File name: HVR072w05_2024-12-06_20_06_21.184.zip

Full analysis: https://app.any.run/tasks/04f67a7d-9768-4bdb-a598-56448646e4fc
Verdict: No threats detected
Analysis date: December 06, 2024, 20:06:59
OS: Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract, compression method=deflate
MD5: EF23FBEA0186EFC459132AB2F5E9C7B9
SHA1: F8FC8573DF5B2DE3382D4705E610BA8BDDA99F0E
SHA256: 1125BAECA539C3CB5D00027F857578C0237D97A9166C9FB96313F4180195E6AA
SSDEEP: 98304:mfYhlEVvjcsXquBgTNlyZqsjIqqpUauPCKCMtR3KZpWKJYtdGqcHkcdJ36of3MHz:yzLhOu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • WinRAR.exe (PID: 6192)
  • INFO
    • The process uses the downloaded file
      • POWERPNT.EXE (PID: 5516)
      • WinRAR.exe (PID: 6192)
    • Reads Microsoft Office registry keys
      • WinRAR.exe (PID: 6192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0801
ZipCompression: Deflated
ZipModifyDate: 1980:00:00 00:00:00
ZipCRC: 0x0a5c6164
ZipCompressedSize: 4480424
ZipUncompressedSize: 4743128
ZipFileName: Device/HarddiskVolume2/Users/HVR072W05/Downloads/Chapter17.pptx
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → winrar.exe → powerpnt.exe → ai.exe

Process information

PID: 6192
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\HVR072w05_2024-12-06_20_06_21.184.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5516
CMD: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\Rar$DIb6192.44256\Chapter17.pptx" /ou ""
Path: C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft PowerPoint
Version: 16.0.16626.20134
Modules
Images
c:\program files\microsoft office\root\office16\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
PID: 1840
CMD: "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "3B4B1370-0427-4C1F-983F-169E361C2721" "A721C341-C815-4343-9FC7-04FB03AFE4D7" "5516" "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"
Path: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: POWERPNT.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version: 0.14.4.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
Total events: 15 837
Read events: 15 641
Write events: 186
Delete events: 10

