| File name: | newuiwithpatch.zip |
| Full analysis: | https://app.any.run/tasks/bf47bd02-08ce-4aa5-abce-61bfc91b433f |
| Verdict: | Malicious activity |
| Analysis date: | April 29, 2025, 18:17:33 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | CCC8BB14BBF88719D2BE73C2BE1A57FA |
| SHA1: | DEFEDB164C2C867D654D4CDC00FFEBA1AEF0D12A |
| SHA256: | 0D7D0DA1690C2598908FFA2E4C18FEE754A8E2257BDBD21292B1AF92C75B0A20 |
| SSDEEP: | 98304:QespGrfoJNw0w+fSuGnds0vNQ1vctwOzmB0zhUvbvEWXHUMwCM583PCWKMcgMo8u:pPFzhDaDf1QMMIfRbqs0FkxL |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 8064)
Runs injected code in another process
- newuimatrix.exe (PID: 5892)
Application was injected by another process
- explorer.exe (PID: 5492)
SUSPICIOUS
Modifies hosts file to alter network resolution
- newuimatrix.exe (PID: 5892)
Executes application which crashes
- newuimatrix.exe (PID: 5892)
INFO
Manual execution by a user
- WinRAR.exe (PID: 4224)
- newuimatrix.exe (PID: 1188)
- newuimatrix.exe (PID: 5892)
Reads Microsoft Office registry keys
- explorer.exe (PID: 5492)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 4224)
Reads security settings of Internet Explorer
- explorer.exe (PID: 5492)
Reads the computer name
- newuimatrix.exe (PID: 5892)
Checks supported languages
- newuimatrix.exe (PID: 5892)
Creates files or folders in the user directory
- WerFault.exe (PID: 7524)
Create files in a temporary directory
- WerFault.exe (PID: 7524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2025:04:24 07:53:14 |
| ZipCRC: | 0x36216d84 |
| ZipCompressedSize: | 12160350 |
| ZipUncompressedSize: | 13359104 |
| ZipFileName: | version.dat |
Total processes
133
Monitored processes
9
Malicious processes
0
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1188 | "C:\Users\admin\Desktop\newuiwithpatch\newuimatrix.exe" | C:\Users\admin\Desktop\newuiwithpatch\newuimatrix.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 4224 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\newuiwithpatch.zip" C:\Users\admin\Desktop\newuiwithpatch\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 4620 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5156 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5492 | C:\WINDOWS\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5552 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | newuimatrix.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5892 | "C:\Users\admin\Desktop\newuiwithpatch\newuimatrix.exe" | C:\Users\admin\Desktop\newuiwithpatch\newuimatrix.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 3221225477 Modules
| |||||||||||||||
| 7524 | C:\WINDOWS\system32\WerFault.exe -u -p 5892 -s 632 | C:\Windows\System32\WerFault.exe | — | newuimatrix.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8064 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\newuiwithpatch.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
Total events
13 107
Read events
13 020
Write events
77
Delete events
10
Modification events
| (PID) Process: | (8064) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (8064) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (8064) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (8064) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\newuiwithpatch.zip | |||
| (PID) Process: | (8064) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (8064) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (8064) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (8064) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000009028A |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3 | |||
| (PID) Process: | (8064) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
| Operation: | write | Name: | name |
Value: 256 | |||
Executable files
1
Suspicious files
0
Text files
3
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4224 | WinRAR.exe | C:\Users\admin\Desktop\newuiwithpatch\version.dat | — | |
MD5:— | SHA256:— | |||
| 7524 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_1eba89dbf420a62f833a4ce282376bda3656d4_85207d7d_084d10e2-26f4-4866-b820-43b5cc7fb989\Report.wer | — | |
MD5:— | SHA256:— | |||
| 7524 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER395E.tmp.WERInternalMetadata.xml | xml | |
MD5:D5438A7483FF6EDB78342D46DAC97820 | SHA256:58A3687D47701E74318746E661A0331BE6D4C2AD494EE0987D298518A22503BB | |||
| 7524 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER398E.tmp.xml | xml | |
MD5:4CB0EC97DEC59A9E053E4507A316B91C | SHA256:5B41C4A274F6A3331F7836688925FFFFFB7AD22B1CBDA3605EDA99DFF175EF45 | |||
| 7524 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WER298F.tmp.WERDataCollectionStatus.txt | text | |
MD5:8F2FDBD11F1EE39043E03B2A24C640B2 | SHA256:BA4374A5A9DAD609942B26BA23BA7E5865CF72F5E7F0E6221B18A5DC2420DD72 | |||
| 4224 | WinRAR.exe | C:\Users\admin\Desktop\newuiwithpatch\newuimatrix.exe | executable | |
MD5:49B79A318C7CF4BCF6C3F44D0ED260F9 | SHA256:887B773172839A3149DF2E67E8F6746A1BEAEF05C98718F525089F82D4EB15FF | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
32
DNS requests
12
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | GET | 200 | 40.69.42.241:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
920 | SIHClient.exe | GET | 200 | 23.216.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
920 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
920 | SIHClient.exe | GET | 200 | 23.216.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
920 | SIHClient.exe | GET | 200 | 23.216.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
920 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
920 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
920 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 4.245.163.56:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
976 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
5892 | newuimatrix.exe | 109.123.234.188:9999 | — | — | — | unknown |
920 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
920 | SIHClient.exe | 23.216.77.18:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
920 | SIHClient.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |