File name:

NavaShield.zip

Full analysis: https://app.any.run/tasks/f45e8280-f9fe-4b19-80cd-47cb0b39e5b0
Verdict: Malicious activity
Analysis date: October 27, 2023, 04:34:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B05E1B131299F3D57323BDCA54B00570

SHA1:

82EBEB46687E7B285F588C056E52CCAAB87E464D

SHA256:

3ADB8147E461A11ADD25101D78205B61B54B6993022C8014B9A55B3197CA39C9

SSDEEP:

98304:t2OC4V3d1R3N6Dh9i+uxdqlli0YXZqYo50n54qktOPWL+nD+NBf1GhN2gXKotMiL:tBZJcbnV0LbeMOYH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Endermanch@NavaShield.exe (PID: 2204)
      • Endermanch@NavaShield.exe (PID: 2396)
      • NavaShield.exe (PID: 2820)
      • NavaDebugger.exe (PID: 2888)
      • NavaBridge.exe (PID: 3792)
    • Drops the executable file immediately after the start

      • Endermanch@NavaShield.exe (PID: 2204)
    • Loads dropped or rewritten executable

      • NavaShield.exe (PID: 2820)
      • NavaBridge.exe (PID: 3792)
      • NavaDebugger.exe (PID: 2888)
    • Actions looks like stealing of personal data

      • setup.exe (PID: 2960)
      • cmd.exe (PID: 3752)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Endermanch@NavaShield.exe (PID: 2204)
      • NavaShield.exe (PID: 2820)
      • NavaDebugger.exe (PID: 2888)
    • Starts itself from another location

      • NavaShield.exe (PID: 2820)
    • Application launched itself

      • setup.exe (PID: 2960)
  • INFO

    • Checks supported languages

      • Endermanch@NavaShield.exe (PID: 2204)
      • NavaShield.exe (PID: 2820)
      • NavaBridge.exe (PID: 3792)
      • NavaDebugger.exe (PID: 2888)
      • setup.exe (PID: 2960)
      • wmpnscfg.exe (PID: 2184)
      • setup.exe (PID: 520)
    • Reads the computer name

      • Endermanch@NavaShield.exe (PID: 2204)
      • NavaShield.exe (PID: 2820)
      • wmpnscfg.exe (PID: 2184)
      • NavaDebugger.exe (PID: 2888)
      • setup.exe (PID: 520)
      • NavaBridge.exe (PID: 3792)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3628)
    • Create files in a temporary directory

      • Endermanch@NavaShield.exe (PID: 2204)
      • NavaShield.exe (PID: 2820)
      • NavaBridge.exe (PID: 3792)
      • NavaDebugger.exe (PID: 2888)
    • Creates files or folders in the user directory

      • Endermanch@NavaShield.exe (PID: 2204)
      • setup.exe (PID: 520)
    • Reads CPU info

      • NavaShield.exe (PID: 2820)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2184)
      • cmd.exe (PID: 3752)
      • msedge.exe (PID: 1440)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 2184)
    • Application launched itself

      • msedge.exe (PID: 2216)
      • msedge.exe (PID: 1440)
      • msedge.exe (PID: 3560)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2016:04:23 15:58:12
ZipCRC: 0x04ecc40d
ZipCompressedSize: 9761508
ZipUncompressedSize: 10148025
ZipFileName: Endermanch@NavaShield.exe
No data.
All screenshots are available in the full report
Total processes
84
Monitored processes
38
Malicious processes
7
Suspicious processes
1

Behavior graph

Graph nodes (rendered process tree not available in this extraction; edges are "drop and start" / "start" relations): WinRAR.exe, Endermanch@NavaShield.exe (two instances), NavaShield.exe, NavaBridge.exe, NavaDebugger.exe, wmpnscfg.exe, cmd.exe, setup.exe (two instances), and multiple msedge.exe instances

Process information

PID
CMD
Path
Indicators
Parent process
PID:
120
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1652 --field-trial-handle=1324,i,10466584556688016585,9420819609014123775,131072 /prefetch:8
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID:
396
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2308 --field-trial-handle=1324,i,10466584556688016585,9420819609014123775,131072 /prefetch:1
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID:
520
CMD:
"C:\Program Files\Microsoft\Edge\Application\109.0.1518.115\Installer\setup.exe" --msedge --channel=stable --system-level --verbose-logging --installerdata="C:\Program Files\Microsoft\Edge\Application\master_preferences" --create-shortcuts=1 --install-level=0
Path:
C:\Program Files\Microsoft\Edge\Application\109.0.1518.115\Installer\setup.exe
Parent process:
setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
99
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\109.0.1518.115\installer\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
PID:
748
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1304,i,9946681490783404539,1478485088467928636,131072 /prefetch:2
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
PID:
844
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1324,i,10466584556688016585,9420819609014123775,131072 /prefetch:1
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1052
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1324,i,10466584556688016585,9420819609014123775,131072 /prefetch:1
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\kernel32.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
1440
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate http://www.gaythrills.com/
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
2184
CMD:
"C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path:
C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
PID:
2204
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXb3628.24823\Endermanch@NavaShield.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXb3628.24823\Endermanch@NavaShield.exe
Parent process:
WinRAR.exe
User:
admin
Company:
Nava Labs
Integrity Level:
HIGH
Description:
Nava Shield 4.1 Installation
Exit code:
0
Version:
4.1
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb3628.24823\endermanch@navashield.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
PID:
2216
CMD:
"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.gaythrills.com/
Path:
C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process:
NavaDebugger.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\msedge.exe
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
5 361
Read events
5 270
Write events
87
Delete events
4

