| File name: | dosbox.zip |
| Full analysis: | https://app.any.run/tasks/2b44a277-5664-428b-b15d-7c349ac471eb |
| Verdict: | Malicious activity |
| Analysis date: | April 20, 2025, 05:22:26 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | 6EC5969D9C1D679A4E016D1F4C12025D |
| SHA1: | DD288B32A3EA5C2C03DC0F7C55A69E1DA0242004 |
| SHA256: | 413F106555A4BC9147878A7BEC9BD32983DA07A8C4D8CD898055F7D83C94137D |
| SSDEEP: | 98304:YNljWGx9I1vbgYkgG8huBuKMMTedH++kPaBPYgNsnFxc912ZzKJql8H1PrlWmwSW:GljWvZyVZ/+voA7H3TSOK++oMLl0Ij |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 5072)
SUSPICIOUS
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 5072)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 5072)
Process drops legitimate windows executable
- WinRAR.exe (PID: 5072)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 5072)
INFO
Manual execution by a user
- cmd.exe (PID: 5936)
- cmd.exe (PID: 1056)
- cmd.exe (PID: 6108)
- cmd.exe (PID: 6816)
- cmd.exe (PID: 5380)
- cmd.exe (PID: 4272)
- cmd.exe (PID: 5988)
- cmd.exe (PID: 6972)
- cmd.exe (PID: 5436)
- cmd.exe (PID: 6676)
The sample compiled with english language support
- WinRAR.exe (PID: 5072)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 5072)
Create files in a temporary directory
- MpCmdRun.exe (PID: 1672)
Checks supported languages
- MpCmdRun.exe (PID: 1672)
Reads the computer name
- MpCmdRun.exe (PID: 1672)
Reads the software policy settings
- slui.exe (PID: 1628)
Checks proxy server information
- slui.exe (PID: 1628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xpi | | | Mozilla Firefox browser extension (42.1) |
|---|---|---|
| .zip | | | ZIP compressed archive (21) |
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2015:06:23 07:15:14 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | dosbox/ |
Total processes
143
Monitored processes
25
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1040 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1056 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Run DOSBox configuration.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1328 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1628 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1672 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1852 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3888 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4008 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4164 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4272 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\DOSBox 0.74 Options.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
5 356
Read events
5 347
Write events
9
Delete events
0
Modification events
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\dosbox.zip | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan |
| Operation: | write | Name: | DefScanner |
Value: Windows Defender | |||
Executable files
35
Suspicious files
15
Text files
109
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694\dosbox.zip\dosbox\Documentation\THANKS.txt | text | |
MD5:366E90C5B46ACA9E238B8590C11CDD24 | SHA256:ACD9CBB904EBCEA9AD6D0D871A1131C5262A0BB8BCE94DFAF21EE4ED5140B45E | |||
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694\dosbox.zip\dosbox\DOSBox 0.74 Manual.txt | text | |
MD5:28165C1AACEB324FF796D9862B11B37E | SHA256:25B1C0BEBC166F34487081DC036A433F20640C3F5A145C6B287A2E8EEF1395A3 | |||
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694\dosbox.zip\dosbox\Screenshots & Recordings.bat | text | |
MD5:49C28D6953FB810692795A8F93E894C5 | SHA256:9B235D133481E85BF12E2BA5BEA2AAB5E87B54404DE1A06C58FF4DE1E5AD9560 | |||
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694\dosbox.zip\dosbox\dosbox-debug.exe | executable | |
MD5:E8520041221442AB267C72863606A121 | SHA256:4785166E374F69ECCBDDC7B1C0459EE98D5108ACB8A2505928C8B85D132D7BC0 | |||
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694\dosbox.zip\dosbox\DOSBox.exe | executable | |
MD5:33294E0A8B970B8DE45CE446E2ADD783 | SHA256:E09F78E60B5BE25A6AF0381B71A90B8AA625F2EA42ECD427638EDF2ABB7130F0 | |||
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694\dosbox.zip\dosbox\dosboxsvn.exe | executable | |
MD5:52FA6B3FCB8FEFDCA5E8FDC4F81F9E55 | SHA256:5A916B3BA28678BEC5FFB376A9BEA60540D331149220FDEF22AD7B876B302239 | |||
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694\dosbox.zip\dosbox\Documentation\NEWS.txt | text | |
MD5:C48E30CED714BBB2A93411ACD0576D65 | SHA256:45AEE809A1D4751F9851FE94588FB29EB8A99B52F586C234EC18193AAD8BBE87 | |||
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694\dosbox.zip\dosbox\svn\d3dx9_43.dll | executable | |
MD5:E415862612E65F10D7D888443ECD7594 | SHA256:5EDEED79F2359527A55B8189CFA8B9B121CD608D44EEAD905A0F3436938AD532 | |||
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694\dosbox.zip\dosbox\SDL_net.dll | executable | |
MD5:7DB830B9FB29781F86CEC2A1BBFE050C | SHA256:2F39DC04ACBECF47EFA45034891602B6EA7BF6FD2F27B5C0A5CA8D7FB155C929 | |||
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5072.45694\dosbox.zip\dosbox\Documentation\COPYING.txt | text | |
MD5:46AAF69A91703493B666F212A04F2D8D | SHA256:DA0ECA0FB517AC939D167924C9D4B3F8750A6B7191932EF2CB145ACFA624AC7E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
23
DNS requests
3
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6620 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1628 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |