| File name: | ZipRipper.cmd |
| Full analysis: | https://app.any.run/tasks/fc04558f-66a7-47bf-91c2-a9d79f07b3e6 |
| Verdict: | Malicious activity |
| Analysis date: | October 03, 2024, 03:10:32 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, ASCII text, with very long lines (7876), with CRLF line terminators |
| MD5: | B48D3F8AC4C16AAA66951F6FD464BF0E |
| SHA1: | 8FE001038409B30206CAEA584039182831400C58 |
| SHA256: | 102D2C95E80E20291E7600BAD9AA8A160380366A9332CC642C83757C41851C28 |
| SSDEEP: | 1536:RJ6PopbSFlTwCJlVNnvf6sOgoOwdxG7hJwC0/+AcVy:7pbSFlTwCJlVNnvfROgqdxewC0/+AcVy |
MALICIOUS
No malicious indicators.SUSPICIOUS
Application launched itself
- cmd.exe (PID: 376)
- cmd.exe (PID: 2080)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 1568)
- cmd.exe (PID: 2080)
- cmd.exe (PID: 1744)
- cmd.exe (PID: 4080)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 376)
- cmd.exe (PID: 6400)
- cmd.exe (PID: 2080)
Get information on the list of running processes
- cmd.exe (PID: 376)
- cmd.exe (PID: 2080)
Hides command output
- cmd.exe (PID: 1116)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 2080)
- cmd.exe (PID: 376)
Uses WMIC.EXE to obtain a list of video controllers
- cmd.exe (PID: 6400)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 376)
- cmd.exe (PID: 2080)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 1568)
- cmd.exe (PID: 2080)
- cmd.exe (PID: 1744)
- cmd.exe (PID: 4080)
Executing commands from ".cmd" file
- cmd.exe (PID: 376)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 2080)
CSC.EXE is used to compile C# code
- csc.exe (PID: 6784)
Executable content was dropped or overwritten
- csc.exe (PID: 6784)
Probably download files using WebClient
- cmd.exe (PID: 2080)
Kill processes via PowerShell
- powershell.exe (PID: 876)
- powershell.exe (PID: 3044)
INFO
Disables trace logs
- powershell.exe (PID: 4980)
Checks proxy server information
- powershell.exe (PID: 4980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
150
Monitored processes
29
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 376 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\ZipRipper.cmd" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 876 | POWERSHELL -nop -c "Add-Type -AssemblyName PresentationFramework, System.Drawing, System.Windows.Forms, WindowsFormsIntegration;[xml]$xaml='<Window xmlns="""http://schemas.microsoft.com/winfx/2006/xaml/presentation""" xmlns:x="""http://schemas.microsoft.com/winfx/2006/xaml""" Title=""" Initializing...""" Height="""37""" Width="""210""" WindowStartupLocation="""CenterScreen""" WindowStyle="""None""" Topmost="""True""" Background="""#333333""" AllowsTransparency="""True"""><Canvas><TextBlock Name="""Info""" Canvas.Top="""3""" Text=""" Initializing...""" Foreground="""#eeeeee""" FontWeight="""Bold"""/><ProgressBar Canvas.Left="""5""" Canvas.Top="""28""" Width="""200""" Height="""3""" Name="""Progress""" Foreground="""#FF0000"""/></Canvas></Window>';$reader=(New-Object System.Xml.XmlNodeReader $xaml);$form=[Windows.Markup.XamlReader]::Load($reader);$form.Add_Closing({[System.Windows.Forms.Application]::Exit();Stop-Process $pid});$progressBar=$form.FindName("""Progress""");function Update-Gui (){$form.Dispatcher.Invoke([Windows.Threading.DispatcherPriority]::Background, [action]{})};function DownloadFile($url,$targetFile){$uri=New-Object """System.Uri""" """$url""";$request=[System.Net.HttpWebRequest]::Create($uri);$request.set_Timeout(15000);$response=$request.GetResponse();$totalLength=[System.Math]::Floor($response.get_ContentLength()/1024);$responseStream=$response.GetResponseStream();$targetStream=New-Object -TypeName System.IO.FileStream -ArgumentList $targetFile, Create;$buffer=new-object byte[] 10KB;$count=$responseStream.Read($buffer,0,$buffer.length);$downloadedBytes=$count;while ($count -gt 0){$targetStream.Write($buffer,0,$count);$count=$responseStream.Read($buffer,0,$buffer.length);$downloadedBytes=$downloadedBytes+$count;$roundedPercent=[int]((([System.Math]::Floor($downloadedBytes/1024))/$totalLength)*100);$progressBar.Value=$roundedPercent;if($progressBar.Value -ne $lastpercent){$lastpercent=$progressBar.Value;Update-Gui}};$targetStream.Flush();$targetStream.Close();$targetStream.Dispose();$responseStream.Dispose()};$form.Add_ContentRendered({downloadFile 'https://raw.githubusercontent.com/illsk1lls/ZipRipper/main/.resources/zipripper.png' 'C:\ProgramData\zipripper.png';Sleep 1;$form.Close()});$form.Show();$appContext=New-Object System.Windows.Forms.ApplicationContext;[void][System.Windows.Forms.Application]::Run($appContext)" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 4294967295 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 892 | TASKLIST /V /NH /FI "imagename eq cmd.exe" | C:\Windows\System32\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1116 | C:\WINDOWS\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName 2>nul | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1224 | C:\WINDOWS\system32\cmd.exe /S /D /c" ECHO" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1328 | ATTRIB -h "C:\ProgramData\BIT*.tmp" | C:\Windows\System32\attrib.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Attribute Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1568 | C:\WINDOWS\system32\cmd.exe /c POWERSHELL -nop -c "$ProgressPreference='SilentlyContinue';irm http://www.msftncsi.com/ncsi.txt;$ProgressPreference='Continue'" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1744 | C:\WINDOWS\system32\cmd.exe /c POWERSHELL -nop -c "Add-Type -AssemblyName PresentationFramework, System.Drawing, System.Windows.Forms, WindowsFormsIntegration;function wlist(){Switch($showL){0{$D.Visibility="""Visible""";$R.Visibility="""Visible""";$C.Visibility="""Visible""";$global:showL="""1"""}1{$D.Visibility="""Collapsed""";$R.Visibility="""Collapsed""";$C.Visibility="""Collapsed""";$global:showL="""0"""}}};[xml]$xaml='<Window xmlns="""http://schemas.microsoft.com/winfx/2006/xaml/presentation""" xmlns:x="""http://schemas.microsoft.com/winfx/2006/xaml""" WindowStartupLocation="""CenterScreen""" WindowStyle="""None""" Background="""Transparent""" AllowsTransparency="""True""" Width="""285""" Height="""324"""><Window.Resources><ControlTemplate x:Key="""nM""" TargetType="""Button"""><Border Background="""{TemplateBinding Background}""" BorderBrush="""{TemplateBinding BorderBrush}""" BorderThickness="""{TemplateBinding BorderThickness}"""><ContentPresenter HorizontalAlignment="""{TemplateBinding HorizontalContentAlignment}""" VerticalAlignment="""{TemplateBinding VerticalContentAlignment}"""/></Border><ControlTemplate.Triggers><Trigger Property="""IsEnabled""" Value="""False"""><Setter Property="""Background""" Value="""{x:Static SystemColors.ControlLightBrush}"""/><Setter Property="""Foreground""" Value="""{x:Static