File name:

Test_Zip.zip

Full analysis: https://app.any.run/tasks/8824ee14-f796-4e11-a022-e3b49a576585
Verdict: Malicious activity
Analysis date: May 15, 2025, 18:49:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-scr
arch-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

D1AA6C34C7CA2318F68B9B81121EC143

SHA1:

0D5A47A6225CE153F64B14BECB5DF944DBB8AD7D

SHA256:

4C17BED862778BE659E1F2336D934F18FFD8EB5AAC247DB6BE795A6130090A43

SSDEEP:

98304:A4xe+FUYtb9g3vo+ZG0SKgH3TTjmXrJTMQ9vkj5L4PhpbsYkinxBXbgR/QRlKZ8Z:MimxuJrzizaatamReB78Yusi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7424)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7756)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 7688)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 7756)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 7756)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7756)

  • SUSPICIOUS

    • The process executes Powershell scripts

      • cmd.exe (PID: 7688)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7688)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7756)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 7688)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7756)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7756)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7756)

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 7756)

    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 7756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:05:14 18:32:54
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: RanSim/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
6
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs rundll32.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
7424"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Test_Zip.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
7632C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
7688C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\RanSim\start.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
7696\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7756powershell -ExecutionPolicy Bypass -NoExit -File RanSim.ps1 -Mode encrypt -Extension ".enc" -Key "Q5KyUru6wn82hlY9k8xUjJOPIC9da41jgRkpt21jo2L=" -TargetPath ".\poc_files"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8028C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
6 903
Read events
6 885
Write events
18
Delete events
0

Modification events

(PID) Process:(7424) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(7424) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(7424) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(7424) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Test_Zip.zip
(PID) Process:(7424) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(7424) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(7424) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(7424) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(7424) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:(7424) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
256
Executable files
0
Suspicious files
13
Text files
34
Unknown types
0

Dropped files

PID
Process
Filename
Type
7424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7424.31457\RanSim\.git\refs\heads\maintext
MD5:9BE5355F7AB7E048F73CC415D4EF114E
SHA256:9D4F770D31EABD9D8D461ECD856404E6C9A7365ED003156E87F8B802CE097BF4
7424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7424.31457\RanSim\.git\refs\remotes\origin\HEADtext
MD5:98B16E0B650190870F1B40BC8F4AEC4E
SHA256:2BB6A24AA0FC6C484100F5D51A29BBAD841CD2C755F5D93FAA204E5DBB4EB2B4
7424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7424.31457\RanSim\.git\hooks\commit-msg.sampletext
MD5:579A3C1E12A1E74A98169175FB913012
SHA256:1F74D5E9292979B573EBD59741D46CB93FF391ACDD083D340B94370753D92437
7424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7424.31457\RanSim\.git\packed-refstext
MD5:944E41CEAF16C74F7B2437C406C00EEC
SHA256:4F93537CE77DFC23BCEDDE1927B125DEF55545C87BF789E13FA9C13752A7EFBE
7424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7424.31457\RanSim\.git\hooks\post-update.sampletext
MD5:2B7EA5CEE3C49FF53D41E00785EB974C
SHA256:81765AF2DAEF323061DCBC5E61FC16481CB74B3BAC9AD8A174B186523586F6C5
7424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7424.31457\RanSim\.github\FUNDING.ymltext
MD5:97828F037709E596E4074ECD7AA20936
SHA256:D2EF80E462B7078260C1B3E8F15F211C2E464CD7C82D409671D9181A80112E67
7424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7424.31457\RanSim\LICENSEtext
MD5:7325E58BFC93561A31A5EC2775AB87AC
SHA256:C5232EF7D0F1DDC721E26817DC27A09F8DACA68CF45D7A82EE4F4C1E60FE040B
7424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7424.31457\RanSim\.git\hooks\pre-merge-commit.sampletext
MD5:39CB268E2A85D436B9EB6F47614C3CBC
SHA256:D3825A70337940EBBD0A5C072984E13245920CDF8898BD225C8D27A6DFC9CB53
7424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7424.31457\RanSim\.git\hooks\update.sampletext
MD5:647AE13C682F7827C22F5FC08A03674E
SHA256:8D5F2FA83E103CF08B57EAA67521DF9194F45CBDBCB37DA52AD586097A14D106
7424WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7424.31457\RanSim\.git\hooks\pre-rebase.sampletext
MD5:56E45F2BCBC8226D2B4200F7C46371BF
SHA256:4FEBCE867790052338076F4E66CC47EFB14879D18097D1D61C8261859EAAA7B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
25
DNS requests
5
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6972
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.238
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Test_Zip.zip