File name:

zapret-win-bundle-master.zip

Full analysis: https://app.any.run/tasks/2c2abe71-d839-4f31-8aca-0ba759305515
Verdict: Malicious activity
Analysis date: December 23, 2024, 18:12:40
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
arch-exec
arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

C9BBFD33FA18733A5ACAF663F71DAE5A

SHA1:

9E60EC8B883301C493D012012EC0A6E0ED5AFF93

SHA256:

3576080ED34DCDC72671157CE9C784068160446B1FA4CF7B333585FBD655988E

SSDEEP:

98304:gDEc8lvP7gDB14BRdMwlsgecngos5qdkcjYcZ4v3iyb1E+xUmsTqF8n9poYTo3NE:BMITFwCoyoYD4FnmaClxZ5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 780)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3180)
      • net.exe (PID: 6272)

  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 6012)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6012)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 4400)
      • cmd.exe (PID: 3180)
      • cmd.exe (PID: 5248)

    • Windows service management via SC.EXE

      • sc.exe (PID: 6308)
      • sc.exe (PID: 4160)
      • sc.exe (PID: 3892)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 1744)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 6660)
      • cmd.exe (PID: 6012)
      • cmd.exe (PID: 4400)
      • cmd.exe (PID: 1388)
      • cmd.exe (PID: 3180)
      • cmd.exe (PID: 6156)
      • cmd.exe (PID: 3856)
      • cmd.exe (PID: 2192)
      • cmd.exe (PID: 5888)
      • cmd.exe (PID: 5248)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:12:15 05:35:08
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: zapret-win-bundle-master/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
145
Monitored processes
31
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
780"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\zapret-win-bundle-master.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1160\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1388C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\task_start.cmd" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1744schtasks /Delete /TN winws1 /FC:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1800\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1900\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2192C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\cygwin.cmd" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
2312schtasks /End /TN winws1C:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2408\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2820\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events
1 966
Read events
1 957
Write events
9
Delete events
0

Modification events

(PID) Process:(780) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(780) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(780) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(780) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(780) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\zapret-win-bundle-master.zip
(PID) Process:(780) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(780) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(780) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(780) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
38
DNS requests
32
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2476
MoUsoCoreWorker.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d4249e727dc2beef
unknown
whitelisted
GET
200
184.25.50.104:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
32
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
32
firefox.exe
POST
200
2.23.82.9:80
http://r11.o.lencr.org/
unknown
whitelisted
32
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
32
firefox.exe
POST
200
2.23.82.57:80
http://r11.o.lencr.org/
unknown
whitelisted
HEAD
200
23.35.236.109:443
https://fs.microsoft.com/fs/windows/config.json
unknown
32
firefox.exe
POST
200
2.23.82.9:80
http://r11.o.lencr.org/
unknown
whitelisted
2860
svchost.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?c8be12605aaef0f9
unknown
whitelisted
2860
svchost.exe
GET
200
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?33aada60843ae8e4
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
32
firefox.exe
34.120.208.123:443
incoming.telemetry.mozilla.org
GOOGLE-CLOUD-PLATFORM
US
whitelisted
4
System
192.168.100.255:137
whitelisted
32
firefox.exe
34.149.100.209:443
firefox.settings.services.mozilla.com
GOOGLE
US
whitelisted
184.25.50.104:80
Akamai International B.V.
DE
unknown
5804
rundll32.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
256
OfficeC2RClient.exe
52.109.76.240:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2476
MoUsoCoreWorker.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
1592
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
256
OfficeC2RClient.exe
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
whitelisted
google.com
  • 142.250.186.174
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.76
  • 40.126.32.72
  • 20.190.160.20
  • 20.190.160.17
  • 20.190.160.22
  • 20.190.160.14
  • 40.126.32.140
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
r11.o.lencr.org
  • 2.23.82.9
  • 2.23.82.57
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
zapret-win-bundle-master.zip