Modification events

Process (PID): WinRAR.exe (6192) | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
Process (PID): WinRAR.exe (6192) | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
Process (PID): WinRAR.exe (6192) | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
Process (PID): WinRAR.exe (6192) | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\chromium_ext.zip
Process (PID): WinRAR.exe (6192) | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\HVR072w05_2024-12-06_20_06_21.184.zip
Process (PID): WinRAR.exe (6192) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
Process (PID): WinRAR.exe (6192) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
Process (PID): WinRAR.exe (6192) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Process (PID): WinRAR.exe (6192) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Process (PID): WinRAR.exe (6192) | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0
Executable files: 0
Suspicious files: 31
Text files: 933
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5516 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules\rule100083v2.xml | xml
  MD5: 7B5BAC8525989E8899C3679731D98258
  SHA256: 9A3292D9D11EE8CB27677F193ABE095831F9B7E4174D9E652F82803D328E5DE9
5516 | POWERPNT.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | der
  MD5: 231DA7E6DBCA23228A658B15DDBA703F
  SHA256: 866A4BDA4969544C1682BDE0EE79BD2A39F51FF4B86F862292FD3C2DFC93E486
5516 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules\rule100076v2.xml | xml
  MD5: A1C32A2040850EEC0D8769D73B81F8B3
  SHA256: 8EBC17CB904B635F64A26B18D6C3BBB95BBA210C348D386F15A0C302B752A478
5516 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules\rule100074v0.xml | xml
  MD5: B5F555AC798495BD8A6B4E254745EDA0
  SHA256: 1C79426930C54765CB7B121361D58839DDDBCED8F37502FAB16903274414AB21
5516 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules\rule100043v0.xml | xml
  MD5: E03148FECDFEA3BFD90CA19AA52AC2C1
  SHA256: 6BBCCD4AEA9494B1FD31DE86E19B2634F3AC6E6C72506BCBFD5A5C849C67829C
5516 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules\rule100068v2.xml | xml
  MD5: B9B2CA56A048BDBFE74315BAC8FEFAF0
  SHA256: 3C4A4929450C661680E8B674867368D76A71AA0A5FE6B1541E0CAB2EAECC2F2D
5516 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules\rule100084v1.xml | xml
  MD5: 3671EA9C5CBDE113F64D8C3561349D0F
  SHA256: 7D7B07D4C42A86C7C69E9FDE8460DA77F21D6B82F7A65F183D859BBE9F76D674
5516 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules\rule100078v1.xml | xml
  MD5: F1CE09999B4B350E954C449DCD687080
  SHA256: D708E23A5A1B7EEF562C29674913688C4C09F3BA6917988202F54A9B68EAD43E
5516 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules\rule100070v0.xml | xml
  MD5: D6DAF9F991EB87EB13BE13E79B869750
  SHA256: 4CD12BB7EED5FE69ACC9E7A1EE29515CAEE4C453AB088F765ACB304DC882227C
5516 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules\rule100075v1.xml | xml
  MD5: 6E76DCB19FB44EA1E65014E0CE218AB0
  SHA256: 735879C44400699786304B87916667E37F35A3B26331C41B2366FEA88033B070
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 30
TCP/UDP connections: 53
DNS requests: 35
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4856 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5516 | POWERPNT.EXE | GET | 304 | 146.75.122.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c32a3bb15b338866 | unknown | whitelisted
(not shown) | (not shown) | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAOav%2F2w8K4jHzmTOaTzWTM%3D | unknown | whitelisted
5516 | POWERPNT.EXE | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt | unknown | whitelisted
1296 | svchost.exe | GET | 200 | 184.24.77.24:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
5516 | POWERPNT.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
(not shown) | (not shown) | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D | unknown | whitelisted
2096 | firefox.exe | POST | 200 | 184.24.77.56:80 | http://r10.o.lencr.org/ | unknown | whitelisted
5516 | POWERPNT.EXE | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt | unknown | whitelisted
(not shown) | (not shown) | GET | 200 | 146.75.122.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e7e8e0ff86be79ee | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(not shown) | (not shown) | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted
(not shown) | (not shown) | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted
2096 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted
2096 | firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted
2096 | firefox.exe | 184.24.77.56:80 | r10.o.lencr.org | Akamai International B.V. | DE | whitelisted
2096 | firefox.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5552 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
2096 | firefox.exe | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | GOOGLE | US | whitelisted
(not shown) | (not shown) | 35.190.72.216:443 | location.services.mozilla.com | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted

DNS requests

Domain | IP | Reputation
firefox.settings.services.mozilla.com | 34.149.100.209 | whitelisted
incoming.telemetry.mozilla.org | 34.120.208.123 | whitelisted
prod.remote-settings.prod.webservices.mozgcp.net | 34.149.100.209 | whitelisted
telemetry-incoming.r53-2.services.mozilla.com | 34.120.208.123 | whitelisted
r10.o.lencr.org | 184.24.77.56, 184.24.77.48, 184.24.77.45, 184.24.77.54 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
a1887.dscq.akamai.net | 184.24.77.56, 184.24.77.48, 184.24.77.45, 184.24.77.54, 2a02:26f0:3100::1735:29f0, 2a02:26f0:3100::1735:2a08, 2a02:26f0:3100::1735:2a18 | whitelisted
fp2e7a.wpc.phicdn.net | 192.229.221.95, 2606:2800:233:fa02:67b:9ff6:6107:833 | whitelisted
google.com | 142.250.185.110 | whitelisted
content-signature-2.cdn.mozilla.net | 34.160.144.191 | whitelisted

Threats

PID | Process | Class | Message
(not shown) | (not shown) | Misc activity | ET INFO Microsoft Connection Test
No debug info