| Field | Value |
|---|---|
| File name | 382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b_rl |
| Full analysis | https://app.any.run/tasks/c974a777-c02e-424b-af8a-8078ef47e646 |
| Verdict | Malicious activity |
| Analysis date | June 15, 2025, 17:47:24 |
| OS | Windows 10 Professional (build: 19044, 64 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5 | EE3A51CF7DB3E4183910A0B2EB39BC9D |
| SHA1 | 6C9EA3FBBE5B451E24325F2EC964F42BE293E0C4 |
| SHA256 | 382ECCD545C69BCF07E9B7B73701BD2BEA707C58452CB108F99D3F541545B86B |
| SSDEEP | 1536:5dpsgnze6ghlQJR3fAgywu/Lt3FXmZzWx:5dpsgnzgsJR34g1Cx3ZezWx |
| Field | Value |
|---|---|
| .zip | ZIP compressed archive (100) |
| ZipRequiredVersion | 20 |
| ZipBitFlag | 0x0008 |
| ZipCompression | Deflated |
| ZipModifyDate | 2024:07:25 10:20:26 |
| ZipCRC | 0x92c45a20 |
| ZipCompressedSize | 158 |
| ZipUncompressedSize | 217 |
| ZipFileName | JsonSafeTest.wsf |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 436 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\regListStream.wsf | C:\Windows\System32\wscript.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 1 | 5.812.10240.16384 |
| 760 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR4224.49774" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Malware Protection Command Line Utility | 2 | 4.18.1909.6 (WinBuild.160101.0800) |
| 888 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\regDeleteValue.wsf | C:\Windows\System32\wscript.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | | 5.812.10240.16384 |
| 1136 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\JsonSafeTest.wsf | C:\Windows\System32\wscript.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 1 | 5.812.10240.16384 |
| 1352 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\regDeleteKey.wsf | C:\Windows\System32\wscript.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 1 | 5.812.10240.16384 |
| 1800 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | | 10.0.19041.1 (WinBuild.160101.0800) |
| 3048 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\ArchitectureSpecificRegistry.vbs | C:\Windows\System32\wscript.exe | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.812.10240.16384 |
| 3624 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\regUtil.vbs | C:\Windows\System32\wscript.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.812.10240.16384 |
| 3836 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe | admin | Microsoft Corporation | MEDIUM | Windows Activation Client | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 4224 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b_rl.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | | 5.91.0 |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 4224 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtBMP | |
| 4224 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | write | ShellExtIcon | |
| 4224 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip |
| 4224 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip |
| 4224 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip |
| 4224 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b_rl.zip |
| 4224 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 4224 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 4224 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| 4224 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4224 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR4224.49774\382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b_rl.zip\regCreateKey.wsf | html | 04E6D736DDA6EEC814E5BFF7121A695C | 44201185E05845FEF8B56BA9CEA0194EDFFD89D0465B86E055292F84F19526C0 |
| 4224 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR4224.49774\382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b_rl.zip\JsonSafeTest.wsf | html | B2F8FFF6092358229A94CC309AB6C11B | C2FAB2EB9137FEB5CE29833D58690A0735703A0BD2F38538061758B47A44105F |
| 3048 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary | 14CAA4CF42ECDF8603D976A060F2431D | 5441248E74C1559FA5738A3A6FD82A729732F917433447B9708A66F3F47F9548 |
| 3048 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | binary | D461C27BB082B06F77FDED3EB9055FE6 | 46D425BE288DAF11A4AD6FBB296425F44D1F93BEFABA6B561EC6C8425CE46B1A |
| 3048 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary | 312B94AB7A45A5BB1CF61DD145473A6F | 866EBD50EB1640161C94431C72763DDDBC28486C40465FF18FA167795D4789E6 |
| 3048 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | binary | 15DC701363674984E4F9A551F3CE2F2E | 8E9C851C8B5CB21765E6D03C9F8BB1D62C39D7A71EFC071E047359D6C2B82988 |
| 3048 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E5EDA8ADF20028E870340B80105C2BF6 | binary | DD1AA88E23CA36CC8C809EB427FE571D | 589078DB06B52774455FAB8B1B6C81C45923549710E05440A82F1344A25BE88E |
| 3048 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E5EDA8ADF20028E870340B80105C2BF6 | binary | 2638FE8311FB3EAB54C84CCA38F05292 | A3D314CA65BF17ECA5E1F5813780D17001761DB3C7536D29F84304CB6DB3E6F8 |
| 4224 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR4224.49774\382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b_rl.zip\regList.wsf | html | CAE7DB4194DE43346121A463596E4F4F | B65C5AF7DBEB43C62F6A5528AF6DB3CB1CA2A71735A8E7A1451796F834E355C2 |
| 4224 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR4224.49774\382eccd545c69bcf07e9b7b73701bd2bea707c58452cb108f99d3f541545b86b_rl.zip\regDeleteValue.wsf | html | 2F99F4A960ECD045306AD0581854CD8E | 080B83A9B8666C5F02A5AF1A0FCD351D3073A05C2319628E060FCDCE7F70AB35 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | binary | 825 b | whitelisted |
| 1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | QA | binary | 868 b | whitelisted |
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | QA | binary | 868 b | whitelisted |
| 2028 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | QA | binary | 868 b | whitelisted |
| — | — | POST | 200 | 20.190.159.131:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted |
| 3048 | wscript.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | DE | binary | 471 b | whitelisted |
| 3048 | wscript.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | DE | binary | 727 b | whitelisted |
| 3048 | wscript.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAQYvm4tb9UHj6rvky5iRBk%3D | DE | binary | 751 b | whitelisted |
| — | — | POST | 200 | 20.190.159.131:443 | https://login.live.com/RST2.srf | US | xml | 11.0 Kb | whitelisted |
| — | — | POST | 200 | 40.126.31.3:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 2028 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
| 2028 | RUXIMICS.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
| 1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| login.live.com | | whitelisted |
| client.wns.windows.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| nexusrules.officeapps.live.com | | whitelisted |
| slscr.update.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |