| File name: | Huzuni.zip |
| Full analysis: | https://app.any.run/tasks/fce7d75d-850e-45eb-9e56-d491ed658695 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | June 29, 2025, 16:20:24 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | E7DD10777098014518FC36F01A6F9727 |
| SHA1: | 763F8327C913258B9EEC4278291D6C61E39BC1CD |
| SHA256: | 349881ECC593A2611F39666C7672AFD6CD5BC00B20872C672CE1EB8034AD9F86 |
| SSDEEP: | 768:i9zXdtThYmY2CMa9nhS45EAzxrWWeKWrwTVQOh3lo:i5XdBOmBMh/5EAB7eKWrAVQOro |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 4788)
Changes the login/logoff helper path in the registry
- Huzuni.exe (PID: 6128)
Resizes shadow copies
- cmd.exe (PID: 304)
Deletes shadow copies
- cmd.exe (PID: 304)
Disables task manager
- Huzuni.exe (PID: 6128)
RANSOMWARE has been detected
- Huzuni.exe (PID: 6128)
SUSPICIOUS
Reads security settings of Internet Explorer
- Huzuni.exe (PID: 728)
- Huzuni.exe (PID: 6128)
Creates file in the systems drive root
- Huzuni.exe (PID: 728)
- cmd.exe (PID: 304)
- Huzuni.exe (PID: 6128)
Executable content was dropped or overwritten
- Huzuni.exe (PID: 728)
Executing commands from a ".bat" file
- Huzuni.exe (PID: 728)
Starts CMD.EXE for commands execution
- Huzuni.exe (PID: 728)
- Huzuni.exe (PID: 6128)
Executes as Windows Service
- VSSVC.exe (PID: 4864)
Reads the date of Windows installation
- Huzuni.exe (PID: 728)
- Huzuni.exe (PID: 6128)
INFO
Manual execution by a user
- Huzuni.exe (PID: 2716)
- Huzuni.exe (PID: 728)
- Taskmgr.exe (PID: 5084)
- mspaint.exe (PID: 420)
- Taskmgr.exe (PID: 2464)
- WINWORD.EXE (PID: 3936)
- WINWORD.EXE (PID: 6124)
Reads the computer name
- Huzuni.exe (PID: 728)
- Huzuni.exe (PID: 6128)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 4788)
Reads the machine GUID from the registry
- Huzuni.exe (PID: 728)
- Huzuni.exe (PID: 6128)
Process checks computer location settings
- Huzuni.exe (PID: 728)
- Huzuni.exe (PID: 6128)
Checks supported languages
- Huzuni.exe (PID: 728)
- Huzuni.exe (PID: 6128)
Checks proxy server information
- slui.exe (PID: 5116)
Reads the software policy settings
- slui.exe (PID: 5116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2020:12:21 05:30:16 |
| ZipCRC: | 0xb4ffff48 |
| ZipCompressedSize: | 33562 |
| ZipUncompressedSize: | 66560 |
| ZipFileName: | Huzuni.exe |
Total processes
187
Monitored processes
32
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 304 | C:\WINDOWS\system32\cmd.exe /c ""C:\window.bat"" | C:\Windows\System32\cmd.exe | — | Huzuni.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 420 | "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\Desktop\solutionsversion.png" | C:\Windows\System32\mspaint.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Paint Exit code: 0 Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 728 | "C:\Users\admin\Desktop\Huzuni.exe" | C:\Users\admin\Desktop\Huzuni.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Huzuni Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 1296 | vssadmin resize shadowstorage /for=c: /on=e: /maxsize=401MB | C:\Windows\System32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1300 | vssadmin resize shadowstorage /for=c: /on=g: /maxsize=401MB | C:\Windows\System32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1324 | "C:\Windows\System32\cmd.exe" /takeown /f C:\Windows\System32\Taskmgr.exe && icacls C:\Windows\System32\Taskmgr.exe /grant %username%:F && del C:\Windows\System32\Taskmgr.exe && exit | C:\Windows\System32\cmd.exe | — | Huzuni.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1388 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "DD796572-42E3-4178-9418-1DE902784691" "F69D9A78-AEE9-4AA1-BF5A-A7FD735FB03D" "3936" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Exit code: 0 Version: 0.12.2.0 Modules
| |||||||||||||||
| 1936 | vssadmin Delete shadows /all /quiet | C:\Windows\System32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1948 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2216 | vssadmin resize shadowstorage /for=c: /on=g: /maxsize=unbounded | C:\Windows\System32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