SystemColors.GrayTextBrush}"""/></Trigger></ControlTemplate.Triggers></ControlTemplate></Window.Resources><Grid><Grid.RowDefinitions><RowDefinition Height="""298"""/><RowDefinition Height="""*"""/></Grid.RowDefinitions><Grid.Background><ImageBrush ImageSource="""C:\ProgramData\zipripper.png"""/></Grid.Background><Grid.Triggers><EventTrigger RoutedEvent="""Loaded"""><BeginStoryboard><Storyboard><DoubleAnimation Storyboard.TargetProperty="""Background.Opacity""" From="""0""" To="""1""" Duration="""0:0:1"""/></Storyboard></BeginStoryboard></EventTrigger></Grid.Triggers><Canvas Grid.Row="""0"""><Button x:Name="""Offline""" Canvas.Left="""141""" Canvas.Top="""56""" Height="""16""" Width="""26""" ToolTip="""Create [zr-offline.txt]""" Template="""{StaticResource nM}"""/><Button x:Name="""Cleanup""" Canvas.Left="""138""" Canvas.Top="""154""" Height="""20""" Width="""20""" ToolTip="""Clear Resume Cache""" Template="""{StaticResource nM}"""/><Button Name="""List""" Canvas.Left="""143""" Canvas.Top="""116""" Height="""10""" Width="""15""" ToolTip="""Select Wordlist""" Template="""{StaticResource nM}""" Opacity="""0"""></Button><Button Name="""Default""" Canvas.Left="""123""" Canvas.Top="""130""" FontSize="""11""" Foreground="""#eeeeee""" Background="""#333333""" Height="""18""" Width="""55""" Visibility="""Collapsed""" HorizontalContentAlignment="""Left""" Template="""{StaticResource nM}""" Opacity="""0.9""">Default</Button><Button Name="""WL""" Canvas.Left="""123""" Canvas.Top="""147""" FontSize="""11""" Foreground="""#eeeeee""" Background="""#333333""" Height="""18""" Width="""55""" Visibility="""Collapsed""" HorizontalContentAlignment="""Left""" Template="""{StaticResource nM}""" Opacity="""0.9""">Cyclone</Button><Button Name="""Custom""" Canvas.Left="""123""" Canvas.Top="""164""" FontSize="""11""" Foreground="""#eeeeee""" Background="""#333333""" Height="""18""" Width="""55""" Visibility="""Collapsed""" HorizontalContentAlignment="""Left""" Template="""{StaticResource nM}""" Opacity="""0.9""">Custom</Button></Canvas><Canvas Grid.Row="""1"""><Button x:Name="""Start""" Height="""22""" Width="""65""" Content="""Start""" ToolTip="""Click to Begin...""" Template="""{StaticResource nM}"""><Button.Triggers><EventTrigger RoutedEvent="""Loaded"""><BeginStoryboard><Storyboard><DoubleAnimation From="""40""" To="""65""" Duration="""0:0:1""" Storyboard.TargetProperty="""(Canvas.Left)""" AutoReverse="""False"""/><DoubleAnimation Storyboard.TargetProperty="""Opacity""" From="""0""" To="""1""" Duration="""0:0:2"""/></Storyboard></BeginStoryboard></EventTrigger></Button.Triggers></Button></Canvas><Canvas Grid.Row="""1"""><Button x:Name="""Quit""" Height="""22""" Width="""65""" Content="""Quit""" ToolTip="""Click to Exit""" Template="""{StaticResource nM}"""><Button.Triggers><EventTrigger RoutedEvent="""Loaded"""><BeginStoryboard><Storyboard><DoubleAnimation From="""40""" To="""65""" Duration="""0:0:1""" Storyboard.TargetProperty="""(Canvas.Right)""" AutoReverse="""False"""/><DoubleAnimation Storyboard.TargetProperty="""Opacity""" From="""0""" To="""1""" Duration="""0:0:2"""/></Storyboard></BeginStoryboard></EventTrigger></Button.Triggers></Button></Canvas></Grid><Window.TaskbarItemInfo><TaskbarItemInfo/></Window.TaskbarItemInfo></Window>';$reader=(New-Object System.Xml.XmlNodeReader $xaml);$window=[Windows.Markup.XamlReader]::Load($reader);$window.Title='ZipRipper';$bitmap=New-Object