File name: AppData-Roaming.zip

Full analysis: https://app.any.run/tasks/18e80612-b44f-47c5-8bcc-42e657bfe045
Verdict: Malicious activity
Analysis date: January 13, 2025, 23:02:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
antivm
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 174F9F9A9D24EA4471D625445124BEF2
SHA1: B3709AA78244978AC89791ABAF84E4E0D34FBC0B
SHA256: 10D8718E2E74DE224760061ADC7BB11B058CF7BEDD8507C3FB70C909BCEA386D
SSDEEP: 196608:YnxkaEKaDknZLXcP0OMSqzefrt4nhfmt6IcvIc:YnxkaE7YlMPPfrkh+t5aJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6656)
  • SUSPICIOUS

    • There is functionality for VM detection VirtualBox (YARA)

      • SecurityHealthService.exe (PID: 2800)
    • Application launched itself

      • SecurityHealthService.exe (PID: 2800)
    • There is functionality for VM detection antiVM strings (YARA)

      • SecurityHealthService.exe (PID: 2800)
  • INFO

    • The process uses the downloaded file

      • WinRAR.exe (PID: 7116)
      • WinRAR.exe (PID: 6656)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 6656)
      • WinRAR.exe (PID: 7116)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6656)
      • WinRAR.exe (PID: 7116)
    • Creates files or folders in the user directory

      • SecurityHealthService.exe (PID: 2800)
      • SecurityHealthService.exe (PID: 6456)
    • Reads the computer name

      • SecurityHealthService.exe (PID: 2800)
    • Manual execution by a user

      • SecurityHealthService.exe (PID: 2800)
      • WinRAR.exe (PID: 7116)
    • Checks supported languages

      • SecurityHealthService.exe (PID: 2800)
      • SecurityHealthService.exe (PID: 6456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:01:13 22:51:04
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: AppData-Roaming/
No data.
All screenshots are available in the full report
Total processes
121
Monitored processes
7
Malicious processes
0
Suspicious processes
0

Behavior graph

start winrar.exe rundll32.exe no specs winrar.exe securityhealthservice.exe conhost.exe no specs securityhealthservice.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2800
CMD: "C:\Users\admin\AppData\Roaming\SecurityHealthService.exe"
Path: C:\Users\admin\AppData\Roaming\SecurityHealthService.exe
Parent process: explorer.exe
User:
admin
Company:
Space Sciences Laboratory
Integrity Level:
MEDIUM
Description:
BOINC client
Exit code:
0
Version:
8.0.2
Modules
Images
c:\users\admin\appdata\roaming\securityhealthservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
PID: 5720
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SecurityHealthService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6456
CMD: "C:\Users\admin\AppData\Roaming\SecurityHealthService.exe" --detect_gpus --dir "C:\Users\admin\AppData\Roaming"
Path: C:\Users\admin\AppData\Roaming\SecurityHealthService.exe
Parent process: SecurityHealthService.exe
User:
admin
Company:
Space Sciences Laboratory
Integrity Level:
MEDIUM
Description:
BOINC client
Exit code:
0
Version:
8.0.2
Modules
Images
c:\users\admin\appdata\roaming\securityhealthservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6656
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\AppData-Roaming.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6932
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 7116
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\AppData-Roaming.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
3 030
Read events
2 997
Write events
33
Delete events
0

Modification events

(PID) Process: (6656) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (6656) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (6656) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (6656) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Downloads\AppData-Roaming.zip

(PID) Process: (6656) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6656) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6656) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6656) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (6656) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

(PID) Process: (6656) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value: 256
Executable files
3
Suspicious files
0
Text files
97
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6656
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6656.15683\AppData-Roaming\Microsoft\27c283e9cb0a31d120b0b1d7f5bfee69
Type:
MD5:
SHA256:

PID: 6656
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6656.15683\AppData-Roaming\notices\archive_rosettahome.cn_rosettahome_notices.php.xml
Type: text
MD5: 6B0A8CC3F90BFEA8C69440F259D95BA4
SHA256: 269B3AD12D598980B0EB1673443E84FAC6D7F2B66639B2B72F284DDFB38FD7D9

PID: 6656
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6656.15683\AppData-Roaming\client_state.xml
Type: text
MD5: 13F53B08E5C4C2C0E06127AB7BDBAF23
SHA256: 7778C7AEA53271DBB2A97356A231700623C01D015031D1C78C4847E2E734C785