22 049
Read events
20 834
Write events
1 109
Delete events
106
Modification events
| (PID) Process: | (4788) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (4788) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (4788) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (4788) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (4788) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (4788) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\Huzuni.zip | |||
| (PID) Process: | (4788) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (4788) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (4788) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (4788) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
3
Suspicious files
62
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4788 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.37852\Huzuni.exe | executable | |
MD5:E988915EB5706F5EEEA7B684EEC41A85 | SHA256:06B8827FC8494E0E7B284A8DCB704E38169347FB857E4114813A2B8DB206EC2C | |||
| 6128 | Huzuni.exe | C:\Users\admin\Desktop\solutionsversion.png | binary | |
MD5:A47CF6BF201EEC9608B48C0E30426EA6 | SHA256:C82AB83F64561517647899260A6493A24F06980B47F412670807BC8CEC20D4E9 | |||
| 6128 | Huzuni.exe | C:\Users\admin\Desktop\chargerange.png | binary | |
MD5:0DE220F65E672EF7001DD675AE9890A5 | SHA256:327DDBF66B95764252A28136071D038815549757DD0CBB624D3C083BED601F32 | |||
| 6128 | Huzuni.exe | C:\Users\admin\Desktop\femalenorthern.rtf | binary | |
MD5:1F2804832058061044B981FAD0F3C1E6 | SHA256:811243AAC6788DA4E42A8E326F178F739AABC67ADAC909028FC49313EFFC2298 | |||
| 728 | Huzuni.exe | C:\window.bat | text | |
MD5:9DBA906094EE0F15F38E0640E5923270 | SHA256:0E79EFBEAE919D458E637000C20E4E71DDB916903527C593248038A78358F57D | |||
| 6128 | Huzuni.exe | C:\Users\admin\Desktop\strather.jpg | binary | |
MD5:0D844191588E20AA9C2F426DD01FAD3B | SHA256:426C2431E1E9D8D8CB796346CA71AF1D8CBDB9ED62984DF33EAF732C134710FD | |||
| 6128 | Huzuni.exe | C:\Users\admin\Desktop\holidayfit.jpg | binary | |
MD5:EF87AC6716FA26B69417E8D7872947D7 | SHA256:23EC74B767A45DACDF429D3F476E9C222DAC52E13BFBF9AEC4B78E4850A2D15D | |||
| 6128 | Huzuni.exe | C:\Users\admin\Desktop\southerndefinition.png | binary | |
MD5:59F77120C9EC126540B5E4211824F6C7 | SHA256:BE3969D312AE452FFAF8D02854FED14875BD3EDE44549A4AE79AFB5E921D08C4 | |||
| 6128 | Huzuni.exe | C:\Users\admin\Desktop\virginiacases.rtf | binary | |
MD5:9B0F53A3C6D38D96410A9B35AA5E120C | SHA256:D6EFCCDA447534777D6DDA4712FAE5E4324CA9D54C189E0CCA706855F8D16AB9 | |||
| 6128 | Huzuni.exe | C:\Users\admin\Desktop\caremployment.rtf | binary | |
MD5:A9918D16D876477E214A9ECF67B1C00C | SHA256:8C8D20E407C1AE593BCFE0EEF4B8E198DB94B5B6E1EF62A9558276D8DBE2F664 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
48
DNS requests
35
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1268 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2940 | svchost.exe | GET | 200 | 2.23.197.184:80 | http://x1.c.lencr.org/ | unknown | — | — | whitelisted |
1440 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
3936 | WINWORD.EXE | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
1580 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | — | — | whitelisted |
3936 | WINWORD.EXE | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | — | — | whitelisted |
2760 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
3948 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
2760 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6380 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3948 | svchost.exe | 20.190.159.129:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3948 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
2336 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
Process | Message |
|---|---|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|