System.Windows.Media.Imaging.BitmapImage;$bitmap='C:\ProgramData\zipripper.png';$window.Icon=$bitmap;$window.TaskbarItemInfo.Overlay=$bitmap;$window.TaskbarItemInfo.Description=$window.Title;$window.Add_Closing({[System.Windows.Forms.Application]::Exit();Stop-Process $pid});$L=$Window.FindName("""List""");$D=$Window.FindName("""Default""");$R=$Window.FindName("""WL""");$C=$Window.FindName("""Custom""");$L.Add_Click({wlist});$D.Add_MouseEnter({$D.Background="""#eeeeee""";$D.Foreground="""#333333"""});$D.Add_MouseLeave({$D.Background="""#333333""";$D.Foreground="""#eeeeee"""});$D.Add_Click({$global:list="""0""";wlist});$R.Add_MouseEnter({$R.Background="""#eeeeee""";$R.Foreground="""#333333"""});$R.Add_MouseLeave({$R.Background="""#333333""";$R.Foreground="""#eeeeee"""});$R.Add_Click({$global:list="""1""";wlist});$C.Add_MouseEnter({$C.Background="""#eeeeee""";$C.Foreground="""#333333"""});$C.Add_MouseLeave({$C.Background="""#333333""";$C.Foreground="""#eeeeee"""});$C.Add_Click({$global:list="""2""";wlist});$b=$Window.FindName("""Start""");$b.Background = """#333333""";$b.Foreground="""#eeeeee""";$b.FontSize="""12""";$b.FontWeight="""Bold""";$b.Add_MouseEnter({$b.Background="""#eeeeee""";$b.Foreground="""#333333"""});$b.Add_MouseLeave({$b.Background="""#333333""";$b.Foreground="""#eeeeee"""});$b.Add_Click({write-host """Start,$list""";Exit});$b2=$Window.FindName("""Quit""");$b2.Background="""#333333""";$b2.Foreground="""#eeeeee""";$b2.FontSize="""12""";$b2.FontWeight="""Bold""";$b2.Add_MouseEnter({$b2.Background="""#eeeeee""";$b2.Foreground="""#333333"""});$b2.Add_MouseLeave({$b2.Background="""#333333""";$b2.Foreground="""#eeeeee"""});$b2.Add_Click({write-host 'Quit';Exit});$b3=$Window.FindName("""Offline""");$b3.Opacity="""0""";$b3.Add_Click({$b3m=New-Object -ComObject Wscript.Shell;$b3a=$b3m.Popup('Create [zr-offline.txt] for Offline Mode?',0,'Offline Mode Builder',0x1);if($b3a -eq 1){write-host 'Offline';Exit}});$b4=$Window.FindName("""Cleanup""");$b4.Opacity="""0""";$b4.Add_Click({$b4m=New-Object -ComObject Wscript.Shell;$b4a=$b4m.Popup("""Cleanup ALL resume data?""",0,'Clear InProgress Jobs',0x1);if($b4a -eq 1){if(Test-Path -Path 'C:\Users\admin\AppData\Roaming\ZR-InProgress'){Remove-Item 'C:\Users\admin\AppData\Roaming\ZR-InProgress' -Recurse -force -ErrorAction SilentlyContinue;$b4m2=New-Object -ComObject Wscript.Shell;$b4m2.Popup("""ALL Jobs Cleared""",0,'Clear InProgress Jobs',0x0)} else {$b4m3=New-Object -ComObject Wscript.Shell;$b4m3.Popup('There are no jobs to clear',0,'Clear InProgress Jobs',0x0)}}});$list="""0""";$showL="""0""";$window.add_MouseLeftButtonDown({if($showL -eq 1){wlist};$window.DragMove()});$window.Show();$appContext=New-Object System.Windows.Forms.ApplicationContext;[void][System.Windows.Forms.Application]::Run($appContext)" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2080 | "CMD.exe" /x /d /r SET "f0=1"&CALL "C:\ProgramData\ZipRipper.cmd" | C:\Windows\System32\cmd.