File name:

doctor.zip

Full analysis: https://app.any.run/tasks/1a1639c5-8a84-4005-ad8d-6f02836a4427
Verdict: Malicious activity
Analysis date: July 08, 2025, 10:19:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ip-check
rust
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

B97D64E5F33E068AE8D8465D8DDD98A9

SHA1:

44EF5BFFB945BABF1BD010645FD55AA36D123E91

SHA256:

16750E5ECF5DB0EC2BE6950BB7176790644E63028968A062ADC3D8DF72988D5E

SSDEEP:

98304:WMg2PN+DQgrkkYXQ9EqOSkHzPb/Zu9lMS/n2vARhcej966G/FPHo5nB4vuyvQUki:AL09jRfeZt9WB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3908)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3908)
    • Reads the date of Windows installation

      • aha_doctor.exe (PID: 2288)
    • Starts CMD.EXE for commands execution

      • aha_doctor.exe (PID: 2288)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 2272)
      • cmd.exe (PID: 6408)
    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 4708)
    • The process checks if it is being run in the virtual environment

      • aha_doctor.exe (PID: 2288)
    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 5060)
    • Uses WMIC.EXE to obtain operating system information

      • cmd.exe (PID: 3924)
    • Uses WMIC.EXE

      • cmd.exe (PID: 6420)
    • There is functionality for capture public ip (YARA)

      • aha_doctor.exe (PID: 2288)
    • Checks for external IP

      • svchost.exe (PID: 2200)
      • aha_doctor.exe (PID: 2288)
  • INFO

    • Checks supported languages

      • task_host.exe (PID: 6180)
      • aha_doctor.exe (PID: 2288)
    • Reads Environment values

      • aha_doctor.exe (PID: 2288)
    • Reads the computer name

      • aha_doctor.exe (PID: 2288)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3908)
    • Reads product name

      • aha_doctor.exe (PID: 2288)
    • Manual execution by a user

      • aha_doctor.exe (PID: 2288)
    • The sample compiled with english language support

      • WinRAR.exe (PID: 3908)
    • Creates files or folders in the user directory

      • aha_doctor.exe (PID: 2288)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1948)
      • WMIC.exe (PID: 3504)
      • WMIC.exe (PID: 6472)
      • WMIC.exe (PID: 6936)
      • WMIC.exe (PID: 2348)
      • WMIC.exe (PID: 1632)
    • Reads the software policy settings

      • slui.exe (PID: 4084)
    • Reads the machine GUID from the registry

      • aha_doctor.exe (PID: 2288)
    • Checks proxy server information

      • aha_doctor.exe (PID: 2288)
      • slui.exe (PID: 4084)
    • Application based on Rust

      • aha_doctor.exe (PID: 2288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:07:02 16:45:50
ZipCRC: 0x5f55b8ce
ZipCompressedSize: 776354
ZipUncompressedSize: 1906464
ZipFileName: aha_doctor.exe
No data.
All screenshots are available in the full report
Total processes
159
Monitored processes
24
Malicious processes
1
Suspicious processes
1

Behavior graph

Process nodes in the graph (entries marked "no specs" carry no indicators): start, winrar.exe (no specs), rundll32.exe (no specs), aha_doctor.exe, task_host.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), slui.exe, svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 756
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 984
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1632
CMD: wmic Path Win32_PhysicalMemory Get Capacity /value
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 1948
CMD: wmic csproduct get UUID /value
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 2192
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2216
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2272
CMD: "cmd" /C "wmic csproduct get UUID /value"
Path: C:\Windows\System32\cmd.exe
Parent process: aha_doctor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 2288
CMD: "C:\Users\admin\Desktop\doctor\aha_doctor.exe"
Path: C:\Users\admin\Desktop\doctor\aha_doctor.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Aha Doctor
Version:
1.0.1.2
Modules
Images
c:\users\admin\desktop\doctor\aha_doctor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 2348
CMD: wmic os get Version /value
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
Total events
5 830
Read events
5 796
Write events
21
Delete events
13

Modification events

(PID) Process: (3908) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (3908) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (3908) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (3908) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\doctor.zip

(PID) Process: (3908) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3908) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3908) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3908) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3908) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 15
Value:

(PID) Process: (3908) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation: delete value
Name: 14
Value:
Executable files
21
Suspicious files
11
Text files
178
Unknown types
10

