exe (PID: 1072)
      • ashampoo_zip_free_28561.exe (PID: 2064)
      • ashampoo_zip_free_28561.exe (PID: 1992)
      • ashampoo_zip_free_28561.exe (PID: 2148)
      • ashampoo_zip_free_28561.tmp (PID: 3684)
      • ashampoo_zip_free_28561.exe (PID: 2964)
      • ashampoo_zip_free_28561.tmp (PID: 1740)
    • Registers / Runs the DLL via REGSVR32.EXE

      • jZipSetup-bf.exe (PID: 3500)
    • Connects to the CnC server

      • jZipSetup-bf.exe (PID: 3500)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • jZipSetup-bf.exe (PID: 3660)
      • jZipSetup-bf.exe (PID: 3500)
      • Au_.exe (PID: 1072)
    • The process creates files with name similar to system file names

      • jZipSetup-bf.exe (PID: 3660)
      • jZipSetup-bf.exe (PID: 3500)
      • Au_.exe (PID: 1072)
    • Executable content was dropped or overwritten

      • jZipSetup-bf.exe (PID: 3660)
      • jZipSetup-bf.exe (PID: 3500)
      • Uninstall.exe (PID: 1428)
      • Au_.exe (PID: 2416)
      • ashampoo_zip_free_28561.exe (PID: 2064)
      • ashampoo_zip_free_28561.exe (PID: 1992)
      • Au_.exe (PID: 1072)
      • ashampoo_zip_free_28561.exe (PID: 2148)
      • ashampoo_zip_free_28561.tmp (PID: 3684)
      • ashampoo_zip_free_28561.exe (PID: 2964)
      • ashampoo_zip_free_28561.tmp (PID: 1740)
    • Application launched itself

      • jZipSetup-bf.exe (PID: 3660)
      • Au_.exe (PID: 2416)
    • Process requests binary or script from the Internet

      • jZipSetup-bf.exe (PID: 3500)
    • Starts application with an unusual extension

      • jZipSetup-bf.exe (PID: 3500)
    • Reads the Internet Settings

      • jZipSetup-bf.exe (PID: 3500)
      • jZipSetup-bf.exe (PID: 3660)
      • ashampoo_zip_free_28561.tmp (PID: 3684)
    • Reads security settings of Internet Explorer

      • jZipSetup-bf.exe (PID: 3500)
    • Creates a software uninstall entry

      • jZipSetup-bf.exe (PID: 3500)
    • Starts itself from another location

      • Uninstall.exe (PID: 1428)
    • Searches for installed software

      • Au_.exe (PID: 1072)
    • Reads the Windows owner or organization settings

      • ashampoo_zip_free_28561.tmp (PID: 3684)
      • ashampoo_zip_free_28561.tmp (PID: 1740)
    • Reads settings of System Certificates

      • ashampoo_zip_free_28561.tmp (PID: 3684)
      • ashampoo_zip_free_28561.tmp (PID: 1740)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3672)
      • msedge.exe (PID: 3912)
      • msedge.exe (PID: 1772)
    • Checks supported languages

      • wmpnscfg.exe (PID: 3796)
      • jZipSetup-bf.exe (PID: 3660)
      • jZipSetup-bf.exe (PID: 3500)
      • ns9952.tmp (PID: 2688)
      • ns5478.tmp (PID: 4004)
      • Uninstall.exe (PID: 1428)
      • Au_.exe (PID: 2416)
      • Au_.exe (PID: 1072)
      • ashampoo_zip_free_28561.exe (PID: 2064)
      • ashampoo_zip_free_28561.tmp (PID: 116)
      • ashampoo_zip_free_28561.exe (PID: 1992)
      • ashampoo_zip_free_28561.tmp (PID: 3684)
      • ashampoo_zip_free_28561.exe (PID: 2148)
      • ashampoo_zip_free_28561.tmp (PID: 2168)
      • ashampoo_zip_free_28561.exe (PID: 2964)
      • ashampoo_zip_free_28561.tmp (PID: 1740)
    • Reads the computer name

      • wmpnscfg.exe (PID: 3796)
      • jZipSetup-bf.exe (PID: 3660)
      • jZipSetup-bf.exe (PID: 3500)
      • Uninstall.exe (PID: 1428)
      • Au_.exe (PID: 2416)
      • Au_.exe (PID: 1072)
      • ashampoo_zip_free_28561.tmp (PID: 116)
      • ashampoo_zip_free_28561.tmp (PID: 2168)
      • ashampoo_zip_free_28561.tmp (PID: 3684)
      • ashampoo_zip_free_28561.tmp (PID: 1740)
    • Process checks whether UAC notifications are on

      • jZipSetup-bf.exe (PID: 3660)
      • Au_.exe (PID: 2416)
    • Manual execution by a user

      • jZipSetup-bf.exe (PID: 3660)
      • explorer.exe (PID: 3772)
      • control.exe (PID: 3916)
      • Uninstall.exe (PID: 1428)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3672)
      • msedge.exe (PID: 3912)
      • msedge.exe (PID: 1772)
    • Create files in a temporary directory

      • jZipSetup-bf.exe (PID: 3660)
      • jZipSetup-bf.exe (PID: 3500)
      • Uninstall.exe (PID: 1428)
      • Au_.exe (PID: 2416)
      • Au_.exe (PID: 1072)
      • ashampoo_zip_free_28561.exe (PID: 1992)
      • ashampoo_zip_free_28561.exe (PID: 2064)
      • ashampoo_zip_free_28561.exe (PID: 2148)
      • ashampoo_zip_free_28561.tmp (PID: 3684)
      • ashampoo_zip_free_28561.tmp (PID: 1740)
      • ashampoo_zip_free_28561.exe (PID: 2964)
    • Reads Environment values

      • jZipSetup-bf.exe (PID: 3500)
      • Au_.exe (PID: 1072)
    • Creates files in the program directory

      • jZipSetup-bf.exe (PID: 3500)
    • Creates files or folders in the user directory

      • jZipSetup-bf.exe (PID: 3500)
    • Checks proxy server information

      • jZipSetup-bf.exe (PID: 3500)
    • Reads the machine GUID from the registry

      • jZipSetup-bf.exe (PID: 3500)
      • Au_.exe (PID: 1072)
      • ashampoo_zip_free_28561.tmp (PID: 3684)
      • ashampoo_zip_free_28561.tmp (PID: 1740)
    • Application launched itself

      • msedge.exe (PID: 3912)
      • msedge.exe (PID: 3352)
    • The process uses the downloaded file

      • msedge.exe (PID: 2572)
      • msedge.exe (PID: 3912)
    • Reads the software policy settings

      • ashampoo_zip_free_28561.tmp (PID: 3684)
      • ashampoo_zip_free_28561.tmp (PID: 1740)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0001
ZipCompression: Unknown (99)
ZipModifyDate: 2020:03:13 10:28:28
ZipCRC: 0x00000000
ZipCompressedSize: 1014054
ZipUncompressedSize: 1060144
ZipFileName: jZipSetup-bf.exe
No data.
All screenshots are available in the full report
Total processes: 113
Monitored processes: 56
Malicious processes: 9
Suspicious processes: 2

Behavior graph

start winrar.exe jzipsetup-bf.exe jzipsetup-bf.exe ns5478.tmp no specs ntvdm.exe ns9952.tmp no specs regsvr32.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs control.exe no specs explorer.exe no specs uninstall.exe au_.exe au_.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs ashampoo_zip_free_28561.exe ashampoo_zip_free_28561.tmp no specs ashampoo_zip_free_28561.exe ashampoo_zip_free_28561.tmp ashampoo_zip_free_28561.exe ashampoo_zip_free_28561.tmp no specs ashampoo_zip_free_28561.exe ashampoo_zip_free_28561.tmp msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs wmpnscfg.exe no specs

