File name:

WebView2Loader-FiletypeApplication.zip

Full analysis: https://app.any.run/tasks/f234aa8f-6610-49aa-a8bd-77c38c8f59d8
Verdict: Malicious activity
Analysis date: September 16, 2024, 18:32:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

711F8C34ABF14929531D2C5D94117B68

SHA1:

AF24D389F23A0D2959C7323A0B8B91FA7B0C54D9

SHA256:

2FC053334943622343EB1DC96D826ADC3AC527F4D89E685CF6002E5439F24217

SSDEEP:

393216:Xu+J1mo8//AQR+izy3w0+y66aQDF92RC0:e+4/xqg0M6nDFko0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • excelcnv.exe (PID: 6808)
      • MSOHTMED.EXE (PID: 4404)
      • ONENOTEM.EXE (PID: 5624)
      • VPREVIEW.EXE (PID: 7164)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 6312)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6312)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 6312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0008
ZipCompression: Deflated
ZipModifyDate: 2024:09:04 14:55:42
ZipCRC: 0x2c0f5276
ZipCompressedSize: 23858
ZipUncompressedSize: 47120
ZipFileName: Wordconv.exe
No data.
All screenshots are available in the full report
Total processes
115
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

start → winrar.exe → msohtmed.exe (no specs), excelcnv.exe (no specs), onenotem.exe (no specs), vpreview.exe (no specs)

Process information

PID: 4404
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\MSOHTMED.EXE"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\MSOHTMED.EXE
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office component
Exit code:
3221225781
Version:
16.0.17928.20066
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6312.41367\msohtmed.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5624
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41700\ONENOTEM.EXE"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41700\ONENOTEM.EXE
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Send to OneNote Tool
Exit code:
3221225781
Version:
16.0.17928.20114
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6312.41700\onenotem.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 6312
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\WebView2Loader-FiletypeApplication.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6808
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41548\excelcnv.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41548\excelcnv.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
3221225781
Version:
16.0.17928.20114
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6312.41548\excelcnv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID: 7164
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41851\VPREVIEW.EXE"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41851\VPREVIEW.EXE
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office Visio Previewer
Exit code:
3221225781
Version:
16.0.17928.20114
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa6312.41851\vpreview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
1 808
Read events
1 802
Write events
6
Delete events
0

Modification events

(PID) Process: (6312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (6312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\WebView2Loader-FiletypeApplication.zip

(PID) Process: (6312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (6312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (6312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (6312) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files
68
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID: 6312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\excelcnv.exe
Type:
MD5:
SHA256:
PID: 6312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41548\excelcnv.exe
Type:
MD5:
SHA256:
PID: 6312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\CLVIEW.EXE
Type: executable
MD5:BE4BB11DCD98BEC1B19496EB177BF1CB
SHA256:B63F0194B52A54BDBAB7C28EDB126CD895FC4D5F9A7CE07364B0C0A5AB8C330F
PID: 6312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\PerfBoost.exe
Type: executable
MD5:81E3C9443F961FD6DBA64EF9FF5B9DC4
SHA256:646B178B9817E6677442F747878EA9524126DC2FAD0258814BDF488D9E0478E9
PID: 6312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\msoasb.exe
Type: executable
MD5:090EAC1A7AF143E9F04F9BB3DBF4F78F
SHA256:4C988B97FE836EDC2E56480ED0AEEED6A6E681DDF0F474DC0027994D2BC03BB0
PID: 6312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\NAMECONTROLSERVER.EXE
Type: executable
MD5:58B636F66CF8C69AB5AE87BB11347E90
SHA256:167C46AF8237163CDA0E26DA297FFE69B386A5738C30AA0B969DD0D06EB093F0
PID: 6312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\msoadfsb.exe
Type: executable
MD5:796477D051EE7D533E13B305DCE916D4
SHA256:F48E4CEE9023E74A975EA27FBBFBC86FC0E27A4E616325506F8406AB4FD4E40A
PID: 6312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\MSQRY32.EXE
Type: executable
MD5:7EEDC21EE4973BEB984FE4EF6980BBB8
SHA256:1CAFFF5817FD97DC295DEA11AB655B77EE6D9A6F4787807918338909EF4FE0EB
PID: 6312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\SETLANG.EXE
Type: executable
MD5:45FC6373128323739937B398839962B8
SHA256:9301C5A62905AC6DAF56FCC06F21724E3D6A5502268D45C644E544F9EF842D8C
PID: 6312
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa6312.41367\ONENOTE.EXE
Type: executable
MD5:EB565C3C392231BA6D8DA394C018598C
SHA256:6AC619D67F89E6DD070AC9D2BFA3B749C259DD40E79CD05815B681CE3BD7CCFD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
17
DNS requests
5
Threats
0

HTTP requests

PID:
Process:
Method: GET
HTTP Code: 200
IP: 23.218.209.163:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

PID: 2120
Process: MoUsoCoreWorker.exe
Method: GET
HTTP Code: 200
IP: 23.218.209.163:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

Connections

PID:
Process:
IP: 51.124.78.146:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID:
Process:
IP: 23.218.209.163:80
Domain: www.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

PID: 2120
Process: MoUsoCoreWorker.exe
IP: 23.218.209.163:80
Domain: www.microsoft.com
ASN: AKAMAI-AS
CN: DE
Reputation: whitelisted

PID: 3888
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted

PID: 5644
Process: svchost.exe
IP: 40.127.240.158:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted

Threats

No threats detected
No debug info