Dropped files

PID
Process
Filename
Type
PID: 3908
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\doctor\aha_doctor.exe
Type: executable
MD5: 5AB1727361F9A95428A6E63AB8BFCC8D
SHA256: CEC76AC8F504188E12531706AF5CAA2B1687C55AC524F3F9A25BB764090BF95D

PID: 3908
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\doctor\config\21b2c27ce49c45626ed7515783e4b6262cb8c071ee
Type: binary
MD5: 0BDD9F8CF55690CDA915C35E876CCA01
SHA256: 83CCFB40BB3327CD496C334058EC62489BE4D9948E15860E33800418A9BDAFD7

PID: 3908
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\doctor\aha_engine.dll
Type: executable
MD5: 14487F5640C1C68D3ABB72C8C5FD503A
SHA256: 89D2AE19174C15805C15F418B0B16EFDACFF91A66A103E662DB5B54E64BFC76E

PID: 3908
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\doctor\applogrs.dll
Type: executable
MD5: 5A71328C02BE015114D5C1DC33575CC8
SHA256: 9BB915E83F91801CE90D74DA956B711A3ABE8EEDDD6D06FDA27A2651700BBE7A

PID: 3908
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\doctor\config\third_party_feature.json
Type: binary
MD5: 24B96DAEFD82D213C11CEDAE1E0D3B93
SHA256: 6F5A9BF44E77CA35AFC0F6430CD62FCA0A59CEC53967B8F4A6E1C1AF5D8DB368

PID: 3908
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\doctor\plugin\event_reporter.dll
Type: executable
MD5: C3BE1A8E4546B47F91177E5E350829CA
SHA256: 5B88AA4F7AB9D5A3B1C744B385909D74FC1F7D8C84D184C6B0049539DF7570D5

PID: 3908
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\doctor\plugin\module_block.dll
Type: executable
MD5: 7A560162594B8E05072D9F7B3F3A49B0
SHA256: 09D5AD89A3DCD991DCB00A01BEE8A76AF8598FD4F62385910F7C114CFD667645

PID: 3908
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\doctor\resources\certs\DigiCert Global Root G2.crt
Type: text
MD5: 226EE39FA355BAE90D579EBB8FA61DB4
SHA256: D6D71565725851C8594379585A29CE9F8C1689B2C87D1064158A1AA8D0422BFC

PID: 3908
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\doctor\perfctrl.dll
Type: executable
MD5: 1A30A5CB16B97BE962F81F0592E293C0
SHA256: 14BFCBD518546275D042B7D2A35227452577921D6E2C6310B3EEBC029A00D3B6

PID: 3908
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\doctor\chromium_base.dll
Type: executable
MD5: 83B8F0E3A7EDF161F9F534E1C4EB6107
SHA256: 22AE64F67064340C0C928C9160F65921D786E230D92488FC0613AAF9401CEC02
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
115
DNS requests
32
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
6320
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted
2140
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
DE
binary
408 b
whitelisted
1268
svchost.exe
GET
200
23.216.77.17:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
2140
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
DE
binary
420 b
whitelisted
2940
svchost.exe
GET
200
69.192.161.44:80
http://x1.c.lencr.org/
DE
binary
734 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.216.77.17:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6320
svchost.exe
20.190.159.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6320
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2336
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2288
aha_doctor.exe
163.181.254.187:443
log-klink.zijieapi.com
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.216.77.17
  • 23.216.77.18
  • 23.216.77.21
  • 23.216.77.23
  • 23.216.77.14
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.159.131
  • 40.126.31.69
  • 40.126.31.0
  • 20.190.159.64
  • 20.190.159.4
  • 40.126.31.2
  • 20.190.159.75
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
log-klink.zijieapi.com
  • 163.181.254.187
  • 163.181.254.194
  • 163.181.254.188
  • 163.181.254.193
  • 163.181.254.190
  • 163.181.254.192
  • 163.181.254.189
  • 163.181.254.191
unknown
nexusrules.officeapps.live.com
  • 52.111.236.23
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ifconfig .me) in DNS Lookup
2200
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
2288
aha_doctor.exe
Misc activity
ET INFO Observed External IP Lookup Domain (ifconfig .me) in TLS SNI
No debug info