File name:

2b566fa8424b46714e0357c7ba0147714ef21c6a63ed8a45caa5b03e8acc58d8.zip

Full analysis: https://app.any.run/tasks/b7b98ff0-fdc8-4e05-aaef-e79f20719a98
Verdict: Malicious activity
Analysis date: August 01, 2025, 01:29:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
snake
auto-sch-xml
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

ACECB43C815DD85C7B55AEEA608F16D3

SHA1:

DDF0228C25AB9EE888A3801F4848C3C205FC22A6

SHA256:

2B566FA8424B46714E0357C7BA0147714EF21C6A63ED8A45CAA5B03E8ACC58D8

SSDEEP:

24576:3sFPyBhBPgxJujbhZZD7oZyBMj+0I7Y/RJ97UHDgtpInS:3sFPmhBPgxJujbhZZD7oZyKj+0I7Y/fP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 6508)
    • SNAKE has been detected (YARA)

      • RegSvcs.exe (PID: 7124)
    • Uses Task Scheduler to run other applications

      • payment Confirmation Request.exe (PID: 6488)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • payment Confirmation Request.exe (PID: 6488)
      • WinRAR.exe (PID: 6508)
    • Executes application which crashes

      • RegSvcs.exe (PID: 7124)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 6508)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 6508)
    • Executable content was dropped or overwritten

      • payment Confirmation Request.exe (PID: 6488)
  • INFO

    • Process checks computer location settings

      • payment Confirmation Request.exe (PID: 6488)
    • Reads the computer name

      • RegSvcs.exe (PID: 7124)
      • payment Confirmation Request.exe (PID: 6488)
      • djnmKTAabuPDpa.exe (PID: 4864)
      • MpCmdRun.exe (PID: 5928)
    • Reads the machine GUID from the registry

      • RegSvcs.exe (PID: 7124)
      • payment Confirmation Request.exe (PID: 6488)
      • djnmKTAabuPDpa.exe (PID: 4864)
    • Checks proxy server information

      • RegSvcs.exe (PID: 7124)
      • WerFault.exe (PID: 1132)
      • slui.exe (PID: 684)
    • Reads the software policy settings

      • RegSvcs.exe (PID: 7124)
      • WerFault.exe (PID: 1132)
      • slui.exe (PID: 684)
    • Checks supported languages

      • RegSvcs.exe (PID: 7124)
      • MpCmdRun.exe (PID: 5928)
      • payment Confirmation Request.exe (PID: 6488)
      • djnmKTAabuPDpa.exe (PID: 4864)
    • Disables trace logs

      • RegSvcs.exe (PID: 7124)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 1132)
      • payment Confirmation Request.exe (PID: 6488)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6508)
    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 5928)
      • payment Confirmation Request.exe (PID: 6488)
    • Manual execution by a user

      • payment Confirmation Request.exe (PID: 6488)
      • djnmKTAabuPDpa.exe (PID: 4864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

SnakeKeylogger

(PID) Process: (7124) RegSvcs.exe
Keys:
DES: 6fc98cd68a1aab8b
Options:
Telegram Bot Token: 7811075287:AAEsR_gg1PtwDdagycf03iL8s4jWtgyn-Hs
Telegram Chat ID: 6244366695

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:07:31 21:39:30
ZipCRC: 0xf5e9c38a
ZipCompressedSize: 595562
ZipUncompressedSize: 712192
ZipFileName: payment Confirmation Request.exe
All screenshots are available in the full report
Total processes: 147
Monitored processes: 12
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes, in report order ("no specs" is the report's label for processes without recorded indicators):
  • start
  • winrar.exe
  • payment confirmation request.exe
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • #SNAKE regsvcs.exe
  • slui.exe
  • werfault.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • mpcmdrun.exe (no specs)
  • djnmktaabupdpa.exe (no specs)
  • svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 440
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR6508.15266\Rar$Scan61574.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 684
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1132
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7124 -s 2384
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: RegSvcs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1380
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djnmKTAabuPDpa" /XML "C:\Users\admin\AppData\Local\Temp\tmp4C22.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: payment Confirmation Request.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3100
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4856
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4864
CMD: "C:\Users\admin\AppData\Roaming\djnmKTAabuPDpa.exe"
Path: C:\Users\admin\AppData\Roaming\djnmKTAabuPDpa.exe
Parent process: explorer.exe
User:
admin
Company:
BookFlow1
Integrity Level:
MEDIUM
Description:
BookFlow Library
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\djnmktaabupdpa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 5928
CMD: "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR6508.15266"
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
PID: 6488
CMD: "C:\Users\admin\Desktop\payment Confirmation Request.exe"
Path: C:\Users\admin\Desktop\payment Confirmation Request.exe
Parent process: explorer.exe
User:
admin
Company:
BookFlow1
Integrity Level:
MEDIUM
Description:
BookFlow Library
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\payment confirmation request.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
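The process table shows how persistence was set up. payment Confirmation Request.exe (PID 6488), running from the Desktop, dropped a task definition to C:\Users\admin\AppData\Local\Temp\tmp4C22.tmp and called schtasks.exe /Create /TN "Updates\djnmKTAabuPDpa" /XML on it (PID 1380; the SysWOW64 image path behind a System32 command line is WOW64 file-system redirection, so the parent is a 32-bit process). The dropped copy djnmKTAabuPDpa.exe later ran from the %APPDATA% root (PID 4864), and SNAKE was detected inside RegSvcs.exe (PID 7124), whose parent the report does not list. The detection logic below is an added example and not part of the ANY.RUN report: it turns that chain into three rules and runs them over constructed Sysmon-style process-creation events. The field names, the WinRAR.exe and RegSvcs.exe image paths, and the parent chosen for RegSvcs.exe are assumptions.

```python
"""Detections for the persistence chain in the process table above, run over
constructed Sysmon-style process-creation events. Added example, not part of
the ANY.RUN report: field names, the WinRAR.exe and RegSvcs.exe image paths
and the parent of RegSvcs.exe are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the created process
    cmdline: str
    parent_image: str  # full path of the creating process


# Directories an unprivileged user can write to; legitimate installers rarely
# register scheduled tasks from binaries that live here.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(desktop|downloads|appdata\\(roaming|local\\temp))\\",
    re.IGNORECASE)
# Parents we accept for .NET framework utilities (Windows itself, installed apps).
TRUSTED_PARENT_DIRS = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\",
                                 re.IGNORECASE)
# .NET framework utilities commonly used to host injected stealer payloads.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list:
    """Names of the rules that fire for one event, in fixed order."""
    hits = []
    name = basename(ev.image)
    cmd = ev.cmdline.lower()

    # Rule 1: schtasks /Create fed a task definition from %TEMP% by a parent
    # running out of a user-writable directory (how PID 1380 above was used).
    if (name == "schtasks.exe" and "/create" in cmd
            and re.search(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', cmd)
            and USER_WRITABLE.match(ev.parent_image)):
        hits.append("schtasks_create_xml_from_temp_by_user_binary")

    # Rule 2: an executable sitting directly in the %APPDATA% root and started
    # from there, like the persisted copy djnmKTAabuPDpa.exe (PID 4864).
    if re.match(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$",
                ev.image, re.IGNORECASE):
        hits.append("exe_launched_from_appdata_root")

    # Rule 3: a .NET framework utility (SNAKE was found inside RegSvcs.exe,
    # PID 7124) started by something outside Windows or Program Files.
    # Hunting-grade: developer tooling can also trip it.
    if name in DOTNET_HOSTS and not TRUSTED_PARENT_DIRS.match(ev.parent_image):
        hits.append("dotnet_utility_spawned_by_untrusted_parent")
    return hits


def scan(events) -> dict:
    """Map PID -> rule hits for every event that fires at least one rule."""
    result = {}
    for ev in events:
        hits = detect(ev)
        if hits:
            result[ev.pid] = hits
    return result


# Constructed from the report's process table; paths marked "assumed" are not
# in the report.
SAMPLE_EVENTS = [
    ProcEvent(6488, r"C:\Users\admin\Desktop\payment Confirmation Request.exe",
              r'"C:\Users\admin\Desktop\payment Confirmation Request.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1380, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djnmKTAabuPDpa" '
              r'/XML "C:\Users\admin\AppData\Local\Temp\tmp4C22.tmp"',
              r"C:\Users\admin\Desktop\payment Confirmation Request.exe"),
    ProcEvent(4864, r"C:\Users\admin\AppData\Roaming\djnmKTAabuPDpa.exe",
              r'"C:\Users\admin\AppData\Roaming\djnmKTAabuPDpa.exe"',
              r"C:\Windows\explorer.exe"),
    # RegSvcs.exe path and parent are assumed; the report records neither.
    ProcEvent(7124, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Users\admin\Desktop\payment Confirmation Request.exe"),
    # Benign control: WinRAR's virus-scan hook (WinRAR path assumed).
    ProcEvent(440, r"C:\Windows\System32\cmd.exe",
              r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR6508.15266\Rar$Scan61574.bat" "',
              r"C:\Program Files\WinRAR\WinRAR.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Rule 3 is deliberately broad: build servers and developer workstations that launch RegAsm or RegSvcs from an IDE will match it too, so scope it to user endpoints or require Rule 1 from the same parent before alerting.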
Total events: 17 766
Read events: 17 740
Write events: 26
Delete events: 0

Modification events

The ten events shown are all registry writes by WinRAR.exe (PID 6508), operation: write.
Key | Name | Value
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | ShellExtBMP | (empty)
HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | ShellExtIcon | (empty)
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\preferences.zip
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\chromium_ext.zip
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\2b566fa8424b46714e0357c7ba0147714ef21c6a63ed8a45caa5b03e8acc58d8.zip
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | name | 120
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | size | 80
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | type | 120
HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | mtime | 100
Executable files: 2
Suspicious files: 0
Text files: 5
Unknown types: 1

Dropped files

PID | Process | Filename | Type
1132 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_887b6fb525c7c5e5f253acdbcd291d7cd6a15618_30ee27f1_82791df4-3055-47ff-87a3-9b427b017fe3\Report.wer | -
MD5:
SHA256:
1132 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\RegSvcs.exe.7124.dmp | -
MD5:
SHA256:
6488 | payment Confirmation Request.exe | C:\Users\admin\AppData\Roaming\djnmKTAabuPDpa.exe | executable
MD5: 50AD8CA4DE5B8D6ADF27C215D1201E41
SHA256: 18511EC36F7D5820423CE0E5D2E8C128100F8C5D522FAC1DF573296E0C590F71
6508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR6508.15266\2b566fa8424b46714e0357c7ba0147714ef21c6a63ed8a45caa5b03e8acc58d8.zip\payment Confirmation Request.exe | executable
MD5: 50AD8CA4DE5B8D6ADF27C215D1201E41
SHA256: 18511EC36F7D5820423CE0E5D2E8C128100F8C5D522FAC1DF573296E0C590F71
1132 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B5D.tmp.xml | xml
MD5: 54BBE4DDC187D86118F7445ABDF64218
SHA256: B1E092AFB0E739BDA1C63B99291CC1E27DB042471E818049C015384DD945E0AD
1132 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A61.tmp.dmp | dmp
MD5: AF9021FA9241740A42173D73DA30F9FD
SHA256: B01274871C2B4E4188CB00975BFBF7C0A527148FE3453043B3F5CEC14901227E
6508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR6508.15266\Rar$Scan61574.bat | text
MD5: 319071E50CDDC7B8619A211C9060DDAB
SHA256: 37A213A04B1896AAA2090B22712A42EE016C7DAAC33BB8779C1CCFAB5D0864EC
5928 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | text
MD5: 5477F5249EBD24663E67E887CEF44911
SHA256: 0A248B80A8274C55A10FD4FF1423762E99589942F3C4C035507631DC77AE8916
6488 | payment Confirmation Request.exe | C:\Users\admin\AppData\Local\Temp\tmp4C22.tmp | xml
MD5: 8DACD03F2BE37C5D0AB7A3FB5D2A7192
SHA256: 8B3D591866A37401513A618291EDC92575EA0ED10B60798ED3AB38EBEC6332C5
1132 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B4D.tmp.WERInternalMetadata.xml | xml
MD5: B8248FC565C0FF0D78BD978473DEDE90
SHA256: B5F7458E56A32758E447E4B7CD94162A55759B10364FABA369AB834D693547DD
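Two entries above deserve a second look. The persisted copy C:\Users\admin\AppData\Roaming\djnmKTAabuPDpa.exe and the extracted payment Confirmation Request.exe share MD5 and SHA256, so the file registered for persistence is a byte-identical copy of the sample. The task definition C:\Users\admin\AppData\Local\Temp\tmp4C22.tmp, dropped by PID 6488 and consumed by schtasks.exe /XML (PID 1380), is listed only by hash. The triage below is an added example, not part of the ANY.RUN report: it parses a Task Scheduler XML, extracts actions, triggers and settings, and flags the traits that matter in incident response. Because the report does not reproduce tmp4C22.tmp, the XML is constructed and its logon trigger and Hidden setting are assumptions; a benign constructed task is included as a control.

```python
"""Triage of a Task Scheduler XML such as the tmp4C22.tmp the sample passed
to schtasks.exe /XML. Added example, not from the report: the XML below is
constructed to the Task Scheduler schema because the report lists that file
only by hash, so its trigger and settings are assumptions."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths an unprivileged user controls; a task whose action lives here persists
# whatever the user (or malware) dropped there.
USER_WRITABLE = re.compile(
    r"^(c:\\users\\[^\\]+\\(appdata|desktop|downloads)\\"
    r"|%(appdata|localappdata|temp|userprofile)%)",
    re.IGNORECASE)

# Constructed: what a task registered as "Updates\djnmKTAabuPDpa" could look
# like, pointing at the dropped copy in %APPDATA%. Exported task XML is UTF-16
# on disk; parse such files from bytes with ET.parse(path), which honours the
# encoding declaration.
SAMPLE_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\admin\AppData\Roaming\djnmKTAabuPDpa.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed benign control: a system binary on a daily timer, not hidden.
BENIGN_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-08-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments></Exec>
  </Actions>
</Task>
"""


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def triage_task(xml_text: str) -> dict:
    """Summarise one task definition and flag the traits that matter in IR."""
    root = ET.fromstring(xml_text.strip())
    actions = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [_local(c.tag) for c in trig_el]
    hidden = (root.findtext("t:Settings/t:Hidden", default="false",
                            namespaces=NS) or "").strip().lower() == "true"
    run_level = (root.findtext("t:Principals/t:Principal/t:RunLevel",
                               default="", namespaces=NS) or "").strip()

    flags = []
    if any(USER_WRITABLE.match(cmd.strip('"')) for cmd, _ in actions):
        flags.append("exec_from_user_writable_path")
    if hidden:
        flags.append("hidden_task")
    if {"LogonTrigger", "BootTrigger"} & set(triggers):
        flags.append("runs_at_logon_or_boot")
    if run_level.lower() == "highestavailable":
        flags.append("requests_elevation")
    return {"actions": actions, "triggers": triggers, "hidden": hidden,
            "run_level": run_level, "flags": flags}


if __name__ == "__main__":
    for label, text in (("suspicious", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task(text))
```

On a live host the same XML can be pulled with schtasks /Query /TN "Updates\djnmKTAabuPDpa" /XML or read from C:\Windows\System32\Tasks\Updates\djnmKTAabuPDpa; those files are UTF-16, so hand them to ET.parse as a path or bytes rather than decoding them first.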
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 50
TCP/UDP connections: 46
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6732 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.159.64:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 40.126.31.71:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.159.75:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 74.178.76.128:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted
6812 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6732 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6732 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 23.3.109.244
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.129
  • 20.190.159.128
  • 20.190.159.64
  • 40.126.31.73
  • 40.126.31.71
  • 20.190.159.2
  • 40.126.31.67
  • 20.190.160.64
  • 20.190.160.132
  • 20.190.160.2
  • 20.190.160.17
  • 20.190.160.128
  • 40.126.32.140
  • 40.126.32.72
  • 20.190.160.5
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
checkip.dyndns.org
  • 132.226.247.73
  • 193.122.6.168
  • 132.226.8.169
  • 158.101.44.242
  • 193.122.130.0
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
reallyfreegeoip.org
  • 104.21.16.1
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.96.1
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.80.1
malicious
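Two of the lookups above, checkip.dyndns.org and reallyfreegeoip.org, are not attributed to a process in this report, but they are the public-IP and geolocation checks Snake Keylogger is known to run before exfiltrating, and the SnakeKeylogger configuration extracted from RegSvcs.exe earlier in the report carries a Telegram bot token and chat ID, i.e. the Telegram Bot API is the exfiltration channel. The report records no api.telegram.org traffic; RegSvcs.exe crashed, as the WerFault.exe -p 7124 entry shows. The hunt below is an added example and not part of the ANY.RUN report: it pulls bot tokens out of text such as the config block, classifies constructed web-proxy log lines into recon and Bot API use, and reports clients that did both. The log lines are constructed, and the Bot API request shape (/bot<token>/<method>) comes from Telegram's public API documentation, not from this capture.

```python
"""Proxy-log hunt for Snake Keylogger's recon lookups and Telegram Bot API
exfiltration. Added example, not from the report: the log lines below are
constructed, and the Bot API request shape comes from Telegram's public API
docs rather than from traffic captured in this sandbox run."""
import re
from typing import Optional
from urllib.parse import urlsplit

# A bot token is "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>". The lookbehind
# only rejects digits and ':' so the token is still found when extraction has
# glued it to a preceding label (as in the config block of this report).
TOKEN_RE = re.compile(r"(?<![\d:])(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Bot API calls carry the token in the path: /bot<token>/<method>
BOT_API_RE = re.compile(r"^/bot(\d{8,10}:[A-Za-z0-9_-]{35})/([A-Za-z]+)$")
# Services resolved in this run that give the stealer the victim's public IP
# and geolocation before it exfiltrates.
RECON_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
# Token recovered from the sandbox's SnakeKeylogger config.
KNOWN_TOKENS = {"7811075287:AAEsR_gg1PtwDdagycf03iL8s4jWtgyn-Hs"}

# Constructed log lines: "<time> <client> <method> <url> <status>".
SAMPLE_LOG = "\n".join([
    "2025-08-01T01:31:02Z 10.0.0.23 GET http://checkip.dyndns.org/ 200",
    "2025-08-01T01:31:03Z 10.0.0.23 GET https://reallyfreegeoip.org/xml/203.0.113.7 200",
    "2025-08-01T01:31:09Z 10.0.0.23 POST https://api.telegram.org/bot"
    "7811075287:AAEsR_gg1PtwDdagycf03iL8s4jWtgyn-Hs/sendDocument 200",
    "2025-08-01T01:31:10Z 10.0.0.44 GET http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl 200",
    "2025-08-01T01:31:12Z 10.0.0.51 POST https://api.telegram.org/bot"
    "1234567890:" + "A" * 35 + "/sendMessage 200",   # unknown bot, made-up token
])


def extract_tokens(text: str) -> list:
    """Pull bot tokens out of arbitrary text (config dumps, strings output)."""
    return TOKEN_RE.findall(text)


def analyse_line(line: str) -> Optional[dict]:
    """Classify one log line; None when it is neither recon nor Bot API use."""
    _ts, client, _method, url, _status = line.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in RECON_HOSTS:
        return {"client": client, "kind": "recon", "host": host}
    if host == "api.telegram.org":
        m = BOT_API_RE.match(parts.path)
        if m:
            token, api_method = m.groups()
            kind = "known_bad_bot" if token in KNOWN_TOKENS else "telegram_bot_api"
            return {"client": client, "kind": kind, "host": host,
                    "token": token, "api_method": api_method}
    return None


def hunt(log_text: str) -> list:
    """Return every recon or Bot API finding, in log order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = analyse_line(line)
            if finding:
                findings.append(finding)
    return findings


def exfil_chains(findings: list) -> set:
    """Clients that did recon *and* talked to the Bot API: the stealer pattern,
    whether or not the token is already known."""
    kinds_by_client = {}
    for f in findings:
        kinds_by_client.setdefault(f["client"], set()).add(f["kind"])
    return {c for c, kinds in kinds_by_client.items()
            if "recon" in kinds and kinds & {"known_bad_bot", "telegram_bot_api"}}


if __name__ == "__main__":
    print(extract_tokens("Telegram Bot Token7811075287:AAEsR_gg1PtwDdagycf03iL8s4jWtgyn-Hs"))
    found = hunt(SAMPLE_LOG)
    for f in found:
        print(f)
    print("recon-then-exfil clients:", exfil_chains(found))
```

A token recovered from a sample goes into KNOWN_TOKENS, but unknown tokens are worth an alert on their own: legitimate Telegram bot clients are rare on corporate endpoints, and the same host doing an IP/geolocation lookup and then a Bot API call is the pattern regardless of which bot it reports to.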

Threats

No threats detected