| File name: | CXK-NMSL V3.2.bat.zip |
| Full analysis: | https://app.any.run/tasks/800cb53e-f1cc-4168-88e2-043f8f125961 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | April 19, 2025, 08:56:23 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v5.1 to extract, compression method=AES Encrypted |
| MD5: | 4BE59A2FAA344A4266E3BE98B557012E |
| SHA1: | 3105700380FDD7B48FA9441A4660E33AC34E6181 |
| SHA256: | 4C525F443912E12711EE97526080A0BB1D257D1CE047C6CAF428B3003C6A44D3 |
| SSDEEP: | 98304:iTOtalPWQuxJtdBhpFsTImsCz0DO0oYvLuxQdVgT/W/bBBruLPhrZEaJp7AqEtKE:zTuT3qEqvPb |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 7556)
Renames files like ransomware
- cmd.exe (PID: 7488)
SUSPICIOUS
No suspicious indicators.INFO
Manual execution by a user
- cmd.exe (PID: 7488)
Reads the software policy settings
- slui.exe (PID: 7708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 51 |
|---|---|
| ZipBitFlag: | 0x0009 |
| ZipCompression: | Unknown (99) |
| ZipModifyDate: | 2025:04:19 04:58:56 |
| ZipCRC: | 0x1e59c75c |
| ZipCompressedSize: | 4919915 |
| ZipUncompressedSize: | 7427407 |
| ZipFileName: | CXK-NMSL V3.2.bat.bin |
Total processes
161
Monitored processes
35
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 660 | certutil -encode "visualhelpful.rtf.cxkdata" "visualhelpful.rtf.cxk_nmsl" | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 744 | certutil -encode "assessmentstudy.rtf.cxkdata" "assessmentstudy.rtf.cxk_nmsl" | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1164 | certutil -encode "growthname.rtf.cxkdata" "growthname.rtf.cxk_nmsl" | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1324 | certutil -encode "presentdaily.rtf.cxkdata" "presentdaily.rtf.cxk_nmsl" | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1452 | certutil -encode "llcsmith.png.cxkdata" "llcsmith.png.cxk_nmsl" | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1532 | certutil -encode "associatedlatest.png.cxkdata" "associatedlatest.png.cxk_nmsl" | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2236 | certutil -encode "eachsports.rtf.cxkdata" "eachsports.rtf.cxk_nmsl" | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2800 | certutil -encode "currentlysep.rtf.cxkdata" "currentlysep.rtf.cxk_nmsl" | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4488 | certutil -encode "dateus.jpg.cxkdata" "dateus.jpg.cxk_nmsl" | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4688 | certutil -encode "CXK-NMSL V3.2.bat.zip.cxkdata" "CXK-NMSL V3.2.bat.zip.cxk_nmsl" | C:\Windows\System32\certutil.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 816
Read events
6 797
Write events
19
Delete events
0
Modification events
| (PID) Process: | (7556) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (7556) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (7556) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (7556) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\CXK-NMSL V3.2.bat.zip | |||
| (PID) Process: | (7556) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (7556) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (7556) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (7556) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (7556) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface |
| Operation: | write | Name: | ShowPassword |
Value: 0 | |||
| (PID) Process: | (7556) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
| Operation: | write | Name: | name |
Value: 256 | |||
Executable files
0
Suspicious files
18
Text files
39
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7556 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb7556.32024\CXK-NMSL V3.2.bat.bin | — | |
MD5:— | SHA256:— | |||
| 7488 | cmd.exe | C:\Users\admin\Desktop\CXK-NMSL V3.2.bat.cxkdata | — | |
MD5:— | SHA256:— | |||
| 7488 | cmd.exe | C:\Users\admin\Desktop\CXK-NMSL V3.2.bat | — | |
MD5:— | SHA256:— | |||
| 4688 | certutil.exe | C:\Users\admin\Desktop\CXK-NMSL V3.2.bat.zip.cxk_nmsl | — | |
MD5:— | SHA256:— | |||
| 7488 | cmd.exe | C:\Users\admin\Desktop\eachsports.rtf.cxkdata | text | |
MD5:072FB8CB7619845CA8CB84A8F56F93A1 | SHA256:1150607609FAC38DEE948A2F367B8FA44F83725E53D631B07575F93E3FDA4C24 | |||
| 7488 | cmd.exe | C:\Users\admin\Desktop\growthname.rtf.cxkdata | text | |
MD5:A440C55BF9B2A1D6093528F84D76A70A | SHA256:8B2121C0E9FB8883BA159374413B996CC6968F21740DC245A5D18ECD4155DD6B | |||
| 7488 | cmd.exe | C:\Users\admin\Desktop\dateus.jpg.cxkdata | binary | |
MD5:C22D985DD74B64C6720016FDE9D48294 | SHA256:9A219C59752E8F960572BB16FCA2665FFC7EB69803338EDAA450BC278793DB79 | |||
| 7488 | cmd.exe | C:\Users\admin\Desktop\presentdaily.rtf.cxkdata | text | |
MD5:B23E1BD9CFA85F914A3F9ED926B4315C | SHA256:1B886A1A3C66669F618B3919D4D2643AE279CBF395791664C06BAA4FBE7C143D | |||
| 7488 | cmd.exe | C:\Users\admin\Desktop\evaluationstate.png.cxkdata | binary | |
MD5:6A27F881BCEAFB32725D07FD08EDF2C7 | SHA256:030981176518E9D485129072A5CDAE1ECE733C3AA508E2C83E864C057DE2B9E9 | |||
| 7488 | cmd.exe | C:\Users\admin\Desktop\overallsection.rtf.cxkdata | text | |
MD5:39DC7E63B04F7BBCD7A72945338A7533 | SHA256:AB303B5FA11C1837E65F0C4A00BE3DD2D4F350C1C536A96C666D0218AA359F4C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
40
DNS requests
19
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3304 | firefox.exe | GET | 404 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
3304 | firefox.exe | GET | 404 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
3304 | firefox.exe | GET | 404 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
3304 | firefox.exe | GET | 404 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
3304 | firefox.exe | GET | 404 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
3304 | firefox.exe | GET | 404 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2112 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
3304 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted |
6544 | svchost.exe | 20.190.159.129:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2284 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
login.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
171.39.242.20.in-addr.arpa |
| unknown |
7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa |
| unknown |