PID: 6656
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6656.15683\AppData-Roaming\master_rosettahome.top_rosettahome.xml
Type: html
MD5: F5D0DDD9D44A2EFEC1BE2C26FB1B8E82
SHA256: 5F481DFB4031EABD4E89B25FCD801130EC914D97BDE647A800400303744A7771

PID: 6656
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6656.15683\AppData-Roaming\master_rosettahome.cn_rosettahome.xml
Type: html
MD5: F5D0DDD9D44A2EFEC1BE2C26FB1B8E82
SHA256: 5F481DFB4031EABD4E89B25FCD801130EC914D97BDE647A800400303744A7771

PID: 6656
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6656.15683\AppData-Roaming\sched_reply_rosettahome.top_rosettahome.xml
Type: text
MD5: 9FA2A6889F9B25976C2C20F857C47B06
SHA256: A0B344E25B85D3E2A34BD061C871EB41DC94CD97CD2242C819E9D9DC2A381B9F

PID: 6656
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6656.15683\AppData-Roaming\client_state_prev.xml
Type: text
MD5: 52303B5F3559E6E69D0B92AE16094C36
SHA256: 6AA523E83869FE896C78242367BBE0BC7BCC7604DD12D349F35D2954585DD5FC

PID: 6656
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6656.15683\AppData-Roaming\statistics_rosettahome.cn_rosettahome.xml
Type: text
MD5: 8BFDA7C3BF44F9A7811850909557B58F
SHA256: 9A1789F6228F8B43F2FF9B1E5D8AF7A2B998C2BD41AEBA094456F5D179C6A72E

PID: 6656
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6656.15683\AppData-Roaming\sched_request_rosettahome.top_rosettahome.xml
Type: text
MD5: F14ADFF6E3099570E2D16786155C3D19
SHA256: 6B20BD5462A4AC91BB284D09BCE674A043BD3BB5BD7D1D04801CD14E8470E515

PID: 6656
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa6656.15683\AppData-Roaming\notices\feeds_rosettahome.cn_rosettahome.xml
Type: text
MD5: 59E58FBBFEA295E359C0B3DDCE4E5E6D
SHA256: A59DBB66285D0A209D78858BDA62C0824CA4E88AE69DBDE5202D033DAB5A2209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
44
TCP/UDP connections
57
DNS requests
16
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2800
SecurityHealthService.exe
GET
200
104.238.61.8:80
http://rosettahome.cn/rosettahome/notices.php?userid=1&auth=1_1a362b2ad50985e203845fe44682096e
unknown
unknown
2800
SecurityHealthService.exe
POST
200
104.238.61.8:80
http://rosettahome.top/rosettahome_cgi/cgi
unknown
unknown
GET
200
13.85.23.206:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
2800
SecurityHealthService.exe
POST
200
104.238.61.8:80
http://rosettahome.top/rosettahome_cgi/cgi
unknown
unknown
POST
200
40.126.32.138:443
https://login.live.com/RST2.srf
unknown
xml
1.25 Kb
whitelisted
3560
SIHClient.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
40.126.32.136:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
403
23.218.209.163:443
https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409
unknown
whitelisted
POST
400
40.126.32.68:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
210 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2800
SecurityHealthService.exe
104.238.61.8:80
rosettahome.cn
ASN-QUADRANET-GLOBAL
US
unknown
5064
SearchApp.exe
104.126.37.123:443
www.bing.com
Akamai International B.V.
DE
whitelisted
1176
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1076
svchost.exe
23.35.238.131:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
3560
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
3560
SIHClient.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3560
SIHClient.exe
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.78
whitelisted
self.events.data.microsoft.com
  • 20.42.65.88
whitelisted
rosettahome.cn
  • 104.238.61.8
unknown
rosettahome.top
  • 104.238.61.8
unknown
www.bing.com
  • 104.126.37.123
  • 104.126.37.130
  • 104.126.37.144
  • 104.126.37.129
  • 104.126.37.136
  • 104.126.37.163
  • 104.126.37.178
  • 104.126.37.131
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.68
  • 40.126.32.134
  • 20.190.160.22
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.136
  • 40.126.32.138
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2800
SecurityHealthService.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2800
SecurityHealthService.exe
Misc activity
SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
No debug info