Modification events

(PID) Process:
(3628) WinRAR.exe
Key:
HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:
write
Name:
LanguageList
Value:
en-US
(PID) Process:
(3628) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:
write
Name:
2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:
(3628) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:
write
Name:
1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:
(3628) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:
write
Name:
0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:
(3628) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
name
Value:
120
(PID) Process:
(3628) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
size
Value:
80
(PID) Process:
(3628) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
type
Value:
120
(PID) Process:
(3628) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:
write
Name:
mtime
Value:
100
(PID) Process:
(3628) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1
(PID) Process:
(3628) WinRAR.exe
Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1
Executable files
14
Suspicious files
126
Text files
46
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID:
2204
Process:
Endermanch@NavaShield.exe
Filename:
C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp
Type:
MD5:
SHA256:
PID:
2204
Process:
Endermanch@NavaShield.exe
Filename:
C:\Nava Labs\Nava Shield\freeset.dat
Type:
text
MD5:
2C66614915A2EDAC8BD5489C957A2879
SHA256:
FD242B6EAED612C71FF90B17D10D129FF9B4B4969291303458EE817FE2FB3F06
PID:
2204
Process:
Endermanch@NavaShield.exe
Filename:
C:\Nava Labs\Nava Shield\NavaBridge Libs\MD5.dll
Type:
executable
MD5:
831295342C47B770BF7CC591A6916FA7
SHA256:
8341ECC0938CA6D90B7E0F02AF2D7E6B571C948A03A99D54AF61C4557C78D656
PID:
2204
Process:
Endermanch@NavaShield.exe
Filename:
C:\Nava Labs\Nava Shield\bridge.dat
Type:
binary
MD5:
E66F1107F995D52BCD90421B3CDC0DDE
SHA256:
45FA6EACEA58E682C2EF2BB9E888CB6BF396C37B957FD144CA73C95699AD3C74
PID:
2204
Process:
Endermanch@NavaShield.exe
Filename:
C:\Nava Labs\Nava Shield\config.dat
Type:
binary
MD5:
389BF6E15AE0A7250F454DA52AA7CED5
SHA256:
5993325ACFE309946C176737A019AA16E22B921FA6387B766BF8BC8A504E220D
PID:
2204
Process:
Endermanch@NavaShield.exe
Filename:
C:\Nava Labs\Nava Shield\NavaBridge Libs\Internet Encodings.dll
Type:
executable
MD5:
DE5EEFA1B686E3D32E3AE265392492BD
SHA256:
A50E56DFB68410A7927ECD50F55044756B54868E920E462671162D1961BFE744
PID:
2204
Process:
Endermanch@NavaShield.exe
Filename:
C:\Nava Labs\Nava Shield\NavaDebugger.exe
Type:
executable
MD5:
47EF848562A159B2CE98D527EC968DB2
SHA256:
7D899D2D33BDE1C7F55BA0FCD4630B817E42E5CD1CEB8739511A990455275F90
PID:
2204
Process:
Endermanch@NavaShield.exe
Filename:
C:\Nava Labs\Nava Shield\NavaBridge.exe
Type:
executable
MD5:
6F89DF4CDE193C0636C3D497CF1A17BF
SHA256:
E7F05380E90DFB15B91B8BBC2AE48A04BA84D573B3C9F7D81BCC12F814215929
PID:
2204
Process:
Endermanch@NavaShield.exe
Filename:
C:\Nava Labs\Nava Shield\NavaBridge Libs\Browser Plugin.dll
Type:
executable
MD5:
912924F628E277BE9CC28A5F2A990CB9
SHA256:
BD474C5AAFCAA12F20DA5ECB29E17555B953ECA46B4F56588A72672A36D4A8EB
PID:
2204
Process:
Endermanch@NavaShield.exe
Filename:
C:\Nava Labs\Nava Shield\NavaDebugger Libs\MD5.dll
Type:
executable
MD5:
831295342C47B770BF7CC591A6916FA7
SHA256:
8341ECC0938CA6D90B7E0F02AF2D7E6B571C948A03A99D54AF61C4557C78D656
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
msedge.exe
[1027/053910.232:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8)