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3044 | POWERSHELL -nop -c "Add-Type -AssemblyName PresentationFramework, System.Drawing, System.Windows.Forms, WindowsFormsIntegration;function wlist(){Switch($showL){0{$D.Visibility="""Visible""";$R.Visibility="""Visible""";$C.Visibility="""Visible""";$global:showL="""1"""}1{$D.Visibility="""Collapsed""";$R.Visibility="""Collapsed""";$C.Visibility="""Collapsed""";$global:showL="""0"""}}};[xml]$xaml='<Window xmlns="""http://schemas.microsoft.com/winfx/2006/xaml/presentation""" xmlns:x="""http://schemas.microsoft.com/winfx/2006/xaml""" WindowStartupLocation="""CenterScreen""" WindowStyle="""None""" Background="""Transparent""" AllowsTransparency="""True""" Width="""285""" Height="""324"""><Window.Resources><ControlTemplate x:Key="""nM""" TargetType="""Button"""><Border Background="""{TemplateBinding Background}""" BorderBrush="""{TemplateBinding BorderBrush}""" BorderThickness="""{TemplateBinding BorderThickness}"""><ContentPresenter HorizontalAlignment="""{TemplateBinding HorizontalContentAlignment}""" VerticalAlignment="""{TemplateBinding VerticalContentAlignment}"""/></Border><ControlTemplate.Triggers><Trigger Property="""IsEnabled""" Value="""False"""><Setter Property="""Background""" Value="""{x:Static SystemColors.ControlLightBrush}"""/><Setter Property="""Foreground""" Value="""{x:Static SystemColors.GrayTextBrush}"""/></Trigger></ControlTemplate.Triggers></ControlTemplate></Window.Resources><Grid><Grid.RowDefinitions><RowDefinition Height="""298"""/><RowDefinition Height="""*"""/></Grid.RowDefinitions><Grid.Background><ImageBrush ImageSource="""C:\ProgramData\zipripper.png"""/></Grid.Background><Grid.Triggers><EventTrigger RoutedEvent="""Loaded"""><BeginStoryboard><Storyboard><DoubleAnimation Storyboard.TargetProperty="""Background.Opacity""" From="""0""" To="""1""" Duration="""0:0:1"""/></Storyboard></BeginStoryboard></EventTrigger></Grid.Triggers><Canvas Grid.Row="""0"""><Button x:Name="""Offline""" Canvas.Left="""141""" Canvas.Top="""56""" Height="""16""" Width="""26""" ToolTip="""Create [zr-offline.txt]""" Template="""{StaticResource nM}"""/><Button x:Name="""Cleanup""" Canvas.Left="""138""" Canvas.Top="""154""" Height="""20""" Width="""20""" ToolTip="""Clear Resume Cache""" Template="""{StaticResource nM}"""/><Button Name="""List""" Canvas.Left="""143""" Canvas.Top="""116""" Height="""10""" Width="""15""" ToolTip="""Select Wordlist""" Template="""{StaticResource nM}""" Opacity="""0"""></Button><Button Name="""Default""" Canvas.Left="""123""" Canvas.Top="""130""" FontSize="""11""" Foreground="""#eeeeee""" Background="""#333333""" Height="""18""" Width="""55""" Visibility="""Collapsed""" HorizontalContentAlignment="""Left""" Template="""{StaticResource nM}""" Opacity="""0.9""">Default</Button><Button Name="""WL""" Canvas.Left="""123""" Canvas.Top="""147""" FontSize="""11""" Foreground="""#eeeeee""" Background="""#333333""" Height="""18""" Width="""55""" Visibility="""Collapsed""" HorizontalContentAlignment="""Left""" Template="""{StaticResource nM}""" Opacity="""0.9""">Cyclone</Button><Button Name="""Custom""" Canvas.Left="""123""" Canvas.Top="""164""" FontSize="""11""" Foreground="""#eeeeee""" Background="""#333333""" Height="""18""" Width="""55""" Visibility="""Collapsed""" HorizontalContentAlignment="""Left""" Template="""{StaticResource nM}""" Opacity="""0.9""">Custom</Button></Canvas><Canvas Grid.Row="""1"""><Button x:Name="""Start""" Height="""22""" Width="""65""" Content="""Start""" ToolTip="""Click to Begin...""" Template="""{StaticResource nM}"""><Button.Triggers><EventTrigger RoutedEvent="""Loaded"""><BeginStoryboard><Storyboard><DoubleAnimation From="""40""" To="""65""" Duration="""0:0:1""" Storyboard.TargetProperty="""(Canvas.Left)""" AutoReverse="""False"""/><DoubleAnimation Storyboard.TargetProperty="""Opacity""" From="""0""" To="""1""" Duration="""0:0:2"""/></Storyboard></BeginStoryboard></EventTrigger></Button.Triggers></Button></Canvas><Canvas Grid.Row="""1"""><Button x:Name="""Quit""" Height="""22""" Width="""65""" Content="""Quit""" ToolTip="""Click to Exit""" Template="""{StaticResource nM}"""><Button.Triggers><EventTrigger RoutedEvent="""Loaded"""><BeginStoryboard><Storyboard><DoubleAnimation From="""40""" To="""65""" Duration="""0:0:1""" Storyboard.TargetProperty="""(Canvas.Right)""" AutoReverse="""False"""/><DoubleAnimation Storyboard.TargetProperty="""Opacity""" From="""0""" To="""1""" Duration="""0:0:2"""/></Storyboard></BeginStoryboard></EventTrigger></Button.Triggers></Button></Canvas></Grid><Window.TaskbarItemInfo><TaskbarItemInfo/></Window.TaskbarItemInfo></Window>';$reader=(New-Object System.Xml.XmlNodeReader $xaml);$window=[Windows.Markup.XamlReader]::Load($reader);$window.Title='ZipRipper';$bitmap=New-Object System.Windows.Media.Imaging.BitmapImage;$bitmap='C:\ProgramData\zipripper.png';$window.Icon=$bitmap;$window.TaskbarItemInfo.Overlay=$bitmap;$window.TaskbarItemInfo.Description=$window.Title;$window.Add_Closing({[System.Windows.Forms.Application]::Exit();Stop-Process $pid});$L=$Window.FindName("""List""");$D=$Window.FindName("""Default""");$R=$Window.FindName("""WL""");$C=$Window.FindName("""Custom""");$L.Add_Click({wlist});$D.Add_MouseEnter({$D.Background="""#eeeeee""";$D.Foreground="""#333333"""});$D.Add_MouseLeave({$D.Background="""#333333""";$D.Foreground="""#eeeeee"""});$D.Add_Click({$global:list="""0""";wlist});$R.Add_MouseEnter({$R.Background="""#eeeeee""";$R.Foreground="""#333333"""});$R.Add_MouseLeave({$R.Background="""#333333""";$R.Foreground="""#eeeeee"""});$R.Add_Click({$global:list="""1""";wlist});$C.Add_MouseEnter({$C.Background="""#eeeeee""";$C.Foreground="""#333333"""});$C.Add_MouseLeave({$C.Background="""#333333""";$C.Foreground="""#eeeeee"""});$C.Add_Click({$global:list="""2""";wlist});$b=$Window.FindName("""Start""");$b.Background = """#333333""";$b.Foreground="""#eeeeee""";$b.FontSize="""12""";$b.FontWeight="""Bold""";$b.Add_MouseEnter({$b.Background="""#eeeeee""";$b.Foreground="""#333333"""});$b.Add_MouseLeave({$b.Background="""#333333""";$b.Foreground="""#eeeeee"""});$b.Add_Click({write-host """Start,$list""";Exit});$b2=$Window.FindName("""Quit""");$b2.Background="""#333333""";$b2.Foreground="""#eeeeee""";$b2.FontSize="""12""";$b2.FontWeight="""Bold""";$b2.Add_MouseEnter({$b2.Background="""#eeeeee""";$b2.Foreground="""#333333"""});$b2.Add_MouseLeave({$b2.Background="""#333333""";$b2.Foreground="""#eeeeee"""});$b2.Add_Click({write-host 'Quit';Exit});$b3=$Window.FindName("""Offline""");$b3.Opacity="""0""";$b3.Add_Click({$b3m=New-Object -ComObject Wscript.Shell;$b3a=$b3m.Popup('Create [zr-offline.txt] for Offline Mode?',0,'Offline Mode Builder',0x1);if($b3a -eq 1){write-host 'Offline';Exit}});$b4=$Window.FindName("""Cleanup""");$b4.Opacity="""0""";$b4.Add_Click({$b4m=New-Object -ComObject Wscript.Shell;$b4a=$b4m.Popup("""Cleanup ALL resume data?""",0,'Clear InProgress Jobs',0x1);if($b4a -eq 1){if(Test-Path -Path 'C:\Users\admin\AppData\Roaming\ZR-InProgress'){Remove-Item 'C:\Users\admin\AppData\Roaming\ZR-InProgress' -Recurse -force -ErrorAction SilentlyContinue;$b4m2=New-Object -ComObject Wscript.Shell;$b4m2.Popup("""ALL Jobs Cleared""",0,'Clear InProgress Jobs',0x0)} else {$b4m3=New-Object -ComObject Wscript.Shell;$b4m3.Popup('There are no jobs to clear',0,'Clear InProgress Jobs',0x0)}}});$list="""0""";$showL="""0""";$window.add_MouseLeftButtonDown({if($showL -eq 1){wlist};$window.DragMove()});$window.Show();$appContext=New-Object System.Windows.Forms.ApplicationContext;[void][System.Windows.Forms.Application]::Run($appContext)" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