Process information

PID: 116
CMD: "C:\Users\admin\AppData\Local\Temp\is-GLFSL.tmp\ashampoo_zip_free_28561.tmp" /SL5="$2034A,26548538,413696,C:\Users\admin\Downloads\ashampoo_zip_free_28561.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-GLFSL.tmp\ashampoo_zip_free_28561.tmp
Parent process: ashampoo_zip_free_28561.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-glfsl.tmp\ashampoo_zip_free_28561.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 584
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3936 --field-trial-handle=1192,i,4101677854562216975,11657571692066178904,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 680
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1240 --field-trial-handle=1192,i,4101677854562216975,11657571692066178904,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 908
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 --field-trial-handle=1192,i,4101677854562216975,11657571692066178904,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1044
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4532 --field-trial-handle=1192,i,4101677854562216975,11657571692066178904,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1072
CMD: "C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" /UAC:90230 /NCRC _?=C:\Program Files\jZip\
Path: C:\Users\admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
Parent process: Au_.exe
User: admin
Company: Bandoo Media Inc
Integrity Level: HIGH
Description: jZip Uninstall
Exit code: 1223
Version: 2.0.0.136805
Modules (images):
c:\users\admin\appdata\local\temp\~nsu.tmp\au_.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 1216
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1316 --field-trial-handle=1192,i,4101677854562216975,11657571692066178904,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1428
CMD: "C:\Program Files\jZip\Uninstall.exe"
Path: C:\Program Files\jZip\Uninstall.exe
Parent process: explorer.exe
User: admin
Company: Bandoo Media Inc
Integrity Level: MEDIUM
Description: jZip Uninstall
Exit code: 0
Version: 2.0.0.136805
Modules (images):
c:\program files\jzip\uninstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 1540
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2204 --field-trial-handle=1192,i,4101677854562216975,11657571692066178904,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 1628
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1192,i,4101677854562216975,11657571692066178904,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 109.0.1518.115
Modules (images):
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 37 664
Read events: 37 432
Write events: 213
Delete events: 19

Modification events

(PID) Process | Key | Operation | Name | Value
(3672) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
(3672) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
(3672) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
(3672) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
(3672) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3672) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3672) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\jZipsetup.zip
(3672) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(3672) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(3672) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
Executable files: 42
Suspicious files: 100
Text files: 115
Unknown types: 91

Dropped files

PID | Process | Filename | Type
3660 | jZipSetup-bf.exe | C:\Users\admin\AppData\Local\Temp\nsa343B.tmp\registry.dll | executable
MD5: 2B7007ED0262CA02EF69D8990815CBEB | SHA256: 0B25B20F26DE5D5BD795F934C70447112B4981343FCB2DFAB3374A4018D28C2D
3660 | jZipSetup-bf.exe | C:\Users\admin\AppData\Local\Temp\nsa343B.tmp\modern-header.bmp | image
MD5: 2E8831AB3CDE2DCE2C6CAE8BBE099619 | SHA256: 8FC75B7D66F025AA82937B569BCEE3F32B5D6D84954BD662160BECCB9280F3E6
3660 | jZipSetup-bf.exe | C:\Users\admin\AppData\Local\Temp\nsa343B.tmp\UserInfo.dll | executable
MD5: C7CE0E47C83525983FD2C4C9566B4AAD | SHA256: 6293408A5FA6D0F55F0A4D01528EB5B807EE9447A75A28B5986267475EBCD3AE
3500 | jZipSetup-bf.exe | C:\Users\admin\AppData\Local\Temp\nsa3573.tmp\license.txt | text
MD5: 7483FA1BF5AD5C0BB562E33329D696EC | SHA256: EBC068AFADC00B72158E1E3E365EA56464648F62DABA95B5D5370A7CC4E12468
3500 | jZipSetup-bf.exe | C:\Users\admin\AppData\Local\Temp\nsa3573.tmp\modern-header.bmp | image
MD5: 2E8831AB3CDE2DCE2C6CAE8BBE099619 | SHA256: 8FC75B7D66F025AA82937B569BCEE3F32B5D6D84954BD662160BECCB9280F3E6
3660 | jZipSetup-bf.exe | C:\Users\admin\AppData\Local\Temp\nsa343B.tmp\System.dll | executable
MD5: BF712F32249029466FA86756F5546950 | SHA256: 7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF
3500 | jZipSetup-bf.exe | C:\Users\admin\AppData\Local\Temp\nsa3573.tmp\registry.dll | executable
MD5: 2B7007ED0262CA02EF69D8990815CBEB | SHA256: 0B25B20F26DE5D5BD795F934C70447112B4981343FCB2DFAB3374A4018D28C2D
3660 | jZipSetup-bf.exe | C:\Users\admin\AppData\Local\Temp\nsa343B.tmp\UAC.dll | executable
MD5: A88BAAD3461D2E9928A15753B1D93FD7 | SHA256: C5AB2926C268257122D0342739E73573D7EEDA34C861BC7A68A02CBC69BD41AF
3500 | jZipSetup-bf.exe | C:\Users\admin\AppData\Local\Temp\nsa3573.tmp\System.dll | executable
MD5: BF712F32249029466FA86756F5546950 | SHA256: 7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF
3500 | jZipSetup-bf.exe | C:\Users\admin\AppData\Local\Temp\nsa3573.tmp\UserInfo.dll | executable
MD5: C7CE0E47C83525983FD2C4C9566B4AAD | SHA256: 6293408A5FA6D0F55F0A4D01528EB5B807EE9447A75A28B5986267475EBCD3AE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 146
DNS requests: 139
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1772 | msedge.exe | GET | 200 | 199.59.243.225:80 | http://www.jzip.com/post_install.php?sysid=102&appid=0&ln=en&osver=6.1&pver=2.0.0.136805&iver=2.0.0.136805&ptype=n&itype=n&ostype=win32 | unknown | html | 1.39 Kb | unknown
3500 | jZipSetup-bf.exe | POST | 200 | 199.59.243.225:80 | http://service.jzip.com/install_statistics.php | unknown | html | 1.06 Kb | unknown
3500 | jZipSetup-bf.exe | GET | 200 | 199.59.243.225:80 | http://download.cdn.jzip.com/cdn/packs/1/pack.exe | unknown | html | 1.06 Kb | unknown
1772 | msedge.exe | POST | 200 | 199.59.243.225:80 | http://www.jzip.com/_fd?sysid=102&appid=0&ln=en&osver=6.1&pver=2.0.0.136805&iver=2.0.0.136805&ptype=n&itype=n&ostype=win32 | unknown | compressed | 2.00 Kb | unknown
1772 | msedge.exe | GET | 200 | 199.59.243.225:80 | http://www.jzip.com/bMPaULvTq.js | unknown | text | 32.2 Kb | unknown
1772 | msedge.exe | GET | - | 199.59.243.225:80 | http://www.jzip.com/?caf&sysid=102&appid=0&ln=en&osver=6.1&pver=2.0.0.136805&iver=2.0.0.136805&ptype=n&itype=n&ostype=win32&query=Unzip+Files&afdToken=ChMIgb_mqpS3hAMVO_YCBx22bwmzEmUBlLqpj2QyIcRd0zImkdIdZtZSK24upkPZOayQ8RX8-fii4Rrbndndt2GGkSlXeSSDujtWS5hS19vcgZCiYh5ruDnCiOGmbtsAdnD6thruCdDrcrCPso2c0zQzJNO9-rlVS-a5ig&pcsa=false&nb=0&nm=16&nx=332&ny=73&is=700x480&clkt=70 | unknown | - | - | unknown
1772 | msedge.exe | GET | - | 199.59.243.225:80 | http://www.jzip.com/?caf&sysid=102&appid=0&ln=en&osver=6.1&pver=2.0.0.136805&iver=2.0.0.136805&ptype=n&itype=n&ostype=win32&query=Unzip+Files&afdToken=ChMIgb_mqpS3hAMVO_YCBx22bwmzEmUBlLqpj2QyIcRd0zImkdIdZtZSK24upkPZOayQ8RX8-fii4Rrbndndt2GGkSlXeSSDujtWS5hS19vcgZCiYh5ruDnCiOGmbtsAdnD6thruCdDrcrCPso2c0zQzJNO9-rlVS-a5ig&pcsa=false&nb=0&nm=16&nx=332&ny=73&is=700x480&clkt=70 | unknown | - | - | unknown
1772 | msedge.exe | GET | 200 | 199.59.243.225:80 | http://www.jzip.com/?caf&sysid=102&appid=0&ln=en&osver=6.1&pver=2.0.0.136805&iver=2.0.0.136805&ptype=n&itype=n&ostype=win32&query=Unzip+Files&afdToken=ChMIgb_mqpS3hAMVO_YCBx22bwmzEmUBlLqpj2QyIcRd0zImkdIdZtZSK24upkPZOayQ8RX8-fii4Rrbndndt2GGkSlXeSSDujtWS5hS19vcgZCiYh5ruDnCiOGmbtsAdnD6thruCdDrcrCPso2c0zQzJNO9-rlVS-a5ig&pcsa=false&nb=0&nm=16&nx=332&ny=73&is=700x480&clkt=70 | unknown | html | 2.22 Kb | unknown
1772 | msedge.exe | GET | 200 | 199.59.243.225:80 | http://www.jzip.com/bBdAtQZJj.js | unknown | text | 32.2 Kb | unknown
1772 | msedge.exe | POST | 200 | 199.59.243.225:80 | http://www.jzip.com/_fd?caf&sysid=102&appid=0&ln=en&osver=6.1&pver=2.0.0.136805&iver=2.0.0.136805&ptype=n&itype=n&ostype=win32&query=Unzip+Files&afdToken=ChMIgb_mqpS3hAMVO_YCBx22bwmzEmUBlLqpj2QyIcRd0zImkdIdZtZSK24upkPZOayQ8RX8-fii4Rrbndndt2GGkSlXeSSDujtWS5hS19vcgZCiYh5ruDnCiOGmbtsAdnD6thruCdDrcrCPso2c0zQzJNO9-rlVS-a5ig&pcsa=false&nb=0&nm=16&nx=332&ny=73&is=700x480&clkt=70 | unknown | compressed | 2.00 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3500 | jZipSetup-bf.exe | 199.59.243.225:80 | download.cdn.jzip.com | AMAZON-02 | US | unknown
3912 | msedge.exe | 239.255.255.250:1900 | - | - | - | unknown
1772 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1772 | msedge.exe | 199.59.243.225:80 | download.cdn.jzip.com | AMAZON-02 | US | unknown
1772 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1772 | msedge.exe | 142.250.186.68:443 | www.google.com | GOOGLE | US | whitelisted
1772 | msedge.exe | 216.58.206.46:443 | www.adsensecustomsearchads.com | - | - | whitelisted

DNS requests

Domain | IP | Reputation
download.cdn.jzip.com | 199.59.243.225 | malicious
service.jzip.com | 199.59.243.225 | unknown
www.jzip.com | 199.59.243.225 | malicious
edge.microsoft.com | 204.79.197.239, 13.107.21.239, 131.253.33.239, 13.107.22.239 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
www.google.com | 142.250.186.68, 142.250.185.68 | whitelisted
www.adsensecustomsearchads.com | 216.58.206.46, 142.250.185.174 | whitelisted
partner.googleadservices.com | 142.250.186.34 | whitelisted
afs.googleusercontent.com | 142.250.185.129 | whitelisted
www.bing.com | 2.19.120.21, 2.19.120.17, 2.19.120.29, 2.19.120.32, 104.126.37.163, 104.126.37.168, 104.126.37.184, 104.126.37.170, 104.126.37.179, 104.126.37.161, 104.126.37.160, 104.126.37.186, 104.126.37.162, 104.126.37.137, 104.126.37.171, 104.126.37.177, 104.126.37.136, 104.126.37.128, 104.126.37.178, 104.126.37.130, 104.126.37.131 | whitelisted

Threats

PID | Process | Class | Message
3500 | jZipSetup-bf.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent
3500 | jZipSetup-bf.exe | Possibly Unwanted Program Detected | ET ADWARE_PUP W32/SearchSuite Install CnC Beacon
No debug info