25 238
Read events
25 236
Write events
2
Delete events
0
Modification events
| (PID) Process: | (376) cmd.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\system32\CMD.exe.FriendlyAppName |
Value: Windows Command Processor | |||
| (PID) Process: | (376) cmd.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\system32\CMD.exe.ApplicationCompany |
Value: Microsoft Corporation | |||
Executable files
1
Suspicious files
3
Text files
16
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4980 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1qy0osxk.bzu.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5612 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_iialm4n1.nzz.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4980 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:D1D2B836B2B33545B98778110FFF2DF4 | SHA256:395BCD93CD18A16CA9A883EAB6B1E1455A5ACF275E7E83FD3C5E8325F123C392 | |||
| 4980 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_212ev22r.zvn.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6916 | cmd.exe | C:\ProgramData\launcher.ZipRipper | text | |
MD5:B89B15B2F9AA79B81F2624130B667A74 | SHA256:B0EDD6B84B01059AB7FC1DD48443706D254E25EFA3082F6BFA0D03858F44A80B | |||
| 376 | cmd.exe | C:\ProgramData\ZipRipper.cmd | text | |
MD5:B48D3F8AC4C16AAA66951F6FD464BF0E | SHA256:102D2C95E80E20291E7600BAD9AA8A160380366A9332CC642C83757C41851C28 | |||
| 5612 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_q0qvplw2.p50.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5328 | powershell.exe | C:\Users\admin\AppData\Local\Temp\pinqbpsi\pinqbpsi.cmdline | text | |
MD5:E304AFB127B86EE39E30B757A2807C8D | SHA256:DFABE7278B32290F704D14069F43D77DD2B55A15AA04ABC0DAA97C893BDFA3B1 | |||
| 5328 | powershell.exe | C:\Users\admin\AppData\Local\Temp\pinqbpsi\pinqbpsi.0.cs | text | |
MD5:2243CF02366045A3304A61B0D91B4AAA | SHA256:0AED36513811D5A2A36EC7E4AA2FC98FF931CF27D6F7E5394515B8AAFAE9B252 | |||
| 5328 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_les03gp0.xdq.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
28
DNS requests
7
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4980 | powershell.exe | GET | 200 | 2.21.20.140:80 | http://www.msftncsi.com/ncsi.txt | unknown | — | — | whitelisted |
3588 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5612 | powershell.exe | GET | 200 | 2.21.20.140:80 | http://www.msftncsi.com/ncsi.txt | unknown | — | — | whitelisted |
— | — | GET | 200 | 140.82.121.3:443 | https://raw.githubusercontent.com/illsk1lls/ZipRipper/main/.resources/zipripper.png | unknown | image | 48.6 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3588 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3588 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4980 | powershell.exe | 2.21.20.140:80 | www.msftncsi.com | Akamai International B.V. | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.msftncsi.com |
| whitelisted |
raw.githubusercontent.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4980 